
 


Exploring 2000 - Terminal Services in Windows 2000
(Sep 1999)
John Savill continues his exploration of Windows 2000.

This article is based on NT 5.0, Beta 3.


I will concentrate on what’s new and changed in Windows 2000 and how to install the terminal services component.

Two become One

The first major change is that there is no Windows 2000 Terminal Server Edition as there is with NT 4.0. It is now just one product, Windows 2000 Server (or Advanced Server or Datacentre). Terminal services is now an optional component of Windows 2000 and can be installed and removed in the same way as any other service, for example DNS. However, there are issues that make constant installing and removing of the component a bad idea.

One obvious advantage of the integration into the standard Windows 2000 build is that there are no more specialised Terminal Server Edition service packs and hotfixes. Users of the 4.0 TSE have to wait longer for special versions of all service packs and fixes that work on Terminal Server Edition. Now there will be just one service pack, which will encompass the terminal server technology.

Installing the Terminal Services Component


The Terminal Services component can be installed during installation of Windows 2000 or at a later time. If you upgrade 4.0 Terminal Server Edition then the terminal services component will automatically be installed. However, you cannot upgrade directly from Citrix Winframe (based on the NT 3.51 product) to Windows 2000 with terminal services. You would first need to upgrade to 4.0 TSE then upgrade to Windows 2000.

Here follows a step-by-step guide to installing on an existing Windows 2000 installation:

[Figure: Windows components wizard - adding terminal services]

1. Start the Add/Remove Programs control panel applet (Start – Settings – Control Panel – Add/Remove Programs).
2. Select ‘Add/Remove Windows Components’ in the left-hand window pane.
3. The components wizard will start, click Next.
4. Check the ‘Terminal Services’ and ‘Terminal Services Licensing’ options. Click Next.
5. You will be asked to select the mode of the terminal server, Remote Administration Mode or Application Server Mode (I will discuss these in detail next). Make your choice and click Next. If you select Application Server mode you will need to configure the licenses within 90 days.
6. You will be warned that currently installed applications may not work correctly. Click Next.
7. If you selected to install License Server you will be asked if the license server is for:
   - The entire enterprise forest
   - Current domain or workgroup

   You also need to enter a location to install the license server database (%windir%\System32\Lserver by default). Click Next.
8. Services and files will be installed. Click Finish when the wizard has completed.
9. Once complete you need to reboot the server.

You are now ready to service RDP terminal server client requests - easy.

During installation you are required to choose an installation mode of remote administration or application server. This is because under the 4.0 edition, TSE was used on servers that were, for example, IIS servers, as it made remote administration much easier. The problem is that normally a server is configured so background tasks take priority; on Terminal Server Edition, however, foreground applications take priority, which led to a performance degradation of around 15% on an IIS server.

Microsoft has created two modes. When you select Remote Administration mode the old service-based scheduling is used, so all processes have the same quantum size (quantum is the amount of time a process gets each cycle) and background service performance is not degraded. If you select Application Server then application scheduling is used, so foreground applications have larger quantums. There are other differences: if you install the Remote Administration mode then you can only have two concurrent connections and they must be Administrators (although you can change this); with Application Server mode you can have as many as you have licenses.

Anyone who uses Terminal Server should be familiar with ‘change user /install’ (if not, shame on you). When you install software on a terminal server you need to put the machine in a special mode so that any changes to the user profile/system are recorded in such a way that they are also applied to all other users of the terminal server. This is done by putting the server into install mode. Once you finish installing the software you can then put the server back into execution mode by using the command ‘change user /execute’. There is a much easier way: if you install applications via the Add/Remove Programs control panel applet the system is automatically set to the correct mode.

Windows 2000 terminal server component now stops you installing software if you are not in installation mode as shown in figure 2.

[Figure: Configuring your terminal services user profile]

However, beta customers found this unnecessary for Remote Admin servers as different users don’t ‘use’ the applications on the servers and thus installation profile changes do not need to be replicated to any other users. You therefore don’t need to change installation mode and the dialog is not displayed.

Originally terminal services was thought of as a free, thrown-in service to Windows 2000. However, if you install in Application mode you have 90 days to purchase a Terminal Services license and so while the software is bundled with 2000, to use it past 90 days you need the licenses. This does not apply if you install with the Remote Administration option.

The Remote Desktop Protocol (RDP) has also been improved to allow client-side bitmap caching, thus saving vital bandwidth, and thanks to this and other protocol optimisations there is a 15% bandwidth reduction from 4.0 TSE.

As well as the old supported clients, Windows NT (Intel and Alpha), Windows 9x and 3.11, Microsoft has added support for the HPC-Pro platform, which uses Windows CE, and I’ve configured thin clients using CE from Boundless with no problems at all.

Shadowing


Users and Administrators may be familiar with the software which allows an Administrator to take control of a user’s desktop in order to, for example, install software or fix a problem. The Citrix MetaFrame add-on for 4.0 TSE enabled Administrators to take control of or view users’ sessions without the need for third party software.

Windows 2000 terminal server component now allows shadowing in this session without the need for the MetaFrame add-on.

By default Administrators have the ability to shadow other users’ sessions provided the user agrees to have their session controlled/viewed. The ability to remote control a user’s session is defined on the user object on the ‘Remote Control’ tab and the default is to enable remote control provided the user gives permission. It’s possible to override these user settings by editing the configuration of the RDP connection using the ‘Terminal Services Configuration’ MMC snap-in. Under the connections branch, right click on the ‘RDP-Tcp’ connection and select properties. Select the ‘Remote Control’ tab and by default it will say to use the user’s settings; however, selecting one of the other options allows you to set the remote control to whatever you please.

[Figure: RDP - tcp properties]

Here the user is not asked if they agree to be shadowed.

In order to remote control a session you must be logged on in a terminal server session; you can’t remote control from the console (MetaFrame allows you to do this).

Once you have logged in as an Administrator, to remote control a session just:
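Because the connection-level setting overrides every user's own consent choice, it is worth checking on each server. The following is an added example, not part of the original article: it audits a `.reg` export of the RDP-Tcp connection key and flags remote control without user permission. It assumes the tab is stored as the `fInheritShadow` and `Shadow` DWORD values under `WinStations\RDP-Tcp`, as in later Windows releases (not confirmed here for Beta 3); the export text is constructed.

```python
import re

# Constructed sample: .reg export of the RDP-Tcp connection key (not from the article).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"fInheritShadow"=dword:00000000
"Shadow"=dword:00000002
'''

# Assumed encoding: Shadow value -> (what the administrator may do, user asked first?)
SHADOW_MODES = {
    0: ("none", None),
    1: ("interact", True),
    2: ("interact", False),
    3: ("view", True),
    4: ("view", False),
}

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$', re.MULTILINE)


def parse_dwords(reg_text):
    """Return {lower-cased value name: int} for every REG_DWORD line in the export."""
    return {name.lower(): int(hexval, 16) for name, hexval in DWORD_RE.findall(reg_text)}


def audit_remote_control(reg_text):
    """Classify the connection-level Remote Control setting and flag missing consent."""
    values = parse_dwords(reg_text)
    inherit, shadow = values.get("finheritshadow"), values.get("shadow")
    result = {"source": None, "action": None, "consent": None}
    if inherit is None:
        result["finding"] = "incomplete export: fInheritShadow not present"
    elif inherit == 1:
        result.update(source="user", finding="per-user Remote Control tab applies; audit user objects")
    elif shadow not in SHADOW_MODES:
        result.update(source="connection", finding=f"unexpected Shadow value: {shadow!r}")
    else:
        action, consent = SHADOW_MODES[shadow]
        result.update(source="connection", action=action, consent=consent)
        if action == "none":
            result["finding"] = "remote control disabled on this connection"
        elif consent:
            result["finding"] = f"{action} allowed, user is prompted first"
        else:
            result["finding"] = f"ALERT: {action} allowed without asking the user"
    return result


if __name__ == "__main__":
    print(audit_remote_control(SAMPLE_EXPORT))
```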

  1. Start the Terminal Services Manager.
  2. Right click on the remote user’s session and select ‘Remote Control’.
  3. You will be asked for a key sequence which will allow you to stop controlling a session and return to your own terminal server session.
  4. The user to be controlled is asked if they agree and if they click yes then you have control of their session. Their session does not display in a window; rather your session "switches" to theirs.
  5. To end remote control press the key sequence you defined.

Windows 2000 is very hot on multi-lingual support and there will be a special ‘multi-lingual’ version of 2000 which supports all the different languages and enables different users on the same machine to use different languages for dialogs, help etc. without restarting the machine. Windows 2000 Terminal Server also supports this and it’s possible to have users connected to a terminal server using mixtures of English, Chinese, German and French all at the same time.

User account enhancements


A new built-in group has been added in 2000 called ‘Terminal Services Users’ which works in a similar way to the ‘Interactive Users Group’: when a user logs on via Terminal Services they are part of this group. The Terminal Services Users group SID can then be applied to files, folders, or anything else with an ACL to allow access only to people logged on via Terminal Services. You could also test for this group membership during a login script etc. to perform different actions.

On top of the ‘Remote Control’ tab for users, three extra tabs are added. As shown in figure 3, ‘Terminal Services Profile’ allows an alternative profile and local path to be specified when connecting via terminal server. The ‘Environment’ tab allows you to specify a program to automatically run when you login via Terminal Services and options to connect to client drives and printers.

Finally the ‘Sessions’ tab allows times to be set before active and idle sessions are disconnected and how long after a session is disconnected before it is totally closed.

Load distribution and the alternatives


On the Windows 2000 Advanced Server product load distribution can be utilised whereby a cluster of up to 32 servers can be configured and client connections will be distributed depending on the load of each server. There are problems with clusters of terminal servers. If you connect to a cluster and then disconnect your session you will not be able to reconnect, as this time your session may be directed to a different server. This is one of the key areas Microsoft is looking at improving for future versions of Windows 2000.

An alternative to clusters is to use DNS round robin, which allows multiple IP addresses to be specified for a single host; each time a client requests host resolution the IP address list is sent in a shuffled order. The RDP client then attempts to connect to each IP listed until the connection is successful. Third party solutions such as those from NCD, Cubix and Citrix offer additions to the core terminal services provided by Microsoft. The last offering from Citrix offered the ICA (Independent Computer Architecture) protocol which was going to be included in core Windows 2000 until Citrix refused to grant Microsoft licensing rights (so I hear).

You can download a beta of MetaFrame 1.8a which is designed for Windows 2000 and seems to work fine. You have to pay $29 (approx. £18) for the honour of beta testing their software, or $49 (approx. £30) if you want a CD mailed to you. The MetaFrame add-on has some great features including the Java and ActiveX clients which allow you to create web pages which contain terminal server sessions, so users can connect to a URL and then connect to machines without needing any client software. The Citrix client supports connections over both RDP and ICA and has the advantage of automatically updating the client software when it detects a newer version is available. Microsoft plans to have this feature in a future version.
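The round-robin behaviour described above, as an added example that is not part of the original article: a toy DNS zone hands out its address list in a different order on each query, and a client walks the list until one server accepts the connection. The addresses, the failed server, the stand-in connector and the use of simple rotation for "shuffled" are all constructed assumptions, as is port 3389, which the article does not state.

```python
from collections import Counter, deque

RDP_PORT = 3389  # assumption: default RDP listener port (the article does not state it)

# Constructed farm using documentation addresses; .12 is switched off for the demo.
FARM = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]
DOWN = {"192.0.2.12"}


class RoundRobinZone:
    """Toy DNS zone: every query returns all A records, rotated one place further."""

    def __init__(self, addresses):
        self._records = deque(addresses)

    def resolve(self):
        answer = list(self._records)
        self._records.rotate(-1)
        return answer


def fake_connector(address, timeout):
    """Stand-in for socket.create_connection so the example runs offline."""
    host, _port = address
    if host in DOWN:
        raise OSError(f"{host}: connection timed out")
    return host  # a real connector would return a socket


def connect_first_reachable(addresses, connector, port=RDP_PORT, timeout=3.0):
    """Walk the list in the order DNS returned it; return (address, connection, failures)."""
    failures = []
    for addr in addresses:
        try:
            return addr, connector((addr, port), timeout), failures
        except OSError as exc:
            failures.append((addr, str(exc)))
    raise ConnectionError(f"no terminal server reachable: {failures}")


def simulate(clients, zone=None):
    """Count which server each of `clients` successive logons lands on."""
    zone = zone or RoundRobinZone(FARM)
    return Counter(connect_first_reachable(zone.resolve(), fake_connector)[0]
                   for _ in range(clients))


if __name__ == "__main__":
    print(simulate(6))
```

With one of the three constructed servers down, six logons land 2 and 4 on the survivors: DNS keeps handing out the dead address and knows nothing about server load, so the spread is only as even as the answer order happens to make it.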

Terminal Services is definitely worth a look and even if you decide it’s not useful for users, installing on the servers in Remote Admin mode will allow you to gain a direct console window in the event of a failure. This is useful if the servers are on a different floor, building or even country. For the future we can expect to see better distribution metrics, high-colour support, sound redirection and automatic RDP client updates (among other things), but for the time being bolt-ons such as MetaFrame will still be considered core components.
