6428a configuring and troubleshooting windows server 2008 terminal services
OFFICIAL MICROSOFT LEARNING PRODUCT
6428A Configuring and Troubleshooting Windows Server 2008 Terminal Services
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Product Number: 6428A
Part Number: X17-41897
Released: 06/2008
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or “MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as “Evaluation Software” may be used by Students solely for their personal training outside of the Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use;
• You will not republish or post the Academic Materials on any network computer or broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to Microsoft’s benefit in the format provided below:
Form of Notice:
© 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else’s use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as “Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.
DISCLAIMER OF WARRANTY. The licensed content is provided “as is.” Any use of this licensed content is at your sole risk. Microsoft gives no other express warranties. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to US $5.00. You cannot claim compensation for any other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the licensed content, services, or content (including code) on third-party Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort, to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any kind, the above limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.
Contents
Module 1: Configuring Terminal Services Core Functionality
Lesson 1: Configuring the TS Server Role Service
Lesson 2: Configuring the TS Settings
Lab: Configuring TS Core Functionality
Module 2: Configuring and Managing Terminal Services Licensing
Lesson 1: Configuring TS Licensing
Lesson 2: Managing TS Licenses
Lab: Demonstration: Configuring and Managing TS Licensing
Module 3: Configuring and Troubleshooting Terminal Services Connections
Lesson 1: Configuring the TS Connection Properties
Lesson 2: Configuring the TS Connection Properties by Using Group Policy
Lesson 3: Troubleshooting TS Connections
Lab: Configuring and Troubleshooting the TS Connections
Module 4: Configuring Terminal Services RemoteApp and Easy Print
Lesson 1: Installing Applications
Lesson 2: Configuring RemoteApp Programs
Lesson 3: Configuring Printers
Lab: Configuring TS RemoteApp and Easy Print
Module 5: Configuring Terminal Services Web Access and Session Broker
Lesson 1: Installing TS Web Access
Lesson 2: Configuring TS Session Broker
Lab: Configuring TS Web Access and Session Broker
Module 6: Configuring and Troubleshooting Terminal Services Gateway
Lesson 1: Configuring TS Gateway
Lesson 2: Monitoring and Troubleshooting TS Gateway Connections
Lab: Configuring and Troubleshooting TS Gateway
Module 7: Managing and Monitoring Terminal Services
Lesson 1: Methods for Managing and Monitoring TS
Lesson 2: Configuring Windows System Resource Manager for TS
Lab: Managing and Monitoring TS
Lab Answer Keys
About This Course
This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.
Course Description
This two-day instructor-led course introduces you to Microsoft® Windows Server® 2008 Terminal Services. The course prepares you for configuring and managing the TS roles—TS licensing, Gateway, and Web Access—as well as monitoring and troubleshooting a TS environment.
Audience
The primary audiences for this course include Technology Specialists in an enterprise environment as well as individuals who are assuming a new role requiring skills to manage connections served by a terminal server session over the intranet, extranet, and Internet.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Course 6420: Fundamentals of a Windows Server 2008 Network Infrastructure and Application Platform
• Course 6421: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure
or
• Microsoft Windows Server 2003 Terminal Server experience in an enterprise environment as follows:
• Minimum of one year of experience in administering and supporting TS
• Minimum of one year of experience in administering and supporting Windows Server 2003 or Windows Server 2003 R2
• Minimum of one year of experience in administering certificate services
• Network + certification
Course Objectives
After completing this course, students will be able to:
• Configure the TS role.
• Manage TS licensing.
• Configure TS connection properties by using the Terminal Services Configuration snap-in and Group Policy.
• Configure TS Easy Print and TS RemoteApp programs.
• Configure the TS Web Access role service.
• Configure the TS Session Broker role for a load-balanced TS farm.
• Configure and troubleshoot TS Gateway.
• Maintain TS connections post installation and configure Windows System Resource Manager (WSRM) for TS.
Course Outline
This section provides an outline of the course:
Module 1, "Configuring Terminal Services Core Functionality" prepares you for installing and configuring the TS role. The module also introduces the new core functionality in TS, lists the considerations for using a standalone instance and a farm, and briefly explains how to configure the TS settings.
Module 2, "Configuring and Managing Terminal Services Licensing" introduces you to TS Licensing and covers how the license server and terminal server need to be configured for issuing and managing licenses. The module also includes installing Per User and Per Device TS Client Access Licenses (CALs) on the license server as well as managing the licensing lifecycle.
Module 3, "Configuring and Troubleshooting Terminal Services Connections" introduces the connection properties that can be set by using either the Terminal Services Configuration snap-in or Group Policy. Besides setting these properties, the module also covers configuring the authentication and encryption levels, Desktop Experience and Plug and Play (PnP) Device Redirection Framework, and Single Sign-On (SSO) for user profiles. The module ends with troubleshooting connectivity issues.
Module 4, "Configuring Terminal Services RemoteApp and Easy Print" starts with discussing the types of applications that can be installed on the terminal server. The module then provides an overview of RemoteApp programs, advantages of using these programs, and the methods used to deploy them on the terminal server. Also covered in the module is TS Easy Print, which facilitates printer redirection over a TS session.
Module 5, "Configuring Terminal Services Web Access and Session Broker" provides the steps for installing and configuring RemoteApp programs by using TS Web Access. The module also covers a separate role service, the TS Session Broker, which facilitates reconnection to an existing session in a load-balanced TS farm.
Module 6, "Configuring and Troubleshooting Terminal Services Gateway" explains how to install and configure the TS Gateway role service. The module also covers how to manage TS Connection Authorization Policies (CAPs) and TS Resource Authorization Policies (RAPs). Following a brief introduction to Network Access Protection (NAP), the module goes on to discuss troubleshooting TS Gateway.
Module 7, "Managing and Monitoring Terminal Services" explains the tasks involved in managing and monitoring TS Connections. The module also introduces the enhanced features of WSRM and how to configure WSRM.
Course Materials
The following materials are included with your kit:
• Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
• Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s needed.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Provides additional resources pertaining to this course.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your finger tips when it’s needed.
• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, Microsoft Press®
• Send Us Your Feedback Instructions: Provide you with an opportunity to send feedback on all aspects of the course.
Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.
• Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Virtual Server 2005 to perform the labs.
Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course:
Virtual machine    Role
NYC-DC1            A Domain Controller for woodgrovebank.com
NYC-TS             Terminal server with terminal services installed
NYC-WEB            A member of the woodgrovebank.com domain
Software Configuration
The following software is installed on each VM:
• Windows Server 2008 Enterprise
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Configuring Terminal Services Core Functionality 1-1
Module 1 Configuring Terminal Services Core Functionality
Contents:
Lesson 1: Configuring the TS Server Role Service
Lesson 2: Configuring the TS Settings
Lab: Configuring TS Core Functionality
Module Overview
TS in Windows Server 2008 has been upgraded to incorporate improved features that are especially useful for organizations with branch offices. This module introduces the new features in TS and prepares you for installing and configuring the TS server role service.
The module also includes considerations for using a standalone instance and a farm, as well as configuring the TS settings.
Lesson 1 Configuring the TS Server Role Service
TS in Windows Server 2008 includes new core functionality that provides enhanced features to remotely deploy and access applications. This new core functionality includes Remote Desktop Connection (RDC) 6.1, Remote Desktop Connection Display improvements, and Plug and Play (PnP) device redirection.
The TS server role service can be installed as a standalone instance or in a farm with multiple terminal servers.
TS Features
Key Points
TS in Windows Server 2008 allows users to connect to a server running Windows-based programs or the full Windows desktop.
In addition, Windows Server 2008 TS also provides:
• A secure and encrypted connection between remote users and the resources on a local network.
• Support for Embedded Point of Service (POS) device redirection.
• Support for Network Access Protection (NAP) that enforces network authentication.
• A new role management tool and an improved scalable spooler.
• Support for Microsoft Internet Protocol version 6 (IPv6) that enables peer-to-peer and mobile applications.
• The Windows System Resource Manager (WSRM) tool to manage system resources by using preconfigured policies or custom resource policies.
Question: Which features of Windows Server 2008 TS will be useful in your organization?
For more information about TS features, see "What's New in Terminal Services for Windows Server 2008" on the Microsoft TechNet Web site.
Installing the TS Server Role Service
Key Points
You can install the TS server role service by using the Server Manager, if no other TS role services, such as the TS Gateway and TS Licensing, are installed on the server. If a TS role service is already installed on the server, the Terminal Services check box will be selected and dimmed. You then need to select the "To install the Terminal Server role server when Terminal Services is already installed" option.
For more information about installing the TS server role, see "Terminal Server Installation" on the Microsoft TechNet Web site.
Authentication Modes
Key Points
Two types of authentication modes can be used on a terminal server:
• User authentication supported by password, smart card, Windows NT LAN Manager (NTLM), and one-time password (OTP) over encrypted channels
• Host level authentication supported by Kerberos and Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates
NTLM authentication is mostly used for stand-alone systems on the network. The Kerberos authentication protocol provides a more secure network connection than traditional authentication methods.
You can also configure Single Sign-On (SSO) on the terminal server. SSO is an access method that allows a client to gain access to multiple systems with a single set of credentials.
Note: Besides providing the Basic authentication method, Windows Server 2008 also provides Network Level Authentication. If you select this method, only clients running Windows Server 2008 or Microsoft Windows Vista with RDC version 6.0, or later, will be able to connect to the terminal server.
For more information about authentication modes, see "Windows Server 2008 Technical Review" and "Single Sign-On for Terminal Services" on the Microsoft TechNet Web site.
TS Core Functionality
Key Points
The following are the requirements for configuring TS core functionality on the client:
• High resolution monitors, such as super video graphics array (SVGA) or 1680 x 1050 or 1920 x 1200
• Windows portable devices
• Embedded POS for .NET devices
The core functionality works with:
• RDC 6.0 available with Windows Vista and Microsoft Windows XP
• RDC 6.1 available with Windows Server 2008
For more information about TS core functionality, see "What’s New in Terminal Services for Windows Server 2008" on the Microsoft TechNet Web site.
Remote Desktop Connection 6.1
Key Points
RDC 6.1:
• Is available with Windows Server 2008 and Windows Vista with SP1.
• Supports Remote Desktop Protocol (RDP) 6.1 on the client computer.
As an administrator, you can remotely connect to a Windows Server 2008-based server by using the new /admin switch introduced in RDC 6.1. RDC 6.1 does not support the /console switch used in Microsoft Windows Server 2003. However, to connect to a physical console session on Windows Server 2003-based server from Windows Vista SP1, you can use the mstsc.exe /admin command.
For more information about RDC, see "Terminal Services Core Functionality" on the Microsoft TechNet Web site.
Remote Desktop Connection Display
Key Points
Both RDC 6.0 and RDC 6.1 support higher-resolution desktops and provide for spanning of multiple monitors horizontally to form a single large desktop.
You can also set a custom display resolution in a .rdp file using the RemoteApp Microsoft Management Console (MMC) or at the command prompt.
To set a custom display resolution in a .rdp file by using a text editor, add or change the following settings:
desktopwidth:i:<width>
desktopheight:i:<height>
To set a custom display resolution at the command prompt, use the mstsc.exe command as follows:
mstsc.exe /w:<width> /h:<height>
In the syntax, <width> and <height> are the resolution values—for example, 1680 and 1050.
Spanning of a session across multiple monitors requires:
• Same resolution on all the monitors—for example, all monitors having 1024 x 768 resolution
• Horizontal alignment of all monitors
• Total resolution of all monitors not to exceed 4096 x 2048
You can enable spanning of the same session across multiple monitors by changing the settings in a .rdp file or at the command prompt.
To set spanning in a .rdp file using a text editor, add or modify the following setting:
Span:i:<num>
If <num> = 0, then monitor spanning is disabled and if <num> = 1, then monitor spanning is enabled.
To set spanning at the command prompt, type the following command:
mstsc.exe /span
Question: In which scenarios, would custom display resolution and spanning help in an organization?
For more information about RDC display, see "Remote Desktop Connection Display" on the Microsoft TechNet Web site.
Remote Desktop Experience
Key Points
In Windows Server 2008 TS, you can further enhance the end-user’s experience of connecting to a remote desktop with the Desktop Experience feature. This feature provides the functionality of Windows Vista such as Windows Media® Player 11, desktop themes, and photo management.
The TS client computers with Windows Vista include the Windows Aero™ interface that shows:
• Translucent glass windows
• Customized lightweight window colors
• Open windows in a three-dimensional stack on the desktop
• Subtle animations supporting the repositioning of windows
Note: The desktop composition feature using Windows Aero works from a Vista client to a Vista terminal server only.
Windows Server 2008 also provides the ClearType® feature that is now supported over RDP. This feature works by smoothing the characters, thus making it easier to read text on LCD screens. Because this feature was not supported over RDP prior to Windows Server 2008, text over TS was displayed in low resolution.
The smoothing of fonts is also available on client computers having:
• Windows Vista
• Windows Server 2003 with SP1 and SP2 and RDC 6.0
• Windows XP with SP2 and RDC 6.0
Device Redirection
Key Points
The new PnP Redirection Framework provided in Windows Server 2008 enhances the PnP device redirection over RDP. The PnP device redirection, however, is not available for nested terminal server connections. For example, a client computer with a PnP device is redirected to a session with terminal server 1. The client then connects to another session with terminal server 2 from within the terminal server 1 session. The PnP device will not be available for this session with terminal server 2. Windows Server 2008 also redirects devices that use POS for .NET 1.11.
Note: POS redirection is not supported if the terminal server has x86-based version of Windows Server 2008.
You can enable POS for .NET device redirection by editing the .rdp file used to connect to the terminal server as follows:
redirectposdevices:i:<value>
In the above syntax, if <value> = 0, POS for .NET device redirection is disabled and if the <value> = 1, it is enabled.
For more information about device redirection, see "Plug and Play Device Redirection for Media Players and Digital Cameras" and "Microsoft Point of Service for .NET Device Redirection" on the Microsoft TechNet Web site.
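The .rdp settings from the Remote Desktop Connection Display and Device Redirection topics can be checked before a file is handed to users. The following Python code is an added example, not part of the courseware; the function names, the constructed sample file, and the case-insensitive matching of setting names are assumptions of the example.

```python
# Added example: audit the .rdp settings named in this module.
# Function names and SAMPLE_RDP are constructed for illustration.

BOOLEAN_SETTINGS = ("span", "redirectposdevices")   # 0 = disabled, 1 = enabled
SIZE_SETTINGS = ("desktopwidth", "desktopheight")
MAX_SPAN_WIDTH, MAX_SPAN_HEIGHT = 4096, 2048         # spanning limit stated in this module

# Constructed sample: four well-formed lines and one malformed line.
SAMPLE_RDP = """\
desktopwidth:i:3360
desktopheight:i:1050
Span:i:1
redirectposdevices:i:1
desktopwidth:i = 1680
"""


def parse_rdp(text):
    """Parse name:type:value lines; return (settings, problems)."""
    settings, problems = {}, []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        # "desktopwidth:i = 1680" has a single colon, so it is rejected here.
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            problems.append(f"line {number}: expected name:type:value, got {line!r}")
            continue
        # Assumption of this example: setting names are matched case-insensitively.
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2].strip()
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                problems.append(f"line {number}: {name} needs an integer, got {value!r}")
                continue
        settings[name] = value
    return settings, problems


def audit_settings(settings):
    """Check parsed values against the ranges this module gives."""
    findings = []
    for name in SIZE_SETTINGS:
        value = settings.get(name)
        if value is not None and (not isinstance(value, int) or value <= 0):
            findings.append(f"{name} must be a positive integer, got {value!r}")
    for name in BOOLEAN_SETTINGS:
        if name in settings and settings[name] not in (0, 1):
            findings.append(f"{name} must be 0 or 1, got {settings[name]!r}")
    if settings.get("redirectposdevices") == 1:
        findings.append(
            "redirectposdevices is enabled: confirm POS for .NET redirection is intended")
    return findings


def span_problems(monitors):
    """Check (width, height) pairs, assumed placed side by side, against the spanning rules."""
    if not monitors:
        return ["no monitors given"]
    problems = []
    if len(set(monitors)) > 1:
        problems.append("monitors do not all use the same resolution")
    total_width = sum(width for width, _ in monitors)
    total_height = max(height for _, height in monitors)
    if total_width > MAX_SPAN_WIDTH or total_height > MAX_SPAN_HEIGHT:
        problems.append(
            f"total resolution {total_width} x {total_height} exceeds "
            f"{MAX_SPAN_WIDTH} x {MAX_SPAN_HEIGHT}")
    return problems


if __name__ == "__main__":
    parsed, parse_errors = parse_rdp(SAMPLE_RDP)
    for message in parse_errors + audit_settings(parsed):
        print(message)
    for message in span_problems([(1920, 1200)] * 3):
        print(message)
```

Horizontal alignment cannot be derived from resolutions alone, so span_problems takes it as given and checks only the two rules that can be computed.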
Introduction to a Standalone Instance and a Farm
Key Points
The TS server role service can be installed on a single server as a standalone instance. Alternatively, you can implement a TS farm comprising multiple terminal servers to facilitate load balancing in a large organization. Windows Server 2008 provides the TS Session Broker role service that allows administrators to load balance sessions between terminal servers in a farm. TS Session Broker stores information related to the state of a session. This information is used to distribute the sessions evenly between the terminal servers.
Question: What problems do you anticipate if a standalone instance is used as a terminal server in an organization having many branches?
Standalone Instance vs. Farm
A standalone instance is used in small organizations that require minimum administration. This environment usually includes one terminal server that is accessed by a few client computers.
Large organizations require a farm installation that caters to many branches. This type of environment requires multiple terminal servers that can be easily accessed by many client computers.
Lesson 2 Configuring the TS Settings
After installing the TS server role service, you can start configuring the TS settings according to your organization’s requirements. To take maximum advantage of TS, you need to plan what type of applications you would require to run on the terminal server. You can even configure a specific program to start when you start a session on the terminal server. To enhance the performance of the terminal server, you can restrict the number of simultaneous remote connection sessions on the terminal server. You can configure these settings on TS by using the Terminal Services Configuration snap-in.
Demonstration: Configuring ‘Start Program on Connection’
Question: Which program would you want to launch at the start of a TS session in your organization?
Restricting Remote Connection Sessions
Key Points
It is a best practice to configure the maximum number of sessions that can connect to the server by using Group Policy. Any modifications in Group Policy should be validated before applying them to users and computers. As an administrator, you can invoke Group Policy by using the Active Directory Users and Computers snap-in on the computer that has the domain controller.
Note: The recommended practice is to limit users to one remote session.
Question: What kind of problems do users encounter when there are too many remote connections?
Configuring Other TS Settings
Key Points
The Terminal Services Configuration snap-in can be used to edit settings such as security, session timeouts, and encryption levels based on the connection. To configure RDP-Tcp Connections, you can use the following tabs in the RDP-Tcp Properties dialog box:
• General
• Log On Settings
• Sessions
• Environment
• Security
• Remote control
• Client Settings
• Network Adapter
Some best practices for using terminal servers:
• Install only specific services required in a branch office environment to minimize security risks.
• Configure the TS session broker role service that enables load balancing of sessions between terminal servers in a farm.
• Configure the license server discovery mode to ensure that the terminal server can obtain the required license from the license server.
For more information about configuring TS, see "Windows Server 2008 RC0 TS Session Broker Load Balancing Step-by-Step Guide" and "Configuring License Settings on a Terminal Services" on the Microsoft TechNet Web site.
Lab: Configuring TS Core Functionality
Overarching Scenario
You are the Windows Application Platform Services technology specialist for Woodgrove Bank, which has a presence in America, Europe, the Middle East, Africa (EMEA), and Asia. Woodgrove Bank's information technology (IT) department is responsible for maintaining the database, applications, user authentication, Group Policy, and permissions. It is also responsible for the performance of the server and enterprise infrastructure.
Currently, you are using simple RDP or any third party utility to control the remote console. You install all programs on all client computers, which is time consuming. It is also difficult to maintain and upgrade all the applications on every individual machine. Therefore, the management has advised you to implement the Windows Server 2008 TS environment. Installing TS would increase productivity and ensure optimal utilization of the network bandwidth to access remote applications. As a technology specialist in Woodgrove Bank’s IT department, you have been tasked with installing and configuring the TS environment.
Exercise 1: Installing and Configuring the TS Server Role Service
Scenario
You receive a service request based on an enterprise administrator’s design to deploy a standalone instance of TS with core functions. You have to select an authentication method that will ensure that users can securely access applications over the network. You also want to optimize the administrative tasks that can be done by configuring SSO and WSRM. The end users require that the local machines display the Windows Vista desktop during the TS session. To enable this functionality, you need to configure RDC 6.1. The enterprise administrator has also requested you to provide enhanced program performance for users at the branch offices who access centralized data stores.
Exercise Overview
In this exercise, you will install and configure the TS core functionality at the New York head office.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator.
2. Install the TS server role service.
3. Configure authentication on the terminal server.
4. Configure the default credentials to be used on the terminal server.
5. Create a .rdp file and configure custom display.
6. Enable ClearType and Font smoothing.
7. Enable support for PnP redirection.
8. Install and configure WSRM.
9. Install the Desktop Experience.
10. Remotely connect to TS by using RDC.
Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on with the default User ID WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Verify the membership in the local administrators group in the Active Directory User and Group.
Note: Wait for the domain controller virtual machine, 6428A-NYC-DC1-01, logon screen to appear before starting 6428A-NYC-TS-01 VM.
3. Start 6428A-NYC-TS-01 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
4. Confirm that 6428A-NYC-TS-01 is a member of the Woodgrove.com domain under Computers in the Active Directory User and Group.
Task 2: Install the TS server role service
1. On 6428A-NYC-TS-01, start Server Manager from the Administrative Tools menu.
2. Add the Terminal Services role in the Add Roles wizard.
3. On the Terminal Services page, configure the Terminal Server:
• Authentication Method: Network Level Authentication setting for a terminal server
• Licensing Mode: Per-User
• Select User Groups Allowed Access to This Terminal Server: Add NYC_MarketingGG nested in NYC under WoodgroveBank.com.
4. Confirm the installation of the TS role service in the Server Manager.
Task 3: Configure authentication on the terminal server
1. Start Terminal Services Configuration by using the tsconfig.msc command.
2. In the RDP-Tcp Properties dialog box, configure the authentication method to be used as SSL (TLS 1.0).
Task 4: Configure the default credentials to be used on the terminal server
1. Open the Local Group Policy Editor by using the gpedit.msc command.
2. On the Credentials Delegation page, enable Allow Delegating Default Credentials and add the 6428A-NYC-TS-01 server.
Task 5: Create a .rdp file and configure custom display
1. Create a .rdp file by using the TS RemoteApp Manager snap-in.
2. In the RemoteApp Wizard, verify that the location of the .rdp file is C:\Program files\Packaged Programs\mstsc.rdp.
3. Open the C:\Program files\Packaged Programs\mstsc.rdp file in a text editor.
4. Specify the following custom display settings:
desktopwidth:i:1680
desktopheight:i:1050
5. Enable monitor spanning by using Span:i:1.
Task 6: Enable ClearType and Font smoothing
1. In Control Panel, under Appearance and Personalization, enable ClearType.
2. Display the Remote Desktop Connection dialog box, and enable font smoothing on the Experience tab.
Task 7: Enable support for PnP redirection
1. Display the Remote Desktop Connection dialog box.
2. On the Options tab, under Local devices and resources, enable Devices that I plug in later.
Task 8: Install and configure WSRM
1. Start Server Manager, under Features Summary, select Windows System Resource Manager.
2. Install Windows System Resource Manager by using the wizard.
3. Open the Windows System Resource Manager snap-in.
4. In the Connect to computer dialog box, enable WSRM to administer the local computer.
Task 9: Install the Desktop Experience
1. Start Server Manager. Under Features Summary, select Desktop Experience.
2. Install the Desktop Experience by using the wizard.
3. Confirm the installation of the Desktop Experience.
Task 10: Remotely connect to TS by using RDC
1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box by using the mstsc command.
2. Connect to NYC-TS by using the user ID WOODGROVEBANK\Baris and password Pa$$w0rd.
You will be connected to the terminal server remotely.
Results: After this exercise, you should have configured the TS settings.
Exercise 2: Configuring the TS Settings
Scenario
You have been tasked with configuring the TS settings to streamline the infrastructure and secure the database and applications on the terminal server. For this, you need to specify a program to start when a user logs on, limit users to a single remote session, and set default permissions for built-in accounts. To further ensure load-balancing in a TS farm environment, you need to configure the Session Broker settings and create a policy for the retention of the temporary folder.
Exercise Overview
In this exercise, you will configure the TS settings and the session broker settings.
The main tasks for this exercise are as follows:
1. Specify the program to start when a user logs on to a remote session.
2. Configure the TS settings by using the Terminal Services Configuration snap-in.
3. Modify the default permissions for built-in accounts.
4. Configure the Session Broker settings.
5. Shut down the virtual machines.
Task 1: Specify the program to start when a user logs on to a remote session
1. Start Terminal Services Configuration on 6428A-NYC-TS-01.
2. Under Connections, select RDP-Tcp and then display the Properties dialog box.
3. On the Environment tab, configure the Initial starting program setting as C:\Program Files\Packaged Programs\wordpad.
Task 2: Configure the TS settings by using the Terminal Services Configuration snap-in
• In the Terminal Services Configuration snap-in, under the Edit Settings area, verify the following are selected:
• Restrict each user to a single session
• Delete Temporary folder on exit
• Use Temporary folders per session
Task 3: Modify the default permissions for built-in accounts
1. Start WMI Console by using the wmimgmt.msc command.
2. Display the WMI Control Properties dialog box.
3. On the Security tab, modify the Read Security permission for Baris Centinok and change it to Allow.
Task 4: Configure the Session Broker settings
1. Start Terminal Services Configuration.
2. In the Edit settings area, under TS Session Broker, select:
• Member of farm in TS Session Broker
• Join a farm in TS Session Broker
• Participate in Session Broker Load-Balancing
3. Provide the server name as NYC-TS, the farm name as WoodGroveBank, and IP address as 10.10.0.23.
Task 5: Shut down the virtual machines
• Turn off each virtual machine that is running and discard changes.
Note: After this exercise, you should have configured the TS settings.
Lab Review
Configuring and Managing Terminal Services Licensing 2-1
Module 2 Configuring and Managing Terminal Services Licensing
Contents:
Lesson 1: Configuring TS Licensing
Lesson 2: Managing TS Licenses
Lab Demonstration: Configuring and Managing TS Licensing
Module Overview
The TS licensing management system in Microsoft Windows Server 2008 includes some significant enhancements as compared to TS licensing in Microsoft Windows 2003.
After the TS server role service is installed in Windows Server 2008, users and devices require TS client access licenses (CALs) to connect to the terminal server. The TS licensing role service on the terminal server obtains these TS CALs from a TS license server.
This module introduces TS licensing and covers the steps to configure the license and terminal servers for issuing and managing licenses. The module also includes installing Per User and Per Device TS CALs on the license server as well as managing the licensing lifecycle.
Lesson 1 Configuring TS Licensing
The TS licensing role service is a license management system that manages TS CALs. You need to install the TS licensing role service on a server running Windows Server 2008. After installation, you are required to activate the license server. Only after activation can the license server issue TS CALs to devices or users that want to connect to the terminal server.
You can use the TS Licensing Manager snap-in to manage TS licensing.
TS Licensing Role
Key Points
In large organizations, the TS license server is different from the terminal server. An organization needs to deploy at least one license server to issue licenses to users and devices wanting to connect to the terminal server. A license server can concurrently serve many terminal servers.
Note: A terminal server running Windows Server 2008 cannot communicate with a license server running Windows Server 2003. A terminal server running Windows Server 2003 can, however, communicate with a license server running Windows Server 2008.
For more information about the TS Licensing role, see "TS Licensing" on the Microsoft TechNet Web site.
TS Licensing Manager Snap-In
Key Points
The TS Licensing Manager snap-in requires minimum 10 MB of CPU memory for its transactions. The license database increases by 5 MB with the issuance of every 6,000 TS CALs. The license server is active only when it receives a request for a TS CAL from the terminal server.
For more information about the TS Licensing Manager snap-in, see "TS Licensing" on the Microsoft TechNet Web site.
TS Client Access Licenses
Key Points
The two types of TS CALs, Per Device and Per User, are obtained as follows:
1. When a user or device connects to the terminal server, the terminal server first determines whether a TS CAL is required.
2. If a TS CAL is required, then the terminal server requests the CAL from the license server.
3. After receiving the TS CAL, the terminal server:
• Delivers the TS CAL to the client device in case of a Per Device TS CAL.
• Stores the information as part of the user account in the Active Directory Domain Services in case of a Per User TS CAL.
The Per Device TS CALs are issued statically to client machines, and the Per User TS CALs are issued to a user’s account and can be used from any device.
Tracking the TS Per User CAL issuances is supported only in domain-joined scenarios. Active Directory Domain Services is used for tracking the Per User TS CALs.
Note: Active Directory Domain Services can be based on either Windows Server 2008 or Windows Server 2003, and no updates to its schema are required for generating tracking reports of the Per User TS CALs.
Installing the TS Licensing Role Service
Key Points
The TS Licensing database should be located on the same computer on which the TS licensing role service is being installed.
The TS Licensing Manager snap-in is automatically installed when you install the TS licensing role service. You can also manage your license servers from a remote computer running Windows Server 2008 by installing the TS Licensing Manager snap-in on that computer.
You need to activate a license server only once. While waiting for the activation process to complete, the license server can issue temporary TS CALs that allow clients to use the terminal server for 120 days.
In addition, you need to configure the TS license server discovery scope to help the terminal servers discover the license server. The three discovery scopes are:
• Workgroup
• Domain
• Forest
Note: To install the TS Licensing role service, you should be a member of the Administrators group.
For more information about installing the TS Licensing role service, see "Activating a Terminal Services License Server" and "Terminal Services License Server Discovery" on the Microsoft TechNet Web site.
Configuring the Terminal Server for Licensing
Key Points
The TS licensing mode, Per Device or Per User, can be set:
• During the installation of the TS server role service.
• By using the Terminal Services Configuration snap-in.
• By using Group Policy.
The TS licensing discovery mode can be set:
• By using the Terminal Services Configuration snap-in.
• By using Group Policy.
• By using the automatic license discovery process where the terminal server contacts:
  • First, the license servers configured by using the Terminal Services Configuration snap-in.
  • Then, the license servers published in Active Directory Domain Services.
  • Finally, the license servers installed on the domain controller within the same domain as the terminal server.
Note: The TS licensing mode on the terminal server should be the same as that on the license server.
Note: A user connecting to a terminal server in Per User licensing mode should have a TS Per User CAL. If the user does not have a TS Per User CAL for the terminal server, the terminal server will contact the license server for the required Per User CAL.
Question: Can you change the TS Per Device CAL to a TS Per User CAL on your license server?
For more information about configuring the terminal server for licensing, see "Configuring License Settings on a Terminal Server" on the Microsoft TechNet Web site.
Lesson 2 Managing TS Licenses
After installing and configuring the TS licensing role service, you need to manage the licensing lifecycle. For this, you will be required to track the issuance of the TS Per User CALs.
You might also need to judiciously revoke device licenses and reallocate them, as required. While managing the license server, you can troubleshoot licensing issues related to the license server by using the Review Configuration snap-in.
Managing TS Client Access Licenses
To manage the TS licensing, you can perform the following tasks by using the TS Licensing Manager snap-in:
• Change the properties such as the connection method used to communicate with the Microsoft Clearinghouse and the mandatory and optional information about your organization.
• Change the discovery scope: domain or forest.
• Review the configuration of the license server.
• Control the issuance of TS CALs.
• Track the issuance of TS CALs.
• Revoke the Per Device TS CALs.
• Deactivate and reactivate the license server.
• Locate the Microsoft Clearinghouse telephone number for your country or region to activate the license server.
Note: You cannot revoke a Per User TS CAL. After you have revoked a Per Device TS CAL, it is immediately available for issuance to another device. Do not revoke licenses merely to ensure that enough licenses are available to support the requirement.
Other generic tasks that you can perform to manage TS licensing are:
• Back up a TS license server
• Move TS licensing to a new server
• Uninstall the TS licensing role service
For more information about managing TS CALs, see "Managing TS Licensing" on the Microsoft TechNet Web site.
Troubleshooting Licenses
Key Points
You can use the Review Configuration tool to identify problems on the license server related to the:
• Discovery scope
• Issuance of the TS CALs to devices or users
• Tracking and reporting of the issuance of the TS CALs
You can use the Licensing Diagnosis tool to analyze the following information on the terminal server:
• Configuration of the terminal server
• License servers that the terminal server discovered
• Configuration information of the license servers
• Licensing issues with possible solutions
For more information about troubleshooting licenses, see "Troubleshooting TS Licensing Installation" and "Known Issues for TS Licensing Installation" on the Microsoft TechNet Web site.
Lab Demonstration: Configuring and Managing TS Licensing
Overarching Scenario
You have configured TS for Woodgrove Bank. To support the TS environment you need to install the TS licensing role. The TS licensing role will enable you to determine the TS client access licenses (CALs) that are required for each device or user to connect to the terminal server. You need to use this role to install, issue, and monitor the availability of TS CALs on a TS license server.
Demonstration: Configuring and Managing TS Licensing
The main tasks for configuring and managing TS licensing are as follows:
1. Install the TS Licensing role.
2. Add a new device to the HR group.
3. Activate the license server and install TS Per Device CALs by using telephone.
4. Specify the TS Per Device mode on the terminal server.
5. Specify the TS licensing server discovery mode on the terminal server.
6. Revoke a Per Device CAL and make it available for a new device.
Task 1: Install the TS Licensing Role
1. On the terminal server, start Server Manager and install the TS Licensing role service.
2. On the Configure Discovery Scope for TS Licensing page, specify the discovery scope for TS Licensing as domain.
3. On the Configure Discovery Scope for TS Licensing page, specify the default location of the TS Licensing database.
Task 2: Add a new device to the HR group
1. On the client that you want to add, join the computer to the domain WoodgroveBank.com on the Properties page of the computer.
2. On the domain controller, add the computer to the HR group in the Active Directory Users and Computers snap-in.
Task 3: Activate the license server and install TS Per Device CALs by using telephone
1. On the terminal server, activate the license server in the TS Licensing Manager snap-in.
2. On the Connection Method page, select the connection method Telephone.
3. On the Country or Region Selection page, select your country/region.
4. Call Microsoft by using the telephone number that is displayed on the License Server Activation page, and then provide the Microsoft customer support representative with the Product ID that is displayed on your screen. The representative will also ask you to provide your name and the name of your company. The representative processes your request to activate the license server, and creates a unique ID for your license server.
5. Activate the license server with the ID and select the option to install the licenses now.
6. On the Obtain client license key pack page, use the telephone number that is displayed to call the Microsoft Clearinghouse, and give the representative your Terminal Services license server ID and the required information for the licensing program through which you purchased your TS CALs. The representative then processes your request to install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to as the license key pack ID.
7. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the license key pack ID provided by the representative into the boxes provided.
8. The Terminal Services license server can now issue TS CALs to clients that connect to a terminal server.
Task 4: Specify the TS Per Device mode on the terminal server
• On the terminal server, in the Terminal Services Configuration snap-in, under Licensing, specify the licensing mode as Per Device.
Task 5: Specify the TS licensing server discovery mode on the terminal server
• On the terminal server, in the Terminal Services Configuration snap-in, under Licensing, specify the license server to be used.
Task 6: Revoke a Per Device CAL
1. On the license server, in the TS Licensing Manager snap-in, under NYC-TS, select Windows Server 2008 - Installed TS Per Device CALs.
2. Select the TS Per Device CAL that you want to revoke.
3. Revoke the TS CAL by using the Action menu.
The Status column for the TS Per Device CAL will show a status of Revoked when the TS Licensing Manager display is refreshed.
Results: After this demonstration, you should have seen how to install the license server and add a device to the HR group. Then you saw how to activate the license server, and install TS CALs by using the telephone. Then you should have seen how to configure the Per Device mode and the licensing server discovery mode on the terminal server. Finally, you saw how to revoke a Per Device CAL.
Lab Review
Module 3 Configuring and Troubleshooting Terminal Services Connections
Contents:
Lesson 1: Configuring the TS Connection Properties
Lesson 2: Configuring the TS Connection Properties by Using Group Policy
Lesson 3: Troubleshooting TS Connections
Lab: Configuring and Troubleshooting the TS Connections
Module Overview
After configuring TS Licensing on the terminal server, you need to set the TS connection properties on the terminal server as well as the clients. This module introduces the connection properties that can be set by using either the Terminal Services Configuration snap-in or Group Policy.
Besides setting these properties, it is also important to configure the authentication and encryption levels for the TS connections between the terminal server and the clients.
When configuring the client settings, you might also want to enhance the user experience by enabling the Desktop Experience and Plug and Play (PnP) Device Redirection Framework.
In addition, configuring Single Sign-On (SSO) for user profiles can be helpful in reducing administrative effort.
As an administrator, you will also need to perform some checks to identify and troubleshoot connectivity issues.
Lesson 1 Configuring the TS Connection Properties
You can use the Terminal Services Configuration snap-in to configure and administer TS connection properties such as the maximum number of simultaneous connections and time-out and reconnection settings.
Using this snap-in, you can also configure authentication and encryption levels for clients to minimize security risks over remote connections. Also, configuring the Desktop Experience and enabling PnP device redirection help to enhance the user experience on TS.
Introduction to TS Properties
Key Points
In a TS environment, you can configure the TS properties such as the TS connection properties, device and resource redirection, remote session environments, session time limits, and user profiles. These TS properties can be configured both by administrators and standard users. The User Account Control (UAC) feature of Microsoft Windows Server 2008 displays a prompt for the credentials of an administrator or equivalent account.
If you are logged on as an administrator, you will be provided with two access tokens: an administrator token and a standard user access token. The administrator token is used only when you attempt to perform administrative tasks.
With the administrator token, you can change the system state, install software, turn off the firewall, install a service or driver, and configure the security policy. As a standard user, you are not allowed to perform administrator tasks, but you can install software on a per-user basis.
The TS properties can apply to users or computers. For example, on a client, you can enable or disable user profiles. You can also configure connection properties for the computer, such as allowing a process to run over a slow network connection.
On the server, you can configure settings for the computer, such as whether to retain or delete temporary folders on exit. For users, you can configure settings that restrict them to a single remote session on the server.
Question: Configuring which TS settings helps enhance the performance of the terminal server?
Introduction to the TS Connection Properties
Key Points
You can use either Group Policy or the Terminal Services Configuration snap-in to configure the TS connection properties on the terminal server and clients. The TS connection properties set by using Group Policy always override the settings configured by using the Terminal Services Configuration snap-in.
The TS connection properties can be set for a specific user and at the server level. If both user and server settings are configured, the server settings take precedence.
By using the Terminal Services Configuration snap-in, you can configure:
• A new connection
• Automatic logon to the server by a user
• Authentication of the terminal server
With respect to connection permissions, for each connection, you can:
• Add users and groups to permission lists
• Change the permissions of a user or group
• Remove users or groups from the permission lists
For more information about configuring TS connection properties, see "Configure Terminal Services Connections" on the Microsoft TechNet Web site.
Configuring the Maximum Number of Simultaneous Connections
Key Points
The default TS settings allow an unlimited number of sessions to connect to the server. This affects the performance of the terminal server as multiple sessions demand system resources. To improve performance, therefore, you can restrict the number of sessions.
When using the Terminal Services Configuration snap-in to perform this procedure, you need to be a member of the Administrators group on the local computer.
For more information about configuring the maximum number of simultaneous connections, see "Specify a maximum number of sessions that can connect to the server" on the Microsoft TechNet Web site.
Demonstration: Configuring the Time-Out and Reconnection Settings
Question: Which connection setting can result in the loss of data at the client side?
For more information about configuring the time-out and reconnection settings, see "Configure Time-out and Reconnection Settings" on the Microsoft TechNet Web site.
Configuring Authentication and Encryption
Key Points
To configure the authentication and encryption levels for clients, you will require a certificate from a certification authority (CA).
In Windows Server 2008, the terminal server uses native Remote Desktop Protocol (RDP) for encryption. However, RDP does not authenticate the identity of the terminal server. You therefore need to configure the terminal server and clients to use Transport Layer Security (TLS) 1.0 for server authentication and encryption of the terminal server communications.
Note: You can enable TLS only by using the Terminal Services Configuration snap-in. You cannot use Group Policy to enable TLS authentication.
TLS authentication on a server requires:
• Microsoft Windows Server 2003 SP1
• A computer certificate obtained by using the Web or the Certificate Request wizard
TLS authentication on a client requires:
• Microsoft Windows 2000 or Microsoft Windows XP
• RDP 5.2, or later
• Certificate of the certification authority (CA) that issued the server certificate in the client’s Trusted Root Certification Authorities store
You can configure four levels of encryption by using the Terminal Services Configuration snap-in:
• Federal Information Processing Standard (FIPS)-compliant
• High
• Client Compatible
• Low
Question: Which encryption level is most commonly used in organizations?
For more information about configuring authentication and encryption, see "Configure Authentication and Encryption" on the Microsoft TechNet Web site.
Configuring the Desktop Experience
Key Points
To further enhance the user’s experience in TS, you can install and configure the Desktop Experience. For features such as Windows Media® Player and Desktop Themes, you will have to enable audio redirection. The audio redirection setting is available on the Client Settings tab in the Properties page of the required connection in the Terminal Services Configuration snap-in. You can also use Group Policy to configure this setting.
Note: The Sound Recorder feature of Microsoft Windows Vista is not supported by RDP. Desktop Experience does not enable any of the Windows Vista features automatically; you need to enable them manually.
Question: Which scenarios require audio data to be shared between the terminal server and client?
For more information about configuring the Desktop Experience, see "Remote Desktop Connection Display" on the Microsoft TechNet Web site.
Configuring the Plug and Play Device Redirection Framework
Key Points
You can control the PnP device redirection framework on the Client Settings tab in the Properties page of the required connection in the Terminal Services Configuration snap-in.
To redirect devices that use Microsoft Point of Service (POS) for .NET 1.11:
1. Install POS for .NET 1.11.
2. Install the .NET service objects or XML configuration files required by the POS for .NET device.
3. Stop and start the Terminal Services UserMode Port Redirector service in the Terminal Services Configuration snap-in.
Note: POS for .NET 1.11 device redirection is only supported if the terminal server is running an x86-based version of Windows Server 2008.
For more information about device redirection, see "Terminal Server Plug and Play Device Redirection Framework in Vista and Longhorn" on the Microsoft TechNet Web site.
Lesson 2 Configuring the TS Connection Properties by Using Group Policy
As an administrator, you might prefer to configure some connection properties by using Group Policy. The Group Policy settings override the settings configured by using the Terminal Services Configuration snap-in.
In addition to configuring TS connection properties, you can use Group Policy to configure the Single Sign-On (SSO) feature of Windows Server 2008. This feature helps reduce the administrative load significantly as it enables users to log on to multiple devices or services with a single set of credentials.
Using Group Policy to Configure the TS Connection Properties
Key Points
Although most TS connection properties can be set by using the Terminal Services Configuration snap-in, you might want to set these by using Group Policy. The choice of method can depend on the complexity of your TS environment. Using Group Policy is often considered to be a simpler approach to configuring TS, especially in an environment with multiple terminal servers and users.
By using Group Policy, you can configure properties such as the maximum number of sessions, encryption level, automatic start program, remote control, time-out and reconnection, and some other client settings such as connection drives and printers. In addition, you can also configure the following settings:
• Specifying the interval for the session to be kept alive and keeping it consistent with the client state
• Removing the Disconnect item from the Shut Down dialog box
• Disabling smart card device redirection
Question: What will happen if you disable a Remote Desktop connection by using the Group Policy setting while a user is connected to the target computer?
For more information about configuring TS properties by using Group Policy, see "Configure Group Policy Settings" on the Microsoft TechNet Web site.
Introduction to Single Sign-On
The security benefit provided by SSO is that a user needs to log on to the domain only once by using a password. Subsequently, the user will be authenticated on any server in the domain. For administrators, this feature minimizes the administrative effort required to maintain a user account.
For more information about SSO, see "Single Sign-On for Terminal Services" on the Microsoft TechNet Web site.
Considerations for Configuring Single Sign-On
Key Points
As an administrator, when configuring SSO, you need to ensure that the client computers are either Windows Vista-based or Windows Server 2008-based computers, and that the users have appropriate rights to log on to both the client and the server. SSO can also be used on client computers and terminal servers that are part of a domain.
You also need to note that Windows Server 2008 provides the Credential Security Service Provider (CredSSP), which supports SSO. By using this feature, you can securely save your credentials for later use.
Note: SSO will not work on a server that cannot be authenticated by using Kerberos or a Secure Sockets Layer (SSL) certificate. If the terminal server connection is using a TS Gateway server, then in some cases the credentials of the TS Gateway will override the SSO settings.
For more information about considerations for configuring SSO, see "How to enable Single Sign-On for my Terminal Server connections" on the Microsoft Terminal Services Team Blog Web site.
Lesson 3 Troubleshooting the TS Connections
A number of connectivity issues can arise in a TS environment. While specific issues need to be handled by using specific methods, there are some troubleshooting steps that can help you determine common problems and rectify them.
Troubleshooting Connectivity Issues
Key Points
Depending on the connectivity problem, you can perform troubleshooting steps such as checking the RDP settings, analyzing event and error logs, and verifying licenses, policies, permissions, and encryption levels.
In addition, you can perform the following troubleshooting steps:
• Use the Terminal Services Manager to view users connected to the terminal server.
• Identify and fix connectivity problems between the terminal server and domain controller by using the ping command.
• Use the ping command to determine connectivity problems with other computers.
• Start the Device Manager by using the devmgmt.msc command, and check the status of the network adapter.
• Check the network indicator lights on the computer and the hub or router. Also, check the network cabling.
• Check the firewall settings by using the Windows Firewall with Advanced Security snap-in.
• Check the IPsec settings by using the IP Security Policy Management snap-in.
For example, if a user logon request is denied, as an administrator you can check if the Allow all connections option is selected on the General tab in the Terminal Services Configuration snap-in.
Another common connectivity issue is the failure of authentication when a user tries to reconnect to the terminal server. In this case, you can verify the user accounts connected to the terminal server on the Users tab in the Terminal Services Configuration snap-in.
Lab: Configuring and Troubleshooting the TS Connections
Overarching Scenario
You receive a service request from the enterprise administrator to configure the connection settings for TS. As an administrator, you need to configure connection permissions, SSO, client settings, and time-out and reconnection settings, as defined in the service request. These connection settings will enable you to efficiently manage connections to remote applications. To avoid overloading of the terminal server, you need to set permissions for all users and restrict the number of sessions.
Exercise 1: Configuring the TS Connection Properties
Scenario
The enterprise administrator is receiving many complaints about unauthorized users accessing the terminal server. Also some connections get disconnected automatically and users have a problem working with the applications on the terminal server. You receive a service request to modify the connection permissions of Baris, Bernard, and Anton.
Exercise Overview
In this exercise, you will configure the TS connection properties by using the Terminal Services Configuration snap-in.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and the 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Configure the TS connection properties by using the Terminal Services Configuration snap-in.
Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on with the default login ID WOODGROVEBANK\Administrator.
2. Start 6428A-NYC-TS-03 and log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd.
3. Verify that TS is installed on the 6428A-NYC-TS-03 virtual machine.
Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.
Task 2: Configure the TS connection properties by using the Terminal Services Configuration snap-in
1. On 6428A-NYC-TS-03, start the Terminal Services Configuration snap-in.
2. Verify that the remote control setting for default users is selected on the Remote Control tab in the RDP-Tcp Properties dialog box.
3. Configure the connection permissions for users as follows:
• Baris Cetinok: Deny permission to disconnect a connection
• Bernard Duerr: Allow all connection permissions
• Anton Kirilov: Allow permission to disconnect a connection
Results: After this exercise, you should have configured the connection properties.
Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy
Scenario
You have been tasked with restricting the maximum number of terminal sessions to two and configuring the TS connection setting to automatically reconnect to the server. In addition, you need to configure the RDP client connection security and encryption levels on the server. You want to configure the connection settings by using the Group Policy editor. These settings are critical to the performance of the TS and they will override any other settings that users might have configured by using the Terminal Services Configuration snap-in.
Exercise Overview
In this exercise, you will configure the TS connection properties by using Group Policy.
The main tasks for this exercise are as follows:
1. Configure the TS connection properties.
2. Verify that a maximum of two clients can connect to the terminal server.
Task 1: Configure the TS connection properties
1. On 6428A-NYC-DC1-01, start Group Policy Management by using the gpmc.msc command.
2. Create a new Group Policy Object (GPO) for the Marketing OU as GPO for TS Connection.
3. Start the Group Policy Management Editor, and configure the following:
• TS Maximum Connections allowed: 2
• Automatic reconnection: Enabled
• Set client connection encryption level: Enabled
• Encryption level: Client Compatible
• Set time limit for disconnected sessions: Enabled
• End a disconnected session: 5 minutes
Task 2: Verify that a maximum of two clients can connect to the terminal server
1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box by using the mstsc command.
2. Connect to Nyc-ts, log on as Baris with the password Pa$$w0rd.
3. Log on as a second user, Bernard with the password Pa$$w0rd.
4. Log on as a third user, Anton with the password Pa$$w0rd.
5. Observe that Anton gets a failed logon message.
Results: After this exercise, you should have configured the TS connection properties by using server Group Policy.
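The settings from this exercise, and the security layer and encryption level described under Configuring Authentication and Encryption, can be checked from PowerShell on the terminal server. The following is an added example, not part of the course material; it assumes the standard registry locations for Terminal Services policy and the RDP-Tcp listener, and its function names are hypothetical.

```powershell
# Added example, not course code. Assumes Windows PowerShell 2.0 or later, run
# elevated on the terminal server, and the standard registry paths below.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry values mapped to the names shown in the Terminal Services Configuration snap-in.
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

# Values configured in Exercise 2, Task 1.
$Expected = @{
    MaxInstanceCount      = 2        # TS Maximum Connections allowed: 2
    fDisableAutoReconnect = 0        # Automatic reconnection: Enabled
    MinEncryptionLevel    = 2        # Encryption level: Client Compatible
    MaxDisconnectionTime  = 300000   # End a disconnected session: 5 minutes, in milliseconds
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

function Get-EffectiveTsSetting {
    param([string]$Name)
    # Group Policy overrides the value set in the snap-in, so check it first.
    $value  = Get-RegValue $PolicyKey $Name
    $source = 'Group Policy'
    if ($value -eq $null) {
        $value  = Get-RegValue $ListenerKey $Name
        $source = 'Snap-in (RDP-Tcp listener)'
    }
    if ($value -eq $null) { $source = 'Not set' }
    New-Object PSObject -Property @{ Name = $Name; Value = $value; Source = $source }
}

function Test-TsConnectionPolicy {
    # One row per Exercise 2 setting: effective value, where it came from, and
    # whether it matches the value the exercise asks for.
    foreach ($name in $Expected.Keys) {
        $s = Get-EffectiveTsSetting $name
        New-Object PSObject -Property @{
            Setting   = $name
            Value     = $s.Value    # an unlimited session count is stored as 0xFFFFFFFF (-1)
            Source    = $s.Source
            Expected  = $Expected[$name]
            Compliant = ($s.Value -ne $null -and [long]$s.Value -eq $Expected[$name])
        } | Select-Object Setting, Value, Source, Expected, Compliant
    }
}

function Resolve-Name {
    param($Map, $Value)
    if ($Value -eq $null) { return 'Not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown ($Value)"
}

function Get-TsListenerSecurity {
    # The security layer is read from the listener only: the course states that
    # TLS is enabled through the snap-in, not through Group Policy.
    $layer = Get-RegValue $ListenerKey 'SecurityLayer'
    $level = (Get-EffectiveTsSetting 'MinEncryptionLevel').Value
    New-Object PSObject -Property @{
        SecurityLayer   = (Resolve-Name $SecurityLayers $layer)
        EncryptionLevel = (Resolve-Name $EncryptionLevels $level)
        # Only SSL (TLS 1.0) guarantees that the server's identity is authenticated;
        # native RDP encryption does not authenticate the terminal server.
        ServerAuthenticationRequired = ($layer -eq 2)
    } | Select-Object SecurityLayer, EncryptionLevel, ServerAuthenticationRequired
}

Test-TsConnectionPolicy | Format-Table -AutoSize
Get-TsListenerSecurity  | Format-List
```

A row whose Source is the snap-in rather than Group Policy means the GPO has not reached the server yet, even if the value happens to match.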
Exercise 3: Configuring SSO by Using Client Group Policy
Scenario
As an administrator, you want to reduce your administrative tasks. Currently, you are spending a lot of time maintaining the user accounts that are connecting to the TS. You want to configure SSO to reduce the administrative effort.
Exercise Overview
The main task for this exercise is to configure SSO by using client Group Policy.
Task 1: Configure the SSO setting by using client Group Policy
1. On 6428A-NYC-DC1-01, start the Terminal Services Configuration snap-in by using the tsconfig.msc command.
2. In the RDP-Tcp Properties dialog box, select Security Layer as SSL (TLS 1.0).
3. Start the Local Group Policy Editor by using the gpedit.msc command.
4. Select the option Allow Delegating Default Credentials.
5. Add the server 6428A-NYC-TS-03 to the list of servers in the Show Contents dialog box.
Results: After this exercise, you should have configured SSO by using client Group Policy.
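To confirm what the Allow Delegating Default Credentials policy actually permits, the server list can be read back on the client and each entry classified by how broadly it delegates. This is an added example, not part of the course material; it assumes the standard policy registry location and the TERMSRV/ prefix used for terminal server entries, and the function name is hypothetical.

```powershell
# Added example, not course code. Assumes Windows PowerShell 2.0 or later on the
# client and the standard policy location for credential delegation.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DefaultCredentialDelegation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Server    # terminal server name as it was entered in the policy list
    )

    # The policy switch itself is a DWORD on the key.
    $policy  = Get-ItemProperty -Path $DelegationKey -ErrorAction SilentlyContinue
    $enabled = ($policy -ne $null -and $policy.AllowDefaultCredentials -eq 1)

    # The "Show Contents" server list is stored as string values under a subkey.
    $entries = @()
    $listKey = Join-Path $DelegationKey 'AllowDefaultCredentials'
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $entries = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }

    $target = "TERMSRV/$Server"
    foreach ($entry in $entries) {
        if ($entry -notlike 'TERMSRV/*') {
            $scope = 'Not limited to Terminal Services'
        } elseif ($entry.Contains('*')) {
            $scope = 'Wildcard: every matching server'
        } else {
            $scope = 'Single server'
        }
        New-Object PSObject -Property @{
            PolicyEnabled = $enabled
            Entry         = $entry
            Scope         = $scope
            # -like treats the stored entry as the pattern, so wildcard entries match too.
            CoversServer  = ($target -like $entry)
        } | Select-Object PolicyEnabled, Entry, Scope, CoversServer
    }
}

# NYC-TS.WoodgroveBank.com is the lab terminal server; substitute the name that
# was typed into the Show Contents dialog box.
$result = @(Get-DefaultCredentialDelegation -Server 'NYC-TS.WoodgroveBank.com')
$result | Format-Table -AutoSize

if (-not ($result | Where-Object { $_.PolicyEnabled -and $_.CoversServer })) {
    Write-Warning 'No enabled delegation entry covers the terminal server; SSO will prompt for credentials.'
}
$result | Where-Object { $_.Scope -ne 'Single server' } | ForEach-Object {
    Write-Warning ("Entry '{0}' delegates default credentials more broadly than one server." -f $_.Entry)
}
```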
Exercise 4: Troubleshooting Connectivity Issues
Scenario
Users in the organization are having problems connecting to the terminal server. A user, Monika Buschmann, is unable to log on because her password has expired. You need to reset her password. Another user, Dana Birkby, is unable to connect to the Remote Desktop. Verify her user permissions. After updating the user account settings, validate that the users can connect to the terminal server. Help Desk has verified that this is not a network connectivity issue from the client and that the firewall is also correctly configured.
Exercise Overview
In this exercise, you will troubleshoot connectivity issues.
The main tasks for this exercise are as follows:
1. Verify the RDP settings and check the event logs.
2. Verify the user and group permissions and policy settings.
3. Verify that the users are able to log on with the updated settings.
4. Shut down the virtual machines.
Task 1: Verify the RDP settings and check the event logs
1. On 6428A-NYC-TS-03, start TS RemoteApp Manager.
2. Verify that the RDP Port for NYC-TS.WoodgroveBank.Com is 3389.
3. Start Event Viewer by using the eventvwr command.
4. Check the details under Application.
Task 2: Verify the user and group permissions and policy settings
1. On 6428A-NYC-DC1-01, start the Active Directory Users and Computers snap-in.
2. Under Marketing, reset the password for Monika Buschmann to Pass@word1.
3. Start the Terminal Services Configuration snap-in, in the RDP-Tcp Properties dialog box, verify permission settings for Dana Birkby and modify the settings to enable her remote connection.
4. Check that the Encryption Level is Client Compatible.
Task 3: Verify that users are able to log on with the updated settings
1. On 6428A-NYC-DC1-01, start Remote Desktop Connection by using the mstsc command.
2. Connect to Nyc-ts and log on as Monika with the password as Pass@word1.
3. Log on as the second user, Dana with the password as Pa$$w0rd.
Task 4: Shut down the virtual machines
1. Turn off 6428A-NYC-DC1-01, and discard changes.
2. Turn off 6428A-NYC-TS-03, and discard changes.
Results: After this exercise, you should have used troubleshooting techniques to resolve connectivity issues.
Lab Review
Module 4 Configuring Terminal Services RemoteApp and Easy Print
Contents:
Lesson 1: Installing Applications
Lesson 2: Configuring RemoteApp Programs
Lesson 3: Configuring Printers
Lab: Configuring TS Resources
Module Overview
Before installing programs on the terminal server, it is important that you are familiar with the types of applications that can be installed and considerations for installing these applications. This module provides an overview of TS RemoteApp programs that can be remotely accessed through TS, advantages of using these programs, and the methods used to deploy them.
The module also introduces TS Easy Print, which facilitates printer redirection over a TS session.
Lesson 1 Installing Applications
You can install any Windows-based application on a terminal server. However, running some of these applications might affect the performance of the terminal server. Therefore, it is important to bear in mind some key considerations for installing these applications.
Types of Applications
Key Points
Terminal servers support off-the-shelf, custom, and line of business (LOB) applications. You can also install applications that use application virtualization technologies.
Application virtualization isolates an application from the underlying operating system. The application runs in a virtualized environment and does not need to be installed on or interact with the underlying operating system.
Windows Server 2008 TS provides a functionality that facilitates central hosting of client applications by using a virtualization technique called presentation virtualization. Using this technique, the keyboard and mouse inputs are directed to the server, and the video output is sent to the client over a network connection.
Considerations for Installing Applications
Key Points
Although all Windows-based applications run on a terminal server, you need to remember that some 16-bit applications require more RAM than others. These applications may affect the performance of other applications.
Also note that all applications on the terminal server should be installed by using the Windows installer.
Note: Most programs have been tested for compatibility, and scripts are available for those that require some minor changes to the installation. These scripts are located in the System root, in the following path: \Application Compatibility Scripts\Install. You need to run these scripts after the installation of the program is completed.
Note: It is recommended that you avoid installing Microsoft DOS-based applications in a TS environment because these applications require frequent keyboard checks that use a lot of CPU memory. Applications accessing INI files also cause problems in a TS environment, owing to the frequent changes in the INI files.
For more information about considerations for installing applications, see "Build Your Skills: How to Optimize Apps to Run in Terminal Services" on the TechRepublic.com Web site.
Lesson 2 Configuring RemoteApp Programs
TS RemoteApp programs are applications that can be accessed remotely through TS. Using RemoteApp programs, organizations can provide access to Windows-based applications from any location to any computer or user.
These RemoteApp programs can be deployed by using TS Web Access, Windows installer package (.msi file), or Remote Desktop Protocol (.rdp file).
Introduction to TS RemoteApp Programs
Key Points
In Windows Server 2008 TS, a RemoteApp program is integrated with the client's desktop and runs in its own resizable window with its own entry on the taskbar. A RemoteApp program that uses a notification area icon displays the icon in the client's notification area.
Using RemoteApp programs, the popup windows can be redirected to the local desktop and the local drives and printers can be redirected to appear in the RemoteApp program.
Question: You want to access multiple programs running on the terminal server at the same time. How many terminal server sessions will be required to run multiple RemoteApp programs?
For more information about TS RemoteApp programs, see "Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.
Advantages of Using RemoteApp Programs
Key Points
Using TS RemoteApp programs minimizes the overall administrative effort, enhances user experience, and facilitates running different programs on multiple desktops.
You can use TS RemoteApp programs in the following scenarios:
• For users who need to access applications from remote locations
• In an organization having many branches with limited local IT support and bandwidth
• In companies that have LOB applications, which need to be deployed on computers with different configurations
• For users who need to use different versions of a program
• For users who are mobile and need to work from different computers and/or locations
Question: What is the scenario in your organization and how will the implementation of RemoteApp programs assist you?
Methods for Deploying RemoteApp Programs
Key Points
Depending on the deployment method used (TS Web Access, .msi file, or .rdp file), you can access RemoteApp programs by:
• Clicking a link to the program on a Web site
• Double-clicking a .rdp file created by the administrator through a file share
• Double-clicking a program icon created by an administrator on the desktop or in the Start menu of the client computer
• Double-clicking a file with a file name extension that is associated with the RemoteApp program through a file share
Question: Can you access a RemoteApp program by using Internet Explorer?
Using TS Web Access to Deploy RemoteApp Programs
Key Points
TS Web Access provides access to RemoteApp programs through a Web page over the Internet or an intranet.
When using TS Web Access to deploy RemoteApp programs, you first need to install the required RemoteApp programs and verify the remote connection settings on the terminal server. Then, you need to add the programs to the RemoteApp Programs list in the TS RemoteApp Manager. The TS RemoteApp Manager is then used to configure the following global settings that will apply to all RemoteApp programs:
• Terminal server
• TS Gateway
• Common Remote Desktop Protocol (RDP)
• Custom RDP
• Digital signature
You can then install the TS Web Access role service by using the Server Manager snap-in.
If the TS Web Access server is different from the terminal server that hosts the RemoteApp programs, then you need to add the computer account of the TS Web Access server to the TS Web Access Computers security group on the terminal server. You can add the computer account by using the Computer Management administrative tool on the terminal server.
Finally, you can specify the data source or the terminal server from which to populate the RemoteApp programs list. For this you can connect to the TS Web Access Web site. By using the Configuration tab on the site, you can enter the name of the terminal server that you want to use as the data source.
Note: You can use a digital signature to sign .rdp files for connecting RemoteApp programs to the terminal server. The client must be running RDC 6.1.
Note: Windows Installer packages or MSI packages are made available by using a file share, Microsoft Systems Center Configuration Manager, or Active Directory software distribution. These methods enable you to make RemoteApp programs available to users without using TS Web Access.
For more information about using TS Web Access for deploying RemoteApp programs, see "Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.
Considerations for Connecting to TS Web Access
Key Points
Clients connecting to TS Web Access must be running Windows Server 2008, Windows Vista, or Windows XP and must have the TS ActiveX client control approved by a standard user.
In case of any problems in connecting to TS Web Access from the client computer, you can use the Manage Add-ons tool available on the Tools menu of Internet Explorer. The add-on will be displayed as Microsoft Terminal Services Client Control.
On Windows XP SP3, you might need to modify the registry to enable the ActiveX control.
Note: RDC 6.1 is included in Vista SP1 and XP SP3.
Demonstration: Using an MSI File to Deploy RemoteApp Programs
Question: Why is it important to view the associated file name extensions for programs on the terminal server?
Lesson 3 Configuring Printers
TS Easy Print is a new feature in Windows Server 2008 TS. This feature enables users to print to the correct printer on the client computer from a RemoteApp program or from a remote desktop connection to a terminal server. TS Easy Print simplifies printer redirection as it requires only Group Policy to be configured.
TS Easy Print
Key Points
TS Easy Print redirects all print jobs from a TS session to the client computer without the need to install any printer driver on the terminal server.
In addition, it provides enhanced enumeration performance by listing only the printers that are available for a particular session instead of all the redirected printers.
Note: The Group Policy setting applies to both TS Easy Print and legacy fallback. TS Easy Print is the default behavior; however, it coexists with the legacy fallback behavior of Windows Server 2003 RTM.
For more information about TS Easy Print, see "Terminal Services Printing" on the Microsoft TechNet Web site.
Considerations for Using TS Easy Print
Key Points
Client computers using TS Easy Print must be running either Windows Vista or Windows XP. If, however, these computers do not support Easy Print, then the local and network printer drivers will have to be installed on the terminal server. If you are using a third-party printer driver, then that driver needs to be signed by Windows Hardware Quality Labs (WHQL). The third-party printer driver should be compatible with Windows Server 2008 to run without any connectivity problems.
On client computers that do not support TS Easy Print, printing defaults to the behavior in Windows 2003 and prior to Windows 2000.
Configuring Group Policy for Printer Redirection
Key Points
Windows Server 2008 has introduced a new Group Policy that is available in the Group Policy Management snap-in. The policy is located under the Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection node. The policy is named Redirect only the default client printer.
The possible values for this Group Policy setting are:
• Enabled or Not Configured
• Disabled
By enabling this policy, you can ensure that only the TS client's default printer is redirected on the terminal server. This policy will function from any version of the TS client.
Lab: Configuring TS Resources
Overarching Scenario
Woodgrove Bank is launching a new investment scheme to benefit the underprivileged. The management has prepared a presentation that needs to be distributed to all the members of the Marketing group. The IT department is responsible for deploying the presentation on the terminal server so that it is accessible to all the members of the Marketing group.
As a technology specialist in Woodgrove Bank’s IT department, you have been tasked with installing Microsoft PowerPoint Viewer on the terminal server and making it available as a RemoteApp program. You also need to ensure that members are able to print the presentation if required.
Exercise 1: Configuring and Deploying TS RemoteApp Programs
Scenario
You receive a service request from the enterprise administrator to install PowerPoint Viewer on the terminal server. You need to create a RemoteApp program link to PowerPoint Viewer for the Marketing group because they need to use the application to view the presentation of the new investment scheme.
Exercise Overview
In this exercise, you will install TS Web Access and create a link to PowerPoint Viewer for the Marketing group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Add the computer account of the TS Web Access server to the security group.
4. Specify the data source.
5. Install PowerPoint Viewer.
6. Add the PowerPoint Viewer program in the RemoteApp Programs list.
7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.
8. Determine if the RemoteApp program is enabled for TS Web Access.
9. Configure the TS Web Access server to allow access from the Internet.
Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-03 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
Task 2: Install the TS Web Access role service
1. On 6428A-NYC-TS-03, start Server Manager and display the Add Role Services link.
2. Add the TS Web Access role service by using the Select Role Services page.
Task 3: Add the computer account of the TS Web Access server to the security group
1. On 6428A-NYC-TS-03, start the Computer Management snap-in.
2. Under the Local Users and Groups node, select the group TS Web Access Computers, and add the computer NYC-TS.
Task 4: Specify the data source
1. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.
2. Log on to the site as WoodgroveBank\Administrator using the password Pa$$w0rd.
3. Use the Configuration tab on the title bar to name the terminal server as NYC-TS.
Task 5: Install PowerPoint Viewer
1. Display the command prompt and enter change user /install.
2. Use Control Panel to install the application on the terminal server.
3. Install the PowerPointViewer.exe from E:\Tools.
Task 6: Add the PowerPoint Viewer program in the RemoteApp Programs list
1. Start TS RemoteApp Manager.
2. Use the RemoteApp wizard to add PowerPoint Viewer to the RemoteApp Programs list page.
3. Verify that the RemoteApp program, Microsoft Office PowerPoint Viewer 2007, is available through TS Web Access.
Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp program
1. In the TS RemoteApp Manager, in the RemoteApp Programs list, select Microsoft Office PowerPoint Viewer 2007.
2. Create a .rdp file for Microsoft Office PowerPoint Viewer 2007 by using the RemoteApp Wizard and on the Specify Package Settings page, verify the following settings:
• Location of the program: C:\Program Files\Packaged Programs
• Terminal server: NYC-TS.WoodgroveBank.com
• Server authentication: Yes
• Port: 3389
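The same verification can be repeated on the generated .rdp file before it is placed on a file share. The following added example (not part of the course material) parses the file's name:type:value lines and checks the server, port, and server authentication values from the Specify Package Settings page, plus whether the file carries a digital signature. It assumes that signscope is a comma-separated list of the setting names the signature covers, it does not validate the signature itself, and the sample file contents are constructed.

```python
import codecs


def decode_rdp(raw):
    """Decode .rdp bytes; the files are commonly UTF-16 with a BOM, otherwise UTF-8/ASCII."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-case setting name."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or unrecognised line
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value: ignore it
        settings[name] = value
    return settings


def audit_rdp(raw, expected_server, expected_port=3389):
    """Return a list of finding codes; an empty list means the file matches."""
    settings = parse_rdp(decode_rdp(raw))
    findings = []
    # "full address" may carry the port as host:port.
    host, _, port_in_address = str(settings.get("full address", "")).partition(":")
    if host.lower() != expected_server.lower():
        findings.append("server")
    port = settings.get("server port", 3389)  # 3389 is the RDP default when unset
    if port_in_address.isdigit():
        port = int(port_in_address)
    if port != expected_port:
        findings.append("port")
    # authentication level: 0 connects without warning if server authentication
    # fails, 1 refuses, 2 warns the user, 3 means no requirement was specified.
    if settings.get("authentication level") not in (1, 2):
        findings.append("server-auth")
    # Presence check only; Remote Desktop Connection validates the signature.
    scope = {s.strip().lower() for s in str(settings.get("signscope", "")).split(",")}
    if not settings.get("signature"):
        findings.append("unsigned")
    elif not {"full address", "server port"} <= scope:
        findings.append("signature-scope")
    return findings


# Constructed sample files (not taken from a real deployment).
SIGNED_OK = (
    "full address:s:NYC-TS.WoodgroveBank.com\r\n"
    "server port:i:3389\r\n"
    "authentication level:i:1\r\n"
    "remoteapplicationmode:i:1\r\n"
    "signscope:s:Full Address,Server Port,RemoteApplicationMode\r\n"
    "signature:s:CONSTRUCTED-PLACEHOLDER\r\n"
).encode("utf-16")

UNSIGNED_CHANGED = (
    b"full address:s:rdp.example.test\r\n"
    b"server port:i:3390\r\n"
    b"authentication level:i:0\r\n"
    b"remoteapplicationmode:i:1\r\n"
)

NARROW_SCOPE = (
    b"full address:s:NYC-TS.WoodgroveBank.com\r\n"
    b"authentication level:i:2\r\n"
    b"signscope:s:Full Address\r\n"
    b"signature:s:CONSTRUCTED-PLACEHOLDER\r\n"
)

if __name__ == "__main__":
    for label, raw in (("signed", SIGNED_OK), ("unsigned", UNSIGNED_CHANGED),
                       ("narrow scope", NARROW_SCOPE)):
        print(label, audit_rdp(raw, "NYC-TS.WoodgroveBank.com"))
```
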
Task 8: Determine if the RemoteApp program is enabled for TS Web Access
1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that Microsoft Office PowerPoint Viewer 2007 is available through TS Web Access.
2. Start Internet Explorer.
3. Access the URL http://NYC-TS/TS.
4. Provide the user credentials as WoodGroveBank\Baris with the password Pa$$w0rd.
Task 9: Configure the TS Web Access server to allow access from the Internet
1. On the 6428A-NYC-TS-03, start Internet Information Services (IIS) Manager.
2. Enable Windows Authentication.
Results: After this exercise, you should have installed the PowerPoint program and created a link to C:\Program Files\Packaged Programs.
Exercise 2: Configuring TS Easy Print
Scenario
The Marketing group wants to print documents remotely. They might also want to print the investment scheme presentation. You receive a service request from the server administrator to ensure that TS Easy Print on the terminal server is used as the default printer driver on the client computers.
Exercise Overview
The main tasks for this exercise are as follows:
1. Configure the printer redirection settings.
2. Shut down the virtual machines.
Task 1: Configure the printer redirection settings
1. On 6428A-NYC-DC1-01, start Group Policy Management.
2. Create a GPO, GPO for RDP link, for Marketing.
3. Under Printer Redirection, enable:
• Use Terminal Services Easy Print printer driver first.
• Redirect only the default client printer.
Task 2: Shut down the virtual machines
• Turn off each virtual machine that is running and discard changes.
Results: After this exercise, you should have configured TS Easy Print and the client print driver should have been redirected to TS.
Lab Review
Module 5 Configuring Terminal Services Web Access and Session Broker
Contents:
Lesson 1: Installing TS Web Access
Lesson 2: Configuring TS Session Broker
Lab: Configuring TS Web Access and Session Broker
Module Overview
TS Web Access is a role service that allows you to access TS RemoteApp™ programs on a Microsoft Windows Server 2008-based terminal server through a Web browser. This role service allows you to remotely connect to the desktop of any computer that provides Remote Desktop access.
This module introduces TS Web Access and covers the considerations for installing this role service followed by the steps to install and configure RemoteApp programs by using TS Web Access. The module also describes the procedure to connect to the Remote Desktop Web by using TS Web Access.
The module finally covers another role service, TS Session Broker, which facilitates reconnecting to an existing session in a load-balanced terminal server farm.
Lesson 1 Installing TS Web Access
With TS Web Access, you can easily access a list of RemoteApp programs from a Web site on the Internet or intranet. When you start a RemoteApp program, a TS session is started on the terminal server that hosts the application.
The TS Web Access page includes the TS Web Access Web part that displays the list of RemoteApp programs. This Web part can be included on a customized Web page of an organization or can be incorporated in a Microsoft Windows SharePoint Services (WSS) Web site.
Introduction to TS Web Access
Key Points
TS Web Access in Windows Server 2008:
• Allows users to run multiple RemoteApp programs on the same terminal server in the same TS session
• Provides for centralized and easy remote administration and maintenance
TS Web Access in Windows Server 2008 also includes the Remote Desktop Web Connection feature, which enables users to connect to the desktop of remote computers.
This feature is available as a Remote Desktop tab on the TS Web Access Web page. Remote Desktop Web Connection is installed as part of the TS Web Access role service and is not an optional component of Microsoft Internet Information Services (IIS) 7.0.
Note: TS Web Access does not route Remote Desktop Protocol (RDP) over the Internet. To connect to RemoteApp programs over the Internet, TS Gateway is used in conjunction with TS Web Access.
For more information about TS Web Access, see "Terminal Services Web Access (TS Web Access)" on the Microsoft TechNet Web site.
What's Different in Windows Server 2008 TS Web Access?
Key Points
TS Web Access in Windows Server 2008 replaces the TS Web Connection software available with Microsoft Windows Server 2003. An important point to note is that accessing TS Web Access does not require a separate ActiveX control to be downloaded. The required ActiveX control is included in Remote Desktop Connection (RDC) 6.1.
Considerations for Installing TS Web Access
Key Points
Before installing TS Web Access in Windows Server 2008, you need to ensure that the client computers are running either Windows Server 2008 or Microsoft Windows Vista with SP1.
RDC 6.1, a necessary component for running TS Web Access, is included with Windows Server 2008 and Windows Vista with SP1.
Deploying the TS Web Access Web Part
Key Points
The list of RemoteApp programs that appears on the TS Web Access Web part is taken from a single terminal server that is specified by an administrator. This list is dynamically updated.
You can deploy the Web part as part of a customized Web page by using an ActiveX control and Active Server Pages (ASP).
To add the TS Web Access Web part to a WSS site, ensure that the server is running the release to manufacturing (RTM) version of Windows Server 2008 Standard. This feature does not work properly with Windows Server 2008 Release Candidate (RC)1.
For more information about the steps used to add the TS Web Access Web part to a WSS Web site, see the document "Customizing TS Web Access by Using Windows SharePoint Services" on the Microsoft Web site.
Installing and Configuring RemoteApp Programs by Using TS Web Access
To configure RemoteApp programs on the terminal server:
1. Install the programs required on the terminal server.
2. Verify existing remote connections or change remote connection settings as required.
To enable RemoteApp programs for TS Web Access:
1. Add the programs that you want to display in the RemoteApp Programs list.
2. Configure the following:
• Terminal server deployment settings
• TS Gateway deployment settings
• RDP settings for RemoteApp connections
• Custom RDP settings for RemoteApp connections
• Digital signature to sign the .rdp files
To install TS Web Access on the server:
1. Install the TS Web Access role service.
2. Populate the TS Web Access Computers security group.
3. Specify the terminal server with the RemoteApp programs list on the TS Web Access Web part.
All remote programs on the terminal server or farm configured for TS Web Access appear on the TS Web Access Web site.
Question: Which RemoteApp programs would you prefer to include on the TS Web Access Web part in your organization?
For more information about installing and configuring RemoteApp programs by using TS Web Access, see “Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide” on the Microsoft TechNet Web site.
Connecting to Remote Desktop Web by Using TS Web Access
Key Points
If you are an administrator, you can use IIS Manager to specify whether the Remote Desktop tab on the TS Web Access Web page is available to users. You can also configure settings such as the TS Gateway server, authentication method, and default device and resource redirection options.
By default, server authentication is enabled for the Remote Desktop Web connection.
To connect to the remote computer:
• The computer must be configured to accept Remote Desktop connections.
• The user must be a member of the Remote Desktop Users group on the remote computer.
Note: You can also configure the settings for the Remote Desktop Web connection by changing the %windir%\Web\ts\Web.config file in Notepad.
Question: What are the advantages of using the Remote Desktop Web connection in a branch scenario?
Lesson 2 Configuring TS Session Broker
In a farm environment, you can use the TS Session Broker role service to balance the load among the terminal servers. By using TS Session Broker, you can distribute the sessions such that the more powerful terminal servers take more load than the less powerful terminal servers.
Introduction to TS Session Broker
Key Points
In Windows Server 2008, TS Session Broker provides session-based load balancing as compared to connection-based Network Load Balancing (NLB) in Windows Server 2003. However, Windows Server 2008 continues to support third-party NLB configurations of Windows 2003.
TS Session Broker works through the following two phases:
• In the first phase, the connections are distributed to the terminal servers by using a load balancing mechanism such as Domain Name System (DNS) round robin. The terminal server in turn then queries TS Session Broker for redirection.
• In the second phase, the terminal server redirects the user connections to the terminal server specified by TS Session Broker.
Note: The TS Session Directory feature available in the previous versions is called TS Session Broker in Windows Server 2008.
For more information about TS Session Broker, see "Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide" on the Microsoft TechNet Web site.
Prerequisites for Configuring TS Session Broker
Key Points
Windows Server 2003 terminal servers cannot use the TS Session Broker load balancing feature.
As a best practice, you should install the TS Session Broker role service on a back-end infrastructure server, such as a file server. This ensures that the service will not be affected when you need to perform maintenance on the terminal servers in the farm.
To use the TS Session Broker role service, the terminal servers should be members of the Session Directory Computers local group. This group is located on the TS Session Broker server.
Demonstration: Configuring TS Session Broker
Question: You need to configure the IP addresses for reconnection. What precaution do you need to take to include the terminal servers running Windows Server 2003?
Lab: Configuring TS Web Access and Session Broker
Overarching Scenario
The Marketing group of Woodgrove Bank has prepared a presentation about a new product by using Microsoft PowerPoint. This presentation should be available on a Web site to all users of this group. The Finance group has also prepared a presentation on the current financial position of the organization. The management wants users from the Finance group to access this presentation from the WSS Web site.
To manage all the traffic on the Web servers in the farm, the enterprise administrator wants to implement TS Session Broker.
Exercise 1: Configuring TS RemoteApp Programs for TS Web Access
Scenario
You receive a service request from the enterprise administrator to create a link to Microsoft Office PowerPoint Viewer 2007 on the terminal server. This link should be available to all users of the Marketing Group through a Web browser. To enable this, you need to create the link to PowerPoint Viewer that can be accessed through the TS Web Access Web site.
Exercise Overview
In this exercise, you will install and configure the TS Web Access role service on the terminal server and create a .msi file for PowerPoint Viewer. A link for this .msi file needs to be created so that the marketing group can access it through a Web browser.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Determine if the RemoteApp program is enabled for TS Web Access.
4. Create an MSI file.
5. Create a link to the TS RemoteApp program on the terminal server.
6. Verify that the link is functional and available through the Web browser.
Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-05, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
3. Start 6428A-NYC-WEB-05, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
Task 2: Install the TS Web Access role service
1. In the Server Manager snap-in on 6428A-NYC-TS-05, under Role Summary, add the TS Web Access role service.
2. Start the Computer Management snap-in.
3. In the left pane on the Computer Management page, under the Local Users and Groups node, select TS Web Access Computers, and add the NYC-TS computer.
4. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.
5. Log on to the site as Woodgrovebank\Administrator by using the password Pa$$w0rd.
6. Add the site to trusted sites.
7. Use the Configuration tab on the title bar to name the terminal server as NYC-TS.
Task 3: Determine if the RemoteApp program is enabled for TS Web Access
1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.
2. In the RemoteApp Programs list, verify that Microsoft Office PowerPoint Viewer 2007 is available through TS Web Access.
Task 4: Create an MSI file
1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.
2. In the RemoteApp Programs list, select the program Microsoft Office PowerPoint Viewer 2007.
3. In the Actions pane, select the option to create the Windows Installer package by using the RemoteApp Wizard.
Task 5: Create a link to the TS RemoteApp program on the terminal server
1. In the TS RemoteApp Manager, in the RemoteApp Programs list, verify that a Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint Viewer.
2. Start Internet Explorer and type the URL as http://NYC-TS/ts.
3. Display the Connect to nyc-ts dialog box, and provide the user credentials as WoodGroveBank\Bernard with password Pa$$w0rd.
4. Add the URL to trusted sites.
5. On 6428A-NYC-TS-05, start the Internet Information Services (IIS) Manager and specify the default Web site as TS.
6. To configure TS Web Access server to allow access from the Internet, verify that Windows Authentication is enabled.
Task 6: Verify that the link is functional and available through the Web browser
1. On 6428A-NYC-WEB-05, verify that you are logged on as WoodgroveBank\Administrator with the password Pa$$w0rd.
2. Start Internet Explorer and type the URL as http://NYC-TS/ts.
3. In the Connect to NYC-TS dialog box, provide the user name as WoodgroveBank\Bernard and password as Pa$$w0rd.
4. Observe that Microsoft Office PowerPoint is listed in the remote application programs list.
Results: After this exercise, you should have installed TS Web Access on the terminal server, created an MSI file for the remote program, created a link to the remote program, and verified that the link is functional through Internet Explorer.
Exercise 2: Customizing TS Web Access by Using WSS
Scenario
The enterprise administrator has tasked you with customizing the TS Web Access Web part to provide a link to Microsoft PowerPoint Viewer and adding the Web part to a WSS Web site. Users from the Finance group should be able to access this link so that they can view the PowerPoint presentation put up by the group.
Exercise Overview
In this exercise, you will create a customized Web part and export it to a WSS Web site.
The main tasks for this exercise are as follows:
• Add a Web Part to a WSS site.
Task 1: Add a Web Part to a WSS site
1. On 6428A-NYC-WEB-05, visit the SharePoint 3.0 Central Administration Web site.
2. Display the authentication dialog box, and connect to the WSS Site http://nyc-web:44341/ as WoodgroveBank\Administrator by using the password Pa$$w0rd.
3. On the Home page of the Central Administration site, click Site Actions, and then select Edit Page from the drop-down list.
4. On the Edit page, under the Resources section, add the Web part as a new link, http://NYC-TS/ts.
Results: After this exercise, you should have added a customized Web part by using TS Web Access, and exported it to a WSS site.
Exercise 3: Configuring TS Session Broker
Scenario
You receive a service request from the enterprise administrator to configure the TS Session Broker role service to manage all the TS Web Access servers in the farm.
Exercise Overview
In this exercise, you will install the TS Session Broker role service and configure the Session Broker settings for servers in a TS farm.
The main tasks for this exercise are as follows:
1. Install the TS Session Broker role service.
2. Add each server in the farm to the Session Directory Computers local group.
3. Configure the TS Session Broker settings by using Group Policy.
4. Shut down the virtual machines.
Task 1: Install the TS Session Broker role service
1. On 6428A-NYC-TS-05, start Server Manager.
2. On the Select Role Services page, install the TS Session Broker role service.
Task 2: Add each server in the farm to the Session Directory Computers local group
1. Start the Computer Management snap-in.
2. In the left pane, under Local Users and Groups, select the Session Directory Computers group.
3. In the Select Users, Computers or Groups dialog box, in the Object Type dialog box, add the computer accounts NYC-WEB and NYC-TS.
Task 3: Configure the TS Session Broker settings by using Group Policy
1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in.
2. In the left pane, under the NYC node, create a new GPO named GPO for TS Web Access.
3. In the right pane, on the Settings tab of GPO for TS Web Access, edit the computer configuration.
4. Under the Computer Configuration node, click TS Session Broker, and configure the following settings:
• Join TS Session Broker policy: Enabled
• Configure TS Session Broker farm name: Enabled
• TS Session Broker server name: NYC-TS
• Use TS Session Broker load balancing: Enabled
Task 4: Shut down the virtual machines
• Turn off all virtual machines and discard changes.
Results: After this exercise, you should have configured TS Session Broker load balancing for a farm.
Lab Review
Module 6 Configuring and Troubleshooting Terminal Services Gateway
Contents:
Lesson 1: Configuring TS Gateway
Lesson 2: Monitoring and Troubleshooting TS Gateway Connections
Lab: Configuring and Troubleshooting TS Gateway
Module Overview
TS Gateway is a role service that provides access to terminal servers, to computers running RemoteApp programs, and to computers and servers that have Remote Desktop enabled.
By using TS Gateway, remote users can access resources on an internal network with minimum security risks.
This module covers configuring the TS Gateway role service as well as monitoring and troubleshooting the TS Gateway connections.
Lesson 1 Configuring TS Gateway
The installation and configuration of TS Gateway has some requirements. For example, you must obtain a trusted Secure Sockets Layer (SSL) certificate for the TS Gateway server to function.
In addition, users can connect to internal resources by using TS Gateway only if they meet the conditions specified in a TS Connection Authorization Policy (CAP) or TS Resource Authorization Policy (RAP).
By using TS CAPs or RAPs, you can manage the connections made through TS Gateway.
Introduction to TS Gateway
Key Points
TS Gateway uses Remote Desktop Protocol (RDP) tunneled over Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). By using TS Gateway, you can make secure and encrypted connections between users on the Web and the remote production application computers. The connection is made by using port 443. This connection works even if the remote computers are located behind a network address translation (NAT) traversal-based router in a network.
The TS Gateway secure remote connection can also be used by TS Web Access. By integrating TS Web Access with TS Gateway, you can ensure transport-level SSL security for all terminal server traffic. Remote users can also access RemoteApp programs through TS Gateway securely.
Note: TS Gateway does not require any additional configuration to provide access to resources behind a firewall in private networks or across NATs.
For more information about the TS Gateway server, see "Terminal Services Gateway (TS Gateway)" on the Microsoft TechNet Web site.
Requirements for TS Gateway
Key Points
To install TS Gateway, you need to be a member of the Administrators group on the server.
You also need to obtain an SSL certificate from a trusted third party. Alternatively, you can obtain a self-signed certificate.
It is recommended that you use HTTPS with a certificate for TS Web Access. You can use the TS Web Access certificate if TS Gateway is installed on the same server as TS Web Access. You can also use wildcard SSL certificates.
In addition, TS Gateway requires some role services and features to be installed and functioning.
You can configure the TS Gateway server to use the TS CAPs that are stored on another server running the Network Policy Server (NPS) service. This NPS server can then be used to centrally administer and manage TS CAPs, thus improving the deployment of TS Gateway.
Note: TS Gateway does not require any change in code when routing connections to a TS-based session with Microsoft Windows Server 2003, Microsoft Windows Vista, or Microsoft Windows XP-based computers.
Configuring TS Gateway
Key Points
You can configure TS Gateway by using the Server Manager snap-in. You can use an existing certificate for SSL encryption or create a self-signed certificate. You can also select an option that will allow you to obtain the certificate later.
Note: If you select an existing certificate, only certificates that can be used to authenticate the TS Gateway server with the appropriate Enhanced Key Usage (EKU) will be displayed in the list of certificates.
You need not map a self-signed certificate if you have created it by using:
• The Add Remove Roles Wizard during the installation of the TS Gateway role service
• The TS Gateway Manager after the installation of the TS Gateway role service
Question: When is it recommended to use self-signed certificates?
For more information about configuring TS Gateway, see "Configuring the TS Gateway Core Scenario" on the Microsoft TechNet Web site.
Obtaining Certificates
Key Points
You can generate and submit a certificate request by using various methods depending on the policies and configuration of your organization. It is recommended that you use self-signed certificates for evaluation and testing purposes only.
An organization can have the following certificates:
• A stand-alone or enterprise certificate authority (CA)-issued certificate that must be cosigned by a trusted public CA. This CA must participate in the Microsoft Root Certificate Program Members program. You need to install this certificate on the TS Gateway server and then map the certificate.
• A certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program. You need to install this certificate on the TS Gateway server and then map the certificate.
• A self-signed certificate for technical evaluation and testing purposes only. You must install this certificate in the Trusted Root Certification Authorities store on the client computer. You do not need to install this certificate or map it to the TS Gateway server.
Note: The Windows Server 2003 Certificate Services Web enrollment feature depends on an ActiveX control named Xenroll.
Question: Which certificate enables users to connect from home computers and kiosks to a TS Gateway server?
TS Connection Authorization Policies
Key Points
TS CAPs enhance security by regulating access to TS Gateway and are stored on the network policy server. Using these policies, you can specify user groups, and optionally client computer groups, that can connect to the TS Gateway server. You can also specify conditions that a user needs to meet to connect to the server—for example, whether a user should use a password or a smart card to access the server. TS CAPs can be created by using the TS Gateway Manager.
Tasks involved in managing TS CAPs include:
• Enabling or disabling TS CAPs
• Modifying or removing a local TS CAP
• Specifying a new central TS CAP
• Evaluating the permissions of the user and computer groups that connect to TS Gateway
You can also use TS CAPs to specify which client device redirection should be enabled or disabled for specific groups. Devices can be disk drives or supported Plug and Play (PnP) devices.
The suggested device redirection settings can only be enforced on client computers running Remote Desktop Connection (RDC).
Note: Enforcing device redirection settings on a client cannot provide guaranteed security, even for RDC clients.
For more information about TS CAPs, see "TS Gateway Overview" on the Microsoft TechNet Web site.
TS Resource Authorization Policies
Key Points
TS RAPs allow you to regulate access by specifying the internal network resources that users can connect to through TS Gateway. You can create a computer group and associate it with a TS RAP. You can also create a group of computer accounts in Active Directory and associate it with a TS RAP.
When you associate a TS Gateway-managed computer group with a TS RAP, you can use both the fully qualified domain names (FQDNs) and NetBIOS names by adding them separately to the computer group.
When you associate an Active Directory security group to a TS RAP, both FQDNs and NetBIOS computer names are automatically supported, if the computer to which you are connecting is in the same domain as the TS Gateway server. If the client computer is in a different domain from the TS Gateway server, then the FQDN of the client computer needs to be specified.
If you want remote users to connect to a computer managed by TS Gateway by using either the computer name or the IP address, then you need to add the computer twice to the computer group—once by the computer name and then by the IP address of the computer.
Tasks involved in managing TS RAPs include:
• Enabling or disabling TS RAPs
• Modifying or removing a local TS RAP
• Specifying the computers that users can connect to through TS Gateway
• Configuring the TS clients to access resources on the network
Note: Remote users should meet the conditions specified in at least one TS CAP and one TS RAP to be able to connect to resources on the internal network through TS Gateway.
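The following added example (not from the course material and not Microsoft's code) models the two-stage decision described above in PowerShell: a request must satisfy one enabled TS CAP and one enabled TS RAP, and a gateway-managed computer group matches only the name forms listed in it. Policy and group names follow the lab; the IP address, the request labels, and the function names are constructed for illustration.

```powershell
# Simplified model for illustration; not how TS Gateway is implemented.
# Policy and group names follow the lab; 10.10.0.24 is a constructed address.

# Connection authorization policies: who may reach the gateway, and how.
$caps = @(
    @{ Name = 'TS CAP'; Enabled = $true
       UserGroups = @('WOODGROVEBANK\HR')
       ClientComputerGroups = @()       # optional condition; empty means not required
       AuthMethods = @('Password') }
)

# Resource authorization policies: which internal computers and ports.
$raps = @(
    @{ Name = 'TS RAP'; Enabled = $true
       UserGroups = @('WOODGROVEBANK\HR')
       # Gateway-managed computer group: each name form is a separate entry.
       Computers = @('NYC-TS', 'NYC-TS.woodgrovebank.com')
       Ports = @(3389) }
)

function Test-AnyCommon($Left, $Right) {
    foreach ($item in $Left) { if ($Right -contains $item) { return $true } }
    return $false
}

function Test-GatewayRequest {
    param($Request, $Caps, $Raps)

    # Stage 1: the request must meet at least one enabled TS CAP.
    $cap = $null
    foreach ($p in $Caps) {
        if (-not $p.Enabled) { continue }
        if (-not (Test-AnyCommon $Request.UserGroups $p.UserGroups)) { continue }
        if ($p.ClientComputerGroups.Count -gt 0 -and
            -not (Test-AnyCommon $Request.ClientComputerGroups $p.ClientComputerGroups)) { continue }
        if ($p.AuthMethods -notcontains $Request.AuthMethod) { continue }
        $cap = $p
        break
    }
    if (-not $cap) { return 'DENY: no enabled TS CAP matched' }

    # Stage 2: the request must also meet at least one enabled TS RAP.
    foreach ($p in $Raps) {
        if (-not $p.Enabled) { continue }
        if (-not (Test-AnyCommon $Request.UserGroups $p.UserGroups)) { continue }
        if ($p.Computers -notcontains $Request.Target) { continue }   # match on the name as typed
        if ($p.Ports -notcontains $Request.Port) { continue }
        return "ALLOW: $($cap.Name) + $($p.Name)"
    }
    return "DENY: met $($cap.Name) but no enabled TS RAP allows $($Request.Target):$($Request.Port)"
}

# Constructed connection requests.
$hr = @('WOODGROVEBANK\HR')
$requests = @(
    @{ Label = 'Baris, by FQDN'; UserGroups = $hr; ClientComputerGroups = @()
       AuthMethod = 'Password'; Target = 'NYC-TS.woodgrovebank.com'; Port = 3389 },
    @{ Label = 'Baris, by IP address'; UserGroups = $hr; ClientComputerGroups = @()
       AuthMethod = 'Password'; Target = '10.10.0.24'; Port = 3389 },
    @{ Label = 'Baris, smart card'; UserGroups = $hr; ClientComputerGroups = @()
       AuthMethod = 'SmartCard'; Target = 'NYC-TS'; Port = 3389 },
    @{ Label = 'Baris, port 3390'; UserGroups = $hr; ClientComputerGroups = @()
       AuthMethod = 'Password'; Target = 'NYC-TS'; Port = 3390 },
    @{ Label = 'Bernard, not yet in HR'; UserGroups = @('WOODGROVEBANK\Domain Users')
       ClientComputerGroups = @(); AuthMethod = 'Password'; Target = 'NYC-TS'; Port = 3389 }
)

foreach ($r in $requests) {
    '{0,-24} -> {1}' -f $r.Label, (Test-GatewayRequest $r $caps $raps)
}
```

The request by IP address is refused at the RAP stage until the address is added to the computer group as its own entry, which is the "add the computer twice" case from the key points.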
Lesson 2 Monitoring and Troubleshooting TS Gateway Connections
TS Gateway has monitoring capabilities that allow you to view the information about active connections from the TS clients to the internal network resources. Furthermore, the TS Gateway server can be configured to use Network Access Protection (NAP). NAP is a feature of Microsoft Windows Server 2008 that allows administrators to maintain computer health.
Although TS Gateway provides these tools to monitor connections and enforce compliance with health requirement policies for network access, you will still need to resolve connectivity issues. You can use the TS Gateway Manager to troubleshoot the TS Gateway connections.
Monitoring Active Connections Through TS Gateway
Key Points
You can use the TS Gateway Manager to monitor the active connections from TS clients to network resources.
You can specify the events to be logged, such as successful or unsuccessful connection attempts to an internal network computer through the TS Gateway server. When an event occurs, you can monitor the event by using the Windows Event Viewer.
For more information about monitoring active connections by using the TS Gateway server, see "Monitoring Active Connections Through a TS Gateway Server" on the Microsoft TechNet Web site.
Network Access Protection
Key Points
Configuring TS Gateway to use NAP allows administrators to enforce system health requirements, security update requirements, required computer configurations, and other settings.
NAP controls network resources based on the identity of a computer and compliance with corporate governance policy.
NAP presents an application programming interface (API) that allows developers to create solutions for validation of health status, limitation of network access or communication, and ongoing compliance.
In addition, NAP allows administrators to define granular levels of network access based on the identity of the client, the group the client belongs to, and the degree of compliance with corporate governance policy.
Note: NAP does not prevent authorized users on a compliant computer from uploading a malicious program to the network.
For more information about NAP, see "Network Access Protection" on the Microsoft MSDN Web site.
Demonstration: Configuring Network Access Protection on TS Gateway
Question: Which operating systems are supported as NAP clients when TS Gateway server enforces NAP?
Troubleshooting TS Gateway
Key Points
To ensure that client computers successfully connect through TS Gateway, the TS Gateway server must be configured correctly. You need to ensure that the server is configured to use an appropriate SSL-compatible X.509 certificate, and the TS CAPs and RAPs are correctly configured.
In addition, you need to:
• Check the authentication method used for the connection.
• Check the number of simultaneous connections being made.
• Check the traffic of ports used for TS on the firewall.
Question: If you get an error message stating that the authentication method you used is not supported, how will you change the authentication settings?
For more information about troubleshooting connections, see "TS Gateway Server Connections" on the Microsoft TechNet Web site.
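An added example, not part of the course material: a PowerShell check of the certificates in the server's Personal store against the conditions this module names (validity period, Server Authentication EKU, a name that matches the gateway, self-signed status). The gateway name comes from the lab; the 30-day warning threshold and the function names are assumptions.

```powershell
# Added example; not from the course material.
# Assumptions: gateway name taken from the lab, 30-day warning threshold.
param(
    [string]$GatewayName = 'NYC-TS.woodgrovebank.com',
    [int]$WarnDays = 30
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU

function Test-NameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName -eq $HostName) { return $true }      # -eq ignores case
    # A wildcard covers exactly one leading label.
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)               # ".example.com"
        if ($HostName.Length -gt $suffix.Length -and
            $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            return ($label -notmatch '\.')
        }
    }
    return $false
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))    # subject common name
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() text is localized; "DNS Name=" is the English label.
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

function Get-GatewayCertificateFindings {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName,
        [int]$WarnDays
    )
    $now = Get-Date
    $findings = @()

    if ($now -lt $Cert.NotBefore) { $findings += 'not yet valid' }
    if ($now -gt $Cert.NotAfter) { $findings += 'expired' }
    elseif (($Cert.NotAfter - $now).TotalDays -lt $WarnDays) {
        $findings += "expires in fewer than $WarnDays days"
    }
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key on this server' }

    # A certificate without an EKU extension is not restricted by EKU,
    # so only an extension that omits Server Authentication is reported.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $ServerAuthOid) { $findings += 'EKU lacks Server Authentication' }
    }

    $match = $false
    foreach ($n in @(Get-CertificateDnsNames $Cert)) {
        if (Test-NameMatch $n $HostName) { $match = $true; break }
    }
    if (-not $match) { $findings += "no subject or SAN name matches $HostName" }

    if ($Cert.Subject -eq $Cert.Issuer) {
        $findings += 'self-signed: each client must trust it explicitly'
    }
    return $findings
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $f = @(Get-GatewayCertificateFindings -Cert $_ -HostName $GatewayName -WarnDays $WarnDays)
    $status = 'OK'
    if ($f.Count -gt 0) { $status = $f -join '; ' }
    New-Object PSObject -Property @{
        Subject = $_.Subject; NotAfter = $_.NotAfter
        Thumbprint = $_.Thumbprint; Findings = $status
    }
} | Select-Object Subject, NotAfter, Thumbprint, Findings | Format-List
```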
Lab: Configuring and Troubleshooting TS Gateway
Overarching Scenario
The enterprise administrator of Woodgrove Bank wants you to configure TS Gateway so that remote users in the HR group can securely access the internal network resources of the organization. You need to install the TS Gateway role on the terminal server and create the connection and resource authorization policies for the HR group.
Exercise 1: Configuring and Monitoring TS Gateway
Scenario
You need to install the TS Gateway role service on the terminal server and install a self-signed certificate for the TS Gateway to function. You also need to create a CAP and a RAP for the HR group so that the members of the HR group are able to access the computers existing in the HR group.
Exercise Overview
In this exercise, you will install and configure the TS Gateway server role on the terminal server and create a CAP and a RAP for the HR group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Gateway role.
3. Install the certificate.
4. Create a CAP for the HR group.
5. Select the pre-configured Active Directory Security group HR.
6. Create a RAP for the HR group.
Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-05 and log on as Administrator by using the password Pa$$w0rd.
Task 2: Install the TS Gateway role
1. On 6428A-NYC-TS-05, start Server Manager and install the TS Gateway role service.
2. On the Select Roles Services page, select the options to configure the server authentication certificate for SSL encryption and the authorization policies for TS Gateway, later.
Task 3: Install the certificate
1. Start TS Gateway Manager, and under NYC-TS, create a self-signed certificate for SSL encryption.
2. Specify the certificate name as NYC-TS.WOODGROVEBANK.COM.
3. Specify the certificate location as c:\certificate\NYC-TS.cer.
4. Start the Certificates snap-in by using the MMC command.
5. On the File menu, select Add/Remove Snap-in.
6. Import the certificate from c:\certificate\NYC-TS.cer by using the Certificate Import Wizard.
7. Start the TS Gateway Manager, and on the properties page of NYC-TS, install the certificate for NYC-TS.woodgrovebank.com.
Task 4: Create a CAP for the HR group
1. In the TS Gateway Manager, under NYC-TS, create a new connection authorization policy named TS CAP.
2. On the Requirements tab, under Supported Windows authentication methods, verify that Password is selected.
3. Add the group HR, and enable device redirection for all client devices for the group.
Task 5: Select the pre-configured Active Directory Security group HR
1. Start Active Directory Users and Computers and select the HR group for WoodgroveBank.com.
2. Select NYC-TS as the Object Type for Computers.
Task 6: Create a RAP for the HR group
1. On 6428A-NYC-TS-05, start the TS Gateway Manager and create a resource authorization policy named TS RAP.
2. Add the user group HR, and on the Computer Group tab, verify that Select an existing Active Directory security group is selected.
3. Select the group HR, and on the Allowed Ports tab, verify that Allow connections only through TCP port 3389 is selected.
Results: After this exercise, you should have installed the TS Gateway Server role service and created a TS CAP and TS RAP for the HR group.
Exercise 2: Troubleshooting the TS Gateway Connections
Scenario
You receive a service request from the Help Desk that a user, Baris, is unable to connect to the network using TS Gateway. You need to verify that the TS Gateway Server certificate has not expired. You also need to verify that the TS Gateway configuration is correct. In addition, you need to check that the user exists in the HR group, which can access the TS Gateway Server. An additional service request is to add Bernard to the HR group.
Exercise Overview
In this exercise, you need to verify that the TS Gateway server certificate has not expired. You also need to check the TS CAP and RAP for the HR group. In addition, you need to verify the existence of the user Baris in the HR group and add a new user Bernard to the HR group.
The main tasks for this exercise are as follows:
1. Verify that the TS Gateway Server certificate has not expired.
2. Verify that the TS CAP is accurate.
3. Verify that the TS RAP is accurate.
4. Verify that the user Baris exists in the HR group.
5. Add Bernard to the HR group.
6. Verify that the TS RAP is functional.
7. Shut down the virtual machines.
Task 1: Verify that the TS Gateway Server certificate has not expired
1. On 6428A-NYC-TS-05, in the TS Gateway Manager, in the properties page of NYC-TS, on the SSL Certificate tab, verify that Select an existing certificate for SSL encryption (recommended) is selected.
2. Install the certificate for NYC-TS.woodgrovebank.com.
3. Verify that the certificate has not expired.
Task 2: Verify that the TS CAP is accurate
1. In the Server Manager, under NYC-TS, in Connection Authorization Policies, select TS CAP policy.
2. In the properties page of TS CAP, verify that the policy is enabled.
3. Verify that the authentication method for Windows is Password.
4. Verify that WOODGROVEBANK\HR group exists.
5. Verify that Device redirection for all client devices is selected.
Task 3: Verify that the TS RAP is accurate
1. In the Server Manager, under NYC-TS, in Resource Authorization Policies, select TS RAP policy.
2. In the TS RAP Policy Properties page, verify that the policy is enabled.
3. Verify that WOODGROVEBANK\HR group exists.
4. Under Select an existing Active Directory security group, verify that WOODGROVEBANK\HR exists.
5. On the Allowed Ports tab, verify that Allow connections only through TCP port 3389 is selected.
Task 4: Verify that the user Baris exists in the HR group
1. On 6428A-NYC-DC1-06, start Active Directory Users and Computers.
2. Under WoodgroveBank.com, select HR Security group.
3. In the properties of HR security group, verify that user Baris Cetinok exists.
Task 5: Add Bernard to the HR group
1. In the Active Directory Users and Computers snap-in, under WoodgroveBank.com, verify Users is selected.
2. In the properties of HR security group, add a user Bernard Duerr.
Task 6: Verify that the TS RAP is functional
1. Install the certificate, NYC-TS.cer, from \\NYC-TS\certificate using the Certificate Import Wizard.
2. Open remote connection by using the MSTSC command.
3. In Remote Desktop Connection, configure these TS Gateway Server settings as:
• Server name: NYC-TS.woodgrovebank.com
• Logon method: Ask for password (NTLM)
4. Connect to NYC-TS, as Woodgrovebank\Baris with password Pa$$w0rd.
Task 7: Shut down the virtual machines
1. Turn off 6428A-NYC-DC1-06 virtual machine and discard undo disk.
2. Turn off 6428A-NYC-TS-05 virtual machine and discard changes.
Results: After this exercise, you should have verified that the configuration of TS Gateway is correct and the user Baris exists in the HR group. In addition, you should have added a new user Bernard to the HR group.
Lab Review
Module 7 Managing and Monitoring Terminal Services
Contents:
Lesson 1: Methods for Managing and Monitoring TS
Lesson 2: Configuring Windows System Resource Manager for TS
Lab: Managing and Monitoring TS
Module Overview
As an administrator using Microsoft Windows Server® 2008 TS, you need to manage and monitor TS connections to ensure smooth transactions between the terminal server and the client computers. This module introduces the tasks involved in managing TS connections. It also describes some of the tools used to monitor TS connections.
Additionally, you can use Windows System Resource Manager (WSRM) to manage server processor resources and memory usage. This module introduces the features of WSRM and how to configure WSRM.
Lesson 1 Methods for Managing and Monitoring TS
To manage the TS connections, you need to perform tasks such as remotely controlling user sessions and resetting connections. The TS connections can be monitored by using tools such as the TS Gateway Manager and the Performance and Reliability Monitor.
Besides managing and monitoring TS connections, you will also need to perform troubleshooting steps to resolve client connectivity issues. These issues can be resolved by reviewing the errors in the Event Viewer.
Managing the TS Connections
Key Points
To remotely manage the TS connections, you need to be a member of the administrators group. You can enable, disable, rename, or delete the TS connections.
Note: It is a security best practice to manage TS connections by using the Run as command through the user interface or at the command prompt, instead of logging on with administrator credentials.
Question: When logged on as an administrator, which setting will you use to remotely interact with a user’s session?
For more information about managing connections, see "Manage Terminal Services Connections" on the Microsoft TechNet Web site.
Monitoring the TS Connections
Key Points
You can use the TS Gateway Manager to audit specific events such as the unsuccessful attempts to connect to the TS Gateway server by the client. These events can then be monitored by using the Event Viewer.
You can monitor the TS Web Access outbound traffic by using the Microsoft® Internet Security and Acceleration (ISA) Server Management tool, and check the ISA Server log to determine which rule is denying the outbound traffic to the Internet.
The Performance and Reliability Monitor provides the following new features in Windows Server 2008:
• A data collector set that groups portable data collectors used with different performance monitoring scenarios
• The Resource View that provides an enhanced view of the CPU, disk, network, and memory usage
• The Reliability Monitor that helps you to diagnose potential causes of the instability of the system
For more information about monitoring methods, see "Troubleshooting Web Access for Internal Clients," "Windows Server "Longhorn" Performance and Reliability Monitoring Step-by-Step Guide," and "Introducing Microsoft System Center Operations Manager 2007" on the Microsoft TechNet Web site.
Discussion: Troubleshooting the Client Connectivity Issues
For more information about troubleshooting client connectivity issues, see "TS Gateway Server Connections" on the Microsoft TechNet Web site.
Lesson 2 Configuring Windows System Resource Manager for TS
With WSRM, you can manage your resources such that all resources are provided evenly to all processes. Alternatively, you can make resources available to high-priority services, applications, or users.
Introduction to Windows System Resource Manager
Key Points
The condition for WSRM to function is that the combined processor load should be greater than 70%. In case of a conflict among processor resources, resource allocation policies are used to ensure minimum resource availability. This availability is based on the management profile defined by the administrator.
Question: You want to troubleshoot a processor resource problem. Which tool in WSRM can you use to view the usage of hardware resources and the activity of system services on the computer?
For more information about WSRM, see "Terminal Services and Windows System Resource Manager" on the Microsoft TechNet Web site.
Features of Windows System Resource Manager
Key Points
WSRM can be used to collect resource usage data from multiple servers and store it on a single computer running WSRM.
The benefits of using WSRM are:
• Improved availability of services on a single server through dynamically managed resources
• Improved accessibility of the system for high-priority users or administrators during maximum resource load
For more information about the features of WSRM, see "Overview of Windows System Resource Manager" on the Microsoft TechNet Web site.
Configuring Windows System Resource Manager
Key Points
Equal_Per_Session is the new and recommended resource allocation policy for configuring WSRM in Windows Server 2008 TS.
While monitoring the performance of the terminal server, it is also recommended that you collect data before and after implementing the Equal_Per_Session resource allocation policy.
There are some applications and processes that dynamically change their own memory limits. As a best practice, you should not specify the memory limits in WSRM for such applications and processes.
You must also note that excessive limitation of memory for an application can slow down the working of the application and increase disk usage.
Question: You want to set a limit on the memory used by the different processes on a system. Which feature of WSRM will help you do this?
For more information about configuring WSRM using resource allocation policies, see "Creating Resource Management Policies" and "Working with Resource Allocation Policies" on the Microsoft TechNet Web site.
Lab: Managing and Monitoring TS
Overarching Scenario
You receive a service request from the Network Operations Center (NOC) claiming that there is an overload of resource utilization. Therefore, you have been asked to configure the NOC technicians’ client computers to connect to TS through TS Gateway and manage these connections.
The enterprise administrator has also tasked you with installing WSRM on the TS. You need to configure WSRM to monitor the performance of the terminal server. You are also required to configure the resource allocation policies.
Exercise 1: Managing the TS Connections
Scenario
You are required to configure the NOC technician’s client computer for a TS Gateway connection. To manage the remote connections, you have been asked to log off, disconnect, and reset all TS connections for your TS Gateway server. You also need to verify that the NOC technician’s computer is properly configured by remotely controlling the user session.
Exercise Overview
In this exercise, you will configure the TS Gateway settings on the client computer. You will then disconnect the NOC technician’s computer and reset the connection.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator.
2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.
3. Configure the TS Gateway settings on the client.
4. Manage the TS connections on the terminal server.
Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-07 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan
• Start 6428A-NYC-WEB-05, switch the user, and log on as Susan, who belongs to the NOC Department, using the password pass@word1.
Task 3: Configure the TS Gateway settings on client
1. To configure TS Gateway on 6428A-NYC-WEB-05, start Remote Desktop Connection.
2. Configure the following settings in Options:
• TS Gateway server name as NYC-TS.Woodgrovebank.com
• Logon method as Ask for password (NTLM)
• Logon settings as NYC-TS
3. Connect to the terminal server NYC-TS.
4. Log on as Woodgrovebank\Susan with the password pass@word1.
Task 4: Manage the TS connections on the terminal server
1. Log off all TS Gateway connections on 6428A-NYC-TS-07 by using Terminal Services Manager.
2. Disconnect all TS Gateway connections.
3. Reset all TS Gateway connections.
Results: After this exercise, you should have configured the TS Gateway settings on the client and managed the TS connections remotely.
Exercise 2: Monitoring the TS Connections
Scenario
You receive a request from the enterprise administrator asking you to configure the TS connections. As an administrator, you need to limit the number of TS connections to 2. You also need to configure the refresh option of the connection. These settings will help you monitor the TS connections. In addition, you also need to specify the events to be logged for the TS Gateway connections.
Exercise Overview
In this exercise, you need to monitor TS connections by using the TS Gateway Manager and specify the TS Gateway events to be logged.
The main tasks for this exercise are:
1. Connect to the remote computer.
2. Monitor TS Gateway.
3. Specify the TS Gateway events to be logged.
Task 1: Connect to the remote computer
1. Connect to 6428A-NYC-TS-07 by using Remote Desktop Connection on 6428A-NYC-WEB-05.
2. Log on as Woodgrovebank\Susan using the password pass@word1.
Task 2: Monitor TS Gateway
1. On 6428A-NYC-TS-07, start TS Gateway Manager.
2. On the NYC-TS node, monitor Susan’s session.
3. Edit the connection by using the NYC_TS Properties dialog box.
4. Limit the maximum number of simultaneous connections to 2.
5. On the Actions panel, set the Automatic Refresh Options to 0:30:20.
6. Disconnect Susan’s connection.
Task 3: Specify the TS Gateway events to be logged
1. On the TS Gateway Manager snap-in, in the NYC-TS Properties dialog box, select the events to be audited for TS Gateway server.
2. View the events in the Event Viewer.
Results: After this exercise, you should have monitored the TS Gateway connections and specified the events to be logged for TS Gateway.
Exercise 3: Configuring WSRM for TS
Scenario
You receive a service request from the enterprise administrator to install and configure WSRM for Terminal Services. You are asked to monitor the Equal_Per_Session resource allocation policy for TS. After observing the performance and generating a report for the per session policy, you need to implement the Equal_Per_User policy on TS.
Exercise Overview
The main tasks for this exercise are as follows:
1. Install WSRM on TS.
2. Configure the TS resource allocation policy for per session.
3. Monitor TS performance by using Resource Monitor.
4. Configure the TS resource allocation policy for per user.
5. Shut down the virtual machines.
Task 1: Install WSRM on TS
1. Start Server Manager on 6428A-NYC-TS-07, under Features Summary, select Windows System Resource Manager.
2. Install WSRM by using the wizard.
3. Open the Windows System Resource Manager snap-in.
4. In the Connect to computer dialog box, select This computer.
Task 2: Configure the TS resource allocation policy for per session
• In the Windows System Resource Manager snap-in, under the Resource Allocation Policies node, implement the per session resource-allocation policy.
Task 3: Monitor TS performance using Resource Monitor
1. In the Windows System Resource Manager snap-in, display the Resource Monitor.
2. Review the performance data.
3. Display the Properties dialog box, and change the Graph to Report.
4. In the Windows System Resource Manager Properties dialog box, configure the e-mail notification options as [email protected].
5. Use the SMTP server NYC-TS.woodgrovebank.com.
6. Select two or more events under the Error, Warning, and Information nodes.
Task 4: Configure the TS resource allocation policy for per user
• On the Windows System Resource Manager snap-in, under the Resource Allocation Policies node, implement the per user resource-allocation policy.
Task 5: Shut down the virtual machines
• Turn off each virtual machine that is running and discard changes.
Results: After this exercise, you should have configured WSRM, configured the resource allocation policies, and monitored the TS performance by using the Resource Monitor.
Lab Review
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Module 1: Configuring Terminal Services Core Functionality
Lab: Configuring TS Core Functionality
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Installing and Configuring the TS Server Role Service
Exercise 2: Configuring the TS Settings
Logon Information:
• Virtual Machine 1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-01
• User Name: Administrator/Baris
• Password: Pa$$w0rd
Estimated time: 65 minutes
Exercise 1: Installing and Configuring the TS Server Role Service
Exercise Overview
In this exercise, you will install and configure the TS core functionality at the New York head office.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator.
2. Install the TS server role service.
3. Configure authentication on the terminal server.
4. Configure the default credentials to be used on the terminal server.
5. Create a .rdp file and configure custom display.
6. Enable ClearType and Font smoothing.
7. Enable support for PnP redirection.
8. Install and configure WSRM.
9. Install the Desktop Experience.
10. Remotely connect to TS by using RDC.
Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
Wait for the virtual machine to start. The Recent Events section will display the messages of the events.
2. Log on with the default login ID WOODGROVEBANK\Administrator and the password Pa$$w0rd, and then click Go. The Server Manager snap-in is displayed.
Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear before starting 6428A-NYC-TS-01 virtual machine. If the virtual machine is not properly shut down, the Shutdown Event Tracker dialog box will be displayed. Select the Security issue option from the drop-down list and click OK.
3. Start 6428A-NYC-TS-01 using the Lab Launcher tool.
4. Log on with the ID WOODGROVEBANK\administrator and password Pa$$w0rd. The Server Manager snap-in is displayed.
5. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, click Active Directory Users and Computers.
6. In the left pane, click the WoodgroveBank.com node, click Computers, and verify that NYC-TS is displayed in the right pane.
Task 2: Install the TS server role service
1. On 6428A-NYC-TS-01, in Server Manager, in the left pane, right-click Roles, and then click Add Roles.
2. In the Add Roles Wizard, on the Before You Begin page, click Next.
3. On the Select Server Roles page, under Roles list, select the Terminal Services check box, and then click Next.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, select the Terminal Server check box, and then click Next.
6. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
7. On the Specify Authentication Method for Terminal Server page, select Require Network Level Authentication option, and then click Next.
8. On the Specify Licensing Mode, select Per User, and then click Next.
9. On the Select User Groups Allowed Access To This Terminal Server page, click Add.
10. In the Select Users, Computers, or Groups dialog box, verify that From this location box has WoodgroveBank.com.
11. In the Enter the object names to select (examples) box, type NYC_MarketingGG, click Check Names, click OK, and then click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
14. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close.
15. On the Add Roles Wizard message box, click Yes to restart the server.
16. After the server restarts and you log on to the computer as WOODGROVEBANK\Administrator and password Pa$$w0rd, the Resume Configuration Wizard is displayed. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
17. Observe that the installation of the Terminal Services has succeeded. Click Close.
18. On the Server Manager link, scroll down to the Roles Summary section, click the Terminal Services link.
19. On the Terminal Services page, scroll down to System Services section, and confirm that the Status for TS is Running.
20. In the Role Services section, confirm that the Status for TS is Installed.
21. Close the Server Manager.
Task 3: Configure authentication on the terminal server
1. Start the Terminal Services Configuration snap-in on 6428A-NYC-TS-01. Click Start, click Run, in the Open box type tsconfig.msc, and then click OK.
2. On the Terminal Services Configuration page, in the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security layer box, select SSL (TLS 1.0) from the drop-down list box, and then click OK.
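A read-back check for the listener settings chosen in Task 2 (Require Network Level Authentication) and Task 3 (SSL security layer), added here as an example and not part of the courseware. It assumes Windows PowerShell 2.0 or later, run locally on the terminal server as an administrator; the function name Get-RdpListenerSecurity is hypothetical.

```powershell
# Added example (not from the courseware): read the security settings of each
# RDP listener through WMI and compare them with the values chosen in the lab.
# Assumptions: PowerShell 2.0+, run locally on the terminal server as admin.

function Get-RdpListenerSecurity {
    # Numeric values of Win32_TSGeneralSetting.SecurityLayer and the labels
    # the Terminal Services Configuration snap-in shows for them.
    $layerNames = @{
        0 = 'RDP Security Layer'
        1 = 'Negotiate'
        2 = 'SSL (TLS 1.0)'
    }

    $listeners = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                               -Class Win32_TSGeneralSetting

    foreach ($l in $listeners) {
        # WMI returns unsigned integers; cast so the hashtable lookup matches.
        $layer = [int]$l.SecurityLayer
        $nla   = ([int]$l.UserAuthenticationRequired -eq 1)

        $layerName = $layerNames[$layer]
        if (-not $layerName) { $layerName = "Unknown ($layer)" }

        # Lab baseline: SSL (TLS 1.0) security layer and NLA required.
        $findings = @()
        if ($layer -ne 2) { $findings += 'security layer is not SSL (TLS 1.0)' }
        if (-not $nla)    { $findings += 'Network Level Authentication is not required' }

        New-Object PSObject -Property @{
            Listener      = $l.TerminalName
            SecurityLayer = $layerName
            NlaRequired   = $nla
            MatchesLab    = ($findings.Count -eq 0)
            Findings      = ($findings -join '; ')
        } | Select-Object Listener, SecurityLayer, NlaRequired, MatchesLab, Findings
    }
}

# One record per listener; RDP-Tcp is the connection configured in this task.
Get-RdpListenerSecurity | Format-List
```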
Task 4: Configure the default credentials to be used on the terminal server
1. On 6428A-NYC-TS-01, open the Local Group Policy Editor by using the gpedit.msc command. Click Start, in the Start Search box, type gpedit.msc, and then press ENTER.
2. In the left pane, under the Computer Configuration node, open the Administrative Templates folder, then open the System folder, and then open the Credentials Delegation folder.
3. In the right pane, under Setting, double-click Allow Delegating Default Credentials.
4. In the Allow Delegating Default Credentials Properties dialog box, on the Setting tab, click Enabled, and then click Show.
5. In the Show Contents dialog box, click Add to add servers to the list.
6. In the Add Item dialog box, in the Enter the item to be added box, type NYC-TS, and then click OK.
7. Click OK to close the Show Contents dialog box.
8. In the Allow Delegating Default Credentials Properties dialog box, click OK.
9. Close the Local Group Policy Editor.
Task 5: Create a .rdp file and configure custom display
1. To create .rdp file, click Start, click Administrative Tools, click Terminal Services, and then click TS RemoteApp Manager.
2. On the TS RemoteApp Manager page, in the Actions pane, click Add RemoteApp Programs, and then click Next.
3. In the RemoteApp Wizard page, select Remote Desktop Connection check box, and click Next.
4. In the Review Settings page, click Finish.
5. In TS RemoteApp Manager, scroll down to RemoteApp Programs, click Remote Desktop Connection, and then click Create .rdp file to display the RemoteApp Wizard page.
6. In the RemoteApp Wizard page, click Next.
7. Under the Specify Package Settings, verify the location of package is C:\Program Files\Packaged Programs, click Next.
8. In the Review Settings page, click Finish.
9. To configure the custom display, click Start, click Computer, and browse to C:\Program files\Packaged Programs\mstsc.rdp.
10. Right-click the mstsc.rdp file, click Open With, double-click Other Programs, and then select Notepad. Click OK.
11. At the bottom of the mstsc.rdp file, type desktopwidth:i:1680. Press ENTER.
12. Then type desktopheight:i:1050. Press ENTER.
13. Then type Span:i:1.
14. Click File, and then click Save. Close the mstsc.rdp file.
15. Close Packaged Programs.
Task 6: Enable ClearType and Font smoothing
1. Click Start, click Control Panel, and then in the left panel, click Control Panel Home.
2. In Control Panel, click the Appearance and Personalization link.
3. Under Personalization, click Change the color scheme.
4. On the Appearance Settings page, on the Appearance tab, click Effects, and then select the Use the following method to smooth edges of screen fonts check box.
5. Verify that ClearType is selected by default, and then click OK twice.
6. Close the Control Panel\Appearance and Personalization screen.
7. Click Start, point to All Programs, click Accessories, and then click Remote Desktop Connection.
8. In the Remote Desktop Connection dialog box, click Options.
9. In the Remote Desktop Connection dialog box, click the Experience tab, in the Performance section, select the Font smoothing check box.
Task 7: Enable support for PnP redirection
1. In the Remote Desktop Connection dialog box, on the Local Resources tab, under Local devices and resources section, click More.
2. Under Local devices and resources, expand the Supported Plug and Play devices node.
3. Select the Devices that I plug in later check box, and then click OK.
4. Close the Remote Desktop Connection dialog box.
Task 8: Install and configure WSRM
1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.
3. In the wizard, on the Select Features page, scroll down and select the Windows System Resource Manager check box. The Add Features Wizard message box is displayed informing you that Windows Internal Database also needs to be installed for Windows System Resource Manager (WSRM) to work properly.
4. Click Add Required Features, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
7. On the Installation Results page, confirm that the installation of Windows Internal Database and WSRM succeeded, and then click Close.
8. To start the WSRM snap-in, click Start, point to Administrative Tools, and then click Windows System Resource Manager. The WSRM snap-in is displayed.
9. In the Connect to computer dialog box, under Administer, verify that This Computer is selected, and then click Connect. This will enable WSRM to administer the local computer.
10. Close WSRM [Windows System Resource Manager (local)].
Task 9: Install the Desktop Experience
1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.
3. In the wizard, on the Select Features page, select the Desktop Experience check box, and then click Next.
4. On the Confirm Installation Selections page, observe the message that the server must be restarted after the installation of the Desktop Experience completes, and then click Install.
5. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
6. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close.
7. On the Add Features Wizard message box, click Yes to restart the server.
8. After the server restarts and you log on to the computer as WOODGROVEBANK\Administrator with password Pa$$w0rd, the Resume Configuration Wizard is displayed. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
9. Observe that the installation of the Desktop Experience has succeeded.
10. Click Close.
11. Close the Server Manager.
Task 10: Remotely connect to TS by using RDC
1. On 6428A-NYC-DC1-01, open the Remote Desktop Connection. Click Start, and then type mstsc in the Start Search box, and then press ENTER.
2. In the Remote Desktop Connection dialog box, in the Computer box, verify that NYC-TS is displayed by default, and then click Connect. The Windows Security dialog box is displayed.
3. In the Windows Security dialog box, click Use another account.
4. In the User name box, type WOODGROVEBANK\Baris.
5. In the Password box, type Pa$$w0rd, and then click OK. The Remote Control screen is displayed.
6. Close the remote connection. The Disconnect Terminal Services Session confirmation message box is displayed. Click OK.
Result: After this exercise, you should have installed and configured the TS server role service.
Exercise 2: Configuring the TS Settings
In this exercise, you will configure TS settings and the session broker settings.
Exercise Overview
The main tasks for this exercise are as follows:
1. Specify the program to start when user logs on to a remote session.
2. Configure the TS settings by using the Terminal Services Configuration snap-in.
3. Modify the default permissions for built-in accounts.
4. Configure the Session Broker settings.
5. Shut down the virtual machines.
Task 1: Specify the program to start when user logs on to a remote session
1. Log on to 6428A-NYC-TS-01. Start Terminal Services Configuration on 6428A-NYC-TS-01. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the Terminal Services Configuration snap-in, in the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
3. In the RDP-Tcp Properties dialog box, click the Environment tab, under Initial program area, click Start the following program when the user logs on option.
4. In Program path and file name box, type C:\Program Files\Packaged Programs\wordpad, and then click OK.
Task 2: Configure the TS settings by using the Terminal Services Configuration snap-in
1. In Terminal Services Configuration NYC-TS, in the middle panel, under the Edit Settings area, under the General section, double-click the Delete Temporary folders on exit option. The Properties dialog box is displayed.
2. On the General tab, verify that the following check boxes are selected:
• Restrict each user to a single session
• Delete Temporary folders on exit
• Use Temporary folders per session
Then click OK.
3. Close Terminal Services Configuration.
Task 3: Modify the default permissions for built-in accounts
1. Click Start, click Run and type wmimgmt.msc, and press ENTER.
2. In the Root tree, right-click WMI Control (Local), and then click Properties.
3. In the WMI Control (Local) Properties dialog box, click the Security tab, click Security.
4. In the Security for Root dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (Examples) box, type Baris, and then click Check Names. Click OK.
6. Under Permissions for Baris Cetinok, select the Allow check box for the Read Security permission, and then click OK.
7. Click OK to close WMI Control.
Task 4: Configure the Session Broker Settings
1. Click Start, point to Administrative tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the middle pane, in the Edit settings area, scroll down to the TS Session Broker section, double-click Member of farm in TS Session Broker.
3. In the Properties page, on the TS Session Broker tab, select the Join a farm in TS Session Broker check box.
4. In the TS Session Broker server name or IP address box, type NYC-TS.
5. In the Farm name in TS Session Broker box, type WoodgroveBank.
6. Select the Participate in Session Broker Load-Balancing check box.
7. Verify that the Use IP address redirection (recommended) check box is enabled.
8. Select the IP address 10.10.0.23 check box, and then click OK.
9. The Terminal Services Configuration dialog box is displayed. Click Yes. Close Terminal Services Configuration.
Task 5: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
Module 3: Configuring and Troubleshooting Terminal Services Connections
Lab: Configuring and Troubleshooting TS Connections
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring the TS Connection Properties
Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy
Exercise 3: Configuring SSO by Using Client Group Policy
Exercise 4: Troubleshooting Connectivity Issues
Logon Information:
• Virtual Machine 1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-03
• User Names: Administrator/Bernard/Baris/Anton/Monika/Dana
• Password 1: Pa$$w0rd
• Password 2: Pass@word1
Estimated time: 70 minutes
Exercise 1: Configuring the TS Connection Properties
Exercise Overview
In this exercise, you will configure the TS connection properties by using the Terminal Services Configuration snap-in.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Configure the TS connection properties by using the Terminal Services Configuration snap-in.
Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
2. The login ID is displayed as WOODGROVEBANK\Administrator. Log on by using the password Pa$$w0rd, and then press ENTER.
Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.
3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd, and then press ENTER.
The Server Manager page is displayed by default.
5. On 6428A-NYC-TS-03, verify that TS is installed on this virtual machine by performing the following steps:
• In the Server Manager, scroll down to the Roles Summary section, click the Terminal Services link.
• On the Terminal Services page, under System Services section, verify that the Status of Terminal Services is shown as Running.
• Under the Role Services section, verify that the Status of Terminal Server is shown as Installed.
• Close the Server Manager console.
Task 2: Configure the TS connection properties by using the Terminal Services Configuration snap-in
1. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. Verify the remote control setting as follows:
a. In the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
b. In the RDP-Tcp Properties dialog box, click the Remote Control tab and verify that the Use remote control with default user settings option is selected.
3. To configure connection permissions:
a. In the RDP-Tcp Properties dialog box, click the Security tab.
b. The Terminal Services Configuration message box is displayed. Click OK.
c. Click the Advanced button below the Permissions for SYSTEM section. The Advanced Security Settings for RDP-Tcp dialog box is displayed.
d. On the Permissions tab, in the Permission entries list, select the record for Baris Cetinok, and then click the Edit button. The Permission Entry for RDP-Tcp dialog box is displayed.
e. On the Object tab, in the Permissions list, select the Deny check box for the Disconnect permission, and then click OK.
f. In the Advanced Security Settings for RDP-Tcp dialog box, on the Permissions tab, in the Permission entries list, select the record for Bernard Duerr, and then click Edit. The Permission Entry for RDP-Tcp dialog box is displayed.
g. On the Object tab, in the Permissions list, verify that the Allow check boxes for all permissions are selected, and then click OK.
h. In the Advanced Security Settings for RDP-Tcp dialog box, on the Permissions tab, in the Permissions entries list, select the record for Anton Kirilov, and then click Edit.
i. On the Object tab, in the Permissions list, select the Allow check box for the Disconnect permission and Deny check box for logon permission. A Windows Security Warning dialog box appears. Click Yes.
j. Click OK to close the RDP-Tcp Properties dialog box.
4. Close the Terminal Services Configuration snap-in.
Results: After this exercise, you should have configured the connection properties.
Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy
Exercise Overview
In this exercise, you will configure the TS connection properties by using Group Policy.
The main tasks for this exercise are as follows:
1. Configure the TS connection properties.
2. Verify that a maximum of two clients can connect to the terminal server.
Task 1: Configure the TS connection properties
1. To open the Group Policy Management snap-in on 6428A-NYC-DC1-01, click Start, click Run and in the Open box type gpmc.msc, and then click OK.
2. In the Group Policy Management snap-in, ensure that the Forest: WoodgroveBank.com, Domains, WoodgroveBank.com, and NYC nodes are expanded, then right-click Marketing, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box that is displayed, type the name of the policy as GPO for TS Connection, and then click OK.
4. On the Marketing node, right-click the GPO for TS Connection link, and then click Edit.
5. In the Group Policy Management Editor page, under the Computer Configuration node, expand Policies, expand Administrative Templates, expand Windows Components, click Terminal Services, and under the Terminal Server node, click Connections.
6. In the right pane, under Setting, double-click Limit number of connections.
7. In the Limit number of connections properties dialog box, on the Setting tab, select Enabled, in the TS Maximum Connections allowed box, select 2, and then click OK.
8. In the right pane of the Group Policy Management Editor snap-in, under Setting, double-click Automatic reconnection.
9. In the Automatic reconnection Properties dialog box, select Enabled, and then click OK.
10. In the left pane of the Group Policy Management Editor snap-in, under Terminal Services node, expand the Terminal Server node, and then click Security.
11. In the right pane of the Group Policy Management Editor snap-in, under Setting, double-click Set client connection encryption level.
12. In the Set client connection encryption level Properties dialog box, select Enabled.
13. From the Encryption level drop-down list, verify that Client Compatible is selected, and then click OK.
14. In the left pane, under Terminal Services node, click Terminal Server, and then click Session Time Limits.
15. In the right pane, double-click Set time limit for disconnected sessions.
16. In the Set time limit for disconnected sessions Properties dialog box, select Enabled.
17. In the End a disconnected session box, select 5 minutes from the drop-down list, and then click OK.
18. Close the Group Policy Management Editor page.
19. Close the Group Policy Management snap-in.
Note: Before performing the next tasks, update Group Policy by using the gpupdate /force command at the command prompt of NYC-DC1.
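To confirm on the terminal server that the GPO from Task 1 actually applied, the policy values can be read back from the registry and compared with the values chosen above. The script below is an added example, not part of the courseware; it assumes Windows PowerShell 2.0 or later run on the terminal server after Group Policy has refreshed, and the function name Test-TsPolicy is hypothetical.

```powershell
# Added example (not from the courseware): compare the Terminal Services
# policy values that Group Policy wrote to the registry with the values
# selected in Task 1. Assumption: PowerShell 2.0+, run on the terminal server.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected values from the lab steps, keyed by the registry value name that
# each Terminal Services policy setting writes.
$Expected = @(
    @{ Setting = 'Limit number of connections';              Name = 'MaxInstanceCount';      Value = 2 },
    @{ Setting = 'Automatic reconnection';                   Name = 'fDisableAutoReconnect'; Value = 0 },      # 0 = reconnection enabled
    @{ Setting = 'Set client connection encryption level';   Name = 'MinEncryptionLevel';    Value = 2 },      # 2 = Client Compatible
    @{ Setting = 'Set time limit for disconnected sessions'; Name = 'MaxDisconnectionTime';  Value = 300000 }  # 5 minutes in ms
)

function Test-TsPolicy {
    param(
        [string]$Key = $PolicyKey,
        [object[]]$Baseline = $Expected
    )

    # The key is absent when no Terminal Services policy has been applied.
    $props = $null
    if (Test-Path $Key) { $props = Get-ItemProperty -Path $Key }

    foreach ($item in $Baseline) {
        $name   = $item['Name']
        $actual = $null
        # Test for the property itself so that a stored value of 0 is not
        # mistaken for "not configured".
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }

        if ($null -eq $actual)                   { $status = 'NotConfigured' }
        elseif ([int]$actual -eq $item['Value']) { $status = 'Match' }
        else                                     { $status = 'Mismatch' }

        New-Object PSObject -Property @{
            Setting  = $item['Setting']
            Value    = $name
            Expected = $item['Value']
            Actual   = $actual
            Status   = $status
        } | Select-Object Setting, Value, Expected, Actual, Status
    }
}

Test-TsPolicy | Format-Table -AutoSize
```

A NotConfigured row means the GPO did not reach this computer, for example because the computer account is outside the OU the GPO is linked to or because policy has not refreshed yet.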
Task 2: Verify that a maximum of two clients can connect to the terminal server
1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc, and then click OK.
2. In the Remote Desktop Connection dialog box, verify that the Computer box displays Nyc-ts, and then click Connect.
Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:
a. Open Control Panel.
b. Double-click the Network and Sharing Center icon. Verify whether NYC-DC1 is connected to Unidentified network.
c. Check the status of the Local Area Connection.
d. In the Network and Sharing Center window, under Tasks, click Manage network connections.
e. In the Network Connections window, right-click Local Area Connection, and then click Disable.
f. Then right-click Local area Connection, and click Enable.
g. Close the Network Connections window. In the Network and Sharing Center window, check whether NYC-DC is connected to WoodgroveBank.com.
3. In the Windows Security dialog box, click Use another account. Log on with the login ID WOODGROVEBANK\Baris using the password Pa$$w0rd, and then press ENTER.
4. Minimize the Nyc-ts Remote Desktop connection.
5. To log on as the second user, click Start, click Run, in the Open box type mstsc, and then click OK.
6. In the Remote Desktop Connection dialog box, verify that the Computer is Nyc-ts, and then click Connect.
7. In the Windows Security dialog box, click Use another account.
8. Log on as WOODGROVEBANK\Bernard with the password as Pa$$w0rd and then press ENTER.
9. Minimize the Nyc-ts Remote Desktop connection.
10. To log on as the third user, click Start, click Run, in the Open box type mstsc, and then click OK.
11. In the Remote Desktop Connection dialog box, verify that the Computer is Nyc-ts, and then click Connect.
12. In the Windows Security dialog box, click Use another account, log on with the login ID WOODGROVEBANK\Anton using the password Pa$$w0rd, and then click OK.
13. Observe that a message displaying “The requested session access is denied” appears on the screen. Click OK.
14. Close all the remote connections.
15. The Disconnect Terminal Services Session dialog box is displayed. Click OK.
Results: After this exercise, you should have configured the TS connection properties by using Server Group Policy.
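The settings this exercise delivers through the server GPO end up as registry values on the terminal server, so they can be checked there after gpupdate /force without reopening the editor. The script below is an added example, not part of the courseware; its function names are hypothetical. It assumes Windows PowerShell 3.0 or later, and the registry key, value names and encodings it uses are assumptions to verify against the administrative template in use.

```powershell
# Added example (not from the courseware). Compares the Terminal Services policy
# values present on a server with the values the lab GPO is expected to deliver.
# Assumption: the administrative template stores these settings under this key.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected state after the exercise. Encodings are assumptions to verify:
# the time limit is stored in milliseconds, encryption level 2 = Client Compatible.
$LabBaseline = [ordered]@{
    fDisableAutoReconnect = 0        # "Automatic reconnection" = Enabled
    MinEncryptionLevel    = 2        # "Set client connection encryption level" = Client Compatible
    MaxDisconnectionTime  = 300000   # "Set time limit for disconnected sessions" = 5 minutes
    MaxInstanceCount      = 2        # maximum of two connections
}

$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High' }

function Get-TsPolicyValue {
    # Reads every value under the policy key into a hashtable. Returns an empty
    # hashtable when the key is absent (no Terminal Services policy applied).
    param([string]$Path = $TsPolicyKey)
    $values = @{}
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path
        if ($item) {
            foreach ($p in $item.PSObject.Properties) {
                # Skip the provider bookkeeping properties PowerShell adds.
                if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                    $values[$p.Name] = $p.Value
                }
            }
        }
    }
    return $values
}

function Format-TsValue {
    # Turns a raw registry value into the wording used in the policy editor.
    param([string]$Name, $Value)
    if ($null -eq $Value) { return 'not set by policy; listener configuration applies' }
    switch ($Name) {
        'MinEncryptionLevel' {
            if ($EncryptionNames.ContainsKey([int]$Value)) { $EncryptionNames[[int]$Value] }
            else { "unknown level $Value" }
        }
        'MaxDisconnectionTime'  { '{0} min' -f ($Value / 60000) }
        'fDisableAutoReconnect' { if ($Value -eq 0) { 'reconnection allowed' } else { 'reconnection disabled' } }
        default                 { "$Value" }
    }
}

function Compare-TsPolicy {
    # Emits one row per baseline setting: OK, DRIFT, or MISSING.
    param(
        [System.Collections.IDictionary]$Actual = @{},
        [System.Collections.IDictionary]$Baseline = $LabBaseline
    )
    foreach ($name in $Baseline.Keys) {
        $want = $Baseline[$name]
        if ($Actual.Contains($name)) {
            $have   = [int]$Actual[$name]
            $status = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
        } else {
            $have   = $null
            $status = 'MISSING'
        }
        [pscustomobject]@{
            Setting  = $name
            Expected = $want
            Actual   = $have
            Status   = $status
            Meaning  = Format-TsValue -Name $name -Value $have
        }
    }
}

# Constructed sample: the key as it might look if the encryption policy had been
# set to Low and the connection limit had never been applied.
$sample = @{
    fDisableAutoReconnect = 0
    MinEncryptionLevel    = 1
    MaxDisconnectionTime  = 300000
}
Compare-TsPolicy -Actual $sample | Format-Table -AutoSize

# On the terminal server itself, after gpupdate /force:
# Compare-TsPolicy -Actual (Get-TsPolicyValue) | Format-Table -AutoSize
```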
Exercise 3: Configuring SSO by Using Client Group Policy
Exercise Overview
The main task for this exercise is to configure SSO by using client Group Policy.
Task 1: Configure the SSO setting by using client Group Policy
1. To open the Terminal Services Configuration snap-in on 6428A-NYC-DC1-01, click Start, click Run, in the Open box type tsconfig.msc, and then click OK.
2. In the middle pane, under Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security layer box, select SSL (TLS 1.0) from the drop-down list, and then click OK.
4. Close the Terminal Services Configuration snap-in.
5. To open the Local Group Policy Editor, click Start and in the Start Search box, type gpedit.msc, and then press ENTER.
6. In the left pane, under the Computer Configuration node, expand the Administrative Templates node, expand System node, and then click Credentials Delegation.
7. In the right pane, under Setting, double-click Allow Delegating Default Credentials.
8. In the Allow Delegating Default Credentials Properties dialog box, on the Setting tab, click Enabled, and then click Show to add servers to the list.
9. In the Show Contents dialog box, click Add to add servers to the list.
10. In the Add Item dialog box, in the Enter the item to be added box, type 6428A-NYC-TS-03, and then click OK.
11. Click OK to close the Show Contents dialog box.
12. In the Allow Delegating Default Credentials Properties dialog box, click OK.
13. Close the Local Group Policy Editor.
Results: After this exercise, you should have configured SSO by using client Group Policy.
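The Allow Delegating Default Credentials list decides which servers a client hands the user's default credentials to, so its entries are worth reviewing once they have been typed in. The script below is an added example, not part of the courseware; its function names are hypothetical and the sample entries are constructed. It assumes Windows PowerShell 3.0 or later, that the policy stores its list as string values under the key named in the code, and that entries are service principal names of the form TERMSRV/server as the policy's help text describes.

```powershell
# Added example (not from the courseware). Reviews the server list behind the
# "Allow Delegating Default Credentials" policy on a client.
# Assumption: the policy writes one string value per list entry under this key.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'

function Get-DelegationEntry {
    # Returns the configured list entries, or nothing when the policy is not set.
    param([string]$Path = $DelegationKey)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [string]$key.GetValue($name)
    }
}

function Test-DelegationEntry {
    # Classifies one entry by how widely it allows credentials to be delegated.
    param([string]$Entry)
    if ($Entry -match '\s') {
        $finding = 'malformed'
        $detail  = 'contains whitespace, so it cannot match a server name'
    } elseif ($Entry -match '^(?<service>[^/]+)/(?<target>.+)$') {
        $service = $Matches['service']
        $target  = $Matches['target']
        if ($service -ne 'TERMSRV') {
            $finding = 'other service'
            $detail  = "service class '$service' is not the terminal server class"
        } elseif ($target -eq '*') {
            $finding = 'any host'
            $detail  = 'credentials are delegated to every terminal server the user connects to'
        } elseif ($target.Contains('*')) {
            $finding = 'wildcard'
            $detail  = 'credentials are delegated to every host matching the pattern'
        } else {
            $finding = 'exact host'
            $detail  = 'credentials are delegated to this one server'
        }
    } else {
        $finding = 'no service class'
        $detail  = 'bare name; the policy help text gives entries as TERMSRV/<server>'
    }
    [pscustomobject]@{ Entry = $Entry; Finding = $finding; Detail = $detail }
}

# Constructed sample list. The first entry is the name exactly as the lab step
# types it; the others show the entry forms the policy help text describes,
# plus one entry damaged by a stray space.
$sampleEntries = @(
    '6428A-NYC-TS-03',
    'TERMSRV/NYC-TS.WoodgroveBank.com',
    'TERMSRV/*.WoodgroveBank.com',
    'TERMSRV/*',
    'TERMSRV/NYC-TS .WoodgroveBank.com'
)
$sampleEntries |
    ForEach-Object { Test-DelegationEntry -Entry $_ } |
    Format-Table -AutoSize -Wrap

# On a client, after the policy has been applied:
# Get-DelegationEntry | ForEach-Object { Test-DelegationEntry -Entry $_ } | Format-Table -AutoSize -Wrap
```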
Exercise 4: Troubleshooting Connectivity Issues
Exercise Overview
In this exercise, you will troubleshoot connectivity issues.
The main tasks for this exercise are as follows:
1. Verify the RDP settings, and check the event logs.
2. Verify the user and group permissions and policy settings.
3. Verify that the users are able to log on with the updated settings.
4. Shut down the virtual machines.
Task 1: Verify the RDP settings and check the event logs
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. In the TS RemoteApp Manager page, under the Overview section for RDP Settings, click the Change link.
3. In the RemoteApp Deployment Settings dialog box, click the Terminal Server tab.
4. On the Terminal Server tab, ensure that the Server name box has NYC-TS.WoodgroveBank.com.
5. Ensure that the port number in RDP Port is 3389, and then click OK to close the RemoteApp Deployment Settings dialog box.
6. Close the TS RemoteApp Manager.
7. To display the Event Viewer dialog box, click Start, click Run, in the Open box type eventvwr, and then press ENTER.
8. In the Event Viewer dialog box, expand the Windows Logs node.
9. Click Application, and check the details of any error in the events.
10. Close Event Viewer.
Task 2: Verify the user and group permissions and policy settings
1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the left pane, under the WoodgroveBank.com node, expand the NYC node, and then click Marketing.
3. In the right pane, right-click Monika Buschmann and then click Reset Password.
4. In the Reset Password dialog box, in the New password box type Pass@word1.
5. In the Confirm password box type Pass@word1, and then click OK.
6. In the Active Directory Domain Services confirmation box, click OK.
7. Close Active Directory Users and Computers snap-in.
8. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
9. In the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
10. In the RDP-Tcp Properties dialog box, click the Security tab. The Terminal Services Configuration message box is displayed. Click OK to close the message box.
11. On the Security tab, under Group or user names section, select Dana Birkby.
12. Click Advanced, select the record for Dana Birkby, click Edit and verify that the check box under Deny for Remote Control is not selected. If selected, clear the check box, and then click OK twice.
13. In the RDP-Tcp Properties dialog box, click the General tab.
14. In the Encryption level box, verify that the value is Client Compatible, and then click OK.
15. Close the Terminal Services Configuration snap-in.
Task 3: Verify that the users are able to log on with the updated settings
1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc, and then click OK.
2. In the Remote Desktop Connection dialog box, verify that the computer is Nyc-ts, and then click Connect.
Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:
a. Open Control Panel.
b. Click the Network and Sharing Center icon. Verify that NYC-DC is connected to Unidentified network.
c. Check the status of the Local Area Connection.
d. In the Network and Sharing Center window, under Tasks, click Manage network connections.
e. In the Network Connections window, right-click Local Area Connection, and then click Disable.
f. Then, right-click Local Area Connection and click Enable.
g. Close the Network Connections window. In the Network and Sharing Center window, verify that NYC-DC is connected to WoodgroveBank.com.
3. In the Windows Security dialog box, click Use another account, log on as WOODGROVEBANK\Monika with the password as Pass@word1 and then click OK.
4. To log off Monika, click Start, point to the arrow key next to the lock computer button, and then click Log off.
5. To log on as the second user, click Start, click Run, type mstsc, and then click OK.
6. In the Remote Desktop Connection dialog box, click Connect.
7. In the Windows Security dialog box, click Use another account.
8. Log on as WOODGROVEBANK\Dana with the password as Pa$$w0rd and then click OK.
9. Close the remote connection.
10. The Disconnect Terminal Services Session dialog box is displayed. Click OK.
Task 4: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
Results: After this exercise, you should have used troubleshooting techniques to resolve connectivity issues.
Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
Module 4: Configuring Terminal Services RemoteApp and Easy Print
Lab: Configuring TS RemoteApp and Easy Print
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring and Deploying TS RemoteApp Programs
Exercise 2: Configuring TS Easy Print
Logon Information:
• Virtual Machine 1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-03
• User Names: Administrator/Baris
• Password: Pa$$w0rd
Estimated time: 45 minutes
Exercise 1: Configuring and Deploying TS RemoteApp Programs
Exercise Overview
In this exercise, you will install TS Web Access and create a link to Microsoft® PowerPoint Viewer for the Marketing group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Add the computer account of the TS Web Access server to the security group.
4. Specify the data source.
5. Install PowerPoint Viewer.
6. Add the PowerPoint Viewer program in the RemoteApp Programs list.
7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.
8. Determine if the RemoteApp program is enabled for TS Web Access.
9. Configure the TS Web Access server to allow access from the Internet.
Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
2. Log on using the default ID as WOODGROVEBANK\Administrator and password Pa$$w0rd. The Server Manager page is displayed by default.
Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.
3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd. The Server Manager page is displayed by default.
Task 2: Install the TS Web Access role service
1. On 6428A-NYC-TS-03, in Server Manager, scroll down to the Roles Summary section, click the Terminal Services link. On Terminal Services, scroll down to Roles Services.
2. In the Role Services section, click the Add Role Services link.
3. On the Select Role Services page, select the TS Web Access check box. The Add Role Services dialog box is displayed.
4. Review the information about the required role services for Web Server (IIS) and click Add Required Role Services, and then click Next.
5. Review the Web Server (IIS) page, and then click Next.
6. On the Select Role Services page, you are prompted to select the role services that you want to install for IIS. Then, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
9. On the Installation Results page, confirm that the installation of TS Web Access succeeded, and then click Close.
10. On the Server Manager page under Roles Services, confirm that TS Web Access is Installed.
11. Close the Server Manager.
Task 3: Add the computer account of the TS Web Access server to the security group
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then click Computer Management.
2. In the left pane, click the Local Users and Groups node, and then click the Groups node.
3. In the middle pane, double-click the group name TS Web Access Computers.
4. In the TS Web Access Computers Properties dialog box, to add members in the group, click the Add button.
5. In the Select Users, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select {examples} box, type NYC-TS as the computer account of the TS Web Access server, click Check Names, and then click OK.
8. Click OK to close the TS Web Access Computers Properties dialog box.
Task 4: Specify the data source
1. To start Internet Explorer, click Start, click All Programs, and then click Internet Explorer.
2. To connect to the TS Web Access Web site, in the URL box, type http://NYC-TS/ts. Click the go button.
3. In the Connect to nyc-ts dialog box, log on to the site as WoodgroveBank\Administrator with the password Pa$$w0rd.
4. A message box regarding the blocked content is displayed. To add the site as a trusted site, click the Add button.
5. The Trusted sites message box is displayed. Click Add.
6. Close the Trusted sites message box.
Note: If you are already logged on to the computer, you are not prompted for the credentials. You need to add the Web site as a trusted Web site only the first time you access the site.
7. On the title bar, click the Configuration tab.
8. On the right side of the page, in the Editor Zone area, in the TS Web Access Properties section, in the Terminal server name box, type NYC-TS.
9. Click Apply to apply the changes.
Task 5: Install PowerPoint Viewer
1. Click Start, and then click Command Prompt.
2. At the command prompt, type change user /install, press ENTER, and then close the window.
3. Click Start, click Control Panel, and then double-click the Install Application on Terminal Server icon.
4. In the Install Program From Floppy Disk or CD-ROM wizard, click Next.
5. Click Browse. In the left pane, click Computer, and then browse to E:\Tools.
6. At the bottom of the page, in the Setup programs box, select All Files from the drop-down list.
7. Double-click PowerPointViewer.exe.
8. In the Run Installation Program page, click Next.
9. In the Microsoft Office PowerPoint Viewer 2007 license agreement page, select the check box to accept the license terms, and click Continue.
10. The Microsoft Office PowerPoint Viewer 2007 message box informing about the completion of the installation is displayed. Click OK.
11. On the Finish Admin Install page, click Finish.
Task 6: Add the PowerPoint Viewer program in the RemoteApp Programs list
1. Start TS RemoteApp Manager on 6428A-NYC-TS-03. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. In the Actions pane on the right, click Add RemoteApp Programs.
3. On the Welcome to the RemoteApp Wizard page, click Next.
4. On the Choose programs to add to the RemoteApp Programs list page, select the check box next to Microsoft Office PowerPoint Viewer 2007 program.
5. Click Microsoft Office PowerPoint Viewer 2007 program, and then click Properties.
6. In the RemoteApp Properties dialog box, verify that the RemoteApp program is available through TS Web Access check box is selected, click OK, and then click Next.
7. On the Review Settings page, review the settings and then click Finish.
Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp program
1. Scroll down to the RemoteApp Programs list and click Microsoft Office PowerPoint Viewer 2007.
2. On the Actions pane under Microsoft PowerPoint Viewer 2007, click Create .rdp File.
3. On the Welcome to the Remote App Wizard page, click Next.
4. On the Specify Package Settings page:
• Keep the default location to save the program as C:\Program Files\Packaged Programs.
• Verify that the terminal server setting is NYC-TS.WoodgroveBank.com.
• Verify that the required server authentication is set to Yes.
• Verify that the port is 3389.
5. Click Next.
6. On the Review Settings page, click Finish.
Task 8: Determine if the RemoteApp program is enabled for TS Web Access
1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that a Yes value appears for TS Web Access next to Microsoft Office PowerPoint Viewer 2007 that you want to make available through TS Web Access.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In the URL box, type http://NYC-TS/TS.
4. In the Connect to nyc-ts dialog box, provide user credentials from the Marketing Group. In User name type WoodGroveBank\Baris and provide password Pa$$w0rd, and then click OK.
Task 9: Configure the TS Web Access Server to allow access from the Internet
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane of Internet Information Services (IIS) Manager, Expand NYC-TS(WOODGROVEBANK\Administrator) node, click the Sites node, click the Default Web Site node, and then click TS.
3. In the middle pane, scroll down to IIS, double-click the Authentication icon.
4. Verify Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable.
Results: After this exercise, you should have installed the PowerPoint program and created a link to C:\Program Files\Packaged Programs.
Exercise 2: Configuring TS Easy Print
Exercise Overview
The main tasks for this exercise are as follows:
1. Configure the printer redirection settings.
2. Shut down the virtual machines.
Task 1: Configure the printer redirection settings
1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the left panel, under Group Policy Management, click Forest: WoodgroveBank.com, followed by Domains, WoodgroveBank.com, NYC nodes, and right click the Marketing node.
3. Click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, under the Name box, type GPO for RDP Link, and then click OK.
5. In the left panel, expand the Marketing node, right-click GPO for RDP link, and then click Edit.
6. In the left panel on the Group Policy Management Editor page, under Computer Configuration, expand Policies and Administrative Templates nodes, and then click the Windows Components node.
7. Under Windows Components, double-click the Terminal Services node, and then click the Terminal Server node.
8. In the left panel, double-click Printer Redirection.
9. In the right panel, double-click Use Terminal Services Easy Print printer driver first.
10. In the Use Terminal Services Easy Print printer driver first Properties dialog box, on the Setting tab, select Enabled, and then click OK.
11. In the right panel, double-click Redirect only the default client printer.
12. In the Redirect only the default client printer Properties dialog box, on the Setting tab, select Enabled, and then click OK.
Task 2: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
Results: After this exercise, you should have configured TS Easy Print and the client print driver should have been redirected to TS.
Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
Module 5: Configuring Terminal Services Web Access and Session Broker
Lab: Configuring TS Web Access and Session Broker
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring TS RemoteApp Programs for TS Web Access
Exercise 2: Customizing TS Web Access by Using WSS
Exercise 3: Configuring TS Session Broker
Logon Information:
• Virtual Machine 1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-05
• Virtual Machine 3: 6428A-NYC-WEB-05
• User Name: Administrator\Bernard
• Password: Pa$$w0rd
Estimated time: 60 minutes
Exercise 1: Configuring TS RemoteApp Programs for TS Web Access
Exercise Overview
In this exercise, you will install and configure the TS Web Access role service on the terminal server and create a .msi file for Microsoft® Office PowerPoint Viewer. A link for this .msi file needs to be created so that the Marketing group can access it through a Web browser.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Determine if the RemoteApp program is enabled for TS Web Access.
4. Create an MSI file.
5. Create a link to the TS RemoteApp program on the terminal server.
6. Verify that the link is functional and available through the Web browser.
Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
2. Log on using the default WOODGROVEBANK\Administrator user ID and password Pa$$w0rd.
3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
5. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.
6. Log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd.
Task 2: Install the TS Web Access role service
1. Click Start, and then click Server Manager snap-in on 6428A-NYC-TS-05. In the snap-in, scroll down to Roles Summary, and click the Terminal Services link.
2. Scroll down to Role Services, and click the Add Role Services link.
3. On the Select Role Services page, select the TS Web Access check box.
4. In the Add Role Services message box, click Add Required Role Services.
5. On the Select Role Services page, click Next.
6. On the Web Server (IIS) page, click Next.
7. On the Select Role Services page, click Next.
8. On the Confirm Installation Selections page, click Install.
9. The Installation Progress page is displayed. Observe the progress indicator.
10. On the Installation Results page, observe that the installation of TS Web Access succeeded, and then click Close.
11. On the Server Manager page, under Role Services, verify that TS Web Access is installed.
12. Close the Server Manager.
13. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click Computer Management.
14. In the left pane of the Computer Management window, click the Local Users and Groups node, and then click Groups.
15. In the right pane, double-click TS Web Access Computers.
16. In the TS Web Access Computers Properties dialog box, click Add to add members in the group.
17. In the Select Users, Computers, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select the Computers check box, and then click OK.
19. In the Enter the object names to select (examples) box, type NYC-TS as the computer account of the TS Web Access server. Click Check Names, and then click OK.
20. Click OK to close the TS Web Access Computers Properties dialog box.
21. Click Start, click All Programs, and then click Internet Explorer.
22. In the URL box, type http://NYC-TS/ts, and then press ENTER.
23. In the Connect to nyc-ts dialog box, log on to the site by using WoodgroveBank\Administrator as the login ID and Pa$$w0rd as the password, and then click OK.
24. A message box regarding blocked content is displayed. To add the site as a trusted site, click the Add button.
25. The Trusted sites message box is displayed. Click Add.
26. Close the Trusted sites message box.
Note: If you are already logged on to the computer, you are not prompted for the credentials. You need to add the Web site as a trusted Web site only the first time you access the site.
27. On the title bar, click the Configuration tab.
28. On the right side of the page, in the Editor Zone section, in the TS Web Access Properties section, in the Terminal server name box, type NYC-TS.
29. Click Apply to apply the changes.
Task 3: Determine if the RemoteApp program is enabled for TS Web Access
1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. Scroll down to the RemoteApp Programs list and verify that a Yes value appears for TS Web Access next to Microsoft Office PowerPoint Viewer 2007.
3. Click Microsoft Office PowerPoint Viewer 2007.
4. To enable a RemoteApp program for TS Web Access, on the Actions pane for Microsoft Office PowerPoint Viewer 2007, click Show in TS Web Access.
5. Close the TS RemoteApp Manager.
Task 4: Create an MSI file
1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. Scroll down to the RemoteApp Programs list, and click Microsoft Office PowerPoint Viewer 2007.
3. In the Actions pane for Microsoft Office PowerPoint Viewer 2007, click Create Windows Installer package.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, click Next.
6. On the Configure Distribution Package page, click Next.
7. On the Review Settings page, click Finish.
8. Close the Packaged Programs folder.
Task 5: Create a link to the TS RemoteApp program on the terminal server
1. On the TS RemoteApp Manager page, in the RemoteApp Programs list, verify that a Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint Viewer 2007.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In the URL box, type http://NYC-TS/ts, and then click Go.
4. In the Connect to nyc-ts dialog box, provide a user credential from the Marketing Group. In User name, type WoodGroveBank\Bernard and type the password as Pa$$w0rd, and then click OK.
5. Configure the TS Web Access server to allow access from the Internet. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
6. In the left pane of Internet Information Services (IIS) Manager, expand the NYC-TS (WOODGROVEBANK\Administrator) node, expand the Sites node, expand the Default Web Site node, and then click TS.
7. In the middle pane, scroll down to IIS, and double-click the Authentication icon.
8. Select Status from the Group by drop-down list. Select Enabled for Windows Authentication.
Task 6: Verify that the link is functional and available through the Web browser
1. On 6428A-NYC-WEB-05, verify that you are logged on as Woodgrovebank\Administrator with the password Pa$$w0rd.
2. Click Start, click All Programs, and then click Internet Explorer. In the URL box, type http://NYC-TS/ts, and then click Go.
3. In the Connect to nyc-ts dialog box, type the user name as WoodgroveBank\Bernard and the password as Pa$$w0rd. Then click OK.
4. The Trusted Sites message box is displayed. Click Add. Close the Trusted Sites message box.
5. Observe that Microsoft Office PowerPoint is listed in the remote application program list.
Results: After this exercise, you should have installed TS Web Access on the terminal server, created an MSI file for the remote program, created a link to the remote program, and verified that the link is functional through Internet Explorer.
Exercise 2: Customizing TS Web Access by Using WSS
Exercise Overview
In this exercise, you will create a customized Web part and export it to a WSS Web site.
The main task for this exercise is as follows:
• Add a Web part to a WSS site.
Task 1: Add a Web part to a WSS site
1. On 6428A-NYC-WEB-05, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. To connect to the WSS site http://nyc-web:44341/, in the authentication dialog box, type the user name as WoodgroveBank\Administrator and password as Pa$$w0rd. Then click OK.
3. On the Home page of the Central Administration site, click Site Actions, and then select Edit Page from the drop-down list.
4. On the Edit Page, in the center panel, click Add a Web Part.
5. On the Add Web Parts – Webpage Dialog page, in the Add Web Parts to Left section, under the List and Libraries section, select the Resources check box, and then click Add.
6. On the Central Administration page, under the Resources section, click the Add new link link.
7. On the Resources: New Item page, in the URL box, type http://NYC-TS/ts.
8. In the Description box, type Link for TS Web Access Web Part, and then click OK.
9. Connect to NYC-ts and click Link for TS Web Access Web Part. The Connect to nyc-ts dialog box is displayed.
10. Log on to the site as WOODGROVEBANK\Administrator with the password Pa$$w0rd. Then click OK.
The TS Web Access Web site with the remote applications list will be displayed.
Results: After this exercise, you should have added a customized Web part by using TS Web Access, and exported it to a WSS site.
Exercise 3: Configuring TS Session Broker
Exercise Overview
In this exercise, you will install the Session Broker role service and configure the TS Session Broker settings for servers in a TS farm.
The main tasks for this exercise are as follows:
1. Install the TS Session Broker role service.
2. Add each server in the farm to the Session Directory Computers local group.
3. Configure the TS Session Broker settings by using Group Policy.
4. Shut down the virtual machines.
Task 1: Install the TS Session Broker role service
1. On 6428A-NYC-TS-05, start Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
2. Click Roles, scroll down to the Roles Summary section, click the Terminal Services link.
3. On the Terminal Services page, scroll down to Role Services, and then click the Add Role Services link.
4. On the Select Role Services page, select the TS Session Broker check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. The Installation Progress page is displayed. Observe the progress indicator.
7. On the Installation Results page, confirm that the installation succeeded, and then click Close.
Task 2: Add each server in the farm to the Session Directory Computers local group
1. Click Start, point to Administrative Tools, and then click Computer Management.
2. In the left pane, click the Local Users and Groups node, and then click Groups.
3. In the middle pane, right-click the Session Directory Computers group, and then click Properties.
4. In the Session Directory Computer Properties dialog box, click Add.
5. In the Select Users, Computers or Groups dialog box, click Object Types.
6. In the Object Type dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select {examples} box, type NYC-WEB; NYC-TS, and then click Check Names. Click OK twice.
8. Close Computer Management.
Task 3: Configure the TS Session Broker settings by using Group Policy
1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management snap-in, in the left pane, ensure that Forest: WoodgroveBank.com node, followed by Domains and WoodgroveBank.com are expanded. Then, right-click the NYC node, and click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name box, type GPO for TS Web Access, and then click OK.
4. In the left pane, expand the Group Policy Objects node, and click GPO for TS Web Access.
5. In the right pane, click the Settings tab.
6. Right-click Computer Configuration, and then click Edit.
7. In the left pane, ensure the Computer Configuration node is expanded, expand the Policies node, expand Administrative Templates followed by the Windows Components, Terminal Services, Terminal Server nodes, and then click TS Session Broker.
8. In the right pane, double-click the Join TS Session Broker policy setting.
9. In the Join TS Session Broker Properties dialog box, click Enabled, and then click OK.
10. Double-click the Configure TS Session Broker farm name policy setting.
11. In the Configure TS Session Broker farm name Properties dialog box, click Enabled.
12. In the TS Session Broker farm name box, type NYC-TS, and then click OK.
13. Double-click the Use TS Session Broker load balancing policy setting.
14. In the Use TS Session Broker load balancing Properties dialog box, click Enabled, and then click OK.
15. Close the Group Policy Management editor.
Task 4: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
Results: After this exercise, you should have configured TS Session Broker load balancing for a farm.
Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
Lab: Configuring and Troubleshooting TS Gateway L6-1
Module 6: Configuring and Troubleshooting Terminal Services Gateway
Lab: Configuring and Troubleshooting TS Gateway
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring and Monitoring TS Gateway
Exercise 2: Troubleshooting the TS Gateway Connections
Logon Information:
• Virtual Machine 1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-05
• User Name: Administrator
• Password: Pa$$w0rd
Estimated time: 60 minutes
Exercise 1: Configuring and Monitoring TS Gateway
Exercise Overview
In this exercise, you will install and configure the TS Gateway server role on the terminal server and create a CAP and a RAP for the HR group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Gateway role.
3. Install the certificate.
4. Create a CAP for the HR group.
5. Select the pre-configured Active Directory Security group HR.
6. Create a RAP for the HR group.
Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.
2. Log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd. The Server Manager snap-in is displayed.
3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.
4. Log on as Administrator by using the password Pa$$w0rd. The Server Manager snap-in is displayed.
Task 2: Install the TS Gateway role
1. On 6428A-NYC-TS-05, click Start, and then click Server Manager. In the Server Manager snap-in, click Roles, scroll down to Roles Summary, and then click the Terminal Services link.
2. Scroll down to Role Services, and then click Add Role Services.
3. On the Select Role Services page, select the TS Gateway check box.
4. On the Select Role Services page, click Next.
5. On the Choose a Server Authentication Certificate for SSL Encryption page, select Choose a certificate for SSL encryption later, and then click Next.
6. On the Create Authorization Policies for TS Gateway page, select Later, and then click Next.
7. On the Confirm Installation Selections page, click Install. The Installation Progress page is displayed.
8. On the Installation Results page, observe that the installation for TS Gateway roles, role services, and features is successful, and then click Close.
9. Close the Server Manager snap-in.
Task 3: Install the certificate
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click NYC-TS (Local), and then click Properties.
3. On the NYC-TS Properties page, click the SSL Certificate tab, verify that the Create a self-signed certificate for SSL encryption option is selected, and then click Create Certificate.
4. In the Create Self-Signed Certificate dialog box, under Certificate name, verify that NYC-TS.WoodgroveBank.com appears by default.
5. Under Certificate location, delete the default location, type c:\certificate\NYC-TS.cer, and then click OK.
6. A message box stating that TS Gateway has successfully created a self-signed certificate is displayed. Click OK twice.
7. Close the TS Gateway Manager.
8. To open the Certificates snap-in, click Start, click Run, type MMC, and then click OK. The Console1-[Console Root] window is displayed.
9. On the File menu, click Add/Remove Snap-in.
10. In the Add or Remove Snap-ins dialog box, under the Available snap-ins list, click Certificates, and then click Add.
11. In the Certificates snap-in dialog box, select Computer account, and then click Next.
12. In the Select Computer dialog box, verify that Local computer: (the computer this console is running on) is selected, and then click Finish.
13. In the Add or Remove snap-ins dialog box, click OK.
14. In the console dialog box, in the console tree, double-click the Certificates (Local Computer) node.
15. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
16. On the Certificate Import Wizard page, click Next.
17. On the File to Import page, in the File name box, type c:\certificate\NYC-TS.cer, and then click Next.
18. On the Certificate Store page, click Next.
19. On the Completing the Certificate Import Wizard page, click Finish.
20. A message stating that the import was successful is displayed. Click OK.
21. In the Console1-[Console Root] window, click File, and then click Exit.
22. A message prompting you to save the console settings to Console1 is displayed. Click No.
23. To open the TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
24. In the TS Gateway Manager console tree, right-click NYC-TS (Local), and then click Properties.
25. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify Select an existing certificate for SSL encryption (recommended) is selected, and then click Browse Certificates.
26. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com, click Install, and then click OK.
Task 4: Create a CAP for the HR group
1. In the TS Gateway Manager console tree, expand the NYC-TS (Local) node, and then expand the Policies node.
2. Under Policies, right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.
3. In the New TS CAP dialog box, on the General tab, in Policy name, type TS CAP.
4. Click the Requirements tab, under Supported Windows authentication methods, verify that Password is selected.
5. Under User group membership (required), click Add Group.
6. In the Select Groups dialog box, click Advanced, and then click Find Now.
7. Under the Search Results section, scroll down and select the group name HR, click OK twice.
8. In the New TS CAP dialog box, click the Device Redirection tab, verify that Enable device redirection for all client devices is selected, and then click OK.
9. Close the TS Gateway Manager.
Task 5: Select the pre-configured Active Directory Security group HR
1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, under the WoodgroveBank.com node, ensure Users is selected.
3. In the right pane, click HR Security Group.
4. Right-click HR Security Group, click Properties.
5. In the HR Properties dialog box, click the Members tab, and then click Add.
6. In the Select Users, Contacts, Computers or Groups dialog box, click Object Types.
7. Select the Computers check box, and then click OK.
8. Click Advanced, and then click Find Now.
9. Under the Search Results section, scroll down to select the computer name as NYC-TS, click OK. Then click OK twice.
10. Close Active Directory Users and Computers.
Task 6: Create a RAP for the HR group
1. Start the TS Gateway Manager on 6428A-NYC-TS-05. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, open the NYC-TS (Local) folder.
3. Open the Policies folder, and then right-click the Resource Authorization Policies folder, point to Create New Policy, and then click Custom.
4. In the New TS RAP dialog box, on the General tab, in Policy name, type TS RAP.
5. On the User Groups tab, click Add.
6. In the Select Groups dialog box, click Advanced, click Find Now.
7. Under the Search Results section, scroll down to select the group name HR, and then click OK twice.
8. Click the Computer Group tab, verify Select an existing Active Directory security group is selected, and then click Browse.
9. In the Select Groups dialog box, click Advanced, and then click Find Now.
10. Under the Search Results section, scroll down to select group HR, and then click OK twice.
11. Click the Allowed Ports tab, verify Allow connections only through TCP port 3389 is selected, and then click OK.
Results: After this exercise, you should have installed the TS Gateway Server role service and created a TS CAP and TS RAP for the HR group.
Exercise 2: Troubleshooting the TS Gateway Connections
Exercise Overview
In this exercise, you need to verify that the TS Gateway server certificate has not expired. You also need to check the TS CAP and RAP for the HR group. In addition, you need to verify the existence of the user Baris in the HR group and add a new user Bernard to the HR group.
The main tasks for this exercise are as follows:
1. Verify that the TS Gateway Server certificate has not expired.
2. Verify that the TS CAP is accurate.
3. Verify that the TS RAP is accurate.
4. Verify that the user Baris exists in the HR group.
5. Add Bernard to the HR group.
6. Verify that the TS RAP is functional.
7. Shut down the virtual machines.
Task 1: Verify that the TS Gateway Server certificate has not expired
1. In the TS Gateway Manager, in the console tree, right-click NYC-TS (Local), and then click Properties.
2. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify Select an existing certificate for SSL encryption (recommended) is selected, and then click Browse Certificates.
3. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com.
4. Click View Certificate and verify in the Valid from field that the certificate has not expired.
5. Click OK, click Cancel, and then click OK.
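The certificate check in Task 1, scripted, as an added example that is not part of the courseware. It assumes PowerShell 2.0 or later on the machine being checked; the function name Test-GatewayCertificate and the 30-day warning window are hypothetical, while the file path and host name are the lab's own values.

```powershell
# Added example, not part of the courseware. Assumes PowerShell 2.0 or later.
# Test-GatewayCertificate is a hypothetical helper name; -WarnDays is an assumed threshold.
function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,          # exported .cer file
        [Parameter(Mandatory = $true)][string]$ExpectedName,  # gateway name typed into the RDC client
        [int]$WarnDays = 30
    )

    # Resolve to a full file-system path first: .NET does not follow the PowerShell location.
    $fullPath = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    $now  = Get-Date

    # Common name of the subject; the lab's self-signed certificate carries the FQDN here.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    # A self-signed certificate is trusted only if this exact certificate (same thumbprint)
    # is present in the machine's Trusted Root Certification Authorities store.
    $inRoot = @(Get-ChildItem Cert:\LocalMachine\Root |
                Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

    New-Object PSObject -Property @{
        Subject       = $cn
        NameMatches   = ($cn -eq $ExpectedName)   # -eq ignores case, as DNS names do
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        DaysLeft      = $daysLeft
        ExpiresSoon   = ($daysLeft -lt $WarnDays)
        InTrustedRoot = $inRoot
        Thumbprint    = $cert.Thumbprint
    } | Select-Object Subject, NameMatches, SelfSigned, NotBefore, NotAfter,
                      InValidity, DaysLeft, ExpiresSoon, InTrustedRoot, Thumbprint
}

# The lab's values: the file exported in Exercise 1, Task 3, and the gateway FQDN.
$labCert = 'c:\certificate\NYC-TS.cer'
if (Test-Path $labCert) {
    Test-GatewayCertificate -Path $labCert -ExpectedName 'NYC-TS.woodgrovebank.com' | Format-List
}
```

Run on a client, InTrustedRoot reports whether the import into Trusted Root Certification Authorities was done there; a connection through the gateway fails certificate validation when InValidity, NameMatches, or InTrustedRoot is False.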
Task 2: Verify that the TS CAP is accurate
1. In the console tree, under the NYC-TS (Local) node, under the Policies node, click Connection Authorization Policies.
2. In the right pane, right-click TS CAP policy, and then click Properties.
3. In the TS CAP Properties dialog box, on the General tab, verify that Enable this policy is selected.
4. Click the Requirements tab. Under Supported Windows authentication methods, verify that Password is selected.
5. Under User group membership (required), verify that WOODGROVEBANK\HR group exists.
6. Click the Device Redirection tab, verify Enable device redirection for all client devices is selected, and then click OK.
Task 3: Verify that the TS RAP is accurate
1. In TS Gateway Manager, under the Policies node, click Resource Authorization Policies.
2. In the right pane, right-click TS RAP, and then click Properties.
3. In the TS RAP Properties dialog box, on the General tab, verify Enable this policy is selected.
4. Click the User Groups tab and verify that the WOODGROVEBANK\HR group exists.
5. Click the Computer Group tab, under Select an existing Active Directory security group, verify that WOODGROVEBANK\HR exists.
6. Click the Allowed Ports tab, verify Allow connections only through TCP port 3389 is selected, and then click OK.
7. Close the TS Gateway Manager.
Task 4: Verify that the user Baris exists in the HR group
1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, under WoodgroveBank.com, click Users.
3. In the right pane, click HR Security Group.
4. Right-click HR Security Group, click Properties.
5. In the HR Properties dialog box, click the Members tab, verify user Baris Cetinok exists, and then click OK.
Task 5: Add Bernard to the HR group
1. In Active Directory Users and Computers, under WoodgroveBank.com, click Users.
2. In the right pane, right-click HR Security group, and then click Properties.
3. In the HR Properties dialog box, click the Members tab, and then click Add.
4. In the Select Users, Contacts, Computers or Groups dialog box, click Advanced, and then click Find Now.
5. Scroll down to select user name Bernard Duerr, click OK.
6. In the Active Directory Domain Services dialog box, click OK twice.
7. Close Active Directory Users and Computers.
Task 6: Verify that the TS RAP is functional
1. On 6428A-NYC-DC1-06, click Start, click Run, type \\NYC-TS\certificate, and then click OK.
2. In the Certificate (\\NYC-TS), select NYC-TS.cer.
3. Right-click NYC-TS.cer, click Install Certificate.
4. The Open file – Security Warning dialog box is displayed. Click Open.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.
7. In the Select Certificate Store dialog box, select Trusted Root Certification Authorities, click OK, and then click Next.
8. On the Completing the Certificate Import Wizard page, click Finish.
9. A message box stating that the import was successful is displayed. Click OK.
10. Close Certificate Explorer.
11. On 6428A-NYC-DC1-06, click Start, click Run, type mstsc, and then click OK.
12. In the Remote Desktop Connection dialog box, click Options, click the Advanced tab, and then click Settings.
13. On the TS Gateway Server Settings page, select Use these TS Gateway Server settings.
14. In the Server name box, type NYC-TS.woodgrovebank.com, in the Logon method box select Ask for password (NTLM) from the drop-down list, and then click OK.
15. Click the General tab, in the Computer box, type NYC-TS, and then click Connect.
16. In the Windows Security dialog box, type user name as Woodgrovebank\Baris and password as Pa$$w0rd, and then click OK.
17. Close Remote Desktop Connection.
Task 7: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
Results: After this exercise, you should have verified that the configuration of TS Gateway is correct and the user Baris exists in the HR group. In addition, you should have added a new user Bernard to the HR group.
Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
Lab: Managing and Monitoring TS L7-1
Module 7: Managing and Monitoring Terminal Services
Lab: Managing and Monitoring TS
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Managing the TS Connections
Exercise 2: Monitoring the TS Connections
Exercise 3: Configuring WSRM for TS
Logon Information:
• Virtual Machine 1: 6428A-NYC-DC1-06
• Virtual Machine 2: 6428A-NYC-TS-07
• Virtual Machine 3: 6428A-NYC-WEB-05
• User Names: Administrator/Susan
• Password: Pa$$w0rd
Estimated time: 60 minutes
Exercise 1: Managing the TS Connections
Exercise Overview
In this exercise, you will configure the TS Gateway settings on the client computer. You will then disconnect the NOC technician’s computer and reset the connection.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator.
2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.
3. Configure the TS Gateway settings on the client.
4. Manage the TS connections on the terminal server.
Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.
2. The default login ID WOODGROVEBANK\Administrator is displayed. Log on with the password Pa$$w0rd.

Note: Wait for the logon screen of the domain controller, 6428A-NYC-DC1-06, to appear before starting the 6428A-NYC-TS-07 virtual machine.

3. Start 6428A-NYC-TS-07 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator with the password Pa$$w0rd.
5. On 6428A-NYC-DC1-06, to verify the membership of the NYC-TS, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
6. In the left pane, click the Computers node.
7. In the right pane, verify that the computer name NYC-TS exists.
Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan
1. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.
2. Log on as WoodgroveBank\Susan, who belongs to the NOC Department, by using the password Pa$$w0rd.
Task 3: Configure the TS Gateway settings on the client
1. To configure TS Gateway on 6428A-NYC-WEB-05, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options, and then click the Advanced tab.
3. On the Advanced tab, under the Connect from anywhere area, click Settings.
4. Under Connection settings, select Use these TS Gateway server settings.
5. In the Server name box, verify that the FQDN of TS Gateway Server is NYC-TS.Woodgrovebank.com.
6. Under Logon method, verify that Ask for password (NTLM) is selected in the drop-down list.
7. Verify that the Bypass TS Gateway server for local address check box is not selected. If selected, clear the check box, and then click OK.
8. Click the General tab. Under Logon settings, in the Computer box, type NYC-TS.
9. Click Save, and then click Connect.
10. In the Windows Security dialog box, enter the login ID as Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click OK.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:
   a. Log off WoodgroveBank\Susan on 6428A-NYC-WEB-05.
   b. Log on to 6428A-NYC-WEB-05 as Administrator with the password Pa$$w0rd.
   c. Open Control Panel.
   d. Click the Network and Sharing Center icon. Verify that NYC-WEB is connected to Unidentified network.
   e. Check the status of the Local Area Connection.
   f. In the Network and Sharing Center window, under Tasks, click Manage network connections.
   g. In the Network Connections window, right-click Local Area Connection, and then click Disable.
   h. Then, right-click Local Area Connection and click Enable.
   i. Close the Network Connections window. In the Network and Sharing Center window, check whether NYC-WEB is connected to WoodgroveBank.com.

11. Log off as Administrator on 6428A-NYC-WEB-05 and log on as WoodgroveBank\Susan using the password Pa$$w0rd.
Task 4: Manage the TS connections on the terminal server
1. To log off all TS Gateway connections on 6428A-NYC-TS-07, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Manager.
   a. The Terminal Services Manager dialog box is displayed. Click OK. In the left panel, select NYC-TS.
   b. In the middle panel, on the Users tab, observe that the RDP-Tcp#0 session for Susan has the state Active.
   c. In the middle panel, select the user Susan. In the right panel, under Actions, click Logoff.
   d. The Terminal Services Manager message box about the selected user getting logged off is displayed. Click OK.
   e. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC connection before moving on to the next steps.
2. Disconnect all TS Gateway connections.
   a. In 6428A-NYC-TS-07, in the middle panel, select the user Susan. In the right panel, under Actions, click Disconnect.
   b. The Terminal Services Manager message box about the selected user getting disconnected is displayed. Click OK.
   c. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC connection before moving on to the next steps.
3. Reset all TS Gateway connections.
   a. In the middle panel, select the user Susan. In the right panel, under Actions, click Reset.
   b. The Terminal Services Manager message box about the selected user getting reset is displayed. Click OK.
   c. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Log off from 6428A-NYC-WEB-05 and then log on again using WOODGROVEBANK\Administrator with the password Pa$$w0rd.
4. Close the Terminal Services Manager.
Results: After this exercise, you should have configured the TS Gateway settings on the client and managed TS connections remotely.
Exercise 2: Monitoring the TS Connections
Exercise Overview
In this exercise, you need to monitor the TS connections by using the TS Gateway Manager and specify the TS Gateway events to be logged.
The main tasks for this exercise are:
1. Connect to the remote computer.
2. Monitor TS Gateway.
3. Specify the TS Gateway events to be logged.
Task 1: Connect to the remote computer
1. To connect using TS Gateway on 6428A-NYC-WEB-05, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Connect.
3. In the Windows Security dialog box, the login ID is displayed as Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click OK.
Task 2: Monitor TS Gateway
1. On 6428A-NYC-TS-07, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In TS Gateway Manager, expand the NYC-TS node, and then click Monitoring.
3. Select Susan’s session in the middle panel.
4. In the Actions panel, under Monitoring, click Edit Connection. The NYC-TS Properties dialog box is displayed.
5. Click Limit maximum allowed simultaneous connections to and select 2 in the spin box, and then click OK.
6. In the Actions panel, under Monitoring, click Set Automatic Refresh Options.
7. In the Set Automatic Refresh Options dialog box, verify Refresh automatically is selected, in the spin box verify 0:30:0 seconds is selected, and then click OK.
8. In the middle panel, right-click Susan, click Disconnect This Connection. The TS Gateway message box about disconnecting from Susan Burk to the computer NYC-TS is displayed. Click Yes.
9. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of Exercise 1 to set up the RDC connection before moving on to the next steps.
Task 3: Specify the TS Gateway events to be logged
1. In the TS Gateway Manager of NYC-TS-07, right-click NYC-TS (Local), and then click Properties.
2. In the NYC-TS Properties dialog box, on the Auditing tab, select all the check boxes that you want to monitor for TS Gateway, and then click OK.
3. Close the TS Gateway Manager.
4. To check the event log, click Start, click Administrative Tools, and click Event Viewer.
5. On the Event Viewer page, in the middle panel, check the Overview and Summary page.
6. Under Summary of Administrative Events, scroll down and click the Audit Success node.
7. In the Actions panel, under Audit Success, click View All Instances of This Event.
8. In the middle panel, under Summary page events, view the event logs.
9. Close the Event Viewer.
Results: After this exercise, you should have monitored TS Gateway and specified the events to be logged for TS Gateway.
Exercise 3: Configuring WSRM for TS
Exercise Overview
The main tasks for this exercise are as follows:
1. Install WSRM on TS.
2. Configure the TS resource allocation policy for per session.
3. Monitor TS performance by using Resource Monitor.
4. Configure the TS resource allocation policy for per user.
5. Shut down the virtual machines.
Task 1: Install WSRM on TS
1. To start the Server Manager snap-in on 6428A-NYC-TS-07, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.
3. In the Add Features Wizard, on the Select Features page, scroll down to select the Windows System Resource Manager check box. If the Add Features Wizard message box displays, informing you that Windows Internal Database also needs to be installed for WSRM to work properly, click Add Required Features, and then click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
6. On the Installation Results page, confirm that the installation of Windows Internal Database and WSRM succeeded, and then click Close.
7. Close the Server Manager.
8. To start the WSRM snap-in, click Start, point to Administrative Tools, and then click Windows System Resource Manager.
9. In the Connect to computer dialog box, under Administer, verify This computer is selected, and then click Connect to enable the WSRM to administer the local computer.
Task 2: Configure the TS resource allocation policy for per session
1. To implement the Equal_Per_Session resource-allocation policy, on the Windows System Resource Manager snap-in, in the left pane, click the Resource Allocation Policies node.
2. Right-click Equal_Per_Session, and then click Set as Managing Policy.
3. If the End Snap-In dialog box appears stating that the snap-in is not responding, click Cancel.
4. If a Warning dialog box is displayed informing you that the calendar will be disabled, click OK.
Task 3: Monitor TS performance by using Resource Monitor
1. On the Windows System Resource Manager snap-in, in the navigation tree, click Resource Monitor.
2. Review the performance data.
3. In the middle pane, on the toolbar, click Properties.
4. In the Properties dialog box, click the Graph tab.
5. On the Graph tab, in the View box, select Report from the drop-down list, and then click OK.
6. Observe the report for Equal_Per_Session.
7. To configure the notification options, in the left pane, right-click Windows System Resource Manager (Local), and then click Properties. The Windows System Resource Manager Properties dialog box is displayed.
8. Click the Notification tab, select Enable e-mail notification.
9. In Notify these e-mail aliases, type [email protected].
10. In Use this SMTP server, type NYC-TS.woodgrovebank.com.
11. In Select the event log messages, select two or more events. To view the list of events for each category, click the Error node, followed by the Warning and Information nodes.
12. Click each category, and then select two or more events in each category.
13. When you have finished selecting the events, click OK.
Task 4: Configure the TS resource allocation policy for per user
1. To implement the Equal_Per_User resource-allocation policy, in the Windows System Resource Manager snap-in, in the console tree, click the Resource Allocation Policies node.
2. Right-click Equal_Per_User, and then click Set as Managing Policy.
3. If a dialog box appears informing you that the calendar will be disabled, click OK.
Task 5: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
Results: After this exercise, you should have configured WSRM, configured resource allocation policies, and monitored the TS performance by using the Resource Monitor.
Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.