Rodney Buike - Founder and original lazy admin. MVP: System Center Cloud and Datacenter Management

Daniel Nerenberg - Lazy admin 2.0. MVP: Windows Expert - IT Pro

Disclaimer

These postings are provided "AS IS" with no warranties, and confer no rights. You assume all risk for your use.

Configure RDP over SSL with SelfSSL

Windows 2003 Service Pack 1 included a new feature, RDP over SSL. This feature will allow you to use TLS authentication and encryption with your RDP connections using SelfSSL to create the SSL certificate. It still uses RDP and TCP port 3389 so your firewall rules should not need to be modified.

Before we get started there are a few pre-requisites on both the server side and client side that need to be met first.


Server-side



  • The Terminal Server must run 2003 SP1

  • The Terminal Server must have a certificate from a Windows CA or a 3rd Party CA

The certificate must meet the following criteria:

  • Certificate is a computer certificate

  • Certificate is for server authentication

  • Certificate must have a private key

  • Certificate is stored in the TS personal store

  • Certificate has a Cryptographic Service Provider that can be used for TLS/SSL

The client computer must

Continue reading Configure RDP over SSL with SelfSSL

Why 64-Bit is Good for Terminal Services

A while back I wrote an article for MSExchange.org on why 64-bit is good for Exchange 2007. 64-bit is good for more than just Exchange 2007 and SQL 2005, and this series will cover other scenarios that can benefit from 64-bit. Let’s look at terminal services first.

Probably the biggest limiting factor to terminal servers today is the virtual memory limit of a 32-bit OS. No matter how much physical RAM is present, and how many CPU cycles are available, once you hit the 2GB virtual memory limit, performance takes a nose dive. By moving to an x64 platform we are freed from this limitation (up from 2GB to 8TB) and we get access to much larger numbers of Page Table Entries (PTEs) and larger paged and non-paged pools. In all three cases the limit is raised to 128GB. Of course you also have access to all the memory in

Continue reading Why 64-Bit is Good for Terminal Services

Terminal Services Licensing Primer

Probably one of the most confusing things ever created by mankind is Microsoft Licensing. In regards to Windows Server 2003, terminal services licensing has undergone some changes. Most notably, it no longer contains any built-in licenses like Windows 2000 Server did for 2000/XP clients.


Terminal Services licensing is comprised of three components, the Microsoft Clearinghouse, Windows 2003 Terminal Server Licensing Server and, of course, Windows 2003 Terminal Servers. The clearinghouse is used to activate license servers and to install/activate Client Access Licenses. The licensing server can be any version of Windows Server 2003 that has the Terminal Server Licensing Server installed, and it can be installed on the terminal server itself. The Terminal Services Licensing server stores all Terminal Services CAL tokens and then tracks the tokens once they have been issued. The licensing server must be available to the terminal servers and must be activated. If it has

Continue reading Terminal Services Licensing Primer

Setting TS Licensing Server with VBS

Terminal Server License servers are the servers responsible for the management of terminal services Client Access Licenses (CALs). Windows 2003 Terminal Servers will automatically detect the Windows 2003 server that is running the Terminal Services Licensing Manager. There are times when you will need to override this, such as when you have Windows 2000 Terminal Servers, or when your Windows 2003 Terminal Server cannot detect the licensing server.

I have simplified the task of adding or removing the registry key to bypass the License Server discovery process.

AddLS.vbs is a small VBS script that uses WMI to add the desired License Server NetBIOS name to the registry.

Usage: cscript AddLS.vbs [License Server NetBIOS Name]

RemoveLS.vbs is a small VBS script that uses WMI to remove the License Server from the registry.

Usage: cscript RemoveLS.vbs [License Server NetBIOS Name]

Continue reading Setting TS Licensing Server with VBS

Quick Tip: Editing a Terminal Server Users Registry

When working in a fat client environment and you need to make a change to a user's local machine registry key, you can connect to the remote registry and make your changes. In a thin client environment, all users share the HKey_LocalMachine key and each user's hive under HKey_Users is listed individually by SID.

To determine which user the SID belongs to you can check the APPDATA value under HKey_Users\SID\Volatile Environment.


APPDATA REG_SZ C:\Documents and Settings\%username%\Application Data


You can also find out what machine they are connecting from. The CLIENTNAME value will be the computername the user connected to the terminal server from.


CLIENTNAME REG_SZ Lazyadmin


If you are not working in a thin client environment, or need to convert a SID to a username, you can also use SidToName. With this tool, run the command sidtoname SID, which will resolve the username for the SID specified.
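The same SID-to-user mapping, scripted: this is an added example and not code from the original post. It walks the per-user hives under HKEY_USERS on the terminal server, reads the APPDATA and CLIENTNAME values from each Volatile Environment key as the tip describes, and falls back to the .NET SID translation (the same job SidToName does) when a hive has no Volatile Environment key, for instance a profile that is loaded but has no interactive session. The function name Get-TsSessionHiveInfo and the output layout are my own choices.

```powershell
# Added example (not from the original post): map HKEY_USERS SIDs to
# usernames and client machine names on a terminal server.
function Get-TsSessionHiveInfo {
    [CmdletBinding()]
    param()

    # PowerShell has no HKU: drive by default; create one for this session.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Only domain/local user SIDs (S-1-5-21-...); this also skips the *_Classes hives.
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid      = $_.PSChildName
            $volatile = "HKU:\$sid\Volatile Environment"

            $appData    = $null
            $clientName = $null
            if (Test-Path -Path $volatile) {
                $props      = Get-ItemProperty -Path $volatile
                $appData    = $props.APPDATA      # ...\<username>\Application Data
                $clientName = $props.CLIENTNAME   # machine the user connected from
            }

            # Username is the profile folder, i.e. the parent of "Application Data".
            $userFromPath = if ($appData) {
                Split-Path -Path (Split-Path -Path $appData -Parent) -Leaf
            } else { $null }

            # Fallback equivalent to "sidtoname SID": ask Windows to translate the SID.
            # Translate() throws for SIDs the machine cannot resolve (e.g. a deleted account).
            $translated = try {
                $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $id.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $null }

            [PSCustomObject]@{
                SID          = $sid
                UserFromPath = $userFromPath
                Account      = $translated
                ClientName   = $clientName
                HiveKey      = "HKEY_USERS\$sid"
            }
        }
}

# Usage: run in an elevated prompt on the terminal server.
Get-TsSessionHiveInfo | Format-Table -AutoSize
```

The HiveKey column is the path you would open in regedit to edit that user's settings; when UserFromPath and Account disagree, trust Account, since APPDATA can be redirected by policy to a folder that is not named after the user.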

Continue reading Quick Tip: Editing a Terminal Server Users Registry

Quick Tip: Change Terminal Server Port

Windows 2000 Server, XP Pro and Windows Server 2003 all listen on TCP port 3389 for connections. There are times when you need to change this. Let’s say you have only one static IP but you have three servers/workstations you need to connect to. What do you do? Simple, change the listening port on the server or workstation to listen on a different port.

Open the registry with regedit and browse to:


HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp


Look for a subkey called PortNumber and change it from the default 3389 to the decimal value of the desired port. To connect on a different port you would enter a colon and the port number after the servername or IP in the RDP connection dialog box.
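A scripted version of this tip, added here as an example and not code from the original post. The registry path and the PortNumber value are the ones given above; the two function names, the port-range check and the listener collision check are my additions. The collision check matters because if PortNumber is set to a port something else already listens on, the RDP listener cannot bind after the service restarts and you lose remote access to the box.

```powershell
# Added example (not from the original post): read and change the RDP-Tcp
# listening port. Run from an elevated prompt on the server being changed.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenPort {
    # PortNumber is a REG_DWORD; PowerShell returns it as a decimal integer (3389 by default).
    (Get-ItemProperty -Path $RdpTcpKey -Name PortNumber).PortNumber
}

function Set-RdpListenPort {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 65535)]
        [int]$Port
    )

    $current = Get-RdpListenPort
    if ($current -eq $Port) {
        Write-Verbose "PortNumber is already $Port; nothing to do."
        return
    }

    # Refuse a port that already has a TCP listener, otherwise RDP will fail to
    # bind on the next service restart. netstat output looks like:
    #   TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234
    $inUse = netstat -ano -p tcp | Select-String -Pattern ":$Port\s+\S+\s+LISTENING"
    if ($inUse) {
        throw "TCP port $Port already has a listener on this machine; choose another port."
    }

    if ($PSCmdlet.ShouldProcess($RdpTcpKey, "Set PortNumber from $current to $Port")) {
        Set-ItemProperty -Path $RdpTcpKey -Name PortNumber -Value $Port -Type DWord
        Write-Warning ("The new port takes effect after the Terminal Services service restarts " +
                       "or the machine reboots. Open $Port on the firewall before that, then " +
                       "connect with <servername>:$Port in the RDP client.")
    }
}

# Usage:
#   Get-RdpListenPort                  # show the current port
#   Set-RdpListenPort -Port 3390 -WhatIf   # dry run
#   Set-RdpListenPort -Port 3390       # make the change
```

-WhatIf comes for free from SupportsShouldProcess and is worth using on a remote server: it prints the registry change that would be made without touching the key, so you can confirm the path and the old and new values before committing to a change that, if wrong, cuts off your own session.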


Quick Tip: 2003 Terminal Server Console Session

One of the cool new features of Windows Server 2003 is the ability to get a console session on the terminal server. Unlike Windows XP Pro which gives you the console when you connect via RDP, Windows Server 2003 starts a new session when you connect via RDP. There is a way to get the console session, here is how!

From a command prompt type


mstsc.exe /v:{servername or IP} /console


Press Enter and boom, you got the console session. It should be noted that like in XP, this will lock out the actual console if anyone is working there. There are a few more switches you can add to configure your console session, or any other session for that matter.


Terminal Server Performance Tweaks

I find myself responding to users about slow terminal server performance on a weekly, if not daily basis. Most of the time it can be attributed to user expectations and impatience, but there are some things that can be done to enhance the user experience and cut down on end user complaints. OK well that will never happen but you should apply these changes anyway :)

The first thing to do is to override some desktop settings to reduce the amount of screen refreshes, which lowers bandwidth used, which makes the TS respond “faster”. First we will remove Windows Resize Animation, when a user minimizes or maximizes a window it will be immediate, and not shrink slowly on its way down to the task bar. Open up the registry with regedit and browse to:


HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserOverride\Control Panel\Desktop


And change these values:


Terminal Server Fallback Printer Driver

Windows Server 2003 SP1 introduces a new feature called Terminal Server Fallback Printer Drivers. Terminal Server Fallback Printer Driver allows you to default to a PCL or PS (or both) capable printer driver to use if the driver required by the client is not available.

On a 2003 SP1 Server, open the group policy editor and go to Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Client/Server Data Redirection. Locate the item called Terminal Server Fallback Printer Driver Behavior.



By default, this option is disabled: if the client connects to the terminal server and the printer driver for their local printer cannot be found, printer redirection will fail and the printer will not be available for the user's session. Once enabled, when the client connects and the driver for their local printer cannot be found, the "Fallback" driver will be used. You have four

Continue reading Terminal Server Fallback Printer Driver

Using RDP over SSL

Windows Server 2003 SP1 introduces a new feature to the mix, RDP over SSL. This feature will allow you to use TLS authentication and encryption with your RDP connections. It still uses RDP and TCP port 3389 so your firewall rules should not need to be modified.

Before we get started there are a few pre-requisites on both the server side and client side that need to be met first.


Server-side



  • The TS must run 2003 SP1

  • The TS must have a certificate from a Windows CA or a 3rd Party CA

The certificate must meet the following criteria:

  • Certificate is a computer certificate

  • Certificate is for server authentication

  • Certificate must have a private key

  • Certificate is stored in the TS personal store

  • Certificate has a Cryptographic Service Provider that can be used for TLS/SSL

Client-side criteria