6428 configuring and troubleshooting microsoft windows server 2008 terminal services

OFFICIAL MICROSOFT LEARNING PRODUCT 6428A: Configuring and Troubleshooting Microsoft® Windows Server® 2008 Terminal Services

Upload: kenfung888

Post on 01-Dec-2014



Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, Aero, ClearType, Internet Explorer, Jscript, MSDN, MSN, Outlook, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual SourceSafe, Windows, Windows Media, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: Corey J. Hynes

Product Number: 6428A

Part Number: X14-99399

Released: 06/2008

MICROSOFT LICENSE TERMS

OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft

• updates,

• supplements,

• Internet-based services, and

• support services

for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.

If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.


i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.

n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.


i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that

• becomes publicly known through no wrongful act;

• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or

• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:

Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply:

Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks:


You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.

o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.

o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.

o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.

o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.

o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.

o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.


iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use;

• You will not republish or post the Academic Materials on any network computer or broadcast in any media;

• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:

Form of Notice:

© 2008 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;

• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;

• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;

• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;

• work around any technical limitations in the Licensed Content;

• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;

• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;

• publish the Licensed Content for others to copy;


• transfer the Licensed Content, in whole or in part, to a third party;

• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;

• rent, lease or lend the Licensed Content; or

• use the Licensed Content for commercial hosting services or general business purposes.

• Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”

10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and

• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this contract are provided below in French.

DISCLAIMER OF WARRANTY. The licensed content is offered “as is.” Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this contract cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain compensation from Microsoft and its suppliers only for direct damages up to US $5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

• anything related to the licensed content, services or content (including code) on third-party Internet sites or in third-party programs; and

• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or any other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This contract describes certain legal rights. You may have other rights under the laws of your country. This contract does not change your rights under the laws of your country if those laws do not permit it to do so.

Contents

Module 1: Configuring Terminal Services Core Functionality

Lesson 1: Configuring the TS Server Role Service

Lesson 2: Configuring the TS Settings

Lab: Configuring TS Core Functionality

Module 2: Configuring and Managing Terminal Services Licensing

Lesson 1: Configuring TS Licensing

Lesson 2: Managing TS Licenses

Lab Demonstration: Configuring and Managing TS Licensing

Module 3: Configuring and Troubleshooting Terminal Services Connections

Lesson 1: Configuring the TS Connection Properties

Lesson 2: Configuring the TS Connection Properties by Using Group Policy

Lesson 3: Troubleshooting TS Connections

Lab: Configuring and Troubleshooting the TS Connections

Module 4: Configuring Terminal Services RemoteApp and Easy Print

Lesson 1: Installing Applications

Lesson 2: Configuring RemoteApp Programs

Lesson 3: Configuring Printers

Lab: Configuring TS RemoteApp and Easy Print

Module 5: Configuring Terminal Services Web Access and Session Broker

Lesson 1: Installing TS Web Access

Lesson 2: Configuring TS Session Broker

Lab: Configuring TS Web Access and Session Broker

Module 6: Configuring and Troubleshooting Terminal Services Gateway

Lesson 1: Configuring TS Gateway

Lesson 2: Monitoring and Troubleshooting TS Gateway Connections

Lab: Configuring and Troubleshooting TS Gateway

Module 7: Managing and Monitoring Terminal Services

Lesson 1: Methods for Managing and Monitoring TS

Lesson 2: Configuring Windows System Resource Manager for TS

Lab: Managing and Monitoring TS

Lab Answer Keys


About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

This two-day instructor-led course introduces you to Microsoft® Windows Server® 2008 Terminal Services. The course prepares you for configuring and managing the TS roles—TS licensing, Gateway, and Web Access—as well as monitoring and troubleshooting a TS environment.

Audience

The primary audiences for this course include Technology Specialists in an enterprise environment as well as individuals who are assuming a new role requiring skills to manage connections served by a terminal server session over the intranet, extranet, and Internet.

Student Prerequisites

This course requires that you meet the following prerequisites:

• Course 6420: Fundamentals of a Windows Server 2008 Network Infrastructure and Application Platform

• Course 6421: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure

or

• Microsoft Windows Server 2003 Terminal Server experience in an enterprise environment as follows:

• Minimum of one year of experience in administering and supporting TS

• Minimum of one year of experience in administering and supporting Windows Server 2003 or Windows Server 2003 R2

• Minimum of one year of experience in administering certificate services

• Network + certification


Course Objectives

After completing this course, students will be able to:

• Configure the TS role.

• Manage TS licensing.

• Configure TS connection properties by using the Terminal Services Configuration snap-in and Group Policy.

• Configure TS Easy Print and TS RemoteApp programs.

• Configure the TS Web Access role service.

• Configure the TS Session Broker role for a load-balanced TS farm.

• Configure and troubleshoot TS Gateway.

• Maintain TS connections post installation and configure Windows System Resource Manager (WSRM) for TS.

Course Outline

This section provides an outline of the course:

Module 1, "Configuring Terminal Services Core Functionality" prepares you for installing and configuring the TS role. The module also introduces the new core functionality in TS, lists the considerations for using a standalone instance and a farm, and briefly explains how to configure the TS settings.

Module 2, "Configuring and Managing Terminal Services Licensing" introduces you to TS Licensing and covers how the license server and terminal server need to be configured for issuing and managing licenses. The module also includes installing Per User and Per Device TS Client Access Licenses (CALs) on the license server as well as managing the licensing lifecycle.

Module 3, "Configuring and Troubleshooting Terminal Services Connections" introduces the connection properties that can be set by using either the Terminal Services Configuration snap-in or Group Policy. Besides setting these properties, the module also covers configuring the authentication and encryption levels, Desktop Experience and Plug and Play (PnP) Device Redirection Framework, and Single Sign-On (SSO) for user profiles. The module ends with troubleshooting connectivity issues.


Module 4, "Configuring Terminal Services RemoteApp and Easy Print" starts with discussing the types of applications that can be installed on the terminal server. The module then provides an overview of RemoteApp programs, advantages of using these programs, and the methods used to deploy them on the terminal server. Also covered in the module is TS Easy Print, which facilitates printer redirection over a TS session.

Module 5, "Configuring Terminal Services Web Access and Session Broker" provides the steps for installing and configuring RemoteApp programs by using TS Web Access. The module also covers a separate role service, the TS Session Broker, which facilitates reconnection to an existing session in a load-balanced TS farm.

Module 6, "Configuring and Troubleshooting Terminal Services Gateway" explains how to install and configure the TS Gateway role service. The module also covers how to manage TS Connection Authorization Policies (CAPs) and TS Resource Authorization Policies (RAPs). Following a brief introduction to Network Access Protection (NAP), the module goes on to discuss troubleshooting TS Gateway.

Module 7, "Managing and Monitoring Terminal Services" explains the tasks involved in managing and monitoring TS Connections. The module also introduces the enhanced features of WSRM and how to configure WSRM.


Course Materials

The following materials are included with your kit:

• Course Handbook. The Course Handbook contains the material covered in class.

• Course CD. The Course CD contains the full lab exercises and answer keys as well as the topical and categorized resources and Web links.

Note: To access the Course CD, insert the CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:

1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual Server, and then click Virtual Server Administration Website.

2. Under Navigation, click Master Status. For each virtual machine that is running, point to the virtual machine name, and, in the context menu, click Turn off Virtual Machine and Discard Undo Disks. Click OK.


The following table shows the role of each virtual machine that this course uses:

Virtual machine | Role
NYC-DC1 | A Domain Controller for woodgrovebank.com
NYC-TS | Terminal server with terminal services installed
NYC-WEB | A member of the woodgrovebank.com domain

Software Configuration

The following software is installed on each virtual machine:

• Windows Server 2008 Enterprise

Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught. This course requires a computer that meets or exceeds hardware level 5.5, which specifies a 2.4-gigahertz (minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16 megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.


Module 1 Configuring Terminal Services Core Functionality

Contents:

Lesson 1: Configuring the TS Server Role Service

Lesson 2: Configuring the TS Settings

Lab: Configuring TS Core Functionality


Module Overview

TS in Windows Server 2008 has been upgraded to incorporate improved features that are especially useful for organizations with branch offices. This module introduces the new features in TS and prepares you for installing and configuring the TS server role service.

The module also includes considerations for using a standalone instance and a farm, as well as configuring the TS settings.


Lesson 1: Configuring the TS Server Role Service

TS in Windows Server 2008 includes new core functionality that provides enhanced features to remotely deploy and access applications. This new core functionality includes Remote Desktop Connection (RDC) 6.1, Remote Desktop Connection Display improvements, and Plug and Play (PnP) device redirection.

The TS server role service can be installed as a standalone instance or in a farm with multiple terminal servers.


TS Features

Key Points

TS in Windows Server 2008 allows users to connect to a server running Windows-based programs or the full Windows desktop.

In addition, Windows Server 2008 TS also provides:

• A secure and encrypted connection between remote users and the resources on a local network.

• Support for Embedded Point of Service (POS) device redirection.

• Support for Network Access Protection (NAP) that enforces network authentication.

• A new role management tool and an improved scalable spooler.


• Support for Microsoft Internet Protocol version 6 (IPv6) that enables peer-to-peer and mobile applications.

• The Windows System Resource Manager (WSRM) tool to manage system resources by using preconfigured policies or custom resource policies.

Question: Which features of Windows Server 2008 TS will be useful in your organization?

For more information about TS features, see "What's New in Terminal Services for Windows Server 2008" on the Microsoft TechNet Web site.


Installing the TS Server Role Service

Key Points

You can install the TS server role service by using the Server Manager, if no other TS role services, such as TS Gateway and TS Licensing, are installed on the server. If a TS role service is already installed on the server, the Terminal Services check box will be selected and dimmed. You then need to select the "To install the Terminal Server role server when Terminal Services is already installed" option.

For more information about installing the TS server role, see "Terminal Server Installation" on the Microsoft TechNet Web site.


Authentication Modes

Key Points

Two types of authentication modes can be used on a terminal server:

• User authentication supported by password, smart card, Windows NT LAN Manager (NTLM), and one-time password (OTP) over encrypted channels

• Host level authentication supported by Kerberos and Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates

NTLM authentication is mostly used for stand-alone systems on the network. The Kerberos authentication protocol provides a more secure network connection than traditional authentication methods.


You can also configure Single Sign-On (SSO) on the terminal server. SSO is an access method that allows a client to gain access to multiple systems with a single set of credentials.

Note: Besides providing the Basic authentication method, Windows Server 2008 also provides Network Level Authentication. If you select this method, only clients running Windows Server 2008 or Microsoft Windows Vista with RDC version 6.0, or later, will be able to connect to the terminal server.

For more information about authentication modes, see "Windows Server 2008 Technical Review" and "Single Sign-On for Terminal Services" on the Microsoft TechNet Web site.


TS Core Functionality

Key Points

The following are the requirements for configuring TS core functionality on the client:

• High resolution monitors, such as super video graphics array (SVGA) or 1680 x 1050 or 1920 x 1200

• Windows portable devices

• Embedded POS for .NET devices


The core functionality works with:

• RDC 6.0 available with Windows Vista and Microsoft Windows XP

• RDC 6.1 available with Windows Server 2008

For more information about TS core functionality, see "What’s New in Terminal Services for Windows Server 2008" on the Microsoft TechNet Web site.


Remote Desktop Connection 6.1

Key Points

RDC 6.1:

• Is available with Windows Server 2008 and Windows Vista with SP1.

• Supports Remote Desktop Protocol (RDP) 6.1 on the client computer.

As an administrator, you can remotely connect to a Windows Server 2008-based server by using the new /admin switch introduced in RDC 6.1. RDC 6.1 does not support the /console switch used in Microsoft Windows Server 2003. However, to connect to a physical console session on a Windows Server 2003-based server from Windows Vista SP1, you can use the mstsc.exe /admin command.

For more information about RDC, see "Terminal Services Core Functionality" on the Microsoft TechNet Web site.


Remote Desktop Connection Display

Key Points

Both RDC 6.0 and RDC 6.1 support higher-resolution desktops and provide for spanning of multiple monitors horizontally to form a single large desktop.

You can also set a custom display resolution in a .rdp file using the RemoteApp Microsoft Management Console (MMC) or at the command prompt.

To set a custom display resolution in a .rdp file by using a text editor, add or change the following settings:

desktopwidth:i:<width>
desktopheight:i:<height>

To set a custom display resolution at the command prompt, use the mstsc.exe command as follows:

mstsc.exe /w:<width> /h:<height>


In the syntax, <width> and <height> are the resolution values—for example, 1680 and 1050.

Spanning of a session across multiple monitors requires:

• Same resolution on all the monitors—for example, all monitors having 1024 x 768 resolution

• Horizontal alignment of all monitors

• Total resolution of all monitors not to exceed 4096 x 2048

You can enable spanning of the same session across multiple monitors by changing the settings in a .rdp file or at the command prompt.

To set spanning in a .rdp file using a text editor, add or modify the following setting:

Span:i:<num>

If <num> = 0, then monitor spanning is disabled and if <num> = 1, then monitor spanning is enabled.

To set spanning at the command prompt, type the following command:

mstsc.exe /span

Question: In which scenarios would custom display resolution and spanning help in an organization?

For more information about RDC display, see "Remote Desktop Connection Display" on the Microsoft TechNet Web site.


Remote Desktop Experience

Key Points

In Windows Server 2008 TS, you can further enhance the end-user’s experience of connecting to a remote desktop with the Desktop Experience feature. This feature provides the functionality of Windows Vista such as Windows Media® Player 11, desktop themes, and photo management.

The TS client computers with Windows Vista include the Windows Aero™ interface that shows:

• Translucent glass windows

• Customized lightweight window colors

• Open windows in a three-dimensional stack on the desktop

• Subtle animations supporting the repositioning of windows


Note: The desktop composition feature using Windows Aero works from a Vista client to a Vista terminal server only.

Windows Server 2008 also provides the ClearType® feature that is now supported over RDP. This feature works by smoothing the characters, thus making it easier to read text on LCD screens. Because this feature was not supported over RDP prior to Windows Server 2008, text over TS was displayed in low resolution.

The smoothing of fonts is also available on client computers having:

• Windows Vista

• Windows Server 2003 with SP1 and SP2 and RDC 6.0

• Windows XP with SP2 and RDC 6.0


Device Redirection

Key Points

The new PnP Redirection Framework provided in Windows Server 2008 enhances the PnP device redirection over RDP. The PnP device redirection, however, is not available for nested terminal server connections. For example, a client computer with a PnP device is redirected to a session with terminal server 1. The client then connects to another session with terminal server 2 from within the terminal server 1 session. The PnP device will not be available for this session with terminal server 2. Windows Server 2008 also redirects devices that use POS for .NET 1.11.

Note: POS redirection is not supported if the terminal server has an x86-based version of Windows Server 2008.


You can enable POS for .NET device redirection by editing the .rdp file used to connect to the terminal server as follows:

redirectposdevices:i:<value>

In the above syntax, if <value> = 0, POS for .NET device redirection is disabled, and if <value> = 1, it is enabled.

For more information about device redirection, see "Plug and Play Device Redirection for Media Players and Digital Cameras" and "Microsoft Point of Service for .NET Device Redirection" on the Microsoft TechNet Web site.
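
The .rdp settings described under Remote Desktop Connection Display (desktopwidth, desktopheight, Span) and in this topic (redirectposdevices) are edited by hand, so a malformed line is easy to miss. The following Python script is an added example, not part of the courseware: it parses .rdp text, checks those settings, and checks a monitor layout against the three spanning requirements. The function names, the constructed sample file, the (left, top, width, height) monitor tuples, and the case-insensitive comparison of setting names are assumptions of this example.

```python
import re

# One setting per line in the form name:type:value (i = integer, s = string, b = binary).
SETTING_RE = re.compile(r"^([^:]+):([isb]):(.*)$")
MAX_SPAN = (4096, 2048)                  # total-resolution limit stated in the text
FLAGS = ("span", "redirectposdevices")   # settings the text defines as 0 or 1

# Constructed sample file: line 3 uses "=" instead of ":" and the last value is out of range.
SAMPLE_RDP = """\
full address:s:NYC-TS
desktopwidth:i:3360
desktopheight:i = 1050
Span:i:1
redirectposdevices:i:2
"""


def parse_rdp(text):
    """Parse .rdp text into ({lower-cased name: value}, [syntax problems])."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = SETTING_RE.match(line)
        if match is None:
            problems.append(f"line {lineno}: expected name:type:value, got {line!r}")
            continue
        # Assumption of this example: names are compared case-insensitively.
        name, kind, value = match.group(1).strip().lower(), match.group(2), match.group(3).strip()
        if kind == "i":
            if not re.fullmatch(r"-?\d+", value):
                problems.append(f"line {lineno}: {name} needs an integer, got {value!r}")
                continue
            value = int(value)
        if name in settings:
            problems.append(f"line {lineno}: {name} set more than once; last value kept")
        settings[name] = value
    return settings, problems


def check_settings(settings):
    """Check the display and redirection settings against the rules in the text."""
    findings = []
    for name in FLAGS:
        if name in settings and settings[name] not in (0, 1):
            findings.append(f"{name} must be 0 (disabled) or 1 (enabled), got {settings[name]!r}")
    width, height = settings.get("desktopwidth"), settings.get("desktopheight")
    if (width is None) != (height is None):
        findings.append("desktopwidth and desktopheight should be set together")
    for name, value in (("desktopwidth", width), ("desktopheight", height)):
        if value is not None and (not isinstance(value, int) or value <= 0):
            findings.append(f"{name} must be a positive integer, got {value!r}")
    return findings


def check_span_layout(monitors):
    """Check monitors, given as (left, top, width, height), against the spanning
    requirements: same resolution, horizontal alignment, total <= 4096 x 2048."""
    if not monitors:
        return ["no monitors given"]
    findings = []
    if len({(w, h) for _, _, w, h in monitors}) > 1:
        findings.append("monitors do not all have the same resolution")
    if len({top for _, top, _, _ in monitors}) > 1:
        findings.append("monitors are not aligned horizontally")
    total_w = sum(w for _, _, w, _ in monitors)
    total_h = max(h for _, _, _, h in monitors)
    if total_w > MAX_SPAN[0] or total_h > MAX_SPAN[1]:
        findings.append(
            f"total resolution {total_w} x {total_h} exceeds {MAX_SPAN[0]} x {MAX_SPAN[1]}"
        )
    return findings


if __name__ == "__main__":
    parsed, syntax_problems = parse_rdp(SAMPLE_RDP)
    for message in syntax_problems + check_settings(parsed):
        print("rdp file:", message)
    # Constructed client layout: two 1680 x 1050 monitors side by side.
    for message in check_span_layout([(0, 0, 1680, 1050), (1680, 0, 1680, 1050)]):
        print("layout:", message)
```

A line that fails to parse is reported and left out of the returned settings, which is why the sample also reports that desktopwidth is set without desktopheight.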


Introduction to a Standalone Instance and a Farm

Key Points

The TS server role service can be installed on a single server as a standalone instance. Alternatively, you can implement a TS farm comprising multiple terminal servers to facilitate load balancing in a large organization. Windows Server 2008 provides the TS Session Broker role service that allows administrators to load balance sessions between terminal servers in a farm. TS Session Broker stores information related to the state of a session. This information is used to distribute the sessions evenly between the terminal servers.

Question: What problems do you anticipate if a standalone instance is used as a terminal server in an organization having many branches?


Standalone Instance vs. Farm

A standalone instance is used in small organizations that require minimum administration. This environment usually includes one terminal server that is accessed by a few client computers.

Large organizations require a farm installation that caters to many branches. This type of environment requires multiple terminal servers that can be easily accessed by many client computers.


Lesson 2: Configuring the TS Settings

After installing the TS server role service, you can start configuring the TS settings according to your organization’s requirements. To take maximum advantage of TS, you need to plan which types of applications you need to run on the terminal server. You can even configure a specific program to start when you start a session on the terminal server. To enhance the performance of the terminal server, you can restrict the number of simultaneous remote connection sessions on the terminal server. You can configure these settings on TS by using the Terminal Services Configuration snap-in.


Demonstration: Configuring ‘Start Program on Connection’

Question: Which program would you want to launch at the start of a TS session in your organization?


Restricting Remote Connection Sessions

Key Points

It is a best practice to configure the maximum number of sessions that can connect to the server by using Group Policy. Any modifications in Group Policy should be validated before applying them to users and computers. As an administrator, you can invoke Group Policy by using the Active Directory Users and Computers snap-in on the computer that has the domain controller.

Note: The recommended practice is to limit users to one remote session.

Question: What kind of problems do users encounter when there are too many remote connections?


Configuring Other TS Settings

Key Points

The Terminal Services Configuration snap-in can be used to edit settings such as security, session timeouts, and encryption levels based on the connection. To configure RDP-Tcp Connections, you can use the following tabs in the RDP-Tcp Properties dialog box:

• General

• Log On Settings

• Sessions

• Environment

• Security


• Remote control

• Client Settings

• Network Adapter

Some best practices for using terminal servers:

• Install only specific services required in a branch office environment to minimize security risks.

• Configure the TS session broker role service that enables load balancing of sessions between terminal servers in a farm.

• Configure the license server discovery mode to ensure that the terminal server can obtain the required license from the license server.

For more information about configuring TS, see "Windows Server 2008 RC0 TS Session Broker Load Balancing Step-by-Step Guide" and "Configuring License Settings on a Terminal Services" on the Microsoft TechNet Web site.


Lab: Configuring TS Core Functionality

Overarching Scenario

You are the Windows Application Platform Services technology specialist for Woodgrove Bank, which has a presence in America, Europe, the Middle East, Africa (EMEA), and Asia. Woodgrove Bank's information technology (IT) department is responsible for maintaining the database, applications, user authentication, Group Policy, and permissions. It is also responsible for the performance of the server and enterprise infrastructure.

Currently, you are using simple RDP or any third-party utility to control the remote console. You install all programs on all client computers, which is time consuming. It is also difficult to maintain and upgrade all the applications on every individual machine. Therefore, the management has advised you to implement the Windows Server 2008 TS environment. Installing TS would increase productivity and ensure optimal utilization of the network bandwidth to access remote applications. As a technology specialist in Woodgrove Bank’s IT department, you have been tasked with installing and configuring the TS environment.


Exercise 1: Installing and Configuring the TS Server Role Service

Scenario

You receive a service request based on an enterprise administrator’s design to deploy a standalone instance of TS with core functions. You have to select an authentication method that will ensure that users can securely access applications over the network. You also want to optimize the administrative tasks that can be done by configuring SSO and WSRM. The end users require that the local machines display the Windows Vista desktop during the TS session. To enable this functionality, you need to configure RDC 6.1. The enterprise administrator has also requested you to provide enhanced program performance for users at the branch offices who access centralized data stores.

Exercise Overview

In this exercise, you will install and configure the TS core functionality at the New York head office.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator.

2. Install the TS server role service.

3. Configure authentication on the terminal server.

4. Configure the default credentials to be used on the terminal server.

5. Create a .rdp file and configure custom display.

6. Enable ClearType and Font smoothing.

7. Enable support for PnP redirection.

8. Install and configure WSRM.

9. Install the Desktop Experience.

10. Remotely connect to TS by using RDC.


Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 and log on with the default User ID WOODGROVEBANK\Administrator with the password Pa$$w0rd.

2. Verify the membership in the local administrators group in the Active Directory User and Group.

Note: Wait for the domain controller virtual machine, 6428A-NYC-DC1-01, logon screen to appear before starting 6428A-NYC-TS-01 VM.

3. Start 6428A-NYC-TS-01 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Confirm that 6428A-NYC-TS-01 is a member of the Woodgrove.com domain under Computers in the Active Directory User and Group.

Task 2: Install the TS server role service

1. On 6428A-NYC-TS-01, start Server Manager from the Administrative Tools menu.

2. Add the Terminal Services role in the Add Roles wizard.

3. On the Terminal Services page, configure the Terminal Server:

• Authentication Method: Network Level Authentication setting for a terminal server

• Licensing Mode: Per-User

• Select User Groups Allowed Access to This Terminal Server: Add NYC_MarketingGG nested in NYC under WoodgroveBank.com.

4. Confirm the installation of the TS role service in the Server Manager.


Task 3: Configure authentication on the terminal server

1. Start Terminal Services Configuration by using the tsconfig.msc command.

2. In the RDP-Tcp Properties dialog box, configure the authentication method to be used as SSL (TLS 1.0).

Task 4: Configure the default credentials to be used on the terminal server

1. Open the Local Group Policy Editor by using the gpedit.msc command.

2. On the Credentials Delegation page, enable Allow Delegating Default Credentials and add the 6428A-NYC-TS-01 server.

Task 5: Create a .rdp file and configure custom display

1. Create a .rdp file by using the TS RemoteApp Manager snap-in.

2. In the RemoteApp Wizard, verify that the location of the .rdp file is C:\Program files\Packaged Programs\mstsc.rdp.

3. Open the C:\Program files\Packaged Programs\mstsc.rdp file in a text editor.

4. Specify the following custom display settings:

desktopwidth:i:1680

desktopheight:i:1050

5. Enable monitor spanning by using Span:i:1.

Task 6: Enable ClearType and Font smoothing

1. In Control Panel, under Appearance and Personalization, enable ClearType.

2. Display the Remote Desktop Connection dialog box, and enable font smoothing on the Experience tab.


Task 7: Enable support for PnP redirection

1. Display the Remote Desktop Connection dialog box.

2. On the Options tab, under Local devices and resources, enable Devices that I plug in later.

Task 8: Install and configure WSRM

1. Start Server Manager. Under Features Summary, select Windows System Resource Manager.

2. Install Windows System Resource Manager by using the wizard.

3. Open the Windows System Resource Manager snap-in.

4. In the Connect to computer dialog box, enable WSRM to administer the local computer.

Task 9: Install the Desktop Experience

1. Start Server Manager. Under Features Summary, select Desktop Experience.

2. Install the Desktop Experience by using the wizard.

3. Confirm the installation of the Desktop Experience.

Task 10: Remotely connect to TS by using RDC

1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box by using the mstsc command.

2. Connect to NYC-TS by using the user ID WOODGROVEBANK\Baris and password Pa$$w0rd.

You will be connected to the terminal server remotely.

Results: After this exercise, you should have configured the TS settings.


Exercise 2: Configuring the TS Settings

Scenario

You have been tasked with configuring the TS settings to streamline the infrastructure and secure the database and applications on the terminal server. For this, you need to specify a program to start when a user logs on, limit users to a single remote session, and set default permissions for built-in accounts. To further ensure load-balancing in a TS farm environment, you need to configure the Session Broker settings and create a policy for the retention of the temporary folder.

Exercise Overview

In this exercise, you will configure the TS settings and the session broker settings.

The main tasks for this exercise are as follows:

1. Specify the program to start when a user logs on to a remote session.

2. Configure the TS settings by using the Terminal Services Configuration snap-in.

3. Modify the default permissions for built-in accounts.

4. Configure the Session Broker settings.

5. Shut down the virtual machines.

Task 1: Specify the program to start when a user logs on to a remote session

1. Start Terminal Services Configuration on 6428A-NYC-TS-01.

2. Under Connections, select RDP-Tcp and then display the Properties dialog box.

3. On the Environment tab, configure the Initial starting program setting as C:\Program Files\Packaged Programs\wordpad.


Task 2: Configure the TS settings by using the Terminal Services Configuration snap-in

• In the Terminal Services Configuration snap-in, under the Edit Settings area, verify the following are selected:

• Restrict each user to a single session

• Delete Temporary folder on exit

• Use Temporary folders per session

Task 3: Modify the default permissions for built-in accounts

1. Start WMI Console by using the wmimgmt.msc command.

2. Display the WMI Control Properties dialog box.

3. On the Security tab, modify the Read Security permission for Baris Centinok and change it to Allow.

Task 4: Configure the Session Broker settings

1. Start Terminal Services Configuration.

2. In the Edit settings area, under TS Session Broker, select:

• Member of farm in TS Session Broker

• Join a farm in TS Session Broker

• Participate in Session Broker Load-Balancing

3. Provide the server name as NYC-TS, the farm name as WoodGroveBank, and IP address as 10.10.0.23.


Task 5: Shut down the virtual machines

• Turn off each virtual machine that is running and discard changes.

Note: After this exercise, you should have configured the TS settings.


Lab Review


Module 2 Configuring and Managing Terminal Services Licensing

Contents:

Lesson 1: Configuring TS Licensing

Lesson 2: Managing TS Licenses

Lab Demonstration: Configuring and Managing TS Licensing


Module Overview

The TS licensing management system in Microsoft Windows Server 2008 includes some significant enhancements as compared to TS licensing in Microsoft Windows 2003.

After the TS server role service is installed in Windows Server 2008, users and devices require TS client access licenses (CALs) to connect to the terminal server. The TS licensing role service on the terminal server obtains these TS CALs from a TS license server.

This module introduces TS licensing and covers the steps to configure the license and terminal servers for issuing and managing licenses. The module also includes installing Per User and Per Device TS CALs on the license server as well as managing the licensing lifecycle.


Lesson 1: Configuring TS Licensing

The TS licensing role service is a license management system that manages TS CALs. You need to install the TS licensing role service on a server running Windows Server 2008. After installation, you are required to activate the license server. Only after activation can the license server issue TS CALs to devices or users that want to connect to the terminal server.

You can use the TS Licensing Manager snap-in to manage TS licensing.


TS Licensing Role

Key Points

In large organizations, the TS license server is different from the terminal server. An organization needs to deploy at least one license server to issue licenses to users and devices wanting to connect to the terminal server. A license server can concurrently serve many terminal servers.

Note: A terminal server running Windows Server 2008 cannot communicate with a license server running Windows Server 2003. A terminal server running Windows Server 2003 can, however, communicate with a license server running Windows Server 2008.

For more information about the TS Licensing role, see "TS Licensing" on the Microsoft TechNet Web site.


TS Licensing Manager Snap-In

Key Points

The TS Licensing Manager snap-in requires a minimum of 10 MB of CPU memory for its transactions. The license database increases by 5 MB with the issuance of every 6,000 TS CALs. The license server is active only when it receives a request for a TS CAL from the terminal server.

For more information about the TS Licensing Manager snap-in, see "TS Licensing" on the Microsoft TechNet Web site.


TS Client Access Licenses

Key Points

The two types of TS CALs, Per Device and Per User, are obtained as follows:

1. When a user or device connects to the terminal server, the terminal server first determines whether a TS CAL is required.

2. If a TS CAL is required, then the terminal server requests the CAL from the license server.

3. After receiving the TS CAL, the terminal server:

• Delivers the TS CAL to the client device in case of a Per Device TS CAL.

• Stores the information as part of the user account in the Active Directory Domain Services in case of a Per User TS CAL.


The Per Device TS CALs are issued statically to client machines, and the Per User TS CALs are issued to a user’s account and can be used from any device.

Tracking the TS Per User CAL issuances is supported only in domain-joined scenarios. Active Directory Domain Services is used for tracking the Per User TS CALs.

Note: Active Directory Domain Services can be based on either Windows Server 2008 or Windows Server 2003, and no updates to its schema are required for generating tracking reports of the Per User TS CALs.


Installing the TS Licensing Role Service

Key Points

The TS Licensing database should be located on the same computer on which the TS licensing role service is being installed.

The TS Licensing Manager snap-in is automatically installed when you install the TS licensing role service. You can also manage your license servers from a remote computer running Windows Server 2008 by installing the TS Licensing Manager snap-in on that computer.

You need to activate a license server only once. While waiting for the activation process to complete, the license server can issue temporary TS CALs that allow clients to use the terminal server for 120 days.


In addition, you need to configure the TS license server discovery scope to help the terminal servers discover the license server. The three discovery scopes are:

• Workgroup

• Domain

• Forest

Note: To install the TS Licensing role service, you should be a member of the Administrators group.

For more information about installing the TS Licensing role service, see "Activating a Terminal Services License Server" and "Terminal Services License Server Discovery" on the Microsoft TechNet Web site.


Configuring the Terminal Server for Licensing

Key Points

The TS licensing mode, Per Device or Per User, can be set:

• During the installation of the TS server role service.

• By using the Terminal Services Configuration snap-in.

• By using Group Policy.

The TS licensing discovery mode can be set:

• By using the Terminal Services Configuration snap-in.

• By using Group Policy.


• By using the automatic license discovery process where the terminal server contacts:

• First, the license servers configured by using the Terminal Services Configuration snap-in.

• Then, the license servers published in Active Directory Domain Services.

• Finally, the license servers installed on the domain controller within the same domain as the terminal server.

Note: The TS licensing mode on the terminal server should be the same as that on the license server.

Note: A user connecting to a terminal server in Per User licensing mode should have a TS Per User CAL. If the user does not have a TS Per User CAL for the terminal server, the terminal server will contact the license server for the required Per User CAL.

Question: Can you change the TS Per Device CAL to a TS Per User CAL on your license server?

For more information about configuring the terminal server for licensing, see "Configuring License Settings on a Terminal Server" on the Microsoft TechNet Web site.


Lesson 2: Managing TS Licenses

After installing and configuring the TS licensing role service, you need to manage the licensing lifecycle. For this, you will be required to track the issuance of the TS Per User CALs.

You might also need to judiciously revoke device licenses and reallocate them, as required. While managing the license server, you can troubleshoot licensing issues related to the license server by using the Review Configuration snap-in.


Managing TS Client Access Licenses

To manage the TS licensing, you can perform the following tasks by using the TS Licensing Manager snap-in:

• Change the properties such as the connection method used to communicate with the Microsoft Clearing House and the mandatory and optional information about your organization.

• Change the discovery scope: domain or forest.

• Review the configuration of the license server.

• Control the issuance of TS CALs.

• Track the issuance of TS CALs.

• Revoke the Per Device TS CALs.


• Deactivate and reactivate the license server.

• Locate the Microsoft ClearingHouse telephone number for your country or region to activate the license server.

Note: You cannot revoke a Per User TS CAL. After you have revoked a Per Device TS CAL, it will be immediately available for issuance to another device. Do not revoke licenses solely to ensure that there are enough licenses available to support the requirement.

Other generic tasks that you can perform to manage TS licensing are:

• Back up a TS license server

• Move TS licensing to a new server

• Uninstall the TS licensing role service

For more information about managing TS CALs, see "Managing TS Licensing" on the Microsoft TechNet Web site.


Troubleshooting Licenses

Key Points

You can use the Review Configuration tool to identify problems on the license server related to the:

• Discovery scope

• Issuance of the TS CALs to devices or users

• Tracking and reporting of the issuance of the TS CALs

You can use the Licensing Diagnosis tool to analyze the following information on the terminal server:

• Configuration of the terminal server

• License servers that the terminal server discovered

• Configuration information of the license servers

• Licensing issues with possible solutions


For more information about troubleshooting licenses, see "Troubleshooting TS Licensing Installation" and "Known Issues for TS Licensing Installation" on the Microsoft TechNet Web site.


Lab Demonstration: Configuring and Managing TS Licensing

Overarching Scenario

You have configured TS for Woodgrove Bank. To support the TS environment you need to install the TS licensing role. The TS licensing role will enable you to determine the TS client access licenses (CALs) that are required for each device or user to connect to the terminal server. You need to use this role to install, issue, and monitor the availability of TS CALs on a TS license server.


Demonstration: Configuring and Managing TS Licensing

The main tasks for configuring and managing TS licensing are as follows:

1. Install the TS Licensing role.

2. Add a new device to the HR group.

3. Activate the license server and install TS Per Device CALs by using the telephone.

4. Specify the TS Per Device mode on the terminal server.

5. Specify the TS licensing server discovery mode on the terminal server.

6. Revoke a Per Device CAL and make it available for a new device.

Task 1: Install the TS Licensing Role

1. On the terminal server, start Server Manager and install the TS Licensing role service.

2. On the Configure Discovery Scope for TS Licensing page, specify the discovery scope for TS Licensing as domain.

3. On the Configure Discovery Scope for TS Licensing page, specify the default location of the TS Licensing database.

Task 2: Add a new device to the HR group

1. On a client, add the computer you want to add to the domain WoodgroveBank.com on the Properties page of the computer.

2. On the domain controller, add the computer to the HR group in the Active Directory Users and Computers snap-in.

Task 3: Activate the license server and install TS Per Device CALs by using the telephone

1. On the terminal server, activate the license server in the TS Licensing Manager snap-in.

2. On the Connection Method page, select the connection method Telephone.


3. On the Country or Region Selection page, select your country/region.

4. Call Microsoft by using the telephone number that is displayed on the License Server Activation page, and then provide the Microsoft customer support representative with the Product ID that is displayed on your screen. The representative will also ask you to provide your name and the name of your company. The representative processes your request to activate the license server, and creates a unique ID for your license server.

5. Activate the license server with the ID and select the option to install the licenses now.

6. On the Obtain client license key pack page, use the telephone number that is displayed to call the Microsoft Clearinghouse, and give the representative your Terminal Services license server ID and the required information for the licensing program through which you purchased your TS CALs. The representative then processes your request to install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to as the license key pack ID.

7. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the license key pack ID provided by the representative into the boxes provided.

8. The Terminal Services license server can now issue TS CALs to clients that connect to a terminal server.

Task 4: Specify the TS Per Device mode on the terminal server

• On the terminal server, in the Terminal Services Configuration snap-in, under Licensing, specify the licensing mode as Per Device.

Task 5: Specify the TS licensing server discovery mode on the terminal server

• On the terminal server, in the Terminal Services Configuration snap-in, under Licensing, specify the license server to be used.


Task 6: Revoke a Per Device CAL

1. On the license server, in the TS Licensing Manager snap-in, under NYC-TS, select Windows Server 2008 - Installed TS Per Device CALs.

2. Select the TS Per Device CAL that you want to revoke.

3. Revoke the TS CAL by using the Action menu.

The Status column for the TS Per Device CAL will show a status of Revoked when the TS Licensing Manager display is refreshed.

Results: After this demonstration, you should have seen how to install the license server and add a device to the HR group. Then you saw how to activate the license server, and install TS CALs by using the telephone. Then you should have seen how to configure the Per Device mode and the licensing server discovery mode on the terminal server. Finally, you saw how to revoke a Per Device CAL.


Lab Review


Module 3 Configuring and Troubleshooting Terminal Services Connections

Contents:

Lesson 1: Configuring the TS Connection Properties

Lesson 2: Configuring the TS Connection Properties by Using Group Policy

Lesson 3: Troubleshooting TS Connections

Lab: Configuring and Troubleshooting the TS Connections


Module Overview

After configuring TS Licensing on the terminal server, you need to set the TS connection properties on the terminal server as well as the clients. This module introduces the connection properties that can be set by using either the Terminal Services Configuration snap-in or Group Policy.

Besides setting these properties, it is also important to configure the authentication and encryption levels for the TS connections between the terminal server and the clients.

When configuring the client settings, you might also want to enhance the user experience by enabling the Desktop Experience and Plug and Play (PnP) Device Redirection Framework.

In addition, configuring Single Sign-On (SSO) for user profiles can be helpful in reducing administrative effort.

As an administrator, you will also need to perform some checks to identify and troubleshoot connectivity issues.


Lesson 1: Configuring the TS Connection Properties

You can use the Terminal Services Configuration snap-in to configure and administer TS connection properties such as the maximum number of simultaneous connections and time-out and reconnection settings.

Using this snap-in, you can also configure authentication and encryption levels for clients to minimize security risks over remote connections. Also, configuring the Desktop Experience and enabling PnP device redirection help to enhance the user experience on TS.


Introduction to TS Properties

Key Points

In a TS environment, you can configure the TS properties such as the TS connection properties, device and resource redirection, remote session environments, session time limits, and user profiles. These TS properties can be configured both by administrators and standard users. The User Account Control (UAC) feature of Microsoft Windows Server 2008 displays a prompt for the credentials of an administrator or equivalent account.

If you are logged on as an administrator, you will be provided with two access tokens: an administrator token and a standard user access token. The administrator token is used only when you attempt to perform administrative tasks.


With the administrator token, you can change the system state, install software, turn off the firewall, install a service or drive, and configure the security policy. As a standard user, you are not allowed to perform the administrator tasks but you can install software on a per-user basis.

The TS properties can apply to users or computers. For example, on a client, you can enable or disable user profiles. You can also configure connection properties for the computer, such as allowing a process to run over a slow network connection.

On the server, you can configure settings for the computer, such as retain or delete temporary folders on exit. For users, you can configure settings that restrict them to a single remote session on the server.

Question: Configuring which TS settings helps enhance the performance of the terminal server?


Introduction to the TS Connection Properties

Key Points

You can use either Group Policy or the Terminal Services Configuration snap-in to configure the TS connection properties on the terminal server and clients. The TS connection properties set by using Group Policy always override the settings configured by using the Terminal Services Configuration snap-in.

The TS connection properties can be set for a specific user and at the server level. If both user and server settings are configured, the server settings take precedence.

By using the Terminal Services Configuration snap-in, you can configure:

• A new connection

• Automatic logon to the server by a user

• Authentication of the terminal server


With respect to connection permissions, for each connection, you can:

• Add users and groups to permission lists

• Change the permissions of a user or group

• Remove users or groups from the permission lists

For more information about configuring TS connection properties, see "Configure Terminal Services Connections" on the Microsoft TechNet Web site.


Configuring the Maximum Number of Simultaneous Connections

Key Points

The default TS settings allow an unlimited number of sessions to connect to the server. This affects the performance of the terminal server as multiple sessions demand system resources. To improve performance, therefore, you can restrict the number of sessions.

When using the Terminal Services Configuration snap-in to perform this procedure, you need to be a member of the administrators group on the local computer.

For more information about configuring maximum number of simultaneous connections, see "Specify a maximum number of sessions that can connect to the server" on the Microsoft TechNet Web site.


Demonstration: Configuring the Time-Out and Reconnection Settings

Question: Which connection setting can result in the loss of data at the client side?

For more information about configuring the time-out and reconnection settings, see "Configure Time-out and Reconnection Settings" on the Microsoft TechNet Web site.


Configuring Authentication and Encryption

Key Points

To configure the authentication and encryption levels for clients, you will require a certificate from a certification authority (CA).

In Windows Server 2008, the terminal server uses native Remote Desktop Protocol (RDP) for encryption. However, RDP does not authenticate the identity of the terminal server. You, therefore, need to configure the terminal server and clients to use Transport Layer Security (TLS) 1.0 for server authentication and encryption of the terminal server communications.

Note: You can enable TLS only by using the Terminal Services Configuration snap-in. You cannot use Group Policy to enable TLS authentication.


TLS authentication on a server requires:

• Microsoft Windows Server 2003 SP1

• A computer certificate by using the Web or Certificate Request wizard

TLS authentication on a client requires:

• Microsoft Windows 2000 or Microsoft Windows XP

• RDP 5.2, or later

• Certificate of the certification authority (CA) that issued the server certificate in the client’s Trusted Root Certification Authorities store

You can configure four levels of encryption by using the Terminal Services Configuration snap-in:

• Federal Information Processing Standard (FIPS)-compliant

• High

• Client Compatible

• Low

Question: Which encryption level is most commonly used in organizations?

For more information about configuring authentication and encryption, see "Configure Authentication and Encryption" on the Microsoft TechNet Web site.
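
The following PowerShell check is an added example, not part of the courseware. It reads the security layer and minimum encryption level of each RDP listener through the Win32_TSGeneralSetting WMI class and flags listeners that do not authenticate the server or that use a weaker encryption level. The helper name Test-TsListenerSecurity and the fallback sample listeners are assumptions made for this example.

```powershell
# Added example (not from the courseware): report how each RDP listener on a
# terminal server is configured for server authentication and encryption.

# Value meanings as documented for the Win32_TSGeneralSetting WMI class.
$SecurityLayerNames = @{
    0 = 'RDP Security Layer'   # native RDP encryption, server is not authenticated
    1 = 'Negotiate'            # TLS when the client supports it, otherwise native RDP
    2 = 'SSL (TLS 1.0)'        # server authenticated with its certificate
}
$EncryptionLevelNames = @{
    1 = 'Low'
    2 = 'Client Compatible'
    3 = 'High'
    4 = 'FIPS Compliant'
}

# Hypothetical helper: turns one listener setting into a report row with findings.
function Test-TsListenerSecurity {
    param([Parameter(Mandatory = $true)] $Setting)

    # WMI returns unsigned integers; cast so the hashtable lookups match.
    $layer = [int]$Setting.SecurityLayer
    $level = [int]$Setting.MinEncryptionLevel
    $findings = @()

    if ($layer -eq 0) {
        $findings += 'Native RDP security only: the client cannot verify the server identity.'
    } elseif ($layer -eq 1) {
        $findings += 'Negotiate: clients without TLS support fall back to native RDP security.'
    }
    if ($level -eq 1) {
        $findings += 'Low encryption: only client-to-server traffic is encrypted (56-bit).'
    } elseif ($level -eq 2) {
        $findings += 'Client Compatible: key strength depends on what the client supports.'
    }

    New-Object PSObject -Property @{
        Listener        = $Setting.TerminalName
        SecurityLayer   = $SecurityLayerNames[$layer]
        EncryptionLevel = $EncryptionLevelNames[$level]
        Findings        = $findings
    }
}

try {
    # On a terminal server: read the live listener settings (run elevated).
    $settings = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Authentication PacketPrivacy -ErrorAction Stop
} catch {
    # Anywhere else: constructed sample data so the logic can still be exercised.
    $settings = @(
        New-Object PSObject -Property @{ TerminalName = 'RDP-Tcp'; SecurityLayer = 0; MinEncryptionLevel = 2 }
        New-Object PSObject -Property @{ TerminalName = 'RDP-Tcp-TLS'; SecurityLayer = 2; MinEncryptionLevel = 3 }
    )
}

$settings | ForEach-Object { Test-TsListenerSecurity -Setting $_ } |
    Select-Object Listener, SecurityLayer, EncryptionLevel,
        @{ Name = 'Findings'; Expression = { $_.Findings -join ' ' } } |
    Format-List
```

A listener that reports SSL (TLS 1.0) with High or FIPS Compliant encryption produces no findings.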


Configuring the Desktop Experience

Key Points

To further enhance the user’s experience in TS, you can install and configure the Desktop Experience. For features such as Windows Media® Player and Desktop Themes, you will have to enable audio redirection. The audio redirection setting is available on the Client Settings tab in the Properties page of the required connection in the Terminal Services Configuration snap-in. You can also use Group Policy to configure this setting.

Note: The Sound Recorder feature of Microsoft Windows Vista is not supported by RDP. Desktop Experience does not enable any of the Windows Vista features automatically; you need to enable them manually.


Question: Which scenarios require audio data to be shared between the terminal server and client?

For more information about configuring the Desktop Experience, see "Remote Desktop Connection Display" on the Microsoft TechNet Web site.


Configuring the Plug and Play Device Redirection Framework

Key Points

You can control the PnP device redirection framework on the Client Settings tab in the Properties page of the required connection in the Terminal Services Configuration snap-in.

To redirect devices that use Microsoft Point of Service (POS) for .NET 1.11:

1. Install POS for .NET 1.11.

2. Install the .NET service objects or XML configuration files required by the POS for .NET device.

3. Stop and start the Terminal Services UserMode Port Redirector service in the Terminal Services Configuration snap-in.


Note: POS for .NET 1.11 device redirection is only supported if the terminal server is running an x86-based version of Windows Server 2008.

For more information about device redirection, see "Terminal Server Plug and Play Device Redirection Framework in Vista and Longhorn" on the Microsoft TechNet Web site.


Lesson 2: Configuring the TS Connection Properties by Using Group Policy

As an administrator, you might prefer to configure some connection properties by using Group Policy. The Group Policy settings override the settings configured by using the Terminal Services Configuration snap-in.

In addition to configuring TS connection properties, you can use Group Policy to configure the Single Sign-On (SSO) feature of Windows Server 2008. This feature helps reduce the administrative load significantly as it enables users to log on to multiple devices or services with a single set of credentials.


Using Group Policy to Configure the TS Connection Properties

Key Points

Although most TS connection properties can be set by using the Terminal Services Configuration snap-in, you might want to set these by using Group Policy. The choice of method can depend on the complexity of your TS environment. Using Group Policy is often considered to be a simpler approach to configuring TS, especially in an environment with multiple terminal servers and users.

By using Group Policy, you can configure properties such as the maximum number of sessions, encryption level, automatic start program, remote control, time-out and reconnection, and some other client settings such as connection drives and printers. In addition, you can also configure the following settings:

• Specifying the interval for the session to be kept alive and keeping it consistent with the client state

• Removing the Disconnect item from the Shut Down dialog box

• Disabling smart card device redirection


Question: What will happen if you disable a Remote Desktop connection by using the Group Policy setting while a user is connected to the target computer?

For more information about configuring TS properties by using Group Policy, see "Configure Group Policy Settings" on the Microsoft TechNet Web site.


Introduction to Single Sign-On

The security benefit provided by SSO is that a user needs to log on to the domain only once by using a password. Subsequently, the user will be authenticated on any server in the domain. For administrators, this feature minimizes the administrative effort required to maintain a user account.

For more information about SSO, see "Single Sign-On for Terminal Services" on the Microsoft TechNet Web site.


Considerations for Configuring Single Sign-On

Key Points

To configure SSO, you need to ensure that the client computers are either Windows Vista-based or Windows Server 2008-based, and that the users have appropriate rights to log on to both the client and the server. SSO can also be used on the client computers and terminal server that are part of a domain.

Note also that Windows Server 2008 provides the Credential Security Service Provider (CredSSP), which supports SSO. By using this feature, you can securely save your credentials for later use.


Note: SSO will not work on a server that cannot be authenticated by using Kerberos or a Secure Sockets Layer (SSL) certificate. If the terminal server connection is using a TS Gateway server, then in some cases the credentials of the TS Gateway will override the SSO settings.

For more information about considerations for configuring SSO, see "How to enable Single Sign-On for my Terminal Server connections" on the Microsoft Terminal Services Team Blog Web site.


Lesson 3: Troubleshooting the TS Connections

A number of connectivity issues can arise in a TS environment. While specific issues need to be handled by using specific methods, there are some troubleshooting steps that can help you determine common problems and rectify them.


Troubleshooting Connectivity Issues

Key Points

Depending on the connectivity problem, you can perform troubleshooting steps such as checking the RDP settings, analyzing event and error logs, and verifying licenses, policies, permissions, and encryption levels.

In addition, you can perform the following troubleshooting steps:

• Use the Terminal Services Manager to view users connected to the terminal server.

• Identify and fix connectivity problems between the terminal server and domain controller by using the ping command.

• Use the ping command to determine connectivity problems with other computers.

• Start the Device Manager by using the devmgmt.msc command, and check the status of the network adapter.


• Check the network indicator lights on the computer and the hub or router. Also, check the network cabling.

• Check the firewall settings by using the Windows Firewall with Advanced Security snap-in.

• Check the IPsec settings by using the IP Security Policy Management snap-in.

For example, if a user logon request is denied, as an administrator you can check if the Allow all connections option is selected on the General tab in the Terminal Services Configuration snap-in.

Another common connectivity issue is the failure of authentication when a user tries to reconnect to the terminal server. In this case, you can verify the user accounts connected to the terminal server on the Users tab in the Terminal Services Configuration snap-in.


Lab: Configuring and Troubleshooting the TS Connections

Overarching Scenario

You receive a service request from the enterprise administrator to configure the connection settings for TS. As an administrator, you need to configure connection permissions, SSO, client settings, and time-out and reconnection settings, as defined in the service request. These connection settings will enable you to efficiently manage connections to remote applications. To avoid overloading of the terminal server, you need to set permissions for all users and restrict the number of sessions.


Exercise 1: Configuring the TS Connection Properties

Scenario

The enterprise administrator is receiving many complaints about unauthorized users accessing the terminal server. Also some connections get disconnected automatically and users have a problem working with the applications on the terminal server. You receive a service request to modify the connection permissions of Baris, Bernard, and Anton.

Exercise Overview

In this exercise, you will configure the TS connection properties by using the Terminal Services Configuration snap-in.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and the 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.

2. Configure the TS connection properties by using the Terminal Services Configuration snap-in.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 and log on with the default login ID WOODGROVEBANK\Administrator by using the password Pa$$w0rd.

2. Start 6428A-NYC-TS-03 and log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd.

3. Verify that TS is installed on the 6428A-NYC-TS-03 virtual machine.

Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.


Task 2: Configure the TS connection properties by using the Terminal Services Configuration snap-in

1. On 6428A-NYC-TS-03, start the Terminal Services Configuration snap-in.

2. Verify that the remote control setting for default users is selected on the Remote Control tab in the RDP-Tcp Properties dialog box.

3. Configure the connection permissions for users as follows:

• Baris Cetinok: Deny permission to disconnect a connection

• Bernard Duerr: Allow all connection permissions

• Anton Kirilov: Allow permission to disconnect a connection

Results: After this exercise, you should have configured the connection properties.


Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy

Scenario

You have been tasked with restricting the maximum number of terminal sessions to two and configuring the TS connection setting to automatically reconnect to the server. In addition, you need to configure the RDP client connection security and encryption levels on the server. You want to configure the connection settings by using the Group Policy editor. These settings are critical to the performance of the TS and they will override any other settings that users might have configured by using the Terminal Services Configuration snap-in.

Exercise Overview

In this exercise, you will configure the TS connection properties by using Group Policy.

The main tasks for this exercise are as follows:

1. Configure the TS connection properties.

2. Verify that a maximum of two clients can connect to the terminal server.

Task 1: Configure the TS connection properties

1. On 6428A-NYC-DC1-01, start Group Policy Management by using the gpmc.msc command.

2. Create a new Group Policy Object (GPO) for the Marketing OU as GPO for TS Connection.

3. Start the Group Policy Management Editor, and configure the following:

• TS Maximum Connections allowed: 2

• Automatic reconnection: Enabled

• Set client connection encryption level: Enabled

• Encryption level: Client Compatible

• Set time limit for disconnected sessions: Enabled

• End a disconnected session: 5 minutes


Task 2: Verify that a maximum of two clients can connect to the terminal server

1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box by using the mstsc command.

2. Connect to Nyc-ts and log on as Baris with the password Pa$$w0rd.

3. Log on as a second user, Bernard, with the password Pa$$w0rd.

4. Log on as a third user, Anton, with the password Pa$$w0rd.

5. Observe that Anton gets a failed logon message.

Results: After this exercise, you should have configured the TS connection properties by using server Group Policy.
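One way to confirm that the Group Policy values from Task 1 are the ones in effect on the terminal server, as an added example that is not part of the course material. The registry paths and value names below are assumptions about where these policies and the snap-in store their settings; confirm them on your build before relying on the result.

```powershell
# Added example (not from the course): compare the effective RDP-Tcp settings
# on a terminal server with the values configured in Exercise 2, Task 1.
# Assumption: policy values are stored under $PolicyKey and snap-in values
# under $ListenerKey, with the value names listed in $Expected.
# Run in an elevated PowerShell session on the terminal server.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Lab values: 2 sessions, automatic reconnection on,
# Client Compatible encryption, 5 minutes (stored in milliseconds).
$Expected = @(
    @{ Name = 'MaxInstanceCount';      Value = 2 },
    @{ Name = 'fDisableAutoReconnect'; Value = 0 },
    @{ Name = 'MinEncryptionLevel';    Value = 2 },
    @{ Name = 'MaxDisconnectionTime';  Value = 300000 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-EncryptionLevelName {
    param($Level)
    # Maps the stored number to the four levels named in the snap-in.
    switch ([int64]$Level) {
        1 { 'Low' }
        2 { 'Client Compatible' }
        3 { 'High' }
        4 { 'FIPS-compliant' }
        default { "Unknown ($Level)" }
    }
}

$report = foreach ($entry in $Expected) {
    $policy   = Get-RegValue -Path $PolicyKey   -Name $entry.Name
    $listener = Get-RegValue -Path $ListenerKey -Name $entry.Name

    # A value delivered by Group Policy overrides the snap-in value.
    if ($null -ne $policy) {
        $effective = $policy;   $source = 'Group Policy'
    } elseif ($null -ne $listener) {
        $effective = $listener; $source = 'Snap-in (listener)'
    } else {
        $effective = $null;     $source = 'Not set'
    }

    New-Object PSObject -Property @{
        Setting   = $entry.Name
        Expected  = $entry.Value
        Effective = $effective
        Source    = $source
        Matches   = ($null -ne $effective) -and
                    ([int64]$effective -eq [int64]$entry.Value)
    }
}

$report | Select-Object Setting, Expected, Effective, Source, Matches |
    Format-Table -AutoSize

# Report the encryption level by name and flag anything weaker than the lab value.
$enc = $report | Where-Object { $_.Setting -eq 'MinEncryptionLevel' }
if ($null -ne $enc.Effective) {
    $name = Get-EncryptionLevelName $enc.Effective
    Write-Output "Encryption level: $name (from $($enc.Source))"
    if ([int64]$enc.Effective -lt 2) {
        Write-Warning 'Encryption level is Low, below the Client Compatible level set in the lab.'
    }
}
```

If a setting you configured in the GPO shows the snap-in as its source, the policy has not reached this computer; check that the GPO applies to the terminal server's computer account and run gpupdate /force before testing the session limit.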


Exercise 3: Configuring SSO by Using Client Group Policy

Scenario

As an administrator, you want to reduce your administrative tasks. Currently, you are spending a lot of time maintaining the user accounts that are connecting to the TS. You want to configure SSO to reduce the administrative effort.

Exercise Overview

The main task for this exercise is to configure SSO by using client Group Policy.

Task 1: Configure the SSO setting by using client Group Policy

1. On 6428A-NYC-DC1-01, start the Terminal Services Configuration snap-in by using the tsconfig.msc command.

2. In the RDP-Tcp Properties dialog box, select Security Layer as SSL (TLS 1.0).

3. Start the Local Group Policy Editor by using the gpedit.msc command.

4. Select the option Allow Delegating Default Credentials.

5. Add the server 6428A-NYC-TS-03 to the list of servers in the Show Contents dialog box.

Results: After this exercise, you should have configured SSO by using client Group Policy.


Exercise 4: Troubleshooting Connectivity Issues

Scenario

Users in the organization are having problems connecting to the terminal server. A user, Monika Buschmann, is unable to log on because her password has expired. You need to reset her password. Another user, Dana Birkby, is unable to connect to the Remote Desktop. Verify her user permissions. After updating the users' account settings, validate that the users can connect to the terminal server. Help Desk has verified that this is not a network connectivity issue from the client and that the firewall is also correctly configured.

Exercise Overview

In this exercise, you will troubleshoot connectivity issues.

The main tasks for this exercise are as follows:

1. Verify the RDP settings and check the event logs.

2. Verify the user and group permissions and policy settings.

3. Verify that the users are able to log on with the updated settings.

4. Shut down the virtual machines.

Task 1: Verify the RDP settings and check the event logs

1. On 6428A-NYC-TS-03, start TS RemoteApp Manager.

2. Verify that the RDP Port for NYC-TS.WoodgroveBank.Com is 3389.

3. Start Event Viewer by using the eventvwr command.

4. Check the details under Application.

Task 2: Verify the user and group permissions and policy settings

1. On 6428A-NYC-DC1-01, start the Active Directory Users and Computers snap-in.

2. Under Marketing, reset the password for Monika Buschmann to Pass@word1.


3. Start the Terminal Services Configuration snap-in. In the RDP-Tcp Properties dialog box, verify the permission settings for Dana Birkby and modify the settings to enable her remote connection.

4. Check that the Encryption Level is Client Compatible.

Task 3: Verify that users are able to log on with the updated settings

1. On 6428A-NYC-DC1-01, start Remote Desktop Connection by using the mstsc command.

2. Connect to Nyc-ts and log on as Monika with the password Pass@word1.

3. Log on as the second user, Dana, with the password Pa$$w0rd.

Task 4: Shut down the virtual machines

1. Turn off 6428A-NYC-DC1-01, and discard changes.

2. Turn off 6428A-NYC-TS-03, and discard changes.

Results: After this exercise, you should have used troubleshooting techniques to resolve connectivity issues.


Lab Review


Module 4 Configuring Terminal Services RemoteApp and Easy Print

Contents:

Lesson 1: Installing Applications

Lesson 2: Configuring RemoteApp Programs

Lesson 3: Configuring Printers

Lab: Configuring TS Resources


Module Overview

Before installing programs on the terminal server, it is important that you are familiar with the types of applications that can be installed and considerations for installing these applications. This module provides an overview of TS RemoteApp programs that can be remotely accessed through TS, advantages of using these programs, and the methods used to deploy them.

The module also introduces TS Easy Print, which facilitates printer redirection over a TS session.


Lesson 1: Installing Applications

You can install any Windows-based application on a terminal server. However, running some of these applications might affect the performance of the terminal server. Therefore, it is important to bear in mind some key considerations for installing these applications.


Types of Applications

Key Points

Terminal servers support off-the-shelf, custom, and line of business (LOB) applications. You can also install applications that use application virtualization technologies.

Application virtualization isolates an application from the underlying operating system. The application runs in a virtualized environment and does not need to be installed on or interact with the underlying operating system.

Windows Server 2008 TS provides a functionality that facilitates central hosting of client applications by using a virtualization technique called presentation virtualization. Using this technique, the keyboard and mouse inputs are directed to the server, and the video output is sent to the client over a network connection.


Considerations for Installing Applications

Key Points

Although all Windows-based applications run on a terminal server, you need to remember that some 16-bit applications require more RAM than others. These applications may affect the performance of other applications.

Also note that all applications on the terminal server should be installed by using the Windows installer.

Note: Most programs have been tested for compatibility, and scripts are available for those that require some minor changes to the installation. These scripts are located in the System root, in the following path: \Application Compatibility Scripts\Install. You need to run these scripts after the installation of the program is completed.


Note: It is recommended that you avoid installing Microsoft DOS-based applications in a TS environment because these applications require frequent keyboard checks that use a lot of CPU memory. Applications accessing INI files also cause problems in a TS environment, owing to the frequent changes in the INI files.

For more information about considerations for installing applications, see "Build Your Skills: How to Optimize Apps to Run in Terminal Services" on the TechRepublic.com Web site.


Lesson 2: Configuring RemoteApp Programs

TS RemoteApp programs are applications that can be accessed remotely through TS. Using RemoteApp programs, organizations can provide access to Windows-based applications from any location to any computer or user.

These RemoteApp programs can be deployed by using TS Web Access, Windows installer package (.msi file), or Remote Desktop Protocol (.rdp file).


Introduction to TS RemoteApp Programs

Key Points

In Windows Server 2008 TS, a RemoteApp program is integrated with the client's desktop and runs in its own resizable window with its own entry on the taskbar. A RemoteApp program that uses a notification area icon displays the icon in the client's notification area.

Using RemoteApp programs, the popup windows can be redirected to the local desktop and the local drives and printers can be redirected to appear in the RemoteApp program.


Question: You want to access multiple programs running on the terminal server at the same time. How many terminal server sessions will be required to run multiple RemoteApp programs?

For more information about TS RemoteApp programs, see "Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.


Advantages of Using RemoteApp Programs

Key Points

Using TS RemoteApp programs minimizes the overall administrative effort, enhances user experience, and facilitates running different programs on multiple desktops.

You can use TS RemoteApp programs in the following scenarios:

• For users who need to access applications from remote locations

• In an organization having many branches with limited local IT support and bandwidth

• In companies that have LOB applications, which need to be deployed on computers with different configurations


• For users who need to use different versions of a program

• For users who are mobile and need to work from different computers and/or locations

Question: What is the scenario in your organization and how will the implementation of RemoteApp programs assist you?


Methods for Deploying RemoteApp Programs

Key Points

Depending on the deployment method used (TS Web Access, .msi file, or .rdp file), you can access RemoteApp programs by:

• Clicking a link to the program on a Web site

• Double-clicking a .rdp file created by the administrator through a file share

• Double-clicking a program icon created by an administrator on the desktop or in the Start menu of the client computer

• Double-clicking a file with a file name extension that is associated with the RemoteApp program through a file share

Question: Can you access a RemoteApp program by using Internet Explorer?


Using TS Web Access to Deploy RemoteApp Programs

Key Points

TS Web Access provides access to RemoteApp programs through a Web page over the Internet or an intranet.

When using TS Web Access to deploy RemoteApp programs, you first need to install the required RemoteApp programs and verify the remote connection settings on the terminal server. Then, you need to add the programs to the RemoteApp Programs list in the TS RemoteApp Manager. The TS RemoteApp Manager is then used to configure the following global settings that will apply to all RemoteApp programs:

• Terminal server

• TS Gateway

• Common Remote Desktop Protocol (RDP)


• Custom RDP

• Digital signature

You can then install the TS Web Access role service by using the Server Manager snap-in.

If the TS Web Access server is different from the terminal server that hosts the RemoteApp programs, then you need to add the computer account of the TS Web Access server to the TS Web Access Computers security group on the terminal server. You can add the computer account by using the Computer Management administrative tool on the terminal server.

Finally, you can specify the data source or the terminal server from which to populate the RemoteApp programs list. For this you can connect to the TS Web Access Web site. By using the Configuration tab on the site, you can enter the name of the terminal server that you want to use as the data source.

Note: You can use a digital signature to sign .rdp files for connecting RemoteApp programs to the terminal server. The client must be running RDC 6.1.

Note: Windows Installer packages or MSI packages are made available by using a file share, Microsoft Systems Center Configuration Manager, or Active Directory software distribution. These methods enable you to make RemoteApp programs available to users without using TS Web Access.

For more information about using TS Web Access for deploying RemoteApp programs, see "Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.


Considerations for Connecting to TS Web Access

Key Points

Clients connecting to TS Web Access must be running Windows Server 2008, Windows Vista, or Windows XP and must have the TS ActiveX client control approved by a standard user.

In case of any problems in connecting to TS Web Access from the client computer, you can use the Manage Add-ons tool available on the Tools menu of Internet Explorer. The add-on will be displayed as Microsoft Terminal Services Client Control.

On Windows XP SP3, you might need to modify the registry to enable the ActiveX control.

Note: RDC 6.1 is included in Vista SP1 and XP SP3.


Demonstration: Using an MSI File to Deploy RemoteApp Programs

Question: Why is it important to view the associated file name extensions for programs on the terminal server?


Lesson 3: Configuring Printers

TS Easy Print is a new feature in Windows Server 2008 TS. This feature enables users to print to the correct printer on the client computer from a RemoteApp program or from a remote desktop connection to a terminal server. TS Easy Print simplifies printer redirection as it requires only Group Policy to be configured.


TS Easy Print

Key Points

TS Easy Print redirects all print jobs from a TS session to the client computer without the need to install any printer driver on the terminal server.

In addition, it provides enhanced enumeration performance by listing only the printers that are available for a particular session instead of all the redirected printers.

Note: The Group Policy setting applies to both TS Easy Print and legacy fallback. TS Easy Print is the default behavior; however, it coexists with the legacy fallback behavior of Windows Server 2003 RTM.

For more information about TS Easy Print, see "Terminal Services Printing" on the Microsoft TechNet Web site.


Considerations for Using TS Easy Print

Key Points

Client computers using TS Easy Print must be running either Windows Vista or Windows XP. If, however, these computers do not support Easy Print, then the local and network printer drivers will have to be installed on the terminal server. If you are using a third-party printer driver, then that driver needs to be signed by Windows Hardware Quality Labs (WHQL). The third-party printer driver should be compatible with Windows Server 2008 to run without any connectivity problems.

On client computers that do not support TS Easy Print, printing defaults to the behavior in Windows 2003 and prior to Windows 2000.

Configuring Group Policy for Printer Redirection

Key Points

Windows Server 2008 has introduced a new Group Policy that is available in the Group Policy Management snap-in. The policy is located under the Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection node. The policy is named Redirect only the default client printer.

The possible values for this Group Policy setting are:

• Enabled or Not Configured

• Disabled

By enabling this policy, you can ensure that only the TS client’s default printer is redirected on the terminal server. This policy will function from any version of the TS client.

Lab: Configuring TS Resources

Overarching Scenario

Woodgrove Bank is launching a new investment scheme to benefit the underprivileged. The management has prepared a presentation that needs to be distributed to all the members of the Marketing group. The IT department is responsible for deploying the presentation on the terminal server so that it is accessible to all the members of the Marketing group.

As a technology specialist in Woodgrove Bank’s IT department, you have been tasked with installing Microsoft PowerPoint Viewer on the terminal server and making it available as a RemoteApp program. You also need to ensure that members are able to print the presentation if required.

Exercise 1: Configuring and Deploying TS RemoteApp Programs

Scenario

You receive a service request from the enterprise administrator to install PowerPoint Viewer on the terminal server. You need to create a RemoteApp program link to PowerPoint Viewer for the Marketing group because they need to use the application to view the presentation of the new investment scheme.

Exercise Overview

In this exercise, you will install TS Web Access and create a link to PowerPoint Viewer for the Marketing group.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.

2. Install the TS Web Access role service.

3. Add the computer account of the TS Web Access server to the security group.

4. Specify the data source.

5. Install PowerPoint Viewer.

6. Add the PowerPoint Viewer program in the RemoteApp Programs list.

7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.

8. Determine if the RemoteApp program is enabled for TS Web Access.

9. Configure the TS Web Access server to allow access from the Internet.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.

2. Start 6428A-NYC-TS-03 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.

Task 2: Install the TS Web Access role service

1. On 6428A-NYC-TS-03, start Server Manager and display the Add Role Services link.

2. Add the TS Web Access role service by using the Select Role Services page.

Task 3: Add the computer account of the TS Web Access server to the security group

1. On 6428A-NYC-TS-03, start the Computer Management snap-in.

2. Under the Local Users and Groups node, select the group TS Web Access Computers, and add the computer NYC-TS.

Task 4: Specify the data source

1. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.

2. Log on to the site as WoodgroveBank\Administrator using the password Pa$$w0rd.

3. Use the Configuration tab on the title bar to name the terminal server as NYC-TS.

Task 5: Install PowerPoint Viewer

1. Display the command prompt and enter change user /install.

2. Use Control Panel to install the application on the terminal server.

3. Install the PowerPointViewer.exe from E:\Tools.

Task 6: Add the PowerPoint Viewer program in the RemoteApp Programs list

1. Start TS RemoteApp Manager.

2. Use the RemoteApp wizard to add PowerPoint Viewer to the RemoteApp Programs list page.

3. Verify that the RemoteApp program, Microsoft Office PowerPoint Viewer 2007, is available through TS Web Access.

Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp program

1. In the TS RemoteApp Manager, in the RemoteApp Programs list, select Microsoft Office PowerPoint Viewer 2007.

2. Create a .rdp file for Microsoft Office PowerPoint Viewer 2007 by using the RemoteApp Wizard and on the Specify Package Settings page, verify the following settings:

• Location of the program: C:\Program Files\Packaged Programs

• Terminal server: NYC-TS.WoodgroveBank.com

• Server authentication: Yes

• Port: 3389

Task 8: Determine if the RemoteApp program is enabled for TS Web Access

1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that Microsoft Office PowerPoint Viewer 2007 is available through TS Web Access.

2. Start Internet Explorer.

3. Access the URL http://NYC-TS/TS.

4. Provide the user credentials as WoodGroveBank\Baris with the password Pa$$w0rd.

Task 9: Configure the TS Web Access server to allow access from the Internet

1. On 6428A-NYC-TS-03, start Internet Information Services (IIS) Manager.

2. Enable Windows Authentication.

Results: After this exercise, you should have installed the PowerPoint program and created a link to C:\Program Files\Packaged Programs.

Exercise 2: Configuring TS Easy Print

Scenario

The Marketing group wants to print documents remotely. They might also want to print the investment scheme presentation. You receive a service request from the server administrator to ensure that TS Easy Print on the terminal server is used as the default printer driver on the client computers.

Exercise Overview

The main tasks for this exercise are as follows:

1. Configure the printer redirection settings.

2. Shut down the virtual machines.

Task 1: Configure the printer redirection settings

1. On 6428A-NYC-DC1-01, start Group Policy Management.

2. Create a GPO, GPO for RDP link, for Marketing.

3. Under Printer Redirection, enable:

• Use Terminal Services Easy Print printer driver first.

• Redirect only the default client printer.

Task 2: Shut down the virtual machines

• Turn off each virtual machine that is running and discard changes.

Results: After this exercise, you should have configured TS Easy Print and the client print driver should have been redirected to TS.

Lab Review

Module 5: Configuring Terminal Services Web Access and Session Broker

Contents:

Lesson 1: Installing TS Web Access

Lesson 2: Configuring TS Session Broker

Lab: Configuring TS Web Access and Session Broker

Module Overview

TS Web Access is a role service that allows you to access TS RemoteApp™ programs on a Microsoft Windows Server 2008-based terminal server through a Web browser. This role service allows you to remotely connect to the desktop of any computer that provides Remote Desktop access.

This module introduces TS Web Access and covers the considerations for installing this role service followed by the steps to install and configure RemoteApp programs by using TS Web Access. The module also describes the procedure to connect to the Remote Desktop Web by using TS Web Access.

The module finally covers another role service, TS Session Broker, which facilitates reconnecting to an existing session in a load-balanced terminal server farm.

Lesson 1: Installing TS Web Access

With TS Web Access, you can easily access a list of RemoteApp programs from a Web site on the Internet or intranet. When you start a RemoteApp program, a TS session is started on the terminal server that hosts the application.

The TS Web Access page includes the TS Web Access Web part that displays the list of RemoteApp programs. This Web part can be included on a customized Web page of an organization or can be incorporated in a Microsoft Windows SharePoint Services (WSS) Web site.

Introduction to TS Web Access

Key Points

TS Web Access in Windows Server 2008:

• Allows users to run multiple RemoteApp programs on the same terminal server in the same TS session

• Provides for centralized and easy remote administration and maintenance

TS Web Access in Windows Server 2008 also includes the Remote Desktop Web Connection feature, which enables users to connect to the desktop of remote computers.

This feature is available as a Remote Desktop tab on the TS Web Access Web page. Remote Desktop Web Connection is installed as part of the TS Web Access role service and is not an optional component of Microsoft Internet Information Services (IIS) 7.0.

Note: TS Web Access does not route Remote Desktop Protocol (RDP) over the Internet. To connect to RemoteApp programs over the Internet, TS Gateway is used in conjunction with TS Web Access.

For more information about TS Web Access, see "Terminal Services Web Access (TS Web Access)" on the Microsoft TechNet Web site.

What's Different in Windows Server 2008 TS Web Access?

Key Points

TS Web Access in Windows Server 2008 replaces the TS Web Connection software available with Microsoft Windows Server 2003. An important point to note is that accessing TS Web Access does not require a separate ActiveX control to be downloaded. The required ActiveX control is included in Remote Desktop Connection (RDC) 6.1.

Considerations for Installing TS Web Access

Key Points

Before installing TS Web Access in Windows Server 2008, you need to ensure that the client computers are running either Windows Server 2008 or Microsoft Windows Vista with SP1.

RDC 6.1, a necessary component for running TS Web Access, is included with Windows Server 2008 and Windows Vista with SP1.

Deploying the TS Web Access Web Part

Key Points

The list of RemoteApp programs that appears on the TS Web Access Web part is taken from a single terminal server that is specified by an administrator. This list is dynamically updated.

You can deploy the Web part as part of a customized Web page by using an ActiveX control and Active Server Pages (ASP).

To add the TS Web Access Web part to a WSS site, ensure that the server is running the release to manufacturing (RTM) version of Windows Server 2008 Standard. This feature does not work properly with Windows Server 2008 Release Candidate (RC)1.

For more information about the steps used to add the TS Web Access Web part to a WSS Web site, see the document "Customizing TS Web Access by Using Windows SharePoint Services" on the Microsoft Web site.

Installing and Configuring RemoteApp Programs by Using TS Web Access

To configure RemoteApp programs on the terminal server:

1. Install the programs required on the terminal server.

2. Verify existing remote connections or change remote connection settings as required.

To enable RemoteApp programs for TS Web Access:

1. Add the programs that you want to display in the RemoteApp Programs list.

2. Configure the following:

• Terminal server deployment settings

• TS Gateway deployment settings

• RDP settings for RemoteApp connections

• Custom RDP settings for RemoteApp connections

• Digital signature to sign the .rdp files
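The package settings verified in the Module 4 lab (terminal server, port, server authentication) and the signing option in the list above all end up as lines in the generated .rdp file. The following Python code is an added example, not part of the course material: it parses such a file and reports the settings a reviewer would want to catch before the file is distributed. The sample file content and the choice of settings that must fall inside the signed scope are assumptions, and the code checks only that a signature and its scope are present, not that the signature is cryptographically valid.

```python
import codecs

# Constructed sample of a RemoteApp .rdp file for the lab's terminal server.
# The values are illustrative; they were not captured from the lab machines.
SAMPLE_RDP = """\
full address:s:NYC-TS.WoodgroveBank.com
server port:i:3389
authentication level:i:2
remoteapplicationmode:i:1
remoteapplicationprogram:s:||PPTVIEW
remoteapplicationname:s:Microsoft Office PowerPoint Viewer 2007
drivestoredirect:s:*
"""

# Assumption of this example: settings that must be inside the signed scope.
MUST_BE_SIGNED = ("full address", "server port", "remoteapplicationprogram")


def decode_rdp_bytes(data):
    """Decode raw .rdp bytes; files are often UTF-16 with a BOM, sometimes UTF-8."""
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict; type 'i' values become int."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError("malformed .rdp line: %r" % raw)
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2]
        settings[name] = int(value) if kind == "i" else value
    return settings


def audit_rdp(settings, expected_host, expected_port=3389):
    """Return a list of (severity, code, message) findings for one parsed file."""
    findings = []
    host = str(settings.get("full address", ""))
    if host.lower() != expected_host.lower():
        findings.append(("high", "HOST_MISMATCH",
                         "full address %r is not the approved server" % host))
    port = settings.get("server port", 3389)  # RDP uses 3389 unless changed
    if port != expected_port:
        findings.append(("high", "PORT_MISMATCH", "server port is %r" % port))

    level = settings.get("authentication level")
    if level is None:
        findings.append(("medium", "AUTH_UNSET",
                         "authentication level not set; the client default applies"))
    elif level == 0:
        findings.append(("high", "AUTH_NOT_ENFORCED",
                         "connects without warning if server authentication fails"))
    elif level not in (1, 2):
        findings.append(("medium", "AUTH_UNKNOWN",
                         "authentication level %r is not 1 (refuse) or 2 (warn)" % level))

    if "signature" not in settings:
        findings.append(("medium", "UNSIGNED", "file carries no signature"))
    else:
        scope = {s.strip().lower()
                 for s in str(settings.get("signscope", "")).split(",") if s.strip()}
        for name in MUST_BE_SIGNED:
            if name in settings and name not in scope:
                findings.append(("high", "OUTSIDE_SIGNSCOPE",
                                 "%s is not covered by the signature" % name))

    if settings.get("drivestoredirect") == "*":
        findings.append(("medium", "ALL_DRIVES",
                         "every client drive is redirected into the session"))
    return findings


if __name__ == "__main__":
    for severity, code, message in audit_rdp(parse_rdp(SAMPLE_RDP),
                                             "NYC-TS.WoodgroveBank.com"):
        print(severity, code, message)
```

To audit a real package, read the file in binary mode and pass the bytes through `decode_rdp_bytes` before `parse_rdp`.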

To install TS Web Access on the server:

1. Install the TS Web Access role service.

2. Populate the TS Web Access Computers security group.

3. Specify the terminal server with the RemoteApp programs list on the TS Web Access Web part.

All remote programs on the terminal server or farm configured for TS Web Access appear on the TS Web Access Web site.

Question: Which RemoteApp programs would you prefer to include on the TS Web Access Web part in your organization?

For more information about installing and configuring RemoteApp programs by using TS Web Access, see “Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide” on the Microsoft TechNet Web site.

Connecting to Remote Desktop Web by Using TS Web Access

Key Points

If you are an administrator, you can specify whether the Remote Desktop tab on the TS Web Access Web page is available to users by using the IIS Manager. You can also configure settings such as the TS Gateway server, authentication method, and default device and resource redirection options.

By default, server authentication is enabled for the Remote Desktop Web connection.

To connect to the remote computer:

• The computer must be configured to accept Remote Desktop connections.

• The user must be a member of the Remote Desktop Users group on the remote computer.

Note: You can also configure the settings for the Remote Desktop Web connection by changing the %windir%\Web\ts\Web.config file in Notepad.

Question: What are the advantages of using the Remote Desktop Web connection in a branch scenario?

Lesson 2: Configuring TS Session Broker

In a farm environment, you can use the TS Session Broker role service to balance the load among the terminal servers. By using TS Session Broker, you can distribute the sessions such that the more powerful terminal servers take more load than the less powerful terminal servers.

Introduction to TS Session Broker

Key Points

In Windows Server 2008, TS Session Broker provides session-based load balancing as compared to connection-based Network Load Balancing (NLB) in Windows Server 2003. However, Windows Server 2008 continues to support third-party NLB configurations of Windows 2003.

TS Session Broker works through the following two phases:

• In the first phase, the connections are distributed to the terminal servers by using a load balancing mechanism such as Domain Name System (DNS) round robin. The terminal server in turn then queries TS Session Broker for redirection.

• In the second phase, the terminal server redirects the user connections to the terminal server specified by TS Session Broker.

Note: The TS Session Directory feature available in the previous versions is called TS Session Broker in Windows Server 2008.

For more information about TS Session Broker, see "Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide" on the Microsoft TechNet Web site.

Prerequisites for Configuring TS Session Broker

Key Points

Windows Server 2003 terminal servers cannot use the TS Session Broker load balancing feature.

As a best practice, you should install the TS Session Broker role service on a back-end infrastructure server, such as a file server. This ensures that the service will not be affected when you need to perform maintenance on the terminal servers in the farm.

To use the TS Session Broker role service, the terminal servers should be members of the Session Directory Computers local group. This group is located on the TS Session Broker server.
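The two-phase redirection described in the lesson and the group-membership prerequisite above can be traced in a small model. This is an added example, not Microsoft's implementation or part of the course: the weights, the rule of picking the server with the fewest sessions per unit of weight, and the server name NYC-TS-99 are assumptions made for illustration.

```python
import itertools


class SessionBroker:
    """Simplified model of TS Session Broker (not Microsoft's implementation)."""

    def __init__(self, weights, group_members):
        self.weights = dict(weights)             # server -> relative weight (constructed)
        self.group_members = set(group_members)  # stands in for Session Directory Computers
        self.sessions = {}                       # user -> server that holds the session

    def session_count(self, server):
        return sum(1 for s in self.sessions.values() if s == server)

    def query(self, asking_server, user):
        """Answer a terminal server's redirection query for one user."""
        if asking_server not in self.group_members:
            # Servers outside the local group cannot use the broker.
            raise PermissionError(
                "%s is not in Session Directory Computers" % asking_server)
        if user in self.sessions:
            # Existing session: send the user back to the server that holds it.
            return self.sessions[user]
        # New session: fewest sessions per unit of weight wins (ties by name).
        candidates = sorted(self.group_members & set(self.weights))
        target = min(candidates,
                     key=lambda s: self.session_count(s) / self.weights[s])
        self.sessions[user] = target
        return target


class Farm:
    """The farm as the client sees it: one name, several terminal servers."""

    def __init__(self, broker, dns_records):
        self.broker = broker
        self._round_robin = itertools.cycle(dns_records)  # DNS round robin stand-in

    def connect(self, user):
        first = next(self._round_robin)          # phase 1: initial distribution
        target = self.broker.query(first, user)  # first server asks the broker
        return first, target                     # phase 2: first redirects to target


def simulate():
    """Six users connect to a two-server farm where NYC-TS has twice the weight."""
    broker = SessionBroker({"NYC-TS": 2, "NYC-WEB": 1}, ["NYC-TS", "NYC-WEB"])
    farm = Farm(broker, ["NYC-TS", "NYC-WEB"])
    for n in range(1, 7):
        farm.connect("user%d" % n)
    return broker, farm


if __name__ == "__main__":
    broker, farm = simulate()
    print({s: broker.session_count(s) for s in sorted(broker.weights)})
    # A returning user lands on whichever server DNS hands out, then is
    # redirected to the server that already holds the session.
    print(farm.connect("user2"))
    try:
        broker.query("NYC-TS-99", "user7")       # hypothetical server outside the group
    except PermissionError as exc:
        print("refused:", exc)
```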

Demonstration: Configuring TS Session Broker

Question: You need to configure the IP addresses for reconnection. What precaution do you need to take to include the terminal servers running Windows Server 2003?

Lab: Configuring TS Web Access and Session Broker

Overarching Scenario

The Marketing group of Woodgrove Bank has prepared a presentation about a new product by using Microsoft PowerPoint. This presentation should be available on a Web site to all users of this group. The Finance group has also prepared a presentation on the current financial position of the organization. The management wants users from the Finance group to access this presentation from the WSS Web site.

To manage all the traffic on the Web servers in the farm, the enterprise administrator wants to implement TS Session Broker.

Exercise 1: Configuring TS RemoteApp Programs for TS Web Access

Scenario

You receive a service request from the enterprise administrator to create a link to Microsoft Office PowerPoint Viewer 2007 on the terminal server. This link should be available to all users of the Marketing Group through a Web browser. To enable this, you need to create the link to PowerPoint Viewer that can be accessed through the TS Web Access Web site.

Exercise Overview

In this exercise, you will install and configure the TS Web Access role service on the terminal server and create a .msi file for PowerPoint Viewer. A link for this .msi file needs to be created so that the marketing group can access it through a Web browser.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator.

2. Install the TS Web Access role service.

3. Determine if the RemoteApp program is enabled for TS Web Access.

4. Create an MSI file.

5. Create a link to the TS RemoteApp program on the terminal server.

6. Verify that the link is functional and available through the Web browser.

Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

2. Start 6428A-NYC-TS-05, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

3. Start 6428A-NYC-WEB-05, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

Task 2: Install the TS Web Access role service

1. In the Server Manager snap-in on 6428A-NYC-TS-05, under Role Summary, add the TS Web Access role service.

2. Start the Computer Management snap-in.

3. In the left pane on the Computer Management page, under the Local Users and Groups node, select TS Web Access Computers, and add the NYC-TS computer.

4. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.

5. Log on to the site as Woodgrovebank\Administrator by using the password Pa$$w0rd.

6. Add the site to trusted sites.

7. Use the Configuration tab on the title bar to name the terminal server as NYC-TS.

Task 3: Determine if the RemoteApp program is enabled for TS Web Access

1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.

2. In the RemoteApp Programs list, verify that Microsoft Office PowerPoint Viewer 2007 is available through TS Web Access.

Task 4: Create an MSI file

1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.

2. In the RemoteApp Programs list, select the program Microsoft Office PowerPoint Viewer 2007.

3. In the Actions pane, select the option to create the Windows Installer package by using the RemoteApp Wizard.

Task 5: Create a link to the TS RemoteApp program on the terminal server

1. In the TS RemoteApp Manager, in the RemoteApp Programs list, verify that a Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint Viewer.

2. Start Internet Explorer and type the URL as http://NYC-TS/ts.

3. Display the Connect to nyc-ts dialog box, and provide the user credentials as WoodGroveBank\Bernard with password Pa$$w0rd.

4. Add the URL to trusted sites.

5. On 6428A-NYC-TS-05, start the Internet Information Services (IIS) Manager and specify the default Web site as TS.

6. To configure TS Web Access server to allow access from the Internet, verify that Windows Authentication is enabled.

Task 6: Verify that the link is functional and available through the Web browser

1. On 6428A-NYC-WEB-05, verify that you are logged on as WoodgroveBank\Administrator with the password Pa$$w0rd.

2. Start Internet Explorer and type the URL as http://NYC-TS/ts.

3. In the Connect to NYC-TS dialog box, provide the user name as WoodgroveBank\Bernard and password as Pa$$w0rd.

4. Observe that Microsoft Office PowerPoint is listed in the remote application programs list.

Results: After this exercise, you should have installed TS Web Access on the terminal server, created an MSI file for the remote program, created a link to the remote program, and verified that the link is functional through Internet Explorer.

Exercise 2: Customizing TS Web Access by Using WSS

Scenario

The enterprise administrator has tasked you with customizing the TS Web Access Web part to provide a link to Microsoft PowerPoint Viewer and adding the Web part to a WSS Web site. Users from the Finance group should be able to access this link so that they can view the PowerPoint presentation put up by the group.

Exercise Overview

In this exercise, you will create a customized Web part and export it to a WSS Web site.

The main tasks for this exercise are as follows:

• Add a Web Part to a WSS site.

Task 1: Add a Web Part to a WSS site

1. On 6428A-NYC-WEB-05, visit the SharePoint 3.0 Central Administration Web site.

2. Display the authentication dialog box, and connect to the WSS Site http://nyc-web:44341/ as WoodgroveBank\Administrator by using the password Pa$$w0rd.

3. On the Home page of the Central Administration site, click Site Actions, and then select Edit Page from the drop-down list.

4. On the Edit page, under the Resources section, add the Web part as a new link, http://NYC-TS/ts.

Results: After this exercise, you should have added a customized Web part by using TS Web Access, and exported it to a WSS site.

Exercise 3: Configuring TS Session Broker

Scenario

You receive a service request from the enterprise administrator to configure the TS Session Broker role service to manage all the TS Web Access servers in the farm.

Exercise Overview

In this exercise, you will install the TS Session Broker role service and configure the Session Broker settings for servers in a TS farm.

The main tasks for this exercise are as follows:

1. Install the TS Session Broker role service.

2. Add each server in the farm to the Session Directory Computers local group.

3. Configure the TS Session Broker settings by using Group Policy.

4. Shut down the virtual machines.

Task 1: Install the TS Session Broker role service

1. On 6428A-NYC-TS-05, start Server Manager.

2. On the Select Role Services page, install the TS Session Broker role service.

Task 2: Add each server in the farm to the Session Directory Computers local group

1. Start the Computer Management snap-in.

2. In the left pane, under Local Users and Groups, select the Session Directory Computers group.

3. In the Select Users, Computers or Groups dialog box, in the Object Type dialog box, add the computer accounts NYC-WEB and NYC-TS.

Task 3: Configure the TS Session Broker settings by using Group Policy

1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in.

2. In the left pane, under the NYC node, create a new GPO named GPO for TS Web Access.

3. In the right pane, on the Settings tab of GPO for TS Web Access, edit the computer configuration.

4. Under the Computer Configuration node, click TS Session Broker, and configure the following settings:

• Join TS Session Broker policy: Enabled

• Configure TS Session Broker farm name: Enabled

• TS Session Broker server name: NYC-TS

• Use TS Session Broker load balancing: Enabled

Task 4: Shut down the virtual machines

• Turn off all virtual machines and discard changes.

Results: After this exercise, you should have configured TS Session Broker load balancing for a farm.

Lab Review

Module 6: Configuring and Troubleshooting Terminal Services Gateway

Contents:

Lesson 1: Configuring TS Gateway

Lesson 2: Monitoring and Troubleshooting TS Gateway Connections

Lab: Configuring and Troubleshooting TS Gateway

Module Overview

TS Gateway is a role service that provides access to the terminal servers, computers running RemoteApp programs as well as the computers and servers that have Remote Desktop enabled.

By using TS Gateway, remote users can access resources on an internal network with minimum security risks.

This module covers configuring the TS Gateway role service as well as monitoring and troubleshooting the TS Gateway connections.

Lesson 1: Configuring TS Gateway

The installation and configuration of TS Gateway has some requirements. For example, you must obtain a trusted Secure Sockets Layer (SSL) certificate for the TS Gateway server to function.

In addition, users can connect to internal resources by using TS Gateway only if they meet the conditions specified in a TS Connection Authorization Policy (CAP) or TS Resource Authorization Policy (RAP).

By using TS CAPs or RAPs, you can manage the connections made through TS Gateway.

Introduction to TS Gateway

Key Points

TS Gateway uses Remote Desktop Protocol (RDP) tunneled over Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). By using TS Gateway, you can make secure and encrypted connections between users on the Web and the remote production application computers. The connection is made by using port 443. This connection works even if the remote computers are located behind a network address translation (NAT) traversal-based router in a network.

The TS Gateway secure remote connection can also be used by TS Web Access. By integrating TS Web Access with TS Gateway, you can ensure transport-level SSL security for all terminal server traffic. Remote users can also access RemoteApp programs through TS Gateway securely.

Note: TS Gateway does not require any additional configuration to provide access to resources behind a firewall in private networks or across NATs.

For more information about the TS Gateway server, see "Terminal Services Gateway (TS Gateway)" on the Microsoft TechNet Web site.

Requirements for TS Gateway

Key Points

To install TS Gateway, you need to be a member of the Administrators group on the server.

You also need to obtain an SSL certificate from a trusted third party. Alternatively, you can obtain a self-signed certificate.

It is recommended that you use HTTPS with a certificate for TS Web Access. You can use the TS Web Access certificate if TS Gateway is installed on the same server as TS Web Access. You can also use wildcard SSL certificates.

In addition, TS Gateway requires some role services and features to be installed and functioning.

You can configure the TS Gateway server to use the TS CAPs that are stored on another server running the Network Policy Server (NPS) service. This NPS server can then be used to centrally administer and manage TS CAPs, thus improving the deployment of TS Gateway.

Note: TS Gateway does not require any change in code when routing connections to a TS-based session with Microsoft Windows Server 2003, Microsoft Windows Vista, or Microsoft Windows XP-based computers.

Configuring TS Gateway

Key Points

You can configure TS Gateway by using the Server Manager snap-in. You can use an existing certificate for SSL encryption or create a self-signed certificate. You can also select an option that will allow you to obtain the certificate later.

Note: If you select an existing certificate, only certificates that can be used to authenticate the TS Gateway server with the appropriate Enhanced Key Usage (EKU) will be displayed in the list of certificates.

You need not map a self-signed certificate if you have created it by using:

• The Add Remove Roles Wizard during the installation of the TS Gateway role service

• The TS Gateway Manager after the installation of the TS Gateway role service

Question: When is it recommended to use self-signed certificates?

For more information about configuring TS Gateway, see "Configuring the TS Gateway Core Scenario" on the Microsoft TechNet Web site.

Obtaining Certificates

Key Points

You can generate and submit a certificate request by using various methods depending on the policies and configuration of your organization. It is recommended that you use self-signed certificates for evaluation and testing purposes only.

An organization can have the following certificates:

• A stand-alone or enterprise certificate authority (CA)-issued certificate that must be cosigned by a trusted public CA. This CA must participate in the Microsoft Root Certificate Program Members program. You need to install this certificate on the TS Gateway server and then map the certificate.

• A certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program. You need to install this certificate on the TS Gateway server and then map the certificate.

• A self-signed certificate for technical evaluation and testing purposes only. You must install this certificate in the Trusted Root Certification Authorities store on the client computer. You do not need to install this certificate or map it to the TS Gateway server.

Note: The Windows Server 2003 Certificate Services Web enrollment feature depends on an ActiveX control named Xenroll.

Question: Which certificate enables users to connect from home computers and kiosks to a TS Gateway server?

TS Connection Authorization Policies

Key Points

TS CAPs enhance security by regulating access to TS Gateway and are stored on the network policy server. Using these policies, you can specify user groups, and optionally client computer groups, that can connect to the TS Gateway server. You can also specify conditions that a user needs to meet to connect to the server—for example, whether a user should use a password or a smart card to access the server. TS CAPs can be created by using the TS Gateway Manager.

Tasks involved in managing TS CAPs include:

• Enabling or disabling TS CAPs

• Modifying or removing a local TS CAP

• Specifying a new central TS CAP

• Evaluating the permissions of the user and computer groups that connect to TS Gateway

You can also use TS CAPs to specify which client device redirection should be enabled or disabled for specific groups. Devices can be disk drives or supported Plug and Play (PnP) devices.

The suggested device redirection settings can only be enforced on client computers running Remote Desktop Connection (RDC).

Note: Enforcing device redirection settings on a client cannot guarantee security, even for RDC clients.

For more information about TS CAPs, see "TS Gateway Overview" on the Microsoft TechNet Web site.

TS Resource Authorization Policies

Key Points

TS RAPs allow you to regulate access by specifying the internal network resources that users can connect to through TS Gateway. You can create a computer group and associate it with a TS RAP. You can also create a group of computer accounts in Active Directory and associate it with a TS RAP.

When you associate a TS Gateway-managed computer group with a TS RAP, you can use both the fully qualified domain names (FQDNs) and NetBIOS names by adding them separately to the computer group.

When you associate an Active Directory security group to a TS RAP, both FQDNs and NetBIOS computer names are automatically supported, if the computer to which you are connecting is in the same domain as the TS Gateway server. If the client computer is in a different domain from the TS Gateway server, then the FQDN of the client computer needs to be specified.

If you want remote users to connect to a computer managed by TS Gateway by using either the computer name or the IP address, then you need to add the computer twice to the computer group—once by the computer name and then by the IP address of the computer.

Tasks involved in managing TS RAPs include:

• Enabling or disabling TS RAPs

• Modifying or removing a local TS RAP

• Specifying the computers that users can connect to through TS Gateway

• Configuring the TS clients to access resources on the network

Note: Remote users should meet the conditions specified in at least one TS CAP and one TS RAP to be able to connect to resources on the internal network through TS Gateway.

Lesson 2: Monitoring and Troubleshooting TS Gateway Connections

TS Gateway has monitoring capabilities that allow you to view the information about active connections from the TS clients to the internal network resources. Furthermore, the TS Gateway server can be configured to use Network Access Protection (NAP). NAP is a feature of Microsoft Windows Server 2008 that allows administrators to maintain computer health.

Although TS Gateway provides these tools to monitor connections and enforce compliance with health requirement policies for network access, you will still need to resolve connectivity issues. You can use the TS Gateway Manager to troubleshoot the TS Gateway connections.

Monitoring Active Connections Through TS Gateway

Key Points

You can use the TS Gateway Manager to monitor the active connections from TS clients to network resources.

You can specify the events to be logged, such as successful or unsuccessful connection attempts to an internal network computer through the TS Gateway server. When an event occurs, you can monitor the event by using the Windows Event Viewer.

For more information about monitoring active connections by using the TS Gateway server, see "Monitoring Active Connections Through a TS Gateway Server" on the Microsoft TechNet Web site.

Network Access Protection

Key Points

Configuring TS Gateway to use NAP allows administrators to enforce system health requirements, security update requirements, required computer configurations, and other settings.

NAP controls network resources based on the identity of a computer and compliance with corporate governance policy.

NAP presents an application programming interface (API) that allows developers to create solutions for validation of health status, limitation of network access or communication, and ongoing compliance.

In addition, NAP allows administrators to define granular levels of network access based on the identity of the client, the group the client belongs to, and the degree of compliance with corporate governance policy.

Note: NAP does not prevent authorized users on a compliant computer from uploading a malicious program to the network.

For more information about NAP, see "Network Access Protection" on the Microsoft MSDN Web site.

Demonstration: Configuring Network Access Protection on TS Gateway

Question: Which operating systems are supported as NAP clients when TS Gateway server enforces NAP?

Troubleshooting TS Gateway

Key Points

To ensure that client computers successfully connect through TS Gateway, the TS Gateway server must be configured correctly. You need to ensure that the server is configured to use an appropriate SSL-compatible X.509 certificate, and the TS CAPs and RAPs are correctly configured.

In addition, you need to:

• Check the authentication method used for the connection.

• Check the number of simultaneous connections being made.

• Check the traffic of ports used for TS on the firewall.
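
As an added example (not part of the course material), the following PowerShell script runs the certificate checks named above against the local computer's Personal store on the TS Gateway server: validity dates, private key, Server Authentication EKU, name match (including wildcard certificates) and self-signed status. The default gateway name is the lab's value; the function names, parameters and the 30-day warning window are assumptions.

```powershell
# Added example: audit the certificates in the local computer's Personal store
# that a TS Gateway server could use for SSL. Run it on the TS Gateway server.
# Function names, parameters and the 30-day warning window are assumptions.
param(
    [string]$GatewayName = 'NYC-TS.woodgrovebank.com',  # name clients enter for the gateway (lab value)
    [int]$WarnDays = 30
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern -eq $HostName) { return $true }   # -eq ignores case for strings
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one leading label: *.example.com matches a.example.com
        $dot = $HostName.IndexOf('.')
        if ($dot -gt 0) { return ($HostName.Substring($dot) -eq $Pattern.Substring(1)) }
    }
    return $false
}

function Get-CertificateDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))   # subject common name
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
    if ($san) {
        # Format() renders the extension as text; the "DNS Name=" label is the
        # English-locale form, so adjust the pattern on localized systems.
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

function Test-GatewayCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName,
        [int]$WarnDays
    )
    $findings = @()
    $now = Get-Date

    # Validity period
    if ($now -lt $Cert.NotBefore) { $findings += "FAIL: not valid until $($Cert.NotBefore)" }
    if ($now -gt $Cert.NotAfter) {
        $findings += "FAIL: expired on $($Cert.NotAfter)"
    } elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $findings += "NOTE: expires within $WarnDays days ($($Cert.NotAfter))"
    }

    # The server needs the private key to terminate SSL
    if (-not $Cert.HasPrivateKey) { $findings += 'FAIL: no private key on this server' }

    # Enhanced Key Usage must allow server authentication
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku) {
        $oids = @(foreach ($o in $eku.EnhancedKeyUsages) { $o.Value })
        if ($oids -notcontains $ServerAuthOid) { $findings += 'FAIL: EKU lacks Server Authentication' }
    } else {
        $findings += 'NOTE: no EKU extension; check that TS Gateway Manager offers this certificate'
    }

    # The name clients connect to must appear in the certificate
    $names = @(Get-CertificateDnsName -Cert $Cert)
    $matched = $false
    foreach ($n in $names) { if (Test-NameMatch -Pattern $n -HostName $HostName) { $matched = $true } }
    if (-not $matched) { $findings += "FAIL: '$HostName' not among certificate names ($($names -join ', '))" }

    # Self-signed certificates are for evaluation and testing only
    if ($Cert.Subject -eq $Cert.Issuer) {
        $findings += 'NOTE: self-signed; clients must have it in Trusted Root Certification Authorities'
    }
    return $findings
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $findings = @(Test-GatewayCertificate -Cert $cert -HostName $GatewayName -WarnDays $WarnDays)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Usable     = (@($findings | Where-Object { $_ -like 'FAIL:*' }).Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}
$report | Select-Object Subject, NotAfter, Usable, Findings, Thumbprint | Format-List
```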

Question: If you get an error message stating that the authentication method you used is not supported, how will you change the authentication settings?

For more information about troubleshooting connections, see "TS Gateway Server Connections" on the Microsoft TechNet Web site.

Lab: Configuring and Troubleshooting TS Gateway

Overarching Scenario

The enterprise administrator of Woodgrove Bank wants you to configure TS Gateway so that remote users in the HR group can securely access the internal network resources of the organization. You need to install the TS Gateway role on the terminal server and create the connection and resource authorization policies for the HR group.

Exercise 1: Configuring and Monitoring TS Gateway

Scenario

You need to install the TS Gateway role service on the terminal server and install a self-signed certificate for the TS Gateway to function. You also need to create a CAP and a RAP for the HR group so that the members of the HR group are able to access the computers in the HR group.

Exercise Overview

In this exercise, you will install and configure the TS Gateway server role on the terminal server and create a CAP and a RAP for the HR group.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator.

2. Install the TS Gateway role.

3. Install the certificate.

4. Create a CAP for the HR group.

5. Select the pre-configured Active Directory Security group HR.

6. Create a RAP for the HR group.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

2. Start 6428A-NYC-TS-05 and log on as Administrator by using the password Pa$$w0rd.

Task 2: Install the TS Gateway role

1. On 6428A-NYC-TS-05, start Server Manager and install the TS Gateway role service.

2. On the Select Roles Services page, select the options to configure the server authentication certificate for SSL encryption and the authorization policies for TS Gateway later.

Task 3: Install the certificate

1. Start TS Gateway Manager and, under NYC-TS, create a self-signed certificate for SSL encryption.

2. Specify the certificate name as NYC-TS.WOODGROVEBANK.COM.

3. Specify the certificate location as c:\certificate\NYC-TS.cer.

4. Start the Certificates snap-in by using the MMC command.

5. On the File menu, select Add/Remove Snap-in.

6. Import the certificate from c:\certificate\NYC-TS.cer by using the Certificate Import Wizard.

7. Start the TS Gateway Manager, and on the properties page of NYC-TS, install the certificate for NYC-TS.woodgrovebank.com.

Task 4: Create a CAP for the HR group

1. On the TS Gateway Manager, under NYC-TS, create a new connection authorization policy as TS CAP.

2. On the Requirements tab, under Supported Windows authentication methods verify that Password is selected.

3. Add a group HR, and enable device redirection for all client devices for the group.

Task 5: Select the pre-configured Active Directory Security group HR

1. Start Active Directory Users and Computers and select the HR group for WoodgroveBank.com.

2. Select NYC-TS as the Object Type for Computers.

Task 6: Create a RAP for the HR group

1. On 6428A-NYC-TS-05, start the TS Gateway Manager and create a resource authorization policy as TS RAP.

2. Add the user group HR and, on the Computer Group tab, verify that Select an existing Active Directory security group is selected.

3. Select the group HR and, on the Allowed Ports tab, verify that Allow connections only through TCP port 3389 is selected.

Results: After this exercise, you should have installed the TS Gateway Server role service and created a TS CAP and TS RAP for the HR group.

Exercise 2: Troubleshooting the TS Gateway Connections

Scenario

You receive a service request from the Help Desk that a user, Baris, is unable to connect to the network using TS Gateway. You need to verify that the TS Gateway Server certificate has not expired. You also need to verify that the TS Gateway configuration is correct. In addition, you need to check that the user exists in the HR group, which can access the TS Gateway Server. An additional service request is to add Bernard to the HR group.

Exercise Overview

In this exercise, you need to verify that the TS Gateway server certificate has not expired. You also need to check the TS CAP and RAP for the HR group. In addition, you need to verify the existence of the user Baris in the HR group and add a new user Bernard to the HR group.

The main tasks for this exercise are as follows:

1. Verify that the TS Gateway Server certificate has not expired.

2. Verify that the TS CAP is accurate.

3. Verify that the TS RAP is accurate.

4. Verify that the user Baris exists in the HR group.

5. Add Bernard to the HR group.

6. Verify that the TS RAP is functional.

7. Shut down the virtual machines.

Task 1: Verify that the TS Gateway Server certificate has not expired

1. On 6428A-NYC-TS-05, in the TS Gateway Manager, in the properties page of NYC-TS, on the SSL Certificate tab, verify that Select an existing certificate for SSL encryption (recommended) is selected.

2. Install the certificate for NYC-TS.woodgrovebank.com.

3. Verify that the certificate has not expired.

Task 2: Verify that the TS CAP is accurate

1. In the Server Manager, under NYC-TS, in Connection Authorization Policies, select TS CAP policy.

2. In the properties page of TS CAP, verify that the policy is enabled.

3. Verify that the authentication method for Windows is Password.

4. Verify that WOODGROVEBANK\HR group exists.

5. Verify that Device redirection for all client devices is selected.

Task 3: Verify that the TS RAP is accurate

1. In the Server Manager, under NYC-TS, in Resource Authorization Policies, select TS RAP policy.

2. In the TS RAP Policy Properties page, verify that the policy is enabled.

3. Verify that WOODGROVEBANK\HR group exists.

4. Under Select an existing Active Directory security group verify that WOODGROVEBANK\HR exists.

5. On the Allowed Ports tab, verify that Allow connections only through TCP port 3389 is selected.

Task 4: Verify that the user Baris exists in the HR group

1. On 6428A-NYC-DC1-06, start Active Directory Users and Computers.

2. Under WoodgroveBank.com select HR Security group.

3. In the properties of HR security group, verify user Baris Cetinok exists.

Task 5: Add Bernard to the HR group

1. In the Active Directory Users and Computers snap-in, under WoodgroveBank.com, verify Users is selected.

2. In the properties of HR security group, add a user Bernard Duerr.

Task 6: Verify that the TS RAP is functional

1. Install the certificate, NYC-TS.cer from \\NYC-TS\certificate using the Certificate Import Wizard.

2. Open remote connection by using the MSTSC command.

3. In Remote Desktop Connection, configure these TS Gateway Server settings as:

• Server name: NYC-TS.woodgrovebank.com

• Logon method: Ask for password (NTLM)

4. Connect to NYC-TS, as Woodgrovebank\Baris with password Pa$$w0rd.

Task 7: Shut down the virtual machines

1. Turn off 6428A-NYC-DC1-06 virtual machine and discard undo disk.

2. Turn off 6428A-NYC-TS-05 virtual machine and discard changes.

Results: After this exercise, you should have verified that the configuration of TS Gateway is correct and the user Baris exists in the HR group. In addition, you should have added a new user Bernard to the HR group.

Lab Review

Module 7: Managing and Monitoring Terminal Services

Contents:

Lesson 1: Methods for Managing and Monitoring TS

Lesson 2: Configuring Windows System Resource Manager for TS

Lab: Managing and Monitoring TS

Module Overview

As an administrator using Microsoft Windows Server® 2008 TS, you need to manage and monitor TS connections to ensure smooth transactions between the terminal server and the client computers. This module introduces the tasks involved in managing TS connections. It also describes some of the tools used to monitor TS connections.

Additionally, you can use Windows System Resource Manager (WSRM) to manage server processor resources and memory usage. This module introduces the features of WSRM and how to configure WSRM.

Lesson 1: Methods for Managing and Monitoring TS

To manage the TS connections, you need to perform tasks such as remotely controlling user sessions and resetting connections. The TS connections can be monitored by using tools such as the TS Gateway Manager and the Performance and Reliability Monitor.

Besides managing and monitoring TS connections, you will also need to perform troubleshooting steps to resolve client connectivity issues. These issues can be resolved by reviewing the errors in the Event Viewer.

Managing the TS Connections

Key Points

To remotely manage the TS connections, you need to be a member of the Administrators group. You can enable, disable, rename, or delete the TS connections.

Note: It is a security best practice to manage TS connections by using the Run as command through the user interface or at the command prompt, instead of logging on with administrator credentials.

Question: When logged on as an administrator, which setting will you use to remotely interact with a user’s session?

For more information about managing connections, see "Manage Terminal Services Connections" on the Microsoft TechNet Web site.

Monitoring the TS Connections

Key Points

You can use the TS Gateway Manager to audit specific events such as the unsuccessful attempts to connect to the TS Gateway server by the client. These events can then be monitored by using the Event Viewer.

You can monitor the TS Web Access outbound traffic by using the Microsoft® Internet Security and Acceleration (ISA) Server Management tool, and check the ISA Server log to determine which rule is denying the outbound traffic to the Internet.

The Performance and Reliability Monitor provides the following new features in Windows Server 2008:

• A data collector set that groups portable data collectors used with different performance monitoring scenarios

• The Resource View that provides an enhanced view of the CPU, disk, network, and memory usage

• The Reliability Monitor that helps you to diagnose potential causes of the instability of the system

For more information about monitoring methods, see "Troubleshooting Web Access for Internal Clients," "Windows Server "Longhorn" Performance and Reliability Monitoring Step-by-Step Guide," and "Introducing Microsoft System Center Operations Manager 2007" on the Microsoft TechNet Web site.

Discussion: Troubleshooting the Client Connectivity Issues

For more information about troubleshooting client connectivity issues, see "TS Gateway Server Connections" on the Microsoft TechNet Web site.

Lesson 2: Configuring Windows System Resource Manager for TS

With WSRM, you can manage your resources such that all resources are provided evenly to all processes. Alternatively, you can make resources available to high-priority services, applications, or users.

Introduction to Windows System Resource Manager

Key Points

WSRM functions only when the combined processor load is greater than 70%. In case of a conflict among processor resources, resource allocation policies are used to ensure minimum resource availability. This availability is based on the management profile defined by the administrator.

Question: You want to troubleshoot a processor resource problem. Which tool in WSRM can you use to view the usage of hardware resources and the activity of system services on the computer?

For more information about WSRM, see "Terminal Services and Windows System Resource Manager" on the Microsoft TechNet Web site.

Features of Windows System Resource Manager

Key Points

WSRM can be used to collect resource usage data from multiple servers and store it on a single computer running WSRM.

The benefits of using WSRM are:

• Improved availability of services on a single server through dynamically managed resources

• Improved accessibility of the system for high-priority users or administrators during maximum resource load

For more information about the features of WSRM, see "Overview of Windows System Resource Manager" on the Microsoft TechNet Web site.

Configuring Windows System Resource Manager

Key Points

Equal_Per_Session is the new and recommended resource allocation policy for configuring WSRM in Windows Server 2008 TS.

While monitoring the performance of the terminal server, it is also recommended that you collect data before and after implementing the Equal_Per_Session resource allocation policy.

There are some applications and processes that dynamically change their own memory limits. As a best practice, you should not specify the memory limits in WSRM for such applications and processes.

You must also note that excessive limitation of memory for an application can slow down the working of the application and increase disk usage.

Question: You want to set a limit on the memory used by the different processes on a system. Which feature of WSRM will help you do this?

For more information about configuring WSRM using resource allocation policies, see "Creating Resource Management Policies" and "Working with Resource Allocation Policies" on the Microsoft TechNet Web site.

Lab: Managing and Monitoring TS

Overarching Scenario

You receive a service request from the Network Operations Center (NOC) claiming that there is an overload of resource utilization. Therefore, you have been asked to configure the NOC technicians’ client computers to connect to TS through TS Gateway and manage these connections.

The enterprise administrator has also tasked you with installing WSRM on the TS. You need to configure WSRM to monitor the performance of the terminal server. You are also required to configure the resource allocation policies.

Exercise 1: Managing the TS Connections

Scenario

You are required to configure the NOC technician’s client computer for a TS Gateway connection. To manage the remote connections, you have been asked to log off, disconnect, and reset all TS connections for your TS Gateway server. You also need to verify that the NOC technician’s computer is properly configured by remotely controlling the user session.

Exercise Overview

In this exercise, you will configure the TS Gateway settings on the client computer. You will then disconnect the NOC technician’s computer and reset the connection.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator.

2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.

3. Configure the TS Gateway settings on the client.

4. Manage the TS connections on the terminal server.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

2. Start 6428A-NYC-TS-07 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan

• Start 6428A-NYC-WEB-05, switch the user, and log on as Susan, who belongs to the NOC Department, using the password pass@word1.

Task 3: Configure the TS Gateway settings on client

1. To configure TS Gateway on 6428A-NYC-WEB-05, start Remote Desktop Connection.

2. Configure the following settings in Options:

• TS Gateway server name as NYC-TS.Woodgrovebank.com

• Logon method as Ask for password (NTLM)

• Logon settings as NYC-TS

3. Connect to the terminal server NYC-TS.

4. Log on as Woodgrovebank\Susan with the password pass@word1.

Task 4: Manage the TS connections on the terminal server

1. Log off all TS Gateway connections on 6428A-NYC-TS-07 by using Terminal Services Manager.

2. Disconnect all TS Gateway connections.

3. Reset all TS Gateway connections.

Results: After this exercise, you should have configured the TS Gateway settings on the client and managed the TS connections remotely.

Exercise 2: Monitoring the TS Connections

Scenario

You receive a request from the enterprise administrator asking you to configure the TS connections. As an administrator, you need to limit the number of TS connections to 2. You also need to configure the refresh option of the connection. These settings will help you monitor the TS connections. In addition, you also need to specify the events to be logged for the TS Gateway connections.

Exercise Overview

In this exercise, you need to monitor TS connections by using the TS Gateway Manager and specify the TS Gateway events to be logged.

The main tasks for this exercise are:

1. Connect to the remote computer.

2. Monitor TS Gateway.

3. Specify the TS Gateway events to be logged.

Task 1: Connect to the remote computer

1. Connect to 6428A-NYC-TS-07 by using Remote Desktop Connection on 6428A-NYC-WEB-05.

2. Log on as Woodgrovebank\Susan using the password pass@word1.

Task 2: Monitor TS Gateway

1. On 6428A-NYC-TS-07, start TS Gateway Manager.

2. On the NYC-TS node, monitor Susan’s session.

3. Edit the connection by using the NYC-TS Properties dialog box.

4. Limit the maximum number of simultaneous connections to 2.

5. On the Actions panel, set the Automatic Refresh Options to 0:30:20.

6. Disconnect Susan’s connection.

Task 3: Specify the TS Gateway events to be logged

1. On the TS Gateway Manager snap-in, in the NYC-TS Properties dialog box, select the events to be audited for TS Gateway server.

2. View the events in the Event Viewer.

Results: After this exercise, you should have monitored the TS Gateway connections and specified the events to be logged for TS Gateway.

Exercise 3: Configuring WSRM for TS

Scenario

You receive a service request from the enterprise administrator to install and configure WSRM for Terminal Services. You are asked to monitor the Equal_Per_Session resource allocation policy for TS. After observing the performance and generating a report for the per session policy, you need to implement the Equal_Per_User policy on TS.

Exercise Overview

The main tasks for this exercise are as follows:

1. Install WSRM on TS.

2. Configure the TS resource allocation policy for per session.

3. Monitor TS performance by using Resource Monitor.

4. Configure the TS resource allocation policy for per user.

5. Shut down the virtual machines.

Task 1: Install WSRM on TS

1. Start Server Manager on 6428A-NYC-TS-07 and, under Features Summary, select Windows System Resource Manager.

2. Install WSRM by using the wizard.

3. Open the Windows System Resource Manager snap-in.

4. In the Connect to computer dialog box, select This computer.

Task 2: Configure the TS resource allocation policy for per session

• In the Windows System Resource Manager snap-in, under the Resource Allocation Policies node, implement the per session resource-allocation policy.

Task 3: Monitor TS performance using Resource Monitor

1. In the Windows System Resource Manager snap-in, display the Resource Monitor.

2. Review the performance data.

3. Display the Properties dialog box, and change the Graph to Report.

4. In the Windows System Resource Manager Properties dialog box, configure the e-mail notification options as [email protected].

5. Use the SMTP server NYC-TS.woodgrovebank.com.

6. Select two or more events under the Error, Warning, and Information nodes.

Task 4: Configure the TS resource allocation policy for per user

• On the Windows System Resource Manager snap-in, under the Resource Allocation Policies node, implement the per user resource-allocation policy.

Task 5: Shut down the virtual machines

• Turn off each virtual machine that is running and discard changes.

Results: After this exercise, you should have configured WSRM, configured the resource allocation policies, and monitored the TS performance by using the Resource Monitor.

Lab Review

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 1: Configuring Terminal Services Core Functionality

Lab: Configuring TS Core Functionality

Exercise 1: Installing and Configuring the TS Server Role Service

Exercise 2: Configuring the TS Settings

Logon Information:

• Virtual Machine 1: 6428A-NYC-DC1-01

• Virtual Machine 2: 6428A-NYC-TS-01

• User Name: Administrator/Baris

• Password: Pa$$w0rd

Estimated time: 65 minutes

Exercise 1: Installing and Configuring the TS Server Role Service

Exercise Overview

In this exercise, you will install and configure the TS core functionality at the New York head office.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator.

2. Install the TS server role service.

3. Configure authentication on the terminal server.

4. Configure the default credentials to be used on the terminal server.

5. Create a .rdp file and configure custom display.

6. Enable ClearType and Font smoothing.

7. Enable support for PnP redirection.

8. Install and configure WSRM.

9. Install the Desktop Experience.

10. Remotely connect to TS by using RDC.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.

Wait for the virtual machine to start. The Recent Events section will display the messages of the events.

2. Log on with the default login ID WOODGROVEBANK\Administrator and the password Pa$$w0rd, and then click Go. The Server Manager snap-in is displayed.

Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear before starting 6428A-NYC-TS-01 virtual machine. If the virtual machine is not properly shut down, the Shutdown Event Tracker dialog box will be displayed. Select the Security issue option from the drop-down list and click OK.

3. Start 6428A-NYC-TS-01 using the Lab Launcher tool.

4. Log on with the ID WOODGROVEBANK\administrator and password Pa$$w0rd. The Server Manager snap-in is displayed.

5. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, click Active Directory Users and Computers.

6. In the left pane, click the WoodgroveBank.com node, click Computers, and verify that NYC-TS is displayed in the right pane.

Task 2: Install the TS server role service

1. On 6428A-NYC-TS-01, in Server Manager, in the left pane, right-click Roles, and then click Add Roles.

2. In the Add Roles Wizard, on the Before You Begin page, click Next.

3. On the Select Server Roles page, under Roles list, select the Terminal Services check box, and then click Next.

4. On the Terminal Services page, click Next.

5. On the Select Role Services page, select the Terminal Server check box, and then click Next.

6. On the Uninstall and Reinstall Applications for Compatibility page, click Next.

7. On the Specify Authentication Method for Terminal Server page, select Require Network Level Authentication option, and then click Next.

8. On the Specify Licensing Mode page, select Per User, and then click Next.

9. On the Select User Groups Allowed Access To This Terminal Server page, click Add.

10. In the Select Users, Computers, or Groups dialog box, verify that the From this location box has WoodgroveBank.com.

11. In the Enter the object names to select (examples) box, type NYC_MarketingGG, click Check Names, click OK, and then click Next.

12. On the Confirm Installation Selections page, click Install.

13. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

14. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close.

15. On the Add Roles Wizard message box, click Yes to restart the server.

16. After the server restarts and you log on to the computer as WOODGROVEBANK\Administrator and password Pa$$w0rd, the Resume Configuration Wizard is displayed. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

17. Observe that the installation of the Terminal Services has succeeded. Click Close.

18. On the Server Manager link, scroll down to the Roles Summary section, click the Terminal Services link.

19. On the Terminal Services page, scroll down to System Services section, and confirm that the Status for TS is Running.

20. In the Role Services section, confirm that the Status for TS is Installed.

21. Close the Server Manager.

Task 3: Configure authentication on the terminal server

1. Start the Terminal Services Configuration snap-in on 6428A-NYC-TS-01. Click Start, click Run, in the Open box type tsconfig.msc, and then click OK.

2. On the Terminal Services Configuration page, in the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.

3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security Layer box, select SSL (TLS 1.0) from the drop-down list box, and then click OK.
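
An added example, not part of the courseware: a PowerShell check that the RDP-Tcp listener ended up with the values chosen in Task 2, step 7 (Network Level Authentication) and in Task 3 (SSL (TLS 1.0)). The registry paths and value names are not given in the lab and are supplied here; the function names and the sample values are constructed for illustration.

```powershell
# Added example (not from the courseware): report the effective security
# settings of the RDP-Tcp listener. Requires PowerShell 3.0 or later.

# Assumed locations: the listener's own settings and the Group Policy copy.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry encodings of the Security Layer drop-down list in tsconfig.msc.
$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

# Values the lab steps should produce: SSL (TLS 1.0) and NLA required.
$Expected = @{ SecurityLayer = 2; UserAuthentication = 1 }

function Read-RdpRegistryValues {
    # Returns a hashtable holding only the values that exist under $Path.
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($name in $Expected.Keys) {
            if ($null -ne $item.PSObject.Properties[$name]) {
                $values[$name] = [int]$item.$name
            }
        }
    }
    return $values
}

function Get-EffectiveRdpSecurity {
    param([hashtable]$Listener, [hashtable]$Policy)
    foreach ($name in 'SecurityLayer', 'UserAuthentication') {
        # A value delivered by Group Policy takes precedence over the value
        # set on the listener in Terminal Services Configuration.
        if ($Policy.ContainsKey($name)) {
            $value = $Policy[$name]; $source = 'Group Policy'
        }
        elseif ($Listener.ContainsKey($name)) {
            $value = $Listener[$name]; $source = 'Listener'
        }
        else {
            $value = $null; $source = 'Not set'
        }

        if ($null -eq $value) {
            $meaning = 'value missing'
        }
        elseif ($name -eq 'SecurityLayer') {
            if ($SecurityLayerNames.ContainsKey($value)) { $meaning = $SecurityLayerNames[$value] }
            else { $meaning = 'unknown value' }
        }
        elseif ($value -eq 1) { $meaning = 'NLA required' }
        else { $meaning = 'NLA not required' }

        [pscustomobject]@{
            Setting   = $name
            Value     = $value
            Meaning   = $meaning
            Source    = $source
            Compliant = ($value -eq $Expected[$name])
        }
    }
}

# Constructed sample: the listener is configured as in the lab, but a GPO
# sets the security layer to Negotiate, so the effective value is not SSL.
$sampleListener = @{ SecurityLayer = 2; UserAuthentication = 1 }
$samplePolicy   = @{ SecurityLayer = 1 }
Get-EffectiveRdpSecurity -Listener $sampleListener -Policy $samplePolicy |
    Format-Table -AutoSize

# On a terminal server, audit the live registry as well.
if (Test-Path -Path $ListenerKey) {
    Get-EffectiveRdpSecurity -Listener (Read-RdpRegistryValues $ListenerKey) `
                             -Policy   (Read-RdpRegistryValues $PolicyKey) |
        Format-Table -AutoSize
}
```

Run the script in an elevated PowerShell session on the terminal server; a row with Compliant set to False and Source set to Group Policy means the setting made in the snap-in is being overridden.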

Task 4: Configure the default credentials to be used on the terminal server

1. Start the Local Group Policy Editor on 6428A-NYC-TS-01. Click Start, in the Start Search box, type gpedit.msc, and then press ENTER.

2. In the left pane, under the Computer Configuration node, open the Administrative Templates folder, then open the Systems folder, and then open the Credentials Delegation folder.

3. In the right pane, under Setting, double-click Allow Delegating Default Credentials.

4. In the Allow Delegating Default Credentials Properties dialog box, on the Setting tab, click Enabled, and then click Show.

5. In the Show Contents dialog box, click Add to add servers to the list.

6. In the Add Item dialog box, in the Enter the item to be added box, type 6428A-NYC-TS-01, and then click OK.

7. Click OK to close the Show Contents dialog box.

8. In the Allow Delegating Default Credentials Properties dialog box, click OK.

9. Close the Local Group Policy Editor.

Task 5: Create a .rdp file and configure custom display

1. To create the .rdp file, click Start, click Administrative tools, click Terminal Services, and then click TS RemoteApp Manager.

2. On the TS RemoteApp Manager page, in the Actions pane, click Add RemoteApp Programs, and then click Next.

3. In the RemoteApp Wizard page, select Remote Desktop Connection check box, and click Next.

4. In the Review settings page, click Finish.

5. In TS RemoteApp Manager, scroll down to RemoteApp Programs, click Remote Desktop Connection, and then right-click Create .rdp file to display the RemoteApp Wizard page.

6. In the RemoteApp Wizard page, click Next.

7. Under the Specify Package Settings, verify the location of package is C:\Program Files\Packaged Programs, click Next.

8. In the Review Settings page, click Finish.

9. To configure the custom display, click Start, click Computer, and browse to C:\Program files\Packaged Programs\Mstsc.rdp.

10. Right-click the mstsc.rdp file, click Open With, double-click Other Programs, and then select Notepad. Click OK.

11. At the bottom of the mstsc.rdp file, type desktopwidth:i:1680. Press ENTER.

12. Then type desktopheight:i:1050. Press ENTER.

13. Then type Span:i:1.

14. Click File, and then click Save. Close the mstsc.rdp file.

15. Close Packaged Programs.
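
An added example, not part of the courseware: a PowerShell check of the three display settings typed in steps 11 to 13, which also reports a setting that now appears twice because the new lines were appended to an existing file. The function names and the sample file content are constructed, and comparing setting names without regard to case is an assumption of this script.

```powershell
# Added example (not from the courseware): parse .rdp text and verify the
# display settings from steps 11-13. Requires PowerShell 3.0 or later.

$ExpectedDisplay = [ordered]@{ desktopwidth = '1680'; desktopheight = '1050'; span = '1' }

function ConvertFrom-RdpText {
    # Turns each non-empty line into an object and records format problems.
    param([string[]]$Lines)
    $lineNumber = 0
    foreach ($line in $Lines) {
        $lineNumber++
        $text = $line.Trim()
        if ($text -eq '') { continue }

        # Each setting is name:type:value; the value may itself contain colons.
        $parts = $text -split ':', 3
        $type = $null; $value = $null; $problem = $null
        if ($parts.Count -ne 3) {
            $problem = 'not in name:type:value form'
        }
        else {
            $type = $parts[1]; $value = $parts[2]
            if (@('i', 's', 'b') -notcontains $type) {
                $problem = "unknown type '$type'"
            }
            elseif ($type -eq 'i' -and $value.Trim() -notmatch '^-?\d+$') {
                $problem = 'type i needs an integer value'
            }
        }

        [pscustomobject]@{
            Line    = $lineNumber
            Name    = $parts[0].Trim().ToLowerInvariant()  # assumption: names are case-insensitive
            Type    = $type
            Value   = $value
            Problem = $problem
        }
    }
}

function Test-RdpDisplaySettings {
    # One result row per expected setting: ok, missing, duplicated or wrong.
    param([object[]]$Settings)
    foreach ($name in $ExpectedDisplay.Keys) {
        $found = @($Settings | Where-Object { $_.Name -eq $name })
        if ($found.Count -eq 0)     { $status = 'missing' }
        elseif ($found.Count -gt 1) { $status = 'defined more than once, review the file' }
        elseif ($found[0].Problem)  { $status = $found[0].Problem }
        elseif ($found[0].Value.Trim() -ne $ExpectedDisplay[$name]) { $status = 'unexpected value' }
        else                        { $status = 'ok' }

        [pscustomobject]@{
            Setting  = $name
            Expected = $ExpectedDisplay[$name]
            Lines    = ($found | ForEach-Object { $_.Line }) -join ','
            Status   = $status
        }
    }
}

# Constructed sample: a file that already contained a desktopwidth line before
# the three lines from steps 11-13 were typed at the bottom.
$sample = @'
screen mode id:i:2
desktopwidth:i:1024
full address:s:NYC-TS
desktopwidth:i:1680
desktopheight:i:1050
Span:i:1
'@ -split "`r?`n"

$settings = ConvertFrom-RdpText -Lines $sample
$settings | Where-Object { $_.Problem } | Format-Table -AutoSize
Test-RdpDisplaySettings -Settings $settings | Format-Table -AutoSize

# To check the file edited in the lab instead of the sample:
# $settings = ConvertFrom-RdpText -Lines (Get-Content 'C:\Program Files\Packaged Programs\mstsc.rdp')
```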

Task 6: Enable ClearType and Font smoothing

1. Click Start, click Control Panel, and then in the left panel, click Control Panel Home.

2. In Control Panel, click the Appearance and Personalization link.

3. Under Personalization, click Change the color scheme.

4. On the Appearance Settings page, on the Appearance tab, click Effects, and then select the Use the following method to smooth edges of screen fonts check box.

5. Verify that ClearType is selected by default, and then click OK twice.

6. Close the Control Panel\Appearance and Personalization screen.

7. Click Start, point to All Programs, click Accessories, and then click Remote Desktop Connection.

8. In the Remote Desktop Connection dialog box, click Options.

9. In the Remote Desktop Connection dialog box, click the Experience tab, in the Performance section, select the Font smoothing check box.

Task 7: Enable support for PnP redirection

1. In the Remote Desktop Connection dialog box, on the Local Resources tab, under Local devices and resources section, click More.

2. Under Local devices and resources, expand the Supported Plug and Play devices node.

3. Select the Devices that I plug in later check box, and then click OK.

4. Close the Remote Desktop Connection dialog box.

Task 8: Install and configure WSRM

1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to Administrative Tools, and then click Server Manager.

2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.

3. In the wizard, on the Select Features page, scroll down and select the Windows System Resource Manager check box. The Add Features Wizard message box is displayed informing you that Windows Internal Database also needs to be installed for Windows System Resource Manager (WSRM) to work properly.

4. Click Add Required Features, and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

7. On the Installation Results page, confirm that the installation of Windows Internal Database and WSRM succeeded, and then click Close.

8. To start the WSRM snap-in, click Start, point to Administrative Tools, and then click Windows System Resource Manager. The WSRM snap-in is displayed.

9. In the Connect to computer dialog box, under Administer, verify that This Computer is selected, and then click Connect. This will enable WSRM to administer the local computer.

10. Close WSRM [Windows System Resource Manager (local)].

Task 9: Install the Desktop Experience

1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to Administrative Tools, and then click Server Manager.

2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.

3. In the wizard, on the Select Features page, select the Desktop Experience check box, and then click Next.

4. On the Confirm Installation Selections page, observe the message that the server must be restarted after the installation of the Desktop Experience completes, and then click Install.

5. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

6. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close.

7. On the Add Features Wizard message box, click Yes to restart the server.

8. After the server restarts and you log on to the computer as WOODGROVEBANK\Administrator with password Pa$$w0rd, the Resume Configuration Wizard is displayed. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

9. Observe that the installation of the Desktop Experience has succeeded.

10. Click Close.

11. Close the Server Manager.

Task 10: Remotely connect to TS by using RDC

1. On 6428A-NYC-DC1-01, open the Remote Desktop Connection. Click Start, and then type mstsc in the Start Search box, and then press ENTER.

2. In the Remote Desktop Connection dialog box, in the Computer box, verify that NYC-TS is displayed by default, and then click Connect. The Windows Security dialog box is displayed.

3. In the Windows Security dialog box, click Use another account.

4. In the User name box, type WOODGROVEBANK\Baris.

5. In the Password box, type Pa$$w0rd, and then click OK. The Remote Control screen is displayed.

6. Close the remote connection. The Disconnect Terminal Services Session confirmation message box is displayed. Click OK.

Result: After this exercise, you should have installed and configured the TS server role service.

Exercise 2: Configuring the TS Settings

In this exercise, you will configure TS settings and the session broker settings.

Exercise Overview

The main tasks for this exercise are as follows:

1. Specify the program to start when user logs on to a remote session.

2. Configure the TS settings by using the Terminal Services Configuration snap-in.

3. Modify the default permissions for built-in accounts.

4. Configure the Session Broker settings.

5. Shut down the virtual machines.

Task 1: Specify the program to start when user logs on to a remote session

1. Log on to 6428A-NYC-TS-01. Start Terminal Services Configuration on 6428A-NYC-TS-01. Click Start, point to Administrative tools, point to Terminal Services, and then click Terminal Services Configuration.

2. In the Terminal Services Configuration snap-in, in the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.

3. In the RDP-Tcp Properties dialog box, click the Environment tab, under Initial program area, click Start the following program when the user logs on option.

4. In Program path and file name box, type C:\Program Files\Packaged Programs\wordpad, and then click OK.

Task 2: Configure the TS settings by using the Terminal Services Configuration snap-in

1. In Terminal Services Configuration NYC-TS, in the middle panel, under the Edit Settings area, under the General section, double-click the Delete Temporary folders on exit option. The Properties dialog box is displayed.

2. On the General tab, verify that the following check boxes are selected:

• Restrict each user to a single session

• Delete Temporary folders on exit

• Use Temporary folders per session

Then click OK.

3. Close Terminal Services Configuration.

Task 3: Modify the default permissions for built-in accounts

1. Start WMI Console. Click Start, click Run and type wmimgmt.msc, and press ENTER.

2. In the Root tree, right-click WMI Control (Local), and then click Properties.

3. In the WMI Control (Local) Properties dialog box, click the Security tab, click Security.

4. In the Security for Root dialog box, click Add.

5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (Examples) box, type Baris, and then click Check Names. Click OK.

6. Under Permissions for Baris Cetinok, select the Allow check box for the Read Security permission, and then click OK.

7. Click OK to close WMI Control.

Task 4: Configure the Session Broker Settings

1. Click Start, point to Administrative tools, point to Terminal Services, and then click Terminal Services Configuration.

2. In the middle pane, in the Edit settings area, scroll down to the TS Session Broker section, double-click Member of farm in TS Session Broker.

3. In the Properties page, on the TS Session Broker tab, select the Join a farm in TS Session Broker check box.

4. In the TS Session Broker server name or IP address box, type NYC-TS.

5. In the Farm name in TS Session Broker box, type WoodgroveBank.

6. Select the Participate in Session Broker Load-Balancing check box.

7. Verify that the Use IP address redirection (recommended) check box is enabled.

8. Select the IP address 10.10.0.23 check box, and then click OK.

9. The Terminal Services Configuration dialog box is displayed. Click Yes. Close Terminal Services Configuration.

Task 5: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.

2. In the Close window, click Turn off machine and discard changes.

3. Click OK.

Module 3: Configuring and Troubleshooting Terminal Services Connections

Lab: Configuring and Troubleshooting TS Connections

Exercise 1: Configuring the TS Connection Properties

Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy

Exercise 3: Configuring SSO by Using Client Group Policy

Exercise 4: Troubleshooting Connectivity Issues

Logon Information:

• Virtual Machine 1: 6428A-NYC-DC1-01

• Virtual Machine 2: 6428A-NYC-TS-03

• User Names: Administrator/Bernard/Baris/Anton/Monika/Dana

• Password 1: Pa$$w0rd

• Password 2: Pass@word1

Estimated time: 70 minutes

Exercise 1: Configuring the TS Connection Properties

Exercise Overview

In this exercise, you will configure the TS connection properties by using the Terminal Services Configuration snap-in.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.

2. Configure the TS connection properties by using the Terminal Services Configuration snap-in.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.

2. The login ID is displayed as WOODGROVEBANK\Administrator. Log on by using the password Pa$$w0rd, and then press ENTER.

Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.

3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd, and then press ENTER. The Server Manager page is displayed by default.

5. On 6428A-NYC-TS-03, verify that TS is installed on this virtual machine by performing the following steps:

• In the Server Manager, scroll down to the Roles Summary section, click the Terminal Services link.

• On the Terminal Services page, under System Services section, verify that the Status of Terminal Services is shown as Running.

• Under the Role Services section, verify that the Status of Terminal Server is shown as Installed.

• Close the Server Manager console.

Task 2: Configure the TS connection properties by using the Terminal Services Configuration snap-in

1. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

2. Verify the remote control setting as follows:

a. In the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.

b. In the RDP-Tcp Properties dialog box, click the Remote Control tab and verify that the Use remote control with default user settings option is selected.

3. To configure connection permissions:

a. In the RDP-Tcp Properties dialog box, click the Security tab.

b. The Terminal Services Configuration message box is displayed. Click OK.

c. Click the Advanced button below the Permissions for SYSTEM section. The Advanced Security Settings for RDP-Tcp dialog box is displayed.

d. On the Permissions tab, in the Permission entries list, select the record for Baris Cetinok, and then click the Edit button. The Permission Entry for RDP-Tcp dialog box is displayed.

e. On the Object tab, in the Permissions list, select the Deny check box for the Disconnect permission, and then click OK.

f. In the Advanced Security Settings for RDP-Tcp dialog box, on the Permissions tab, in the Permission entries list, select the record for Bernard Duerr, and then click Edit. The Permission Entry for RDP-Tcp dialog box is displayed.

g. On the Object tab, in the Permissions list, verify that the Allow check boxes for all permissions are selected, and then click OK.

h. In the Advanced Security Settings for RDP-Tcp dialog box, on the Permissions tab, in the Permissions entries list, select the record for Anton Kirilov, and then click Edit.

i. On the Object tab, in the Permissions list, select the Allow check box for the Disconnect permission and the Deny check box for the login permission. A Windows Security Warning dialog box appears. Click Yes.

j. Click Yes to close the RDP-Tcp Properties dialog box.

4. Close the Terminal Services Configuration snap-in.

Results: After this exercise, you should have configured the connection properties.


Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy

Exercise Overview

In this exercise, you will configure the TS connection properties by using Group Policy.

The main tasks for this exercise are as follows:

1. Configure the TS connection properties.

2. Verify that a maximum of two clients can connect to the terminal server.

Task 1: Configure the TS connection properties

1. To open the Group Policy Management snap-in on 6428A-NYC-DC1-01, click Start, click Run, in the Open box type gpmc.msc, and then click OK.

2. In the Group Policy Management snap-in, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, expand NYC, right-click Marketing, and then click Create a GPO in this domain, and Link it here.

3. In the New GPO dialog box that is displayed, type the name of the policy as GPO for TS Connection, and then click OK.

4. On the Marketing node, right-click the GPO for TS Connection link, and then click Edit.

5. In the Group Policy Management Editor page, under the Computer Configuration node, expand Policies, expand Administrative Templates, expand Windows Components, click Terminal Services, and under the Terminal Server node, click Connections.

6. In the right pane, under Setting, double-click Limit number of connections.

7. In the Limit number of connections properties dialog box, on the Setting tab, select Enabled, in the TS Maximum Connections allowed box, select 2, and then click OK.

8. In the right pane of the Group Policy Management Editor snap-in, under Setting, double-click Automatic reconnection.


9. In the Automatic reconnection Properties dialog box, select Enabled, and then click OK.

10. In the left pane of the Group Policy Management Editor snap-in, under Terminal Services node, expand the Terminal Server node, and then click Security.

11. In the right pane of the Group Policy Management Editor snap-in, under Setting, double-click Set client connection encryption level.

12. In the Set client connection encryption level Properties dialog box, select Enabled.

13. From the Encryption level drop-down list, verify that Client Compatible is selected, and then click OK.

14. In the left pane, under Terminal Services node, click Terminal Server, and then click Session Time Limits.

15. In the right pane, double-click Set time limit for disconnected sessions.

16. In the Set time limit for disconnected sessions Properties dialog box, select Enabled.

17. In the End a disconnected session box, select 5 minutes from the drop-down list, and then click OK.

18. Close the Group Policy Management Editor page.

19. Close the Group Policy Management snap-in.
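The settings made in steps 6 through 17 can be checked on the terminal server without reopening the editor, because Group Policy writes them to the registry. The script below is an added example, not part of the course material; it assumes PowerShell 2.0 or later, an elevated session on the terminal server, and that the GPO has already been applied to that computer (for example after running gpupdate /force). The function name Test-TsConnectionPolicy is hypothetical.

```powershell
# Added example (not part of the course material). Run on the terminal server
# after Group Policy has refreshed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Lab settings mapped to the registry values written by the Terminal Services
# administrative template. MaxDisconnectionTime is stored in milliseconds.
$Expected = @(
    @{ Name = 'MaxInstanceCount';      Want = 2;      Setting = 'Limit number of connections' },
    @{ Name = 'fDisableAutoReconnect'; Want = 0;      Setting = 'Automatic reconnection (Enabled)' },
    @{ Name = 'MinEncryptionLevel';    Want = 2;      Setting = 'Set client connection encryption level' },
    @{ Name = 'MaxDisconnectionTime';  Want = 300000; Setting = 'Set time limit for disconnected sessions' }
)

function Test-TsConnectionPolicy {
    param(
        [string]$Key,
        [object[]]$Expected
    )

    # A missing key means no Terminal Services policy has reached this machine.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($item in $Expected) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$item.Name]) {
            $actual = $props.($item.Name)
        }

        if ($null -eq $actual)          { $state = 'NotConfigured' }
        elseif ($actual -eq $item.Want) { $state = 'Match' }
        else                            { $state = 'Mismatch' }

        $note = ''
        # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
        if ($item.Name -eq 'MinEncryptionLevel' -and $null -ne $actual -and $actual -lt 3) {
            $note = 'Key strength follows what the client supports; High (3) requires 128-bit'
        }

        New-Object PSObject -Property @{
            Setting = $item.Setting
            Value   = $item.Name
            Want    = $item.Want
            Actual  = $actual
            State   = $state
            Note    = $note
        }
    }
}

Test-TsConnectionPolicy -Key $PolicyKey -Expected $Expected |
    Select-Object Setting, Value, Want, Actual, State, Note |
    Format-Table -AutoSize -Wrap
```

A row reported as NotConfigured means the Computer Configuration settings of the GPO have not reached this computer, which is worth ruling out before testing the two-connection limit in Task 2.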


Task 2: Verify that a maximum of two clients can connect to the terminal server

1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc, and then click OK.

2. In the Remote Desktop Connection dialog box, verify that the Computer box displays Nyc-ts, and then click Connect.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:

a. Open Control Panel.

b. Click the Network and Sharing Center icon. Verify whether NYC-DC is connected to Unidentified network.

c. Check the status of the Local Area Connection.

d. In the Network and Sharing Center window, under Tasks, click Manage network connections.

e. In the Network Connections window, right-click Local Area Connection, and then click Disable.

f. Then right-click Local Area Connection, and then click Enable.

g. Close the Network Connections window. In the Network and Sharing Center window, check whether NYC-DC is connected to WoodgroveBank.com.

3. In the Windows Security dialog box, click Use another account. Log on with the login ID WOODGROVEBANK\Baris using the password Pa$$w0rd, and then press ENTER.

4. Minimize the Nyc-ts Remote Desktop connection.

5. To log on as the second user, click Start, click Run, in the Open box type mstsc, and then click OK.

6. In the Remote Desktop Connection dialog box, verify that the Computer is Nyc-ts, and then click Connect.


7. In the Windows Security dialog box, click Use another account.

8. Log on as WOODGROVEBANK\Bernard with the password Pa$$w0rd, and then press ENTER.

9. Minimize the Nyc-ts Remote Desktop connection.

10. To log on as the third user, click Start, click Run, in the Open box type mstsc, and then click OK.

11. In the Remote Desktop Connection dialog box, verify that the Computer is Nyc-ts, and then click Connect.

12. In the Windows Security dialog box, click Use another account, log on with the login ID WOODGROVEBANK\Anton using the password Pa$$w0rd, and then click OK.

13. Observe that a message displaying “The requested session access is denied” appears on the screen. Click OK.

14. Close all the remote connections.

15. The Disconnect Terminal Services Session dialog box is displayed. Click OK.

Results: After this exercise, you should have configured the TS connection properties by using Server Group Policy.


Exercise 3: Configuring SSO by Using Client Group Policy

Exercise Overview

The main task for this exercise is to configure SSO by using client Group Policy.

Task 1: Configure the SSO setting by using client Group Policy

1. To open the Terminal Services Configuration snap-in on 6428A-NYC-DC1-01, click Start, click Run, in the Open box type tsconfig.msc, and then click OK.

2. In the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.

3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security layer box, select SSL (TLS 1.0) from the drop-down list, and then click OK.

4. Close the Terminal Services Configuration snap-in.

5. To open the Local Group Policy Editor, click Start and in the Start Search box, type gpedit.msc, and then press ENTER.

6. In the left pane, under the Computer Configuration node, expand the Administrative Templates node, expand System node, and then click Credentials Delegation.

7. In the right pane, under Setting, double-click Allow Delegating Default Credentials.

8. In the Allow Delegating Default Credentials Properties dialog box, on the Setting tab, click Enabled, and then click Show to add servers to the list.

9. In the Show Contents dialog box, click Add to add servers to the list.

10. In the Add Item dialog box, in the Enter the item to be added box, type 6428A-NYC-TS-03, and then click OK.

11. Click OK to close the Show Contents dialog box.

12. In the Allow Delegating Default Credentials Properties dialog box, click OK.

13. Close the Local Group Policy Editor.

Results: After this exercise, you should have configured SSO by using client Group Policy.
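Both halves of this exercise can be verified from the registry: the server list for Allow Delegating Default Credentials on the client, and the security layer of the RDP-Tcp connection on the terminal server. The script below is an added example, not part of the course material, and assumes PowerShell 2.0 or later; the function names are hypothetical. The policy matches list entries as service principal names of the form TERMSRV/host, so the check reports bare host names, and it also reports wildcard entries, which delegate the user's default credentials to every matching server.

```powershell
# Added example (not part of the course material); PowerShell 2.0 or later.
$CredSspKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-DefaultCredentialDelegation {
    # Run on the client. Returns one object per entry in the
    # "Allow Delegating Default Credentials" server list.
    param([string]$Key = $CredSspKey)

    $enabled = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).AllowDefaultCredentials
    if ($enabled -ne 1) {
        Write-Warning 'Allow Delegating Default Credentials is not enabled by policy.'
        return
    }

    # The server list is stored as string values in a subkey of the same name.
    $list = Get-Item -Path (Join-Path $Key 'AllowDefaultCredentials') -ErrorAction SilentlyContinue
    if (-not $list) {
        Write-Warning 'The policy is enabled but its server list is empty.'
        return
    }

    foreach ($name in $list.GetValueNames()) {
        $entry = [string]$list.GetValue($name)

        if ($entry -notmatch '^TERMSRV/') {
            $finding = 'Not in TERMSRV/<host> form; SSO will not match this entry'
        }
        elseif ($entry -match '\*') {
            $finding = 'Wildcard; credentials are delegated to every matching server'
        }
        else {
            $finding = 'OK'
        }

        New-Object PSObject -Property @{ Entry = $entry; Finding = $finding }
    }
}

function Get-RdpSecurityLayer {
    # Run on the terminal server. Reads the setting made on the General tab
    # of the RDP-Tcp Properties dialog box.
    param([string]$Key = $RdpTcpKey)

    $names = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $value = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).SecurityLayer
    if ($null -eq $value) {
        Write-Warning "SecurityLayer not found under $Key."
        return
    }

    New-Object PSObject -Property @{
        SecurityLayer = [int]$value
        Meaning       = $names[[int]$value]
        MatchesLab    = ([int]$value -eq 2)
    }
}

Get-DefaultCredentialDelegation | Format-Table Entry, Finding -AutoSize -Wrap
Get-RdpSecurityLayer | Format-List SecurityLayer, Meaning, MatchesLab
```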


Exercise 4: Troubleshooting Connectivity Issues

Exercise Overview

In this exercise, you will troubleshoot connectivity issues.

The main tasks for this exercise are as follows:

1. Verify the RDP settings, and check the event logs.

2. Verify the user and group permissions and policy settings.

3. Verify that the users are able to log on with the updated settings.

4. Shut down the virtual machines.

Task 1: Verify the RDP settings and check the event logs

1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the TS RemoteApp Manager page, under the Overview section for RDP Settings, click the Change link.

3. In the RemoteApp Deployment Settings dialog box, click the Terminal Server tab.

4. On the Terminal Server tab, ensure that the Server name box has NYC-TS.WoodgroveBank.Com.

5. Ensure that the port number in RDP Port is 3389, and then click OK to close the RemoteApp Deployment Settings dialog box.

6. Close the TS RemoteApp Manager.

7. To display the Event Viewer dialog box, click Start, click Run, in the Open box type eventvwr, and then press ENTER.

8. In the Event Viewer dialog box, expand the Windows Logs node.

9. Click Application, and check the details of any error in the events.

10. Close Event Viewer.


Task 2: Verify the user and group permissions and policy settings

1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the left pane, under the WoodgroveBank.com node, expand the NYC node, and then click Marketing.

3. In the right pane, right-click Monika Buschmann and then click Reset Password.

4. In the Reset Password dialog box, in the New password box type Pass@word1.

5. In the Confirm password box type Pass@word1, and then click OK.

6. In the Active Directory Domain Services confirmation box, click OK.

7. Close Active Directory Users and Computers snap-in.

8. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

9. In the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.

10. In the RDP-Tcp Properties dialog box, click the Security tab. The Terminal Services Configuration message box is displayed. Click OK to close the message box.

11. On the Security tab, under the Group or user names section, select Dana Birkby.

12. Click Advanced, select the record for Dana Birkby, click Edit and verify that the check box under Deny for Remote Control is not selected. If selected, clear the check box, and then click OK twice.

13. In the RDP-Tcp Properties dialog box, click the General tab.

14. In the Encryption level box, verify that the value is Client Compatible, and then click OK.

15. Close the Terminal Services Configuration snap-in.


Task 3: Verify that the users are able to log on with the updated settings

1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc, and then click OK.

2. In the Remote Desktop Connection dialog box, verify that the computer is Nyc-ts, and then click Connect.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:

a. Open Control Panel.

b. Click the Network and Sharing Center icon. Verify that NYC-DC is connected to Unidentified network.

c. Check the status of the Local Area Connection.

d. In the Network and Sharing Center window, under Tasks, click Manage network connections.

e. In the Network Connections window, right-click Local Area Connection, and then click Disable.

f. Then, right-click Local Area Connection, and then click Enable.

g. Close the Network Connections window. In the Network and Sharing Center window, verify that NYC-DC is connected to WoodgroveBank.com.

3. In the Windows Security dialog box, click Use another account, log on as WOODGROVEBANK\Monika with the password Pass@word1, and then click OK.

4. To log off Monika, click Start, point to the arrow key next to the lock computer button, and then click Log off.

5. To log on as the second user, click Start, click Run, type mstsc, and then click OK.

6. In the Remote Desktop Connection dialog box, click Connect.


7. In the Windows Security dialog box, click Use another account.

8. Log on as WOODGROVEBANK\Dana with the password Pa$$w0rd, and then click OK.

9. Close the remote connection.

10. The Disconnect Terminal Services Session dialog box is displayed. Click OK.

Task 4: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.

2. In the Close window, click Turn off machine and discard changes.

3. Click OK.

Results: After this exercise, you should have used troubleshooting techniques to resolve connectivity issues.


Module 4: Configuring Terminal Services RemoteApp and Easy Print

Lab: Configuring TS RemoteApp and Easy Print

Exercise 1: Configuring and Deploying TS RemoteApp Programs

Exercise 2: Configuring TS Easy Print

Logon Information:

• Virtual Machine 1: 6428A-NYC-DC1-01

• Virtual Machine 2: 6428A-NYC-TS-03

• User Names: Administrator/Baris

• Password: Pa$$w0rd

Estimated time: 45 minutes

Exercise 1: Configuring and Deploying TS RemoteApp Programs

Exercise Overview

In this exercise, you will install TS Web Access and create a link to Microsoft® PowerPoint Viewer for the Marketing group.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.

2. Install the TS Web Access role service.

3. Add the computer account of the TS Web Access server to the security group.


4. Specify the data source.

5. Install PowerPoint Viewer.

6. Add the PowerPoint Viewer program in the RemoteApp Programs list.

7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.

8. Determine if the RemoteApp program is enabled for TS Web Access.

9. Configure the TS Web Access server to allow access from the Internet.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.

2. Log on using the default ID as WOODGROVEBANK\Administrator and password Pa$$w0rd. The Server Manager page is displayed by default.

Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.

3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd. The Server Manager page is displayed by default.

Task 2: Install the TS Web Access role service

1. On 6428A-NYC-TS-03, in Server Manager, scroll down to the Roles Summary section, and then click the Terminal Services link. On Terminal Services, scroll down to Role Services.

2. In the Role Services section, click the Add Role Services link.

3. On the Select Role Services page, select the TS Web Access check box. The Add Role Services dialog box is displayed.

4. Review the information about the required role services for Web Server (IIS) and click Add Required Role Services, and then click Next.

5. Review the Web Server (IIS) page, and then click Next.


6. On the Select Role Services page, you are prompted to select the role services that you want to install for IIS. Then, click Next.

7. On the Confirm Installation Selections page, click Install.

8. On the Installation progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

9. On the Installation Results page, confirm that the installation of TS Web Access succeeded, and then click Close.

10. On the Server Manager page, under Role Services, confirm that TS Web Access is Installed.

11. Close the Server Manager.

Task 3: Add the computer account of the TS Web Access server to the security group

1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, click the Local Users and Groups node, and then click the Groups node.

3. In the middle pane, double-click the group name TS Web Access Computers.

4. In the TS Web Access Computers Properties dialog box, to add members in the group, click the Add button.

5. In the Select Users, Computers, or Groups dialog box, click Object Types.

6. In the Object Types dialog box, select the Computers check box, and then click OK.

7. In the Enter the object names to select (examples) box, type NYC-TS as the computer account of the TS Web Access server, click Check Names, and then click OK.

8. Click OK to close the TS Web Access Computers Properties dialog box.


Task 4: Specify the data source

1. To start Internet Explorer, click Start, click All Programs, and then click Internet Explorer.

2. To connect to the TS Web Access Web site, in the URL box, type http://NYC-TS/ts. Click the go button.

3. In the Connect to nyc-ts dialog box, log on to the site as WoodgroveBank\Administrator with the password Pa$$w0rd.

4. A message box regarding the blocked content is displayed. To add the site as a trusted site, click the Add button.

5. The Trusted sites message box is displayed. Click Add.

6. Close the Trusted sites message box.

Note: If you are already logged on to the computer, you are not prompted for the credentials. You need to add the Web site as a trusted Web site only the first time you access the site.

7. On the title bar, click the Configuration tab.

8. On the right side of the page, in the Editor Zone area, in the TS Web Access Properties section, in the Terminal server name box, type NYC-TS.

9. Click Apply to apply the changes.

Task 5: Install PowerPoint Viewer

1. Click Start, and then click Command Prompt.

2. At the command prompt, type change user /install, press ENTER, and then close the window.

3. Click Start, click Control Panel, and then double-click the Install Application on Terminal Server icon.

4. In the Install Program From Floppy Disk or CD-ROM wizard, click Next.

5. Click Browse. In the left pane, click Computer, and then browse to E:\Tools.

6. At the bottom of the page, in the Setup programs box, select All Files from the drop-down list.


7. Double-click PowerPointViewer.exe.

8. In the Run Installation Program page, click Next.

9. In the Microsoft Office PowerPoint Viewer 2007 license agreement page, select the check box to accept the license terms, and click Continue.

10. The Microsoft Office PowerPoint Viewer 2007 message box informing about the completion of the installation is displayed. Click OK.

11. On the Finish Admin Install page, click Finish.

Task 6: Add the PowerPoint Viewer program in the RemoteApp Programs list

1. Start TS RemoteApp Manager on 6428A-NYC-TS-03. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the Actions pane on the right, click Add RemoteApp Programs.

3. On the Welcome to the RemoteApp Wizard page, click Next.

4. On the Choose programs to add to the RemoteApp Programs list page, select the check box next to Microsoft Office PowerPoint Viewer 2007 program.

5. Click Microsoft Office PowerPoint Viewer 2007 program, and then click Properties.

6. In the RemoteApp Properties dialog box, verify that the check box named RemoteApp program is available through TS Web Access is selected, click OK, and then click Next.

7. On the Review Settings page, review the settings and then click Finish.

Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp program

1. Scroll down to the RemoteApp Programs list and click Microsoft Office PowerPoint Viewer 2007.

2. On the Actions pane under Microsoft PowerPoint Viewer 2007, click Create .rdp File.

3. On the Welcome to the RemoteApp Wizard page, click Next.


4. On the Specify Package Settings page:

• Keep the default location to save the program as C:\Program Files\Packaged Programs.

• Verify that the terminal server setting is NYC-TS.WoodgroveBank.com.

• Verify that the required server authentication is set to Yes.

• Verify that the port is 3389.

5. Click Next.

6. On the Review Settings page, click Finish.

Task 8: Determine if the RemoteApp program is enabled for TS Web Access

1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that a Yes value appears for TS Web Access next to Microsoft Office PowerPoint Viewer 2007, the program that you want to make available through TS Web Access.

2. Click Start, click All Programs, and then click Internet Explorer.

3. In the URL box, type http://NYC-TS/TS.

4. In the Connect to nyc-ts dialog box, provide user credentials from the Marketing group. In the User name box, type WoodGroveBank\Baris, provide the password Pa$$w0rd, and then click OK.

Task 9: Configure the TS Web Access Server to allow access from the Internet

1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the left pane of Internet Information Services (IIS) Manager, click the NYC-TS(WOODGROVEBANK\Administrator) node, click the Sites node, click the Default Web Site node, and then click TS.


3. In the middle pane, scroll down to IIS, double-click the Authentication icon.

4. Verify Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable.

Results: After this exercise, you should have installed the PowerPoint program and created a link to C:\Program Files\Packaged Programs.

Exercise 2: Configuring TS Easy Print

Exercise Overview

The main tasks for this exercise are as follows:

1. Configure the printer redirection settings.

2. Shut down the virtual machines.

Task 1: Configure the printer redirection settings

1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in. Click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the left panel, under Group Policy Management, click Forest: WoodgroveBank.com, followed by the Domains, WoodgroveBank.com, and NYC nodes, and then right-click the Marketing node.

3. Click Create a GPO in this domain, and Link it here.

4. In the New GPO dialog box, under the Name box, type GPO for RDP Link, and then click OK.

5. In the left panel, click the Marketing node, right-click GPO for RDP Link, and then click Edit.

6. In the left panel on the Group Policy Management Editor page, under Computer Configuration, click the Policies and Administrative Templates nodes, and then click the Windows Components node.

7. Under Windows Components, click the Terminal Services node, and then click the Terminal Server node.

8. In the left panel, double-click Printer Redirection.


9. In the right panel, double-click Use Terminal Services Easy Print printer driver first.

10. In the Use Terminal Services Easy Print printer driver first Properties dialog box, on the Setting tab, select Enabled, and then click OK.

11. In the right panel, double-click Redirect only the default client printer.

12. In the Redirect only the default client printer Properties dialog box, on the Setting tab, select Enabled, and then click OK.

Task 2: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.

2. In the Close window, click Turn off machine and discard changes.

3. Click OK.

Results: After this exercise, you should have configured TS Easy Print and the client print driver should have been redirected to TS.


Module 5: Configuring Terminal Services Web Access and Session Broker

Lab: Configuring TS Web Access and Session Broker

Exercise 1: Configuring TS RemoteApp Programs for TS Web Access.

Exercise 2: Customizing TS Web Access by Using WSS.

Exercise 3: Configuring TS Session Broker.

Logon Information:

• Virtual Machine 1: 6428A-NYC-DC1-01

• Virtual Machine 2: 6428A-NYC-TS-05

• Virtual Machine 3: 6428A-NYC-WEB-05

• User Name: Administrator\Bernard

• Password: Pa$$w0rd

Estimated time: 60 minutes


Exercise 1: Configuring TS RemoteApp Programs for TS Web Access

Exercise Overview

In this exercise, you will install and configure the TS Web Access role service on the terminal server and create a .msi file for Microsoft® Office PowerPoint Viewer. A link for this .msi file needs to be created so that the Marketing group can access it through a Web browser.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator.

2. Install the TS Web Access role service.

3. Determine if the RemoteApp program is enabled for TS Web Access.

4. Create an MSI file.

5. Create a link to the TS RemoteApp program on the terminal server.

6. Verify that the link is functional and available through the Web browser.

Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.

2. Log on using the default WOODGROVEBANK\Administrator user ID and password Pa$$w0rd.

3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

5. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.

6. Log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd.


Task 2: Install the TS Web Access role service

1. Start the Server Manager snap-in on 6428A-NYC-TS-05. In the snap-in, scroll down to Roles Summary, and click the Terminal Services link.

2. Scroll down to Role Services, and click the Add Role Services link.

3. On the Select Role Services page, select the TS Web Access check box.

4. In the Add Role Services message box, click Add Required Role Services.

5. On the Select Role Services page, click Next.

6. On the Web Server (IIS) page, click Next.

7. On the Select Role Services page, click Next.

8. On the Confirm Installation Selections page, click Install.

9. The Installation Progress page is displayed. Observe the progress indicator.

10. On the Installation Results page, observe that the installation of TS Web Access succeeded, and then click Close.

11. On the Server Manager page, under Role Services, verify that TS Web Access is installed.

12. Close the Server Manager.

13. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click Computer Management.

14. In the left pane of the Computer Management window, click the Local Users and Groups node, and then click Groups.

15. In the right pane, double-click TS Web Access Computers.

16. In the TS Web Access Computers Properties dialog box, click Add to add members in the group.

17. In the Select Users, Computers, or Groups dialog box, click Object Types.

18. In the Object Types dialog box, select the Computers check box, and then click OK.

19. In the Enter the object names to select (examples) box, type NYC-TS as the computer account of the TS Web Access server. Click Check Names, and then click OK.

20. Click OK to close the TS Web Access Computers Properties dialog box.

21. Click Start, click All Programs, and then click Internet Explorer.


22. In the URL box, type http://NYC-TS/ts, and then press ENTER.

23. In the Connect to nyc-ts dialog box, log on to the site by using WoodgroveBank\Administrator as the login ID and Pa$$w0rd as the password, and then click OK.

24. A message box regarding blocked content is displayed. To add the site as a trusted site, click the Add button.

25. The Trusted sites message box is displayed. Click Add.

26. Close the Trusted sites message box.

Note: If you are already logged on to the computer, you are not prompted for the credentials. You need to add the Web site as a trusted Web site only the first time you access the site.

27. On the title bar, click the Configuration tab.

28. On the right side of the page, in the Editor Zone section, in the TS Web Access Properties section, in the Terminal Server name box, type NYC-TS.

29. Click Apply to apply the changes.

Task 3: Determine if the RemoteApp program is enabled for TS Web Access

1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. Scroll down to the RemoteApp Programs list and verify that a Yes value appears for TS Web Access next to Microsoft Office PowerPoint Viewer 2007.

3. Click Microsoft Office PowerPoint Viewer 2007.

4. To enable a RemoteApp program for TS Web Access, on the Actions pane for Microsoft Office PowerPoint Viewer 2007, click Show in TS Web Access.

5. Close the TS RemoteApp Manager.

Task 4: Create an MSI file

1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. Scroll down to the RemoteApp Programs list, and click Microsoft Office PowerPoint Viewer 2007.

3. In the Actions pane for Microsoft Office PowerPoint Viewer 2007, click Create Windows Installer package.

4. On the Welcome to the RemoteApp Wizard page, click Next.

5. On the Specify Package Settings page, click Next.

6. On the Configure Distribution Package page, click Next.

7. On the Review Settings page, click Finish.

8. Close the Packaged Programs folder.

Task 5: Create a link to the TS RemoteApp program on the terminal server

1. On the TS RemoteApp Manager page, in the RemoteApp Programs list, verify that a Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint Viewer 2007.

2. Click Start, click All Programs, and then click Internet Explorer.

3. In the URL box, type http://NYC-TS/ts, and then click Go.

4. In the Connect to nyc-ts dialog box, provide a user credential from the Marketing Group. In User name, type WoodGroveBank\Bernard and type the password as Pa$$w0rd, and then click OK.

5. A message box regarding blocked content is displayed. To add the site as a trusted site, click the Add button, and then click Close.

6. Configure the TS Web Access server to allow access from the Internet. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

7. In the left pane of Internet Information Services (IIS) Manager, expand the NYC-TS (WOODGROVEBANK\Administrator) node, expand the Sites node, expand the Default Web Site node, and then click TS.

8. In the middle pane, scroll down to IIS, and double-click the Authentication icon.

9. Select Status from the Group by drop-down list. Select Enabled for Windows Authentication.

Task 6: Verify that the link is functional and available through the Web browser

1. On 6428A-NYC-WEB-05, verify that you are logged on as Woodgrovebank\Administrator with the password Pa$$w0rd.

2. Click Start, click All Programs, and then click Internet Explorer. In the URL box, type http://NYC-TS/ts, and then click Go.

3. In the Connect to nyc-ts dialog box, type the user name as WoodgroveBank\Bernard and the password as Pa$$w0rd. Then click OK.

4. The Trusted Sites message box is displayed. Click Add. Close the Trusted Sites message box.

5. Observe that Microsoft Office PowerPoint is listed in the remote application program list.

Results: After this exercise, you should have installed TS Web Access on the terminal server, created an MSI file for the remote program, created a link to the remote program, and verified that the link is functional through Internet Explorer.

Exercise 2: Customizing TS Web Access by Using WSS

Exercise Overview

In this exercise, you will create a customized Web part and export it to a WSS Web site.

The main task for this exercise is as follows:

• Add a Web part to a WSS site.

Task 1: Add a Web part to a WSS site

1. On 6428A-NYC-WEB-05, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

2. To connect to the WSS site http://nyc-web:44341/, in the authentication dialog box, type the user name as WoodgroveBank\Administrator and password as Pa$$w0rd. Then click OK.

3. On the Home page of the Central Administration site, click Site Actions, and then select Edit Page from the drop-down list.

4. On the Edit Page, in the center panel, click Add a Web Part.

5. On the Add Web Parts – Webpage Dialog page, in the Add Web Parts to Left section, under the List and Libraries section, select the Resources check box, and then click Add.

6. On the Central Administration page, under the Resources section, click the Add new link link.

7. On the Resources: New Item page, in the URL box, type http://NYC-TS/ts.

8. In the Description box, type Link for TS Web Access Web Part, and then click OK.

9. Connect to NYC-ts and click Link for TS Web Access Web Part. The Connect to nyc-ts dialog box is displayed.

10. Log on to the site as WOODGROVEBANK\Administrator with the password Pa$$w0rd. Then click OK.

The TS Web Access Web site with the remote applications list will be displayed.

Results: After this exercise, you should have added a customized Web part by using TS Web Access, and exported it to a WSS site.

Exercise 3: Configuring TS Session Broker

Exercise Overview

In this exercise, you will install the Session Broker role service and configure the TS Session Broker settings for servers in a TS farm.

The main tasks for this exercise are as follows:

1. Install the TS Session Broker role service.

2. Add each server in the farm to the Session Directory Computers local group.

3. Configure the TS Session Broker settings by using Group Policy.

4. Shut down the virtual machines.

Task 1: Install the TS Session Broker role service

1. On 6428A-NYC-TS-05, start Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

2. Scroll down to the Roles Summary section, and then click the Terminal Services link.

3. On the Terminal Services page, scroll down to Role Services, and then click the Add Role Services link.

4. On the Select Role Services page, select the TS Session Broker check box, and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. The Installation Progress page is displayed. Observe the progress indicator.

7. On the Installation Results page, confirm that the installation succeeded, and then click Close.

Task 2: Add each server in the farm to the Session Directory Computers local group

1. Click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, click the Local Users and Groups node, and then click Groups.

3. In the middle pane, right-click the Session Directory Computers group, and then click Properties.

4. In the Session Directory Computer Properties dialog box, click Add.

5. In the Select Users, Computers or Groups dialog box, click Object Types.

6. In the Object Type dialog box, select the Computers check box, and then click OK.

7. In the Enter the object names to select (examples) box, type NYC-WEB; NYC-TS, and then click Check Names. Click OK twice.

8. Close Computer Management.

Task 3: Configure the TS Session Broker settings by using Group Policy

1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the Group Policy Management snap-in, in the left pane, expand the Forest: WoodgroveBank.com node, followed by Domains and WoodgroveBank.com. Then, right-click the NYC node, and click Create a GPO in this domain, and Link it here.

3. In the New GPO dialog box, in the Name box, type GPO for TS Web Access, and then click OK.

4. In the left pane, expand the Group Policy Objects node, and expand GPO for TS Web Access.

5. In the right pane, click the Settings tab.

6. Right-click Computer Configuration, and then click Edit.

7. In the left pane, expand the Computer Configuration node, expand the Policies node, expand Administrative Templates followed by the Windows Components, Terminal Services, Terminal Server nodes, and then click TS Session Broker.

8. In the right pane, double-click the Join TS Session Broker policy setting.

9. In the Join TS Session Broker Properties dialog box, click Enabled, and then click OK.

10. Double-click the Configure TS Session Broker farm name policy setting.

11. In the Configure TS Session Broker farm name Properties dialog box, click Enabled.

12. In the TS Session Broker farm name box, type NYC-TS, and then click OK.

13. Double-click the Use TS Session Broker load balancing policy setting.

14. In the Use TS Session Broker load balancing Properties dialog box, click Enabled, and then click OK.

15. Close the Group Policy Management editor.

Task 4: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.

2. In the Close window, click Turn off machine and discard changes.

3. Click OK.

Results: After this exercise, you should have configured TS Session Broker load balancing for a farm.

Module 6: Configuring and Troubleshooting Terminal Services Gateway

Lab: Configuring and Troubleshooting TS Gateway

Exercise 1: Configuring and Monitoring TS Gateway

Exercise 2: Troubleshooting the TS Gateway Connections

Logon Information:

• Virtual Machine 1: 6428A-NYC-DC1-06

• Virtual Machine 2: 6428A-NYC-TS-05

• User Name: Administrator

• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring and Monitoring TS Gateway

Exercise Overview

In this exercise, you will install and configure the TS Gateway server role on the terminal server and create a CAP and a RAP for the HR group.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator.

2. Install the TS Gateway role.

3. Install the certificate.

4. Create a CAP for the HR group.

5. Select the pre-configured Active Directory Security group HR.

6. Create a RAP for the HR group.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.

2. Log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd. The Server Manager snap-in is displayed.

3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.

4. Log on as Administrator by using the password Pa$$w0rd. The Server Manager snap-in is displayed.

Task 2: Install the TS Gateway role

1. On 6428A-NYC-TS-05, in the Server Manager snap-in, scroll down to Roles Summary, and then click the Terminal Services link.

2. Scroll down to Role Services, and then click Add Role Services.

3. On the Select Role Services page, select the TS Gateway check box.

4. On the Select Role Services page, click Next.

5. On the Choose a Server Authentication Certificate for SSL Encryption page, select Choose a certificate for SSL encryption later, and then click Next.

6. On the Create Authorization Policies for TS Gateway page, select Later, and then click Next.

7. On the Confirm Installation Selections page, click Install. The Installation Progress page is displayed.

8. On the Installation Results page, observe that the installation for TS Gateway roles, role services, and features is successful, and then click Close.

9. Close the Server Manager snap-in.

Task 3: Install the certificate

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

2. In the TS Gateway Manager console tree, right-click NYC-TS (Local), and then click Properties.

3. On the NYC-TS Properties page, click the SSL Certificate tab, verify that the Create a self-signed certificate for SSL encryption option is selected, and then click Create Certificate.

4. In the Create Self-Signed Certificate dialog box, under Certificate name verify that NYC-TS.WoodgroveBank.com appears by default.

5. Under Certificate location, delete the default location, type c:\certificate\NYC-TS.cer, and then click OK.

6. A message box stating that TS Gateway has successfully created a self-signed certificate is displayed. Click OK twice.

7. Close the TS Gateway Manager.

8. To open the Certificates snap-in, click Start, click Run, type MMC, and then click OK. The Console1-[Console Root] window is displayed.

9. On the File menu, click Add/Remove Snap-in.

10. In the Add or Remove Snap-ins dialog box, under the Available snap-ins list, click Certificates, and then click Add.

11. In the Certificates snap-in dialog box, select Computer account, and then click Next.

12. In the Select Computer dialog box, verify that Local computer: (the computer this console is running on) is selected, and then click Finish.

13. In the Add or Remove snap-ins dialog box, click OK.

14. In the console dialog box, in the console tree, double-click the Certificates (Local Computer) node.

15. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.

16. On the Certificate Import Wizard page, click Next.

17. On the File to Import page, in the File name box type c:\certificate\NYC-TS.cer, and then click Next.

18. On the Certificate Store page, click Next.

19. On the Completing the Certificate Import Wizard page, click Finish.

20. A message stating that the import was successful is displayed. Click OK.

21. In the Console1-[Console Root] window, click File, and then click Exit.

22. A message prompting you to save the console settings to Console1 is displayed. Click No.

23. To open the TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

24. In the TS Gateway Manager console tree, right-click NYC-TS(Local), and then click Properties.

25. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify Select an existing certificate for SSL encryption (recommended) is selected, and then click Browse Certificates.

26. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com, click Install, and then click OK.

Task 4: Create a CAP for the HR group

1. In the TS Gateway Manager console tree, expand the NYC-TS(Local) node, and then expand the Policies node.

2. Under Policies, right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.

3. In the New TS CAP dialog box, on the General tab, in Policy name, type TS CAP.

4. Click the Requirements tab, under Supported Windows authentication methods, verify that Password is selected.

5. Under User group membership (required), click Add Group.

6. In the Select Groups dialog box, click Advanced, and then click Find Now.

7. Under the Search Results section, scroll down and select the group name HR, click OK twice.

8. In the New TS CAP dialog box, click the Device Redirection tab, verify that Enable device redirection for all client devices is selected, and then click OK.

9. Close the TS Gateway Manager.

Task 5: Select the pre-configured Active Directory Security group HR

1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console tree, under the WoodgroveBank.com node, click Users.

3. In the right pane, click HR Security Group.

4. Right-click HR Security Group, click Properties.

5. In the HR Properties dialog box, click the Members tab, and then click Add.

6. In the Select Users, Contacts, Computers or Groups dialog box, click Object Types.

7. Select the Computers check box, and then click OK.

8. Click Advanced, and then click Find Now.

9. Under the Search Results section, scroll down to select the computer name as NYC-TS, click OK. Then click OK twice.

10. Close Active Directory Users and Computers.

Task 6: Create a RAP for the HR group

1. Start the TS Gateway Manager on 6428A-NYC-TS-05. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

2. In the console tree, open the NYC-TS (Local) folder.

3. Open the Policies folder, and then right-click the Resource Authorization Policies folder, point to Create New Policy, and then click Custom.

4. In the New TS RAP dialog box, on the General tab, in Policy name, type TS RAP.

5. On the User Groups tab, click Add.

6. In the Select Groups dialog box, click Advanced, click Find Now.

7. Under the Search Results section, scroll down to select the group name HR, and then click OK twice.

8. Click the Computer Group tab, verify Select an existing Active Directory security group is selected, and then click Browse.

9. In the Select Groups dialog box, click Advanced, and then click Find Now.

10. Under the Search Results section, scroll down to select group HR, and then click OK twice.

11. Click Allowed Ports tab, verify Allow connections only through TCP port 3389 is selected, and then click OK.

Results: After this exercise, you should have installed the TS Gateway Server role service and created a TS CAP and TS RAP for the HR group.

Exercise 2: Troubleshooting the TS Gateway Connections

Exercise Overview

In this exercise, you need to verify that the TS Gateway server certificate has not expired. You also need to check the TS CAP and RAP for the HR group. In addition, you need to verify the existence of the user Baris in the HR group and add a new user Bernard to the HR group.

The main tasks for this exercise are as follows:

1. Verify that the TS Gateway Server certificate has not expired.

2. Verify that the TS CAP is accurate.

3. Verify that the TS RAP is accurate.

4. Verify that the user Baris exists in the HR group.

5. Add Bernard to the HR group.

6. Verify that the TS RAP is functional.

7. Shut down the virtual machines.

Task 1: Verify that the TS Gateway Server certificate has not expired

1. In the TS Gateway Manager, in the console tree, right-click NYC-TS (Local), and then click Properties.

2. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify Select an existing certificate for SSL encryption (recommended) is selected, and then click Browse Certificates.

3. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com.

4. Click View Certificate, and then, in the Valid from field, verify that the certificate has not expired.

5. Click OK, click Cancel, and then click OK.
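
The validity check in this task, together with the Trusted Root import from Task 3 of Exercise 1, can also be scripted. The PowerShell below is an added example, not part of the original courseware. It assumes the lab's export path c:\certificate\NYC-TS.cer and certificate name NYC-TS.WoodgroveBank.com; Test-GatewayCertificate and the 30-day warning window are hypothetical choices.

```powershell
# Added example (not from the courseware). Reads the exported TS Gateway
# certificate and reports the properties this lab verifies by hand.
# Assumptions: the .cer path and host name are the lab's values;
# Test-GatewayCertificate and the WarnDays default are hypothetical.
function Test-GatewayCertificate {
    param(
        [string]$CerPath      = 'C:\certificate\NYC-TS.cer',
        [string]$ExpectedName = 'NYC-TS.WoodgroveBank.com',
        [int]$WarnDays        = 30
    )

    if (-not (Test-Path $CerPath)) {
        throw "Certificate file not found: $CerPath"
    }

    # .NET resolves relative paths against the process directory, so pass
    # the fully resolved file system path.
    $fullPath = (Resolve-Path $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

    # Validity window: the certificate is usable only between NotBefore
    # and NotAfter (both are returned in local time).
    $now      = Get-Date
    $started  = $now -ge $cert.NotBefore
    $expired  = $now -gt $cert.NotAfter
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    # Name the client compares with the gateway FQDN it was told to use.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName  = $cert.GetNameInfo($nameType, $false)
    $nameOk   = $dnsName -eq $ExpectedName   # -eq is case-insensitive

    # A self-signed certificate has identical subject and issuer.
    $selfSigned = $cert.Subject -eq $cert.Issuer

    # Is this exact certificate present in LocalMachine\Root?
    $storeName = [System.Security.Cryptography.X509Certificates.StoreName]::Root
    $storeLoc  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, $storeLoc
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $inRoot = $false
    foreach ($c in $store.Certificates) {
        if ($c.Thumbprint -eq $cert.Thumbprint) { $inRoot = $true }
    }
    $store.Close()

    # Reduce the individual checks to one status string, worst case first.
    if     (-not $started)                { $status = 'NOT YET VALID' }
    elseif ($expired)                     { $status = 'EXPIRED' }
    elseif (-not $nameOk)                 { $status = 'NAME MISMATCH' }
    elseif ($selfSigned -and -not $inRoot) { $status = 'UNTRUSTED (self-signed, not in Root)' }
    elseif ($daysLeft -lt $WarnDays)      { $status = 'EXPIRING SOON' }
    else                                  { $status = 'OK' }

    # Build the report object (Add-Member form also works on PowerShell 1.0).
    $report = New-Object PSObject
    $report | Add-Member NoteProperty Status             $status
    $report | Add-Member NoteProperty Subject            $cert.Subject
    $report | Add-Member NoteProperty DnsName            $dnsName
    $report | Add-Member NoteProperty NameMatches        $nameOk
    $report | Add-Member NoteProperty NotBefore          $cert.NotBefore
    $report | Add-Member NoteProperty NotAfter           $cert.NotAfter
    $report | Add-Member NoteProperty DaysRemaining      $daysLeft
    $report | Add-Member NoteProperty SelfSigned         $selfSigned
    $report | Add-Member NoteProperty InLocalMachineRoot $inRoot
    $report | Add-Member NoteProperty Thumbprint         $cert.Thumbprint
    $report
}

# Run against the lab's exported certificate and show every field.
Test-GatewayCertificate | Format-List
```

Run it on each computer that connects through the gateway: InLocalMachineRoot shows whether the self-signed certificate was imported there, and the Thumbprint value can be compared across machines to confirm they trust the same certificate.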

Task 2: Verify that the TS CAP is accurate

1. In the console tree, under the NYC-TS (Local) node, under the Policies node, click Connection Authorization Policies.

2. In the right pane, right-click TS CAP policy, and then click Properties.

3. In the TS CAP Properties dialog box, on the General tab, verify that Enable this policy is selected.

4. Click the Requirements tab. Under Supported Windows authentication methods, verify that Password is selected.

5. Under User group membership (required), verify that WOODGROVEBANK\HR group exists.

6. Click Device Redirection tab, verify Enable device redirection for all client devices is selected, and then click OK.

Task 3: Verify that the TS RAP is accurate

1. In TS Gateway Manager, under the Policies node, click Resource Authorization Policies.

2. In the right-pane, right-click TS RAP policy, and then click Properties.

3. In the TS RAP Properties dialog box, on the General tab, verify Enable this policy is selected.

4. Click the User Groups tab and verify that the WOODGROVEBANK\HR group exists.

5. Click the Computer Group tab, under Select an existing Active Directory security group, verify that WOODGROVEBANK\HR exists.

6. Click Allowed Ports tab, verify Allow connections only through TCP port 3389 is selected, and then click OK.

7. Close the TS Gateway Manager.

Task 4: Verify that the user Baris exists in the HR group

1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the Active Directory Users and Computers console tree, under WoodgroveBank.com, click Users.

3. In the right pane, click HR Security Group.

4. Right-click HR Security Group, click Properties.

5. In the HR Properties dialog box, click the Members tab, verify user Baris Cetinok exists, and then click OK.

Task 5: Add Bernard to the HR group

1. In Active Directory Users and Computers, under WoodgroveBank.com, click Users.

2. In the right pane, right-click HR Security group, and then click Properties.

3. In the HR Properties dialog box, click the Members tab, and then click Add.

4. In the Select Users, Contacts, Computers or Groups dialog box, click Advanced, and then click Find Now.

5. Scroll down to select the user name Bernard Duerr, and then click OK.

6. In the Active Directory Domain Services dialog box, click OK twice.

7. Close Active Directory Users and Computers.

Task 6: Verify that the TS RAP is functional

1. On 6428A-NYC-TS-05, click Start, click Run, type \\NYC-TS\certificate, and then click OK.

2. In the Certificate (\\NYC-TS) Explorer, select NYC-TS.cer.

3. Right-click NYC-TS.cer, click Install Certificate.

4. The Open file – Security Warning dialog box is displayed, click Open.

5. On the Welcome to the Certificate Import Wizard page, click Next.

6. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.

7. In the Select Certificate Store dialog box, select Trusted Root Certification Authorities, click OK, and then click Next.

8. On the Completing the Certificate Import Wizard page, click Finish.

9. A message box that the import was successful is displayed, click OK.

10. Close Certificate Explorer.

11. On 6428A-NYC-DC1-06, click Start, click Run, type mstsc, and then click OK.

12. In the Remote Desktop Connection dialog box, click Options, click the Advanced tab, and then click Settings.

13. On the TS Gateway Server Settings page, select Use these TS Gateway Server settings.

14. In the Server name box, type NYC-TS.woodgrovebank.com, in the Logon method box select Ask for password (NTLM) from the drop-down list, and then click OK.

15. Click the General tab, in the Computer box, type NYC-TS, and then click Connect.

16. In the Windows Security dialog box, type user name as Woodgrovebank\Baris and password as Pa$$w0rd, and then click OK.

17. Close Remote Desktop Connection.

Task 7: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.

2. In the Close window, click Turn off machine and discard changes.

3. Click OK.

Results: After this exercise, you should have verified that the configuration of TS Gateway is correct and the user Baris exists in the HR group. In addition, you should have added a new user Bernard to the HR group.

Module 7: Managing and Monitoring Terminal Services

Lab: Managing and Monitoring TS

Exercise 1: Managing the TS Connections

Exercise 2: Monitoring the TS Connections

Exercise 3: Configuring WSRM for TS

Logon Information:

• Virtual Machine 1: 6428A-NYC-DC1-06

• Virtual Machine 2: 6428A-NYC-TS-07

• Virtual Machine 3: 6428A-NYC-WEB-05

• User Names: Administrator/Susan

• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Managing the TS Connections

Exercise Overview

In this exercise, you will configure the TS Gateway settings on the client computer. You will then disconnect the NOC technician’s computer and reset the connection.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator.

2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.

3. Configure the TS Gateway settings on the client.

4. Manage the TS connections on the terminal server.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.

2. The default login ID WOODGROVEBANK\Administrator is displayed. Log on with the password Pa$$w0rd.

Note: Wait for the domain controller, 6428A-NYC-DC1-06, logon screen to appear before starting 6428A-NYC-TS-07 virtual machine.

3. Start 6428A-NYC-TS-07 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator with the password Pa$$w0rd.

5. On 6428A-NYC-DC1-06, to verify the membership of the NYC-TS, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

6. In the left pane, click the Computers node.

7. In the right pane, verify that the computer name NYC-TS exists.

Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan

1. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.

2. Log on as WoodgroveBank\Susan who belongs to the NOC Department by using the password Pa$$w0rd.

Task 3: Configure the TS Gateway settings on the client

1. To configure TS Gateway on 6428A-NYC-WEB-05, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.

2. In the Remote Desktop Connection dialog box, click Options, and then click the Advanced tab.

3. On the Advanced tab, under Connect from anywhere area, click Settings.

4. Under Connection settings, select Use these TS Gateway server settings.

5. In the Server name box, verify that the FQDN of TS Gateway Server is NYC-TS.Woodgrovebank.com.

6. Under Logon method, verify that Ask for password (NTLM) is selected in the drop-down list.

7. Verify that the Bypass TS Gateway server for local address check box is not selected. If selected, then clear the check box and then click OK.

8. Click the General tab. Under Logon settings, in the Computer box, type NYC-TS.

9. Click Save, and then click Connect.

10. In the Windows Security dialog box, enter the login ID as Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click OK.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:

a. Log off WoodgroveBank\Susan on 6428A-NYC-WEB-05.

b. Log on to 6428A-NYC-WEB-05 as Administrator with the password Pa$$w0rd.

c. Open Control Panel.

d. Click the Network and Sharing Center icon. Verify that NYC-WEB is connected to Unidentified network.

e. Check the status of the Local Area Connection.

f. In the Network and Sharing Center window, under Tasks, click Manage network connections.

g. In the Network Connections window, right-click Local Area Connection, and then click Disable.

h. Then, right-click Local Area Connection and click Enable.

i. Close the Network Connections window. In the Network and Sharing Center window, check whether NYC-WEB is connected to WoodgroveBank.com.

11. Log off as administrator and log on as WoodgroveBank\Susan using the password Pa$$w0rd.

Task 4: Manage the TS connections on the terminal server

1. To log off all TS Gateway connections on 6428A-NYC-TS-07, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Manager.

a. In Terminal Services Manager, the Terminal Services Manager dialog box is displayed, click OK. In the left panel, select NYC-TS.

b. In the middle panel, on the Users tab, observe that the RDP-Tcp#0 Session for Susan has the state as Active.

c. In the middle panel, select the user Susan. In the right panel, under Actions, click Logoff.

d. The Terminal Services Manager message box about the selected user getting logged off is displayed. Click OK.

e. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC connection before moving on to the next steps.

2. Disconnect all TS Gateway connections.

a. In the middle panel, select the user Susan. In the right panel, under Actions, click Disconnect.

b. The Terminal Services Manager message box about the selected user getting disconnected is displayed. Click OK.

c. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC connection before moving on to the next steps.


3. Reset all TS Gateway Connections.

a. In the middle panel, select the user Susan. In the right panel, under Actions, click Reset.

b. The Terminal Services Manager message box about the selected user getting reset is displayed. Click OK.

c. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Log off from 6428A-NYC-WEB-05 and then log on again using WOODGROVEBANK\Administrator with the password Pa$$w0rd.

4. Close the Terminal Services Manager.

Results: After this exercise, you should have configured the TS Gateway settings on the client and managed TS connections remotely.


Exercise 2: Monitoring the TS Connections

Exercise Overview

In this exercise, you need to monitor the TS connections by using the TS Gateway Manager and specify the TS Gateway events to be logged.

The main tasks for this exercise are:

1. Connect to the remote computer.

2. Monitor TS Gateway.

3. Specify the TS Gateway events to be logged.

Task 1: Connect to the remote computer

1. To connect using TS Gateway on 6428A-NYC-WEB-05, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.

2. In the Remote Desktop Connection dialog box, click Connect.

3. In the Windows Security dialog box, the login ID is displayed as Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click OK.

Task 2: Monitor TS Gateway

1. On 6428A-NYC-TS-07, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

2. In TS Gateway Manager, expand the NYC-TS node, and then expand Monitoring.

3. Select Susan’s session in the middle panel.

4. In the Actions panel, under Monitoring, click Edit Connection. The NYC-TS Properties dialog box is displayed.

5. Click Limit maximum allowed simultaneous connections to and select 2 in the spin box, and then click OK.

6. In the Actions panel, under Monitoring, click Set Automatic Refresh Options.


7. In the Set Automatic Refresh Options dialog box, verify that Refresh automatically is selected and that 0:30:0 seconds is selected in the spin box, and then click OK.

8. In the middle panel, right-click Susan, and then click Disconnect This Connection. The TS Gateway message box about disconnecting Susan Burk from the computer NYC-TS is displayed. Click Yes.

9. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of Exercise 1 to set up the RDC connection before moving on to the next steps.

Task 3: Specify the TS Gateway events to be logged

1. In the TS Gateway Manager, right-click NYC-TS (Local), and then click Properties.

2. In the NYC-TS Properties dialog box, on the Auditing tab, select all the checkboxes that you want to monitor for TS Gateway, and then click OK.

3. Close the TS Gateway Manager.

4. To check the event log, click Start, click Administrative Tools, and click Event Viewer.

5. On the Event Viewer page, in the middle panel, check the Overview and Summary page.

6. Under Summary of Administrative Events, scroll down and click the Audit Success node.

7. In the Actions panel, under Audit Success, click View All Instances of This Event.

8. In the middle panel, under Summary page events, view the event logs.

9. Close the Event Viewer.

Results: After this exercise, you should have monitored TS Gateway and specified the events to be logged for TS Gateway.
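
The audit events enabled in Task 3 can also be reviewed from PowerShell on the gateway server instead of through Event Viewer. The script below is an added example, not part of the courseware; the channel name and the event-ID meanings are assumptions to confirm on your own server.

```powershell
# Added example (not from the courseware): review TS Gateway audit events
# from the command line. Run on the gateway server in an elevated
# PowerShell 2.0+ session.

# Assumption: the gateway's audit events land in this channel.
# Confirm the name with:  wevtutil el | findstr /i Gateway
$LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

# Assumption: event IDs as commonly documented for TS Gateway auditing.
$Meaning = @{
    200 = 'CAP met (user authorized to use the gateway)'
    201 = 'CAP not met (gateway access denied)'
    300 = 'RAP met (resource access authorized)'
    301 = 'RAP not met (resource access denied)'
    302 = 'Connected to resource'
    303 = 'Disconnected from resource'
    304 = 'Authorized, but connection to resource failed'
}
$Denied = 201, 301, 304

# Build an XPath filter covering every ID above, limited to the last 24 hours.
$idClause = ($Meaning.Keys | Sort-Object | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath = "*[System[($idClause) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

$events = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning "No TS Gateway audit events found in $LogName. Check the Auditing tab and the channel name."
    return
}

# Count per event ID, so a spike in denials stands out.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    New-Object PSObject -Property @{
        EventId = [int]$_.Name
        Count   = $_.Count
        Meaning = $Meaning[[int]$_.Name]
    }
} | Format-Table EventId, Count, Meaning -AutoSize

# Show the denied or failed attempts in full; these are the ones to investigate.
$events | Where-Object { $Denied -contains $_.Id } |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message
```

If the summary shows only connect and disconnect events, the policy-related check boxes on the Auditing tab were probably left cleared.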


Exercise 3: Configuring WSRM for TS

Exercise Overview

The main tasks for this exercise are as follows:

1. Install WSRM on TS.

2. Configure the TS resource allocation policy for per session.

3. Monitor TS performance by using Resource Monitor.

4. Configure the TS resource allocation policy for per user.

5. Shut down the virtual machines.

Task 1: Install WSRM on TS

1. To start the Server Manager snap-in on 6428A-NYC-TS-07, click Start, point to Administrative Tools, and then click Server Manager.

2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.

3. In the Add Features Wizard, on the Select Features page, scroll down and select the Windows System Resource Manager check box. If the Add Features Wizard message box is displayed, informing you that Windows Internal Database also needs to be installed for WSRM to work properly, click Add Required Features, and then click Next.

4. On the Confirm Installation Selections page, click Install.

5. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.

6. On the Installation Results page, confirm that the installation of Windows Internal Database and WSRM succeeded, and then click Close.

7. Close the Server Manager.

8. To start the WSRM snap-in, click Start, point to Administrative Tools, and then click Windows System Resource Manager.

9. In the Connect to computer dialog box, under Administer, verify This computer is selected, and then click Connect to enable the WSRM to administer the local computer.


Task 2: Configure the TS resource allocation policy for per session

1. To implement the Equal_Per_Session resource-allocation policy, on the Windows System Resource Manager snap-in, in the left pane, click the Resource Allocation Policies node.

2. Right-click Equal_Per_Session and then click Set as Managing Policy.

3. If the End Snap-In dialog box appears stating that the snap-in is not responding, click Cancel.

4. If a Warning dialog box is displayed informing you that the calendar will be disabled, click OK.

Task 3: Monitor TS performance by using Resource Monitor

1. On the Windows System Resource Manager snap-in, in the navigation tree, click Resource Monitor.

2. Review the performance data.

3. In the middle pane, on the toolbar, click Properties.

4. In the Properties dialog box, click the Graph tab.

5. On the Graph tab, in the View box, select Report from the drop-down list, and then click OK.

6. Observe the report for Equal_Per_Session.

7. To configure the notification options, in the left pane, right-click Windows System Resource Manager (Local), and then click Properties. The Windows System Resource Manager Properties dialog box is displayed.

8. Click the Notification tab, and then select Enable e-mail notification.

9. In Notify these e-mail aliases, type [email protected].

10. In Use this SMTP server, type NYC-TS.woodgrovebank.com.

11. In Select the event log messages, select two or more events. To view the list of events for each category, click the Error node, followed by the Warning and Information nodes.

12. Click each category, and then select two or more events in each category.

13. When you have finished selecting the events, click OK.


Task 4: Configure the TS resource allocation policy for per user

1. To implement the Equal_Per_User resource-allocation policy, in the Windows System Resource Manager snap-in, in the console tree, click the Resource Allocation Policies node.

2. Right-click Equal_Per_User and then click Set as Managing Policy.

3. If a dialog box appears informing you that the calendar will be disabled, click OK.

Task 5: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.

2. In the Close window, click Turn off machine and discard changes.

3. Click OK.

Results: After this exercise, you should have configured WSRM, configured resource allocation policies, and monitored the TS performance by using the Resource Monitor.