
OFFICIAL MICROSOFT LEARNING PRODUCT

6428A
Configuring and Troubleshooting Windows Server 2008 Terminal Services

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6428A Part Number: X17-41897 Released: 06/2008

MICROSOFT LICENSE TERMS OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services for this Licensed Content, unless other terms accompany those items. If so, those terms apply.

By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.

1. DEFINITIONS.
a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.
b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.
d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.
e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.
f. Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.
g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.
h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.
i. Student Content means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.
j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.
k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.
l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.
n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media. License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS. a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that becomes publicly known through no wrongful act; you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (beta term).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.


a. Authorized Learning Centers and Trainers: i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as Evaluation Software may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

o The use of the Academic Materials will be only for your personal reference or training use;
o You will not republish or post the Academic Materials on any network computer or broadcast in any media;
o You will include the Academic Materials original copyright notice, or a copyright notice to Microsoft's benefit in the format provided below:

Form of Notice: © 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not

o install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
o allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
o copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
o disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written approval;
o work around any technical limitations in the Licensed Content;
o reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
o make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
o publish the Licensed Content for others to copy;
o transfer the Licensed Content, in whole or in part, to a third party;
o access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
o rent, lease or lend the Licensed Content; or
o use the Licensed Content for commercial hosting services or general business purposes.

Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR or Not for Resale.

10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and noninfringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

o anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

EXEMPTION FROM WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain compensation from Microsoft and its suppliers for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits.

This limitation applies to:

o anything related to the licensed content, to services, or to content (including code) on third-party Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or any other kind of damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights granted to you by the laws of your country if those laws do not permit it to do so.

Contents
Module 1: Configuring Terminal Services Core Functionality
Lesson 1: Configuring the TS Server Role Service
Lesson 2: Configuring the TS Settings
Lab: Configuring TS Core Functionality

Module 2: Configuring and Managing Terminal Services Licensing
Lesson 1: Configuring TS Licensing
Lesson 2: Managing TS Licenses
Lab: Demonstration: Configuring and Managing TS Licensing

Module 3: Configuring and Troubleshooting Terminal Services Connections
Lesson 1: Configuring the TS Connection Properties
Lesson 2: Configuring the TS Connection Properties by Using Group Policy
Lesson 3: Troubleshooting TS Connections
Lab: Configuring and Troubleshooting the TS Connections

Module 4: Configuring Terminal Services RemoteApp and Easy Print
Lesson 1: Installing Applications
Lesson 2: Configuring RemoteApp Programs
Lesson 3: Configuring Printers
Lab: Configuring TS RemoteApp and Easy Print

Module 5: Configuring Terminal Services Web Access and Session Broker
Lesson 1: Installing TS Web Access
Lesson 2: Configuring TS Session Broker
Lab: Configuring TS Web Access and Session Broker

Module 6: Configuring and Troubleshooting Terminal Services Gateway
Lesson 1: Configuring TS Gateway
Lesson 2: Monitoring and Troubleshooting TS Gateway Connections
Lab: Configuring and Troubleshooting TS Gateway

Module 7: Managing and Monitoring Terminal Services
Lesson 1: Methods for Managing and Monitoring TS
Lesson 2: Configuring Windows System Resource Manager for TS
Lab: Managing and Monitoring TS

Lab Answer Keys

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This two-day instructor-led course introduces you to Microsoft Windows Server 2008 Terminal Services. The course prepares you for configuring and managing the TS roles (TS licensing, Gateway, and Web Access) as well as monitoring and troubleshooting a TS environment.

Audience
The primary audiences for this course include Technology Specialists in an enterprise environment as well as individuals who are assuming a new role requiring skills to manage connections served by a terminal server session over the intranet, extranet, and Internet.

Student Prerequisites
This course requires that you meet the following prerequisites:
or Microsoft Windows Server 2003 Terminal Server experience in an enterprise environment as follows:
Minimum of one year of experience in administering and supporting TS
Minimum of one year of experience in administering and supporting Windows Server 2003 or Windows Server 2003 R2
Course 6420: Fundamentals of a Windows Server 2008 Network Infrastructure and Application Platform
Course 6421: Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure
Minimum of one year of experience in administering certificate services
Network + certification

Course Objectives
After completing this course, students will be able to: Configure the TS role. Manage TS licensing. Configure TS connection properties by using the Terminal Services Configuration snap-in and Group Policy. Configure TS Easy Print and TS RemoteApp programs. Configure the TS Web Access role service. Configure the TS Session Broker role for a load-balanced TS farm. Configure and troubleshoot TS Gateway. Maintain TS connections post installation and configure Windows System Resource Manager (WSRM) for TS.

Course Outline
This section provides an outline of the course:

Module 1, "Configuring Terminal Services Core Functionality" prepares you for installing and configuring the TS role. The module also introduces the new core functionality in TS, lists the considerations for using a standalone instance and a farm, and briefly explains how to configure the TS settings.

Module 2, "Configuring and Managing Terminal Services Licensing" introduces you to TS Licensing and covers how the license server and terminal server need to be configured for issuing and managing licenses. The module also includes installing Per User and Per Device TS Client Access Licenses (CALs) on the license server as well as managing the licensing lifecycle.

Module 3, "Configuring and Troubleshooting Terminal Services Connections" introduces the connection properties that can be set by using either the Terminal Services Configuration snap-in or Group Policy. Besides setting these properties, the module also covers configuring the authentication and encryption levels, Desktop Experience and Plug and Play (PnP) Device Redirection Framework, and Single Sign-On (SSO) for user profiles. The module ends with troubleshooting connectivity issues.

Module 4, "Configuring Terminal Services RemoteApp and Easy Print" starts with discussing the types of applications that can be installed on the terminal server. The module then provides an overview of RemoteApp programs, advantages of using these programs, and the methods used to deploy them on the terminal server. Also covered in the module is TS Easy Print, which facilitates printer redirection over a TS session.

Module 5, "Configuring Terminal Services Web Access and Session Broker" provides the steps for installing and configuring RemoteApp programs by using TS Web Access. The module also covers a separate role service, the TS Session Broker, which facilitates reconnection to an existing session in a load-balanced TS farm.

Module 6, "Configuring and Troubleshooting Terminal Services Gateway" explains how to install and configure the TS Gateway role service. The module also covers how to manage TS Connection Authorization Policies (CAPs) and TS Resource Authorization Policies (RAPs). Following a brief introduction to Network Access Protection (NAP), the module goes on to discuss troubleshooting TS Gateway.

Module 7, "Managing and Monitoring Terminal Services" explains the tasks involved in managing and monitoring TS Connections. The module also introduces the enhanced features of WSRM and how to configure WSRM.


Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
- Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
- Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
- Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site: Provides additional resources pertaining to this course.
- Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.
- Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, Microsoft Press
- Send Us Your Feedback Instructions: Provide you with an opportunity to send feedback on all aspects of the course.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Course evaluation: At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

| Virtual machine | Role |
| --- | --- |
| NYC-DC1 | A Domain Controller for woodgrovebank.com |
| NYC-TS | Terminal server with terminal services installed |
| NYC-WEB | A member of the woodgrovebank.com domain |

Software Configuration
The following software is installed on each VM: Windows Server 2008 Enterprise

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.


Module 1
Configuring Terminal Services Core Functionality
Contents:
Lesson 1: Configuring the TS Server Role Service
Lesson 2: Configuring the TS Settings
Lab: Configuring TS Core Functionality

Module Overview

TS in Windows Server 2008 has been upgraded to incorporate improved features that are especially useful for organizations with branch offices. This module introduces the new features in TS and prepares you for installing and configuring the TS server role service. The module also includes considerations for using a standalone instance and a farm, as well as configuring the TS settings.

Lesson 1

Configuring the TS Server Role Service

TS in Windows Server 2008 includes new core functionality that provides enhanced features to remotely deploy and access applications. This new core functionality includes Remote Desktop Connection (RDC) 6.1, Remote Desktop Connection Display improvements, and Plug and Play (PnP) device redirection. The TS server role service can be installed as a standalone instance or in a farm with multiple terminal servers.

TS Features

Key Points
TS in Windows Server 2008 allows users to connect to a server running Windows-based programs or the full Windows desktop. In addition, Windows Server 2008 TS also provides:
- A secure and encrypted connection between remote users and the resources on a local network.
- Support for Embedded Point of Service (POS) device redirection.
- Support for Network Access Protection (NAP) that enforces network authentication.
- A new role management tool and an improved scalable spooler.
- Support for Microsoft Internet Protocol version 6 (IPv6) that enables peer-to-peer and mobile applications.
- The Windows System Resource Manager (WSRM) tool to manage system resources by using preconfigured policies or custom resource policies.

Question: Which features of Windows Server 2008 TS will be useful in your organization?

For more information about TS features, see "What's New in Terminal Services for Windows Server 2008" on the Microsoft TechNet Web site.

Installing the TS Server Role Service

Key Points
You can install the TS server role service by using the Server Manager, if no other TS role services, such as TS Gateway and TS Licensing, are installed on the server. If a TS role service is already installed on the server, the Terminal Services check box will be selected and dimmed. You then need to select the "To install the Terminal Server role server when Terminal Services is already installed" option.

For more information about installing the TS server role, see "Terminal Server Installation" on the Microsoft TechNet Web site.

Authentication Modes

Key Points
Two types of authentication modes can be used on a terminal server:
- User authentication supported by password, smart card, Windows NT LAN Manager (NTLM), and one-time password (OTP) over encrypted channels
- Host level authentication supported by Kerberos and Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates

NTLM authentication is mostly used for stand-alone systems on the network. The Kerberos authentication protocol provides a more secure network connection than traditional authentication methods. You can also configure Single Sign-On (SSO) on the terminal server. SSO is an access method that allows a client to gain access to multiple systems with a single set of credentials.

Note: Besides providing the Basic authentication method, Windows Server 2008 also provides Network Level Authentication. If you select this method, only clients running Windows Server 2008 or Microsoft Windows Vista with RDC version 6.0, or later, will be able to connect to the terminal server.

For more information about authentication modes, see "Windows Server 2008 Technical Review" and "Single Sign-On for Terminal Services" on the Microsoft TechNet Web site.


TS Core Functionality

Key Points
The following are the requirements for configuring TS core functionality on the client:
- High resolution monitors, such as super video graphics array (SVGA) or 1680 x 1050 or 1920 x 1200
- Windows portable devices
- Embedded POS for .NET devices

The core functionality works with:
- RDC 6.0 available with Windows Vista and Microsoft Windows XP
- RDC 6.1 available with Windows Server 2008

For more information about TS core functionality, see "What's New in Terminal Services for Windows Server 2008" on the Microsoft TechNet Web site.

Remote Desktop Connection 6.1

Key Points
RDC 6.1:
- Is available with Windows Server 2008 and Windows Vista with SP1.
- Supports Remote Desktop Protocol (RDP) 6.1 on the client computer.

As an administrator, you can remotely connect to a Windows Server 2008-based server by using the new /admin switch introduced in RDC 6.1. RDC 6.1 does not support the /console switch used in Microsoft Windows Server 2003. However, to connect to a physical console session on a Windows Server 2003-based server from Windows Vista SP1, you can use the mstsc.exe /admin command.

For more information about RDC, see "Terminal Services Core Functionality" on the Microsoft TechNet Web site.

Remote Desktop Connection Display

Key Points
Both RDC 6.0 and RDC 6.1 support higher-resolution desktops and provide for spanning of multiple monitors horizontally to form a single large desktop. You can also set a custom display resolution in a .rdp file using the RemoteApp Microsoft Management Console (MMC) or at the command prompt.

To set a custom display resolution in a .rdp file by using a text editor, add or change the following settings:
desktopwidth:i:<width>
desktopheight:i:<height>

To set a custom display resolution at the command prompt, use the mstsc.exe command as follows:
mstsc.exe /w:<width> /h:<height>

In the syntax, <width> and <height> are the resolution values, for example, 1680 and 1050.

Spanning of a session across multiple monitors requires:
- Same resolution on all the monitors, for example, all monitors having 1024 x 768 resolution
- Horizontal alignment of all monitors
- Total resolution of all monitors not to exceed 4096 x 2048

You can enable spanning of the same session across multiple monitors by changing the settings in a .rdp file or at the command prompt. To set spanning in a .rdp file using a text editor, add or modify the following setting:
Span:i:<num>


If <num> = 0, then monitor spanning is disabled and if <num> = 1, then monitor spanning is enabled. To set spanning at the command prompt, type the following command:
mstsc.exe /span

Question: In which scenarios would custom display resolution and spanning help in an organization?

For more information about RDC display, see "Remote Desktop Connection Display" on the Microsoft TechNet Web site.

Remote Desktop Experience

Key Points
In Windows Server 2008 TS, you can further enhance the end user's experience of connecting to a remote desktop with the Desktop Experience feature. This feature provides the functionality of Windows Vista such as Windows Media Player 11, desktop themes, and photo management.

The TS client computers with Windows Vista include the Windows Aero interface that shows:
- Translucent glass windows
- Customized lightweight window colors
- Open windows in a three-dimensional stack on the desktop
- Subtle animations supporting the repositioning of windows

Note: The desktop composition feature using Windows Aero works from a Vista client to a Vista terminal server only.

Windows Server 2008 also provides the ClearType feature that is now supported over RDP. This feature works by smoothing the characters, thus making it easier to read text on LCD screens. Because this feature was not supported over RDP prior to Windows Server 2008, text over TS was displayed in low resolution. The smoothing of fonts is also available on client computers having:
- Windows Vista
- Windows Server 2003 with SP1 and SP2 and RDC 6.0
- Windows XP with SP2 and RDC 6.0

Device Redirection

Key Points
The new PnP Redirection Framework provided in Windows Server 2008 enhances the PnP device redirection over RDP. The PnP device redirection, however, is not available for nested terminal server connections. For example, a client computer with a PnP device is redirected to a session with terminal server 1. The client then connects to another session with terminal server 2 from within the terminal server 1 session. The PnP device will not be available for this session with terminal server 2. Windows Server 2008 also redirects devices that use POS for .NET 1.11.

Note: POS redirection is not supported if the terminal server has x86-based version of Windows Server 2008.

You can enable POS for .NET device redirection by editing the .rdp file used to connect to the terminal server as follows:
redirectposdevices:i:<value>

In the above syntax, if <value> = 0, POS for .NET device redirection is disabled and if the <value> = 1, it is enabled.

For more information about device redirection, see "Plug and Play Device Redirection for Media Players and Digital Cameras" and "Microsoft Point of Service for .NET Device Redirection" on the Microsoft TechNet Web site.
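The .rdp settings from the Remote Desktop Connection Display and Device Redirection topics can be checked before a connection file is handed to users. The Python below is an added example, not part of the courseware: the setting names and the 4096 x 2048 limit are taken from the text as given, while the function names and sample files are constructed for illustration.

```python
# Added example (not from the courseware): check the .rdp settings this module
# describes. Setting names and the 4096 x 2048 limit come from the text above;
# function names and the sample files are constructed for illustration.

MAX_SPAN_WIDTH, MAX_SPAN_HEIGHT = 4096, 2048

# Constructed sample: well-formed settings in name:type:value form.
GOOD_RDP = """desktopwidth:i:1680
desktopheight:i:1050
Span:i:0
redirectposdevices:i:0
"""

# Constructed sample: two lines a hand edit got wrong, plus spanning enabled.
BAD_RDP = """desktopwidth:i = 1680
Span:i:1
redirectposdevices:i 1
"""


def parse_rdp(text):
    """Parse name:type:value lines into (settings, errors).

    Names are lowercased, type 'i' values become int, and malformed lines
    are reported instead of being silently ignored.
    """
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            errors.append(f"line {lineno}: not name:type:value: {line!r}")
            continue
        name, kind, value = (p.strip() for p in parts)
        name, kind = name.lower(), kind.lower()
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                errors.append(f"line {lineno}: {name} needs an integer, got {value!r}")
                continue
        settings[name] = value
    return settings, errors


def span_problems(monitors):
    """Check a client layout against the three spanning requirements.

    monitors: list of (x, y, width, height) tuples, one per monitor.
    Returns a list of reasons spanning would not work ([] if none).
    """
    if not monitors:
        return ["no monitors given"]
    problems = []
    if len({(w, h) for _, _, w, h in monitors}) > 1:
        problems.append("monitors do not all have the same resolution")
    if len({y for _, y, _, _ in monitors}) > 1:
        problems.append("monitors are not aligned horizontally")
    total_w = sum(w for _, _, w, _ in monitors)
    total_h = max(h for _, _, _, h in monitors)
    if total_w > MAX_SPAN_WIDTH or total_h > MAX_SPAN_HEIGHT:
        problems.append(
            f"total resolution {total_w} x {total_h} exceeds "
            f"{MAX_SPAN_WIDTH} x {MAX_SPAN_HEIGHT}"
        )
    return problems


def audit_rdp(text, monitors=None):
    """Return (settings, findings) for the settings covered in this module."""
    settings, findings = parse_rdp(text)
    if ("desktopwidth" in settings) != ("desktopheight" in settings):
        findings.append("desktopwidth and desktopheight must be set together")
    for name in ("span", "redirectposdevices"):
        if name in settings and settings[name] not in (0, 1):
            findings.append(f"{name} must be 0 or 1, got {settings[name]!r}")
    if settings.get("span") == 1 and monitors is not None:
        findings.extend(span_problems(monitors))
    if settings.get("redirectposdevices") == 1:
        findings.append("POS for .NET device redirection is enabled; confirm it is required")
    return settings, findings


if __name__ == "__main__":
    three_wide = [(0, 0, 1920, 1200), (1920, 0, 1920, 1200), (3840, 0, 1920, 1200)]
    for label, sample in (("good", GOOD_RDP), ("bad", BAD_RDP)):
        settings, findings = audit_rdp(sample, monitors=three_wide)
        print(label, settings)
        for finding in findings:
            print("  -", finding)
```

A line that does not use two colon separators is reported rather than read as a setting, which is the most common result of editing these files by hand.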

Introduction to a Standalone Instance and a Farm

Key Points
The TS server role service can be installed on a single server as a standalone instance. Alternatively, you can implement a TS farm comprising multiple terminal servers to facilitate load balancing in a large organization. Windows Server 2008 provides the TS Session Broker role service that allows administrators to load balance sessions between terminal servers in a farm. TS Session Broker stores information related to the state of a session. This information is used to distribute the sessions evenly between the terminal servers.

Question: What problems do you anticipate if a standalone instance is used as a terminal server in an organization having many branches?

Standalone Instance vs. Farm

A standalone instance is used in small organizations that require minimum administration. This environment usually includes one terminal server that is accessed by a few client computers.

Large organizations require a farm installation that caters to many branches. This type of environment requires multiple terminal servers that can be easily accessed by many client computers.

Lesson 2

Configuring the TS Settings

After installing the TS server role service, you can start configuring the TS settings according to your organization's requirements. To take maximum advantage of TS, you need to plan what type of applications you would require to run on the terminal server. You can even configure a specific program to start when you start a session on the terminal server. To enhance the performance of the terminal server, you can restrict the number of simultaneous remote connection sessions on the terminal server. You can configure these settings on TS by using the Terminal Services Configuration snap-in.

Demonstration: Configuring Start Program on Connection

Question: Which program would you want to launch at the start of a TS session in your organization?

Restricting Remote Connection Sessions

Key Points
It is a best practice to configure the maximum number of sessions that can connect to the server by using Group Policy. Any modifications in Group Policy should be validated before applying them to users and computers. As an administrator, you can invoke Group Policy by using the Active Directory Users and Computers snap-in on the computer that has the domain controller.

Note: The recommended practice is to limit users to one remote session.

Question: What kind of problems do users encounter when there are too many remote connections?

Configuring Other TS Settings

Key Points
The Terminal Services Configuration snap-in can be used to edit settings such as security, session timeouts, and encryption levels based on the connection. To configure RDP-Tcp Connections, you can use the following tabs in the RDP-Tcp Properties dialog box:
- General
- Log On Settings
- Sessions
- Environment
- Security
- Remote control
- Client Settings
- Network Adapter

Some best practices for using terminal servers:
- Install only specific services required in a branch office environment to minimize security risks.
- Configure the TS session broker role service that enables load balancing of sessions between terminal servers in a farm.
- Configure the license server discovery mode to ensure that the terminal server can obtain the required license from the license server.

For more information about configuring TS, see "Windows Server 2008 RC0 TS Session Broker Load Balancing Step-by-Step Guide" and "Configuring License Settings on a Terminal Services" on the Microsoft TechNet Web site.

Lab: Configuring TS Core Functionality

Overarching Scenario
You are the Windows Application Platform Services technology specialist for Woodgrove Bank, which has a presence in America, Europe, the Middle East, Africa (EMEA), and Asia. Woodgrove Bank's information technology (IT) department is responsible for maintaining the database, applications, user authentication, Group Policy, and permissions. It is also responsible for the performance of the server and enterprise infrastructure.

Currently, you are using simple RDP or any third party utility to control the remote console. You install all programs on all client computers, which is time consuming. It is also difficult to maintain and upgrade all the applications on every individual machine. Therefore, the management has advised you to implement the Windows Server 2008 TS environment. Installing TS would increase productivity and ensure optimal utilization of the network bandwidth to access remote applications. As a technology specialist in Woodgrove Bank's IT department, you have been tasked with installing and configuring the TS environment.


Exercise 1: Installing and Configuring the TS Server Role Service


Scenario
You receive a service request based on an enterprise administrator's design to deploy a standalone instance of TS with core functions. You have to select an authentication method that will ensure that users can securely access applications over the network. You also want to optimize the administrative tasks that can be done by configuring SSO and WSRM. The end users require that the local machines display the Windows Vista desktop during the TS session. To enable this functionality, you need to configure RDC 6.1. The enterprise administrator has also requested you to provide enhanced program performance for users at the branch offices who access centralized data stores.

Exercise Overview
In this exercise, you will install and configure the TS core functionality at the New York head office. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator.
2. Install the TS server role service.
3. Configure authentication on the terminal server.
4. Configure the default credentials to be used on the terminal server.
5. Create a .rdp file and configure custom display.
6. Enable ClearType and Font smoothing.
7. Enable support for PnP redirection.
8. Install and configure WSRM.
9. Install the Desktop Experience.
10. Remotely connect to TS by using RDC.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on with the default User ID WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Verify the membership in the local administrators group in the Active Directory User and Group.

Note: Wait for the domain controller virtual machine, 6428A-NYC-DC1-01, logon screen to appear before starting 6428A-NYC-TS-01 VM.

3. Start 6428A-NYC-TS-01 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
4. Confirm that 6428A-NYC-TS-01 is a member of the Woodgrove.com domain under Computers in the Active Directory User and Group.

Task 2: Install the TS server role service


1. On 6428A-NYC-TS-01, start Server Manager from the Administrative Tools menu.
2. Add the Terminal Services role in the Add Roles wizard.
3. On the Terminal Services page, configure the Terminal Server:
   - Authentication Method: Network Level Authentication setting for a terminal server
   - Licensing Mode: Per-User
   - Select User Groups Allowed Access to This Terminal Server: Add NYC_MarketingGG nested in NYC under WoodgroveBank.com.
4. Confirm the installation of the TS role service in the Server Manager.

Task 3: Configure authentication on the terminal server


1. Start Terminal Services Configuration by using the tsconfig.msc command.
2. In the RDP-Tcp Properties dialog box, configure the authentication method to be used as SSL (TLS 1.0).

Task 4: Configure the default credentials to be used on the terminal server


1. Open the Local Group Policy Editor by using the gpedit.msc command.
2. On the Credentials Delegation page, enable Allow Delegating Default Credentials and add the 6428A-NYC-TS-01 server.

Task 5: Create a .rdp file and configure custom display


1. Create a .rdp file by using the TS RemoteApp Manager snap-in.
2. In the RemoteApp Wizard, verify that the location of the .rdp file is C:\Program files\Packaged Programs\mstsc.rdp.
3. Open the C:\Program files\Packaged Programs\mstsc.rdp file in a text editor.
4. Specify the following custom display settings:
   desktopwidth:i:1680
   desktopheight:i:1050
5. Enable monitor spanning by using Span:i:1.

Task 6: Enable ClearType and Font smoothing


1. In Control Panel, under Appearance and Personalization, enable ClearType.
2. Display the Remote Desktop Connection dialog box, and enable font smoothing on the Experience tab.

Task 7: Enable support for PnP redirection


1. Display the Remote Desktop Connection dialog box.
2. On the Options tab, under Local devices and resources, enable Devices that I plug in later.

Task 8: Install and configure WSRM


1. Start Server Manager, under Features Summary, select Windows System Resource Manager.
2. Install Windows System Resource Manager by using the wizard.
3. Open the Windows System Resource Manager snap-in.
4. In the Connect to computer dialog box, enable WSRM to administer the local computer.

Task 9: Install the Desktop Experience


1. Start Server Manager. Under Features Summary, select Desktop Experience.
2. Install the Desktop Experience by using the wizard.
3. Confirm the installation of the Desktop Experience.

Task 10: Remotely connect to TS by using RDC


1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box by using the mstsc command.
2. Connect to NYC-TS by using the user ID WOODGROVEBANK\Baris and password Pa$$w0rd.

You will be connected to the terminal server remotely.

Results: After this exercise, you should have configured the TS settings.


Exercise 2: Configuring the TS Settings


Scenario
You have been tasked with configuring the TS settings to streamline the infrastructure and secure the database and applications on the terminal server. For this, you need to specify a program to start when a user logs on, limit users to a single remote session, and set default permissions for built-in accounts. To further ensure load-balancing in a TS farm environment, you need to configure the Session Broker settings and create a policy for the retention of the temporary folder.

Exercise Overview
In this exercise, you will configure the TS settings and the session broker settings. The main tasks for this exercise are as follows:
1. Specify the program to start when a user logs on to a remote session.
2. Configure the TS settings by using the Terminal Services Configuration snap-in.
3. Modify the default permissions for built-in accounts.
4. Configure the Session Broker settings.
5. Shut down the virtual machines.

Task 1: Specify the program to start when a user logs on to a remote session
1. Start Terminal Services Configuration on 6428A-NYC-TS-01.
2. Under Connections, select RDP-Tcp and then display the Properties dialog box.
3. On the Environment tab, configure the Initial starting program setting as C:\Program Files\Packaged Programs\wordpad.

Task 2: Configure the TS settings by using the Terminal Services Configuration snap-in
In the Terminal Services Configuration snap-in, under the Edit Settings area, verify the following are selected:
- Restrict each user to a single session
- Delete Temporary folder on exit
- Use Temporary folders per session

Task 3: Modify the default permissions for built-in accounts


1. Start WMI Console by using the wmimgmt.msc command.
2. Display the WMI Control Properties dialog box.
3. On the Security tab, modify the Read Security permission for Baris Centinok and change it to Allow.

Task 4: Configure the Session Broker settings


1. Start Terminal Services Configuration.
2. In the Edit settings area, under TS Session Broker, select:
   - Member of farm in TS Session Broker
   - Join a farm in TS Session Broker
   - Participate in Session Broker Load-Balancing
3. Provide the server name as NYC-TS, the farm name as WoodGroveBank, and IP address as 10.10.0.23.


Task 5: Shut down the virtual machines


Turn off each virtual machine that is running and discard changes.

Note: After this exercise, you should have configured the TS settings.

Lab Review

Module 2
Configuring and Managing Terminal Services Licensing
Contents:
Lesson 1: Configuring TS Licensing
Lesson 2: Managing TS Licenses
Lab Demonstration: Configuring and Managing TS Licensing


Module Overview

The TS licensing management system in Microsoft Windows Server 2008 includes some significant enhancements as compared to TS licensing in Microsoft Windows 2003. After the TS server role service is installed in Windows Server 2008, users and devices require TS client access licenses (CALs) to connect to the terminal server. The TS licensing role service on the terminal server obtains these TS CALs from a TS license server. This module introduces TS licensing and covers the steps to configure the license and terminal servers for issuing and managing licenses. The module also includes installing Per User and Per Device TS CALs on the license server as well as managing the licensing lifecycle.


Lesson 1

Configuring TS Licensing

The TS licensing role service is a license management system that manages TS CALs. You need to install the TS licensing role service on a server running Windows Server 2008. After installation, you are required to activate the license server. Only after activation can the license server issue TS CALs to devices or users that want to connect to the terminal server. You can use the TS Licensing Manager snap-in to manage TS licensing.


TS Licensing Role

Key Points
In large organizations, the TS license server is different from the terminal server. An organization needs to deploy at least one license server to issue licenses to users and devices wanting to connect to the terminal server. A license server can concurrently serve many terminal servers.

Note: A terminal server running Windows Server 2008 cannot communicate with a license server running Windows Server 2003. A terminal server running Windows Server 2003 can, however, communicate with a license server running Windows Server 2008. For more information about the TS Licensing role, see "TS Licensing" on the Microsoft TechNet Web site.


TS Licensing Manager Snap-In

Key Points
The TS Licensing Manager snap-in requires minimum 10 MB of CPU memory for its transactions. The license database increases by 5 MB with the issuance of every 6,000 TS CALs. The license server is active only when it receives a request for a TS CAL from the terminal server. For more information about the TS Licensing Manager snap-in, see "TS Licensing" on the Microsoft TechNet Web site.


TS Client Access Licenses

Key Points
The two types of TS CALs, Per Device and Per User, are obtained as follows:
1. When a user or device connects to the terminal server, the terminal server first determines whether a TS CAL is required.
2. If a TS CAL is required, then the terminal server requests the CAL from the license server.
3. After receiving the TS CAL, the terminal server:
   - Delivers the TS CAL to the client device in case of a Per Device TS CAL.
   - Stores the information as part of the user account in the Active Directory Domain Services in case of a Per User TS CAL.

The Per Device TS CALs are issued statically to client machines, and the Per User TS CALs are issued to a user's account and can be used from any device. Tracking the TS Per User CAL issuances is supported only in domain-joined scenarios. Active Directory Domain Services is used for tracking the Per User TS CALs.

Note: Active Directory Domain Services can be based on either Windows Server 2008 or Windows Server 2003, and no updates to its schema are required for generating tracking reports of the Per User TS CALs.


Installing the TS Licensing Role Service

Key Points
The TS Licensing database should be located on the same computer on which the TS licensing role service is being installed. The TS Licensing Manager snap-in is automatically installed when you install the TS licensing role service. You can also manage your license servers from a remote computer running Windows Server 2008 by installing the TS Licensing Manager snap-in on that computer.

You need to activate a license server only once. While waiting for the activation process to complete, the license server can issue temporary TS CALs that allow clients to use the terminal server for 120 days.

In addition, you need to configure the TS license server discovery scope to help the terminal servers discover the license server. The three discovery scopes are:
• Workgroup
• Domain
• Forest

Note: To install the TS Licensing role service, you should be a member of the Administrators group. For more information about installing the TS Licensing role service, see "Activating a Terminal Services License Server" and "Terminal Services License Server Discovery" on the Microsoft TechNet Web site.


Configuring the Terminal Server for Licensing

Key Points
The TS licensing mode, Per Device or Per User, can be set:
• During the installation of the TS server role service.
• By using the Terminal Services Configuration snap-in.
• By using Group Policy.

The TS licensing discovery mode can be set:
• By using the Terminal Services Configuration snap-in.
• By using Group Policy.
• By using the automatic license discovery process where the terminal server contacts:
   • First, the license servers configured by using the Terminal Services Configuration snap-in.
   • Then, the license servers published in Active Directory Domain Services.
   • Finally, the license servers installed on the domain controller within the same domain as the terminal server.

Note: The TS licensing mode on the terminal server should be the same as that on the license server.

Note: A user connecting to a terminal server in a Per User licensing mode should have a TS Per User CAL. If the user does not have a TS Per User CAL for the terminal server, the terminal server will contact the license server for the required Per User CAL.

Question: Can you change the TS Per Device CAL to a TS Per User CAL on your license server?


For more information about configuring the terminal server for licensing, see "Configuring License Settings on a Terminal Server" on the Microsoft TechNet Web site.


Lesson 2

Managing TS Licenses

After installing and configuring the TS licensing role service, you need to manage the licensing lifecycle. For this, you will be required to track the issuance of the TS Per User CALs. You might also need to judiciously revoke device licenses and reallocate them, as required. While managing the license server, you can troubleshoot licensing issues related to the license server by using the Review Configuration snap-in.


Managing TS Client Access Licenses

To manage TS licensing, you can perform the following tasks by using the TS Licensing Manager snap-in:
• Change the properties such as the connection method used to communicate with the Microsoft Clearinghouse and the mandatory and optional information about your organization.
• Change the discovery scope: domain or forest.
• Review the configuration of the license server.
• Control the issuance of TS CALs.
• Track the issuance of TS CALs.
• Revoke the Per Device TS CALs.
• Deactivate and reactivate the license server.
• Locate the Microsoft Clearinghouse telephone number for your country or region to activate the license server.

Note: You cannot revoke a Per User TS CAL. After you have revoked a Per Device TS CAL, it will be immediately available for issuance to another device. You must not revoke licenses merely to ensure that enough licenses are available to support the requirement.

Other generic tasks that you can perform to manage TS licensing are:
• Back up a TS license server
• Move TS licensing to a new server
• Uninstall the TS licensing role service


For more information about managing TS CALs, see "Managing TS Licensing" on the Microsoft TechNet Web site.


Troubleshooting Licenses

Key Points
You can use the Review Configuration tool to identify problems on the license server related to the:
• Discovery scope
• Issuance of the TS CALs to devices or users
• Tracking and reporting of the issuance of the TS CALs

You can use the Licensing Diagnosis tool to analyze the following information on the terminal server:
• Configuration of the terminal server
• License servers that the terminal server discovered
• Configuration information of the license servers
• Licensing issues with possible solutions

For more information about troubleshooting licenses, see "Troubleshooting TS Licensing Installation" and "Known Issues for TS Licensing Installation" on the Microsoft TechNet Web site.


Lab Demonstration: Configuring and Managing TS Licensing

Overarching Scenario
You have configured TS for Woodgrove Bank. To support the TS environment you need to install the TS licensing role. The TS licensing role will enable you to determine the TS client access licenses (CALs) that are required for each device or user to connect to the terminal server. You need to use this role to install, issue, and monitor the availability of TS CALs on a TS license server.


Demonstration: Configuring and Managing TS Licensing


The main tasks for configuring and managing TS licensing are as follows:
1. Install the TS Licensing role.
2. Add a new device to the HR group.
3. Activate the license server and install TS Per Device CALs by using telephone.
4. Specify the TS Per Device mode on the terminal server.
5. Specify the TS licensing server discovery mode on the terminal server.
6. Revoke a Per Device CAL and make it available for a new device.

Task 1: Install the TS Licensing Role


1. On the terminal server, start Server Manager and install the TS Licensing role service.
2. On the Configure Discovery Scope for TS Licensing page, specify the discovery scope for TS Licensing as domain.
3. On the Configure Discovery Scope for TS Licensing page, specify the default location of the TS Licensing database.

Task 2: Add a new device to the HR group


1. On a client, add the computer you want to add to the domain WoodgroveBank.com on the Properties page of the computer.
2. On the domain controller, add the computer to the HR group in the Active Directory Users and Computers snap-in.

Task 3: Activate the license server and install TS Per Device CALs by using telephone
1. On the terminal server, activate the license server in the TS Licensing Manager snap-in.
2. On the Connection Method page, select the connection method Telephone.
3. On the Country or Region Selection page, select your country/region.
4. Call Microsoft by using the telephone number that is displayed on the License Server Activation page, and then provide the Microsoft customer support representative with the Product ID that is displayed on your screen. The representative will also ask you to provide your name and the name of your company.
5. The representative processes your request to activate the license server, and creates a unique ID for your license server.
6. Activate the license server with the ID and select the option to install the licenses now.
7. On the Obtain client license key pack page, use the telephone number that is displayed to call the Microsoft Clearinghouse, and give the representative your Terminal Services license server ID and the required information for the licensing program through which you purchased your TS CALs. The representative then processes your request to install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to as the license key pack ID.
8. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the license key pack ID provided by the representative into the boxes provided. The Terminal Services license server can now issue TS CALs to clients that connect to a terminal server.

Task 4: Specify the TS Per Device mode on the terminal server


On the terminal server, in the Terminal Services Configuration snap-in, under Licensing, specify the licensing mode as Per Device.

Task 5: Specify the TS licensing server discovery mode on the terminal server
On the terminal server, in the Terminal Services Configuration snap-in, under Licensing, specify the license server to be used.


Task 6: Revoke a Per Device CAL


1. On the license server, in the TS Licensing Manager snap-in, under NYC-TS, select Windows Server 2008 - Installed TS Per Device CALs.
2. Select the TS Per Device CAL that you want to revoke.
3. Revoke the TS CAL by using the Action menu.

The Status column for the TS Per Device CAL will show a status of Revoked when the TS Licensing Manager display is refreshed.

Results: After this demonstration, you should have seen how to install the license server and add a device to the HR group. Then you saw how to activate the license server, and install TS CALs by using the telephone. Then you should have seen how to configure the Per Device mode and the licensing server discovery mode on the terminal server. Finally, you saw how to revoke a Per Device CAL.


Lab Review


Module 3
Configuring and Troubleshooting Terminal Services Connections
Contents:
Lesson 1: Configuring the TS Connection Properties
Lesson 2: Configuring the TS Connection Properties by Using Group Policy
Lesson 3: Troubleshooting TS Connections
Lab: Configuring and Troubleshooting the TS Connections


Module Overview

After configuring TS Licensing on the terminal server, you need to set the TS connection properties on the terminal server as well as the clients. This module introduces the connection properties that can be set by using either the Terminal Services Configuration snap-in or Group Policy. Besides setting these properties, it is also important to configure the authentication and encryption levels for the TS connections between the terminal server and the clients. When configuring the client settings, you might also want to enhance the user experience by enabling the Desktop Experience and Plug and Play (PnP) Device Redirection Framework. In addition, configuring Single Sign-On (SSO) for user profiles can be helpful in reducing administrative effort. As an administrator, you will also need to perform some checks to identify and troubleshoot connectivity issues.


Lesson 1

Configuring the TS Connection Properties

You can use the Terminal Services Configuration snap-in to configure and administer TS connection properties such as the maximum number of simultaneous connections and time-out and reconnection settings. Using this snap-in, you can also configure authentication and encryption levels for clients to minimize security risks over remote connections. Also, configuring the Desktop Experience and enabling PnP device redirection help to enhance the user experience on TS.


Introduction to TS Properties

Key Points
In a TS environment, you can configure the TS properties such as the TS connection properties, device and resource redirection, remote session environments, session time limits, and user profiles. These TS properties can be configured both by administrators and standard users.

The User Account Control (UAC) feature of Microsoft Windows Server 2008 displays a prompt for the credentials of an administrator or equivalent account. If you are logged on as an administrator, you will be provided with two access tokens: an administrator token and a standard user access token. The administrator token is used only when you attempt to perform administrative tasks. With the administrator token, you can change the system state, install software, turn off the firewall, install a service or drive, and configure the security policy. As a standard user, you are not allowed to perform the administrator tasks but you can install software on a per-user basis.

The TS properties can apply to users or computers. For example, on a client, you can enable or disable user profiles. You can also configure connection properties for the computer, such as allowing a process to run over a slow network connection. On the server, you can configure settings for the computer, such as retain or delete temporary folders on exit. For users, you can configure settings that restrict them to a single remote session on the server.

Question: Configuring which TS settings helps enhance the performance of the terminal server?


Introduction to the TS Connection Properties

Key Points
You can use either Group Policy or the Terminal Services Configuration snap-in to configure the TS connection properties on the terminal server and clients. The TS connection properties set by using Group Policy always override the settings configured by using the Terminal Services Configuration snap-in. The TS connection properties can be set for a specific user and at the server level. If both user and server settings are configured, the server settings take precedence.

By using the Terminal Services Configuration snap-in, you can configure:
• A new connection
• Automatic logon to the server by a user
• Authentication of the terminal server

With respect to connection permissions, for each connection, you can:
• Add users and groups to permission lists
• Change the permissions of a user or group
• Remove users or groups from the permission lists

For more information about configuring TS connection properties, see "Configure Terminal Services Connections" on the Microsoft TechNet Web site.


Configuring the Maximum Number of Simultaneous Connections

Key Points
The default TS settings allow an unlimited number of sessions to connect to the server. This affects the performance of the terminal server as multiple sessions demand system resources. To improve performance, therefore, you can restrict the number of sessions. When using the Terminal Services Configuration snap-in to perform this procedure, you need to be a member of the administrators group on the local computer. For more information about configuring maximum number of simultaneous connections, see "Specify a maximum number of sessions that can connect to the server" on the Microsoft TechNet Web site.


Demonstration: Configuring the Time-Out and Reconnection Settings

Question: Which connection setting can result in the loss of data at the client side?

For more information about configuring the time-out and reconnection settings, see "Configure Timeout and Reconnection Settings" on the Microsoft TechNet Web site.


Configuring Authentication and Encryption

Key Points
To configure the authentication and encryption levels for clients, you will require a certificate from a certification authority (CA). In Windows Server 2008, the terminal server uses native Remote Desktop Protocol (RDP) for encryption. However, RDP does not authenticate the identity of the terminal server. You, therefore, need to configure the terminal server and clients to use Transport Layer Security (TLS) 1.0 for server authentication and encryption of the terminal server communications.

Note: You can enable TLS only by using the Terminal Services Configuration snap-in. You cannot use Group Policy to enable TLS authentication.

TLS authentication on a server requires:
• Microsoft Windows Server 2003 SP1
• A computer certificate obtained by using the Web or the Certificate Request wizard

TLS authentication on a client requires:
• Microsoft Windows 2000 or Microsoft Windows XP
• RDP 5.2, or later
• Certificate of the certification authority (CA) that issued the server certificate in the client's Trusted Root Certification Authorities store

You can configure four levels of encryption by using the Terminal Services Configuration snap-in:
• Federal Information Processing Standard (FIPS)-compliant
• High
• Client Compatible
• Low

Question: Which encryption level is most commonly used in organizations?

For more information about configuring authentication and encryption, see "Configure Authentication and Encryption" on the Microsoft TechNet Web site.


Configuring the Desktop Experience

Key Points
To further enhance the user's experience in TS, you can install and configure the Desktop Experience. For features such as Windows Media Player and Desktop Themes, you will have to enable audio redirection. The audio redirection setting is available on the Client Settings tab in the Properties page of the required connection in the Terminal Services Configuration snap-in. You can also use Group Policy to configure this setting.

Note: The Sound Recorder feature of Microsoft Windows Vista is not supported by RDP. Desktop Experience does not enable any of the Windows Vista features automatically; you need to enable them manually.

Question: Which scenarios require audio data to be shared between the terminal server and client?

For more information about configuring the Desktop Experience, see "Remote Desktop Connection Display" on the Microsoft TechNet Web site.


Configuring the Plug and Play Device Redirection Framework

Key Points
You can control the PnP device redirection framework on the Client Settings tab in the Properties page of the required connection in the Terminal Services Configuration snap-in. To redirect devices that use Microsoft Point of Service (POS) for .NET 1.11:
1. Install POS for .NET 1.11.
2. Install the .NET service objects or XML configuration files required by the POS for .NET device.
3. Stop and start the Terminal Services UserMode Port Redirector service in the Terminal Services Configuration snap-in.

Note: POS for .NET 1.11 device redirection is only supported if the terminal server is running an x86-based version of Windows Server 2008.

For more information about device redirection, see "Terminal Server Plug and Play Device Redirection Framework in Vista and Longhorn" on the Microsoft TechNet Web site.


Lesson 2

Configuring the TS Connection Properties by Using Group Policy

As an administrator, you might prefer to configure some connection properties by using Group Policy. The Group Policy settings override the settings configured by using the Terminal Services Configuration snap-in. In addition to configuring TS connection properties, you can use Group Policy to configure the Single Sign-On (SSO) feature of Windows Server 2008. This feature helps reduce the administrative load significantly as it enables users to log on to multiple devices or services with a single set of credentials.


Using Group Policy to Configure the TS Connection Properties

Key Points
Although most TS connection properties can be set by using the Terminal Services Configuration snap-in, you might want to set these by using Group Policy. The choice of method can depend on the complexity of your TS environment. Using Group Policy is often considered to be a simpler approach to configuring TS, especially in an environment with multiple terminal servers and users.

By using Group Policy, you can configure properties such as the maximum number of sessions, encryption level, automatic start program, remote control, time-out and reconnection, and some other client settings such as connection drives and printers. In addition, you can also configure the following settings:
• Specifying the interval for the session to be kept alive and keeping it consistent with the client state
• Removing the Disconnect item from the Shut Down dialog box
• Disabling smart card device redirection

Question: What will happen if you disable a Remote Desktop connection by using the Group Policy setting while a user is connected to the target computer?

For more information about configuring TS properties by using Group Policy, see "Configure Group Policy Settings" on the Microsoft TechNet Web site.


Introduction to Single Sign-On

The security benefit provided by SSO is that a user needs to log on to the domain only once by using a password. Subsequently, the user will be authenticated on any server in the domain. For administrators, this feature minimizes the administrative effort required to maintain a user account. For more information about SSO, see "Single Sign-On for Terminal Services" on the Microsoft TechNet Web site.


Considerations for Configuring Single Sign-On

Key Points
As an administrator, when configuring SSO, you need to ensure that the client computers are either Windows Vista-based or Windows Server 2008-based computers, and that the users have appropriate rights to log on to both the client and server. SSO can also be used on the client computers and terminal server that are part of a domain. You also need to note that Windows Server 2008 provides Credential Security Service Provider (CredSSP) that supports SSO. By using this feature, you can securely save your credentials for later use.

Note: SSO will not work on a server that cannot be authenticated by using Kerberos or a Secure Sockets Layer (SSL) certificate. If the terminal server connection is using a TS Gateway server, then in some cases the credentials of the TS Gateway will override the SSO settings.

For more information about considerations for configuring SSO, see "How to enable Single Sign-On for my Terminal Server connections" on the Microsoft Terminal Services Team Blog Web site.


Lesson 3

Troubleshooting the TS Connections

A number of connectivity issues can arise in a TS environment. While specific issues need to be handled by using specific methods, there are some troubleshooting steps that can help you determine common problems and rectify them.


Troubleshooting Connectivity Issues

Key Points
Depending on the connectivity problem, you can perform troubleshooting steps such as checking the RDP settings, analyzing event and error logs, and verifying licenses, policies, permissions, and encryption levels. In addition, you can perform the following troubleshooting steps:
• Use the Terminal Services Manager to view users connected to the terminal server.
• Identify and fix connectivity problems between the terminal server and domain controller by using the ping command.
• Use the ping command to determine connectivity problems with other computers.
• Start the Device Manager by using the devmgmt.msc command, and check the status of the network adapter.
• Check the network indicator lights on the computer and the hub or router. Also, check the network cabling.
• Check the firewall settings by using the Windows Firewall with Advanced Security snap-in.
• Check the IPsec settings by using the IP Security Policy Management snap-in.

For example, if a user logon request is denied, as an administrator you can check if the Allow all connections option is selected on the General tab in the Terminal Services Configuration snap-in. Another common connectivity issue is the failure of authentication when a user tries to reconnect to the terminal server. In this case, you can verify the user accounts connected to the terminal server on the Users tab in the Terminal Services Configuration snap-in.


Lab: Configuring and Troubleshooting the TS Connections

Overarching Scenario
You receive a service request from the enterprise administrator to configure the connection settings for TS. As an administrator, you need to configure connection permissions, SSO, client settings, and time-out and reconnection settings, as defined in the service request. These connection settings will enable you to efficiently manage connections to remote applications. To avoid overloading of the terminal server, you need to set permissions for all users and restrict the number of sessions.


Exercise 1: Configuring the TS Connection Properties


Scenario
The enterprise administrator is receiving many complaints about unauthorized users accessing the terminal server. Also some connections get disconnected automatically and users have a problem working with the applications on the terminal server. You receive a service request to modify the connection permissions of Baris, Bernard, and Anton.

Exercise Overview
In this exercise, you will configure the TS connection properties by using the Terminal Services Configuration snap-in. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and the 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Configure the TS connection properties by using the Terminal Services Configuration snap-in.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on with the default login ID WOODGROVEBANK\Administrator.
2. Start 6428A-NYC-TS-03 and log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd.
3. Verify that TS is installed on the 6428A-NYC-TS-03 virtual machine.

Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.

Task 2: Configure the TS connection properties by using the Terminal Services Configuration snap-in
1. On 6428A-NYC-TS-03, start the Terminal Services Configuration snap-in.
2. Verify that the remote control setting for default users is selected on the Remote Control tab in the RDP-Tcp Properties dialog box.
3. Configure the connection permissions for users as follows:
   • Baris Cetinok: Deny permission to disconnect a connection
   • Bernard Duerr: Allow all connection permissions
   • Anton Kirilov: Allow permission to disconnect a connection

Results: After this exercise, you should have configured the connection properties.


Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy


Scenario
You have been tasked with restricting the maximum number of terminal sessions to two and configuring the TS connection setting to automatically reconnect to the server. In addition, you need to configure the RDP client connection security and encryption levels on the server. You want to configure the connection settings by using the Group Policy editor. These settings are critical to the performance of the TS and they will override any other settings that users might have configured by using the Terminal Services Configuration snap-in.

Exercise Overview
In this exercise, you will configure the TS connection properties by using Group Policy. The main tasks for this exercise are as follows:
1. Configure the TS connection properties.
2. Verify that a maximum of two clients can connect to the terminal server.

Task 1: Configure the TS connection properties


1. On 6428A-NYC-DC1-01, start Group Policy Management by using the gpmc.msc command.
2. Create a new Group Policy Object (GPO) for the Marketing OU as GPO for TS Connection.
3. Start the Group Policy Management Editor, and configure the following:
   • TS Maximum Connections allowed: 2
   • Automatic reconnection: Enabled
   • Set client connection encryption level: Enabled
     Encryption level: Client Compatible
   • Set time limit for disconnected sessions: Enabled
     End a disconnected session: 5 minutes

Task 2: Verify that a maximum of two clients can connect to the terminal server
1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box by using the mstsc command.
2. Connect to Nyc-ts, log on as Baris with the password Pa$$w0rd.
3. Log on as a second user, Bernard with the password Pa$$w0rd.
4. Log on as a third user, Anton with the password Pa$$w0rd.
5. Observe that Anton gets a failed logon message.

Results: After this exercise, you should have configured the TS connection properties by using server Group Policy.
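
The settings from Exercise 2 and from the Configuring Authentication and Encryption topic can be checked in the registry once the GPO has applied. The PowerShell below is an added example, not part of the courseware: it resolves each value with Group Policy taking precedence over the snap-in and compares it with the lab's service request. The registry locations are the standard Terminal Services ones and are stated as assumptions, the function names are hypothetical, the sample values are constructed, and PowerShell 3.0 or later is required.

```powershell
# Added example (not from the courseware). Function names are hypothetical.
# Assumed registry locations: Group Policy writes under $PolicyKey; the
# Terminal Services Configuration snap-in writes under $LocalKey.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$EncryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Read-RegistryValues {
    # Returns every value under a registry key as a hashtable (empty if the key is absent).
    param([string]$Path)
    $values = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Resolve-EffectiveSetting {
    # Group Policy wins over the snap-in value, as the lesson states.
    # Simplification: per-connection fInherit* flags are not evaluated here.
    param([hashtable]$Policy, [hashtable]$Local, [string]$Name)
    if ($Policy.ContainsKey($Name)) {
        return [pscustomobject]@{ Value = $Policy[$Name]; Source = 'Group Policy' }
    }
    if ($Local.ContainsKey($Name)) {
        return [pscustomobject]@{ Value = $Local[$Name]; Source = 'TS Configuration snap-in' }
    }
    return [pscustomobject]@{ Value = $null; Source = 'Not set' }
}

function Format-TsValue {
    # Turns a raw registry number into the label used in the snap-in.
    param([string]$Name, $Value)
    if ($null -eq $Value) { return 'not set' }
    switch ($Name) {
        'MinEncryptionLevel'   { return $EncryptionNames[[int]$Value] }
        'SecurityLayer'        { return $SecurityLayerNames[[int]$Value] }
        'MaxInstanceCount'     {
            # REG_DWORD 0xFFFFFFFF (unlimited sessions) is read back by .NET as -1.
            if ($Value -eq -1 -or $Value -eq 4294967295) { return 'Unlimited' }
            return "$Value sessions"
        }
        'MaxDisconnectionTime' { return "$([int64]$Value / 60000) min" }  # stored in milliseconds
        default                { return "$Value" }
    }
}

function Test-TsConnectionBaseline {
    param([hashtable]$Policy, [hashtable]$Local)
    # Expected values: Exercise 2 (2 sessions, Client Compatible, 5 minutes) and
    # the SSL (TLS 1.0) security layer selected in Exercise 3.
    $expected = [ordered]@{
        MaxInstanceCount     = 2
        MinEncryptionLevel   = 2
        MaxDisconnectionTime = 5 * 60 * 1000
        SecurityLayer        = 2
    }
    foreach ($name in $expected.Keys) {
        # The page enables TLS only in the snap-in, so SecurityLayer is read from the local key.
        $policyView = if ($name -eq 'SecurityLayer') { @{} } else { $Policy }
        $setting = Resolve-EffectiveSetting -Policy $policyView -Local $Local -Name $name
        [pscustomobject]@{
            Setting   = $name
            Effective = Format-TsValue -Name $name -Value $setting.Value
            Source    = $setting.Source
            Expected  = Format-TsValue -Name $name -Value $expected[$name]
            Compliant = ($null -ne $setting.Value) -and ([int64]$setting.Value -eq $expected[$name])
        }
    }
}

# Constructed sample values standing in for one terminal server: the GPO from
# Exercise 2 has applied, but the snap-in still has the native RDP security layer.
$samplePolicy = @{ MaxInstanceCount = 2; MinEncryptionLevel = 2; MaxDisconnectionTime = 300000 }
$sampleLocal  = @{ MaxInstanceCount = -1; MinEncryptionLevel = 1; SecurityLayer = 0 }

Test-TsConnectionBaseline -Policy $samplePolicy -Local $sampleLocal | Format-Table -AutoSize

# On a live terminal server (elevated prompt), read the real keys instead:
# Test-TsConnectionBaseline -Policy (Read-RegistryValues $PolicyKey) -Local (Read-RegistryValues $LocalKey)
```

With the sample data, the three policy-backed settings report Group Policy as their source and are compliant, while SecurityLayer is flagged because the native RDP layer does not authenticate the terminal server.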


Exercise 3: Configuring SSO by Using Client Group Policy


Scenario
As an administrator, you want to reduce your administrative tasks. Currently, you are spending a lot of time maintaining the user accounts that are connecting to the TS. You want to configure SSO to reduce the administrative effort.

Exercise Overview
The main task for this exercise is to configure SSO by using client Group Policy.

Task 1: Configure the SSO setting by using client Group Policy


1. On 6428A-NYC-DC1-01, start the Terminal Services Configuration snap-in by using the tsconfig.msc command.
2. In the RDP-Tcp Properties dialog box, select Security Layer as SSL (TLS 1.0).
3. Start the Local Group Policy Editor by using the gpedit.msc command.
4. Select the option Allow Delegating Default Credentials.
5. Add the server 6428A-NYC-TS-03 to the list of servers in the Show Contents dialog box.

Results: After this exercise, you should have configured SSO by using client Group Policy.
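
The server list behind Allow Delegating Default Credentials decides which servers receive a user's saved logon credentials, so it is worth reviewing after Task 1. The PowerShell below is an added example, not part of the courseware: it checks each list entry against an approved set of terminal servers. It assumes the standard policy registry location and the TERMSRV/server entry format that credential delegation lists use; the function names are hypothetical and the sample entries, including NYC-TS2, are constructed.

```powershell
# Added example (not from the courseware). Function names are hypothetical.
# Assumed location of the "Allow Delegating Default Credentials" server list.
$DelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'

function Get-DelegationEntries {
    # Reads the list entries (numbered string values) from the policy key.
    param([string]$Path = $DelegationKey)
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-DelegationEntry {
    # Classifies one list entry; comparisons are case-insensitive.
    param([string]$Entry, [string[]]$ApprovedServers)
    $verdict = 'OK'
    $reason  = 'Approved terminal server'
    $trimmed = $Entry.Trim()

    if ($trimmed.Contains('*')) {
        # A wildcard hands saved credentials to every server that matches it.
        $verdict = 'TooBroad'
        $reason  = 'Wildcard entry; list the individual terminal servers instead'
    }
    elseif ($trimmed -notmatch '^(?<service>[^/]+)/(?<server>.+)$') {
        $verdict = 'Invalid'
        $reason  = 'Entry does not name a SERVICE/server pair'
    }
    else {
        $service = $Matches['service']
        $server  = $Matches['server']
        if ($service -ne 'TERMSRV') {
            $verdict = 'Review'
            $reason  = 'Delegates to a service other than Terminal Services'
        }
        elseif ($ApprovedServers -notcontains $server) {
            $verdict = 'Unapproved'
            $reason  = 'Server is not on the approved terminal server list'
        }
    }
    [pscustomobject]@{ Entry = $Entry; Verdict = $verdict; Reason = $reason }
}

# Constructed sample list and approved set for the Woodgrove Bank lab.
$sampleEntries = @(
    'TERMSRV/NYC-TS.WoodgroveBank.com',
    'TERMSRV/*',
    'NYC-TS',
    'TERMSRV/NYC-TS2.WoodgroveBank.com'
)
$approved = @('NYC-TS.WoodgroveBank.com')

$sampleEntries |
    ForEach-Object { Test-DelegationEntry -Entry $_ -ApprovedServers $approved } |
    Format-Table -AutoSize

# On a live client, review the applied policy instead of the sample list:
# Get-DelegationEntries | ForEach-Object { Test-DelegationEntry -Entry $_ -ApprovedServers $approved }
```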


Exercise 4: Troubleshooting Connectivity Issues


Scenario
Users in the organization are having problems connecting to the terminal server. A user, Monika Buschmann, is unable to log on because her password has expired. You need to reset her password. Another user, Dana Birkby, is unable to connect to the Remote Desktop. Verify her user permissions. After updating the users' account settings, validate that the users can connect to the terminal server. Help Desk has verified that this is not a network connectivity issue from the client and that the firewall is also correctly configured.

Exercise Overview
In this exercise, you will troubleshoot connectivity issues. The main tasks for this exercise are as follows:
1. Verify the RDP settings and check the event logs.
2. Verify the user and group permissions and policy settings.
3. Verify that the users are able to log on with the updated settings.
4. Shut down the virtual machines.

Task 1: Verify the RDP settings and check the event logs
1. On 6428A-NYC-TS-03, start TS RemoteApp Manager.
2. Verify that the RDP Port for NYC-TS.WoodgroveBank.Com is 3389.
3. Start Event Viewer by using the eventvwr command.
4. Check the details under Application.

Task 2: Verify the user and group permissions and policy settings
1. On 6428A-NYC-DC1-01, start the Active Directory Users and Computers snap-in.
2. Under Marketing, reset the password for Monika Buschmann to Pass@word1.
3. Start the Terminal Services Configuration snap-in, in the RDP-Tcp Properties dialog box, verify permission settings for Dana Birkby and modify the settings to enable her remote connection.
4. Check that the Encryption Level is Client Compatible.

Task 3: Verify that users are able to log on with the updated settings
1. On 6428A-NYC-DC1-01, start Remote Desktop Connection by using the mstsc command.
2. Connect to Nyc-ts and log on as Monika with the password as Pass@word1.
3. Log on as the second user, Dana with the password as Pa$$w0rd.

Task 4: Shut down the virtual machines


1. Turn off 6428A-NYC-DC1-01, and discard changes.
2. Turn off 6428A-NYC-TS-03, and discard changes.

Results: After this exercise, you should have used troubleshooting techniques to resolve connectivity issues.


Lab Review


Module 4
Configuring Terminal Services RemoteApp and Easy Print
Contents:
Lesson 1: Installing Applications
Lesson 2: Configuring RemoteApp Programs
Lesson 3: Configuring Printers
Lab: Configuring TS Resources


Module Overview

Before installing programs on the terminal server, it is important that you are familiar with the types of applications that can be installed and considerations for installing these applications. This module provides an overview of TS RemoteApp programs that can be remotely accessed through TS, advantages of using these programs, and the methods used to deploy them. The module also introduces TS Easy Print, which facilitates printer redirection over a TS session.


Lesson 1

Installing Applications

You can install any Windows-based application on a terminal server. However, running some of these applications might affect the performance of the terminal server. Therefore, it is important to bear in mind some key considerations for installing these applications.


Types of Applications

Key Points
Terminal servers support off-the-shelf, custom, and line of business (LOB) applications. You can also install applications that use application virtualization technologies. Application virtualization isolates an application from the underlying operating system. The application runs in a virtualized environment and does not need to be installed on or interact with the underlying operating system. Windows Server 2008 TS provides a functionality that facilitates central hosting of client applications by using a virtualization technique called presentation virtualization. Using this technique, the keyboard and mouse inputs are directed to the server, and the video output is sent to the client over a network connection.


Considerations for Installing Applications

Key Points
Although all Windows-based applications run on a terminal server, you need to remember that some 16-bit applications require more RAM than others. These applications may affect the performance of other applications. Also note that all applications on the terminal server should be installed by using Windows Installer.

Note: Most programs have been tested for compatibility, and scripts are available for those that require some minor changes to the installation. These scripts are located in the System root, in the following path: \Application Compatibility Scripts\Install. You need to run these scripts after the installation of the program is completed.

Note: It is recommended that you avoid installing Microsoft DOS-based applications in a TS environment because these applications require frequent keyboard checks that use a lot of CPU memory. Applications accessing INI files also cause problems in a TS environment, owing to the frequent changes in the INI files.

For more information about considerations for installing applications, see "Build Your Skills: How to Optimize Apps to Run in Terminal Services" on the TechRepublic.com Web site.


Lesson 2

Configuring RemoteApp Programs

TS RemoteApp programs are applications that can be accessed remotely through TS. Using RemoteApp programs, organizations can provide access to Windows-based applications from any location to any computer or user. These RemoteApp programs can be deployed by using TS Web Access, a Windows Installer package (.msi file), or a Remote Desktop Protocol (.rdp) file.


Introduction to TS RemoteApp Programs

Key Points
In Windows Server 2008 TS, a RemoteApp program is integrated with the client's desktop and runs in its own resizable window with its own entry on the taskbar. A RemoteApp program that uses a notification area icon displays the icon in the client's notification area. Using RemoteApp programs, the popup windows can be redirected to the local desktop and the local drives and printers can be redirected to appear in the RemoteApp program.

Question: You want to access multiple programs running on the terminal server at the same time. How many terminal server sessions will be required to run multiple RemoteApp programs?

For more information about TS RemoteApp programs, see "Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.


Advantages of Using RemoteApp Programs

Key Points
Using TS RemoteApp programs minimizes the overall administrative effort, enhances user experience, and facilitates running different programs on multiple desktops. You can use TS RemoteApp programs in the following scenarios:
- For users who need to access applications from remote locations
- In an organization having many branches with limited local IT support and bandwidth
- In companies that have LOB applications, which need to be deployed on computers with different configurations
- For users who need to use different versions of a program
- For users who are mobile and need to work from different computers and/or locations

Question: What is the scenario in your organization and how will the implementation of RemoteApp programs assist you?


Methods for Deploying RemoteApp Programs

Key Points
Depending on the deployment method used (TS Web Access, .msi file, or .rdp file), you can access RemoteApp programs by:
- Clicking a link to the program on a Web site
- Double-clicking a .rdp file created by the administrator through a file share
- Double-clicking a program icon created by an administrator on the desktop or in the Start menu of the client computer
- Double-clicking a file with a file name extension that is associated with the RemoteApp program through a file share

Question: Can you access a RemoteApp program by using Internet Explorer?


Using TS Web Access to Deploy RemoteApp Programs

Key Points
TS Web Access provides access to RemoteApp programs through a Web page over the Internet or an intranet. When using TS Web Access to deploy RemoteApp programs, you first need to install the required RemoteApp programs and verify the remote connection settings on the terminal server. Then, you need to add the programs to the RemoteApp Programs list in the TS RemoteApp Manager. The TS RemoteApp Manager is then used to configure the following global settings that will apply to all RemoteApp programs:
- Terminal server
- TS Gateway
- Common Remote Desktop Protocol (RDP)
- Custom RDP
- Digital signature

You can then install the TS Web Access role service by using the Server Manager snap-in. If the TS Web Access server is different from the terminal server that hosts the RemoteApp programs, then you need to add the computer account of the TS Web Access server to the TS Web Access Computers security group on the terminal server. You can add the computer account by using the Computer Management administrative tool on the terminal server. Finally, you can specify the data source or the terminal server from which to populate the RemoteApp programs list. For this you can connect to the TS Web Access Web site. By using the Configuration tab on the site, you can enter the name of the terminal server that you want to use as the data source.


Note: You can use a digital signature to sign .rdp files for connecting RemoteApp programs to the terminal server. The client must be running RDC 6.1.

Note: Windows Installer packages or MSI packages are made available by using a file share, Microsoft System Center Configuration Manager, or Active Directory software distribution. These methods enable you to make RemoteApp programs available to users without using TS Web Access.

For more information about using TS Web Access for deploying RemoteApp programs, see "Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.


Considerations for Connecting to TS Web Access

Key Points
Clients connecting to TS Web Access must be running Windows Server 2008, Windows Vista, or Windows XP and must have the TS ActiveX client control approved by a standard user. In case of any problems in connecting to TS Web Access from the client computer, you can use the Manage Add-ons tool available on the Tools menu of Internet Explorer. The add-on will be displayed as Microsoft Terminal Services Client Control. On Windows XP SP3, you might need to modify the registry to enable the ActiveX control.

Note: RDC 6.1 is included in Vista SP1 and XP SP3.


Demonstration: Using an MSI File to Deploy RemoteApp Programs

Question: Why is it important to view the associated file name extensions for programs on the terminal server?


Lesson 3

Configuring Printers

TS Easy Print is a new feature in Windows Server 2008 TS. This feature enables users to print to the correct printer on the client computer from a RemoteApp program or from a remote desktop connection to a terminal server. TS Easy Print simplifies printer redirection as it requires only Group Policy to be configured.


TS Easy Print

Key Points
TS Easy Print redirects all print jobs from a TS session to the client computer without the need to install any printer driver on the terminal server. In addition, it provides enhanced enumeration performance by listing only the printers that are available for a particular session instead of all the redirected printers.

Note: The Group Policy setting applies to both TS Easy Print and legacy fallback. TS Easy Print is the default behavior; however, it coexists with the legacy fallback behavior of Windows Server 2003 RTM.

For more information about TS Easy Print, see "Terminal Services Printing" on the Microsoft TechNet Web site.


Considerations for Using TS Easy Print

Key Points
Client computers using TS Easy Print must be running either Windows Vista or Windows XP. If, however, these computers do not support Easy Print, then the local and network printer drivers will have to be installed on the terminal server. If you are using a third-party printer driver, then that driver needs to be signed by Windows Hardware Quality Labs (WHQL). The third-party printer driver should be compatible with Windows Server 2008 to run without any connectivity problems. On client computers that do not support TS Easy Print, printing defaults to the behavior in Windows 2003 and prior to Windows 2000.


Configuring Group Policy for Printer Redirection

Key Points
Windows Server 2008 has introduced a new Group Policy that is available in the Group Policy Management snap-in. The policy is located under the Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection node. The policy is named Redirect only the default client printer. The possible values for this Group Policy setting are:
- Enabled or Not Configured
- Disabled

By enabling this policy, you can ensure that only the TS client's default printer is redirected on the terminal server. This policy will function from any version of the TS client.


Lab: Configuring TS Resources

Overarching Scenario
Woodgrove Bank is launching a new investment scheme to benefit the underprivileged. The management has prepared a presentation that needs to be distributed to all the members of the Marketing group. The IT department is responsible for deploying the presentation on the terminal server so that it is accessible to all the members of the Marketing group. As a technology specialist in Woodgrove Bank's IT department, you have been tasked with installing Microsoft PowerPoint Viewer on the terminal server and making it available as a RemoteApp program. You also need to ensure that members are able to print the presentation if required.


Exercise 1: Configuring and Deploying TS RemoteApp Programs


Scenario
You receive a service request from the enterprise administrator to install PowerPoint Viewer on the terminal server. You need to create a RemoteApp program link to PowerPoint Viewer for the Marketing group because they need to use the application to view the presentation of the new investment scheme.

Exercise Overview
In this exercise, you will install TS Web Access and create a link to PowerPoint Viewer for the Marketing group. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Add the computer account of the TS Web Access server to the security group.
4. Specify the data source.
5. Install PowerPoint Viewer.
6. Add the PowerPoint Viewer program in the RemoteApp Programs list.
7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.
8. Determine if the RemoteApp program is enabled for TS Web Access.
9. Configure the TS Web Access server to allow access from the Internet.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-03 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.

Task 2: Install the TS Web Access role service


1. On 6428A-NYC-TS-03, start Server Manager and display the Add Role Services link.
2. Add the TS Web Access role service by using the Select Role Services page.

Task 3: Add the computer account of the TS Web Access server to the security group
1. On 6428A-NYC-TS-03, start the Computer Management snap-in.
2. Under the Local Users and Groups node, select the group TS Web Access Computers, and add the computer NYC-TS.

Task 4: Specify the data source


1. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.
2. Log on to the site as WoodgroveBank\Administrator using the password Pa$$w0rd.
3. Use the Configuration tab on the title bar to name the terminal server as NYC-TS.

Task 5: Install PowerPoint Viewer


1. Display the command prompt and enter change user /install.
2. Use Control Panel to install the application on the terminal server.
3. Install the PowerPointViewer.exe from E:\Tools.


Task 6: Add the PowerPoint Viewer program in the RemoteApp Programs list
1. Start TS RemoteApp Manager.
2. Use the RemoteApp wizard to add PowerPoint Viewer to the RemoteApp Programs list page.
3. Verify that the RemoteApp program, Microsoft Office PowerPoint Viewer 2007, is available through TS Web Access.

Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp program
1. In the TS RemoteApp Manager, in the RemoteApp Programs list, select Microsoft Office PowerPoint Viewer 2007.
2. Create a .rdp file for Microsoft Office PowerPoint Viewer 2007 by using the RemoteApp Wizard and on the Specify Package Settings page, verify the following settings:
   - Location of the program: C:\Program Files\Packaged Programs
   - Terminal server: NYC-TS.WoodgroveBank.com
   - Server authentication: Yes
   - Port: 3389
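The package settings verified in this task can also be checked in the generated file itself, because a .rdp file is plain text made of name:type:value lines. The audit below is an added example, not part of the course material; the two sample files and the PPTVIEW alias are constructed, and it only checks that signature lines are present without validating the signature.

```python
"""Audit a RemoteApp .rdp file against the settings chosen in the wizard."""


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: value}; 'i' values become int."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)   # the value itself may contain ':'
        if len(parts) != 3:
            continue                         # blank or malformed line
        name, kind, value = parts[0].strip().lower(), parts[1].strip().lower(), parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings


def audit_rdp(text, expected_server, expected_port=3389):
    """Return a list of findings; an empty list means the file matches."""
    s = parse_rdp(text)
    findings = []

    # 'full address' may carry the port as host:port; otherwise 'server port' applies.
    address = str(s.get("full address", ""))
    host, sep, tail = address.rpartition(":")
    if sep and tail.isdigit():
        port = int(tail)
    else:
        host, port = address, s.get("server port", 3389)
    if host.lower() != expected_server.lower():
        findings.append(f"terminal server is {host or '(missing)'}, expected {expected_server}")
    if port != expected_port:
        findings.append(f"port is {port}, expected {expected_port}")

    # authentication level: 0 connects even if server authentication fails,
    # 1 refuses to connect, 2 warns the user, 3 states no requirement.
    level = s.get("authentication level")
    if level == 0:
        findings.append("authentication level 0: connects even when server authentication fails")
    elif level not in (1, 2):
        findings.append(f"authentication level {level!r} states no server authentication requirement")

    if s.get("remoteapplicationmode") != 1:
        findings.append("remoteapplicationmode is not 1, so this is not a RemoteApp connection")

    # A signed file carries 'signscope' (the settings covered) and 'signature'.
    scope = {n.strip().lower() for n in str(s.get("signscope", "")).split(",")}
    if not s.get("signature"):
        findings.append("file is unsigned (no signature line)")
    elif "full address" not in scope:
        findings.append("signature does not cover the full address setting")
    return findings


# Constructed sample files; the signature value is a placeholder, not a real blob.
GOOD_RDP = """\
full address:s:NYC-TS.WoodgroveBank.com
server port:i:3389
authentication level:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||PPTVIEW
signscope:s:Full Address,Server Port
signature:s:PLACEHOLDER
"""

WEAK_RDP = """\
full address:s:nyc-ts.example.test:3390
authentication level:i:0
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_RDP), ("weak", WEAK_RDP)):
        print(label, audit_rdp(text, "NYC-TS.WoodgroveBank.com"))
```
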

Task 8: Determine if the RemoteApp program is enabled for TS Web Access


1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that Microsoft Office PowerPoint Viewer 2007 is available through TS Web Access.
2. Start Internet Explorer.
3. Access the URL http://NYC-TS/TS.
4. Provide the user credentials as WoodGroveBank\Baris with the password Pa$$w0rd.

Task 9: Configure the TS Web Access server to allow access from the Internet
1. On 6428A-NYC-TS-03, start Internet Information Services (IIS) Manager.
2. Enable Windows Authentication.

Results: After this exercise, you should have installed the PowerPoint program and created a link to C:\Program Files\Packaged Programs.


Exercise 2: Configuring TS Easy Print


Scenario
The Marketing group wants to print documents remotely. They might also want to print the investment scheme presentation. You receive a service request from the server administrator to ensure that TS Easy Print on the terminal server is used as the default printer driver on the client computers.

Exercise Overview
The main tasks for this exercise are as follows:
1. Configure the printer redirection settings.
2. Shut down the virtual machines.

Task 1: Configure the printer redirection settings


1. On 6428A-NYC-DC1-01 start Group Policy Management.
2. Create a GPO, GPO for RDP link, for Marketing.
3. Under Printer Redirection, enable:
   - Use Terminal Services Easy Print printer driver first.
   - Redirect only the default client printer.

Task 2: Shut down the virtual machines


Turn off each virtual machine that is running and discard changes.

Results: After this exercise, you should have configured TS Easy Print and the client print driver should have been redirected to TS.


Lab Review


Module 5
Configuring Terminal Services Web Access and Session Broker
Contents:
Lesson 1: Installing TS Web Access
Lesson 2: Configuring TS Session Broker
Lab: Configuring TS Web Access and Session Broker


Module Overview

TS Web Access is a role service that allows you to access TS RemoteApp programs on a Microsoft Windows Server 2008-based terminal server through a Web browser. This role service allows you to remotely connect to the desktop of any computer that provides Remote Desktop access. This module introduces TS Web Access and covers the considerations for installing this role service followed by the steps to install and configure RemoteApp programs by using TS Web Access. The module also describes the procedure to connect to the Remote Desktop Web by using TS Web Access. The module finally covers another role service, TS Session Broker, which facilitates reconnecting to an existing session in a load-balanced terminal server farm.


Lesson 1

Installing TS Web Access

With TS Web Access, you can easily access a list of RemoteApp programs from a Web site on the Internet or intranet. When you start a RemoteApp program, a TS session is started on the terminal server that hosts the application. The TS Web Access page includes the TS Web Access Web part that displays the list of RemoteApp programs. This Web part can be included on a customized Web page of an organization or can be incorporated in a Microsoft Windows SharePoint Services (WSS) Web site.


Introduction to TS Web Access

Key Points
TS Web Access in Windows Server 2008:
- Allows users to run multiple RemoteApp programs on the same terminal server in the same TS session
- Provides for centralized and easy remote administration and maintenance

TS Web Access in Windows Server 2008 also includes the Remote Desktop Web Connection feature, which enables users to connect to the desktop of remote computers. This feature is available as a Remote Desktop tab on the TS Web Access Web page. Remote Desktop Web Connection is installed as part of the TS Web Access role service and is not an optional component of Microsoft Internet Information Services (IIS) 7.0.

Note: TS Web Access does not route Remote Desktop Protocol (RDP) over the Internet. To connect to RemoteApp programs over the Internet, TS Gateway is used in conjunction with TS Web Access.

For more information about TS Web Access, see "Terminal Services Web Access (TS Web Access)" on the Microsoft TechNet Web site.


What's Different in Windows Server 2008 TS Web Access?

Key Points
TS Web Access in Windows Server 2008 replaces the TS Web Connection software available with Microsoft Windows Server 2003. An important point to note is that accessing TS Web Access does not require a separate ActiveX control to be downloaded. The required ActiveX control is included in Remote Desktop Connection (RDC) 6.1.


Considerations for Installing TS Web Access

Key Points
Before installing TS Web Access in Windows Server 2008, you need to ensure that the client computers are running either Windows Server 2008 or Microsoft Windows Vista with SP1. RDC 6.1, a necessary component for running TS Web Access, is included with Windows Server 2008 and Windows Vista with SP1.


Deploying the TS Web Access Web Part

Key Points
The list of RemoteApp programs that appears on the TS Web Access Web part is taken from a single terminal server that is specified by an administrator. This list is dynamically updated. You can deploy the Web part as part of a customized Web page by using an ActiveX control and Active Server Pages (ASP). To add the TS Web Access Web part to a WSS site, ensure that the server is running the release to manufacturing (RTM) version of Windows Server 2008 Standard. This feature does not work properly with Windows Server 2008 Release Candidate (RC)1.

For more information about the steps used to add the TS Web Access Web part to a WSS Web site, see the document "Customizing TS Web Access by Using Windows SharePoint Services" on the Microsoft Web site.


Installing and Configuring RemoteApp Programs by Using TS Web Access

To configure RemoteApp programs on the terminal server:
1. Install the programs required on the terminal server.
2. Verify existing remote connections or change remote connection settings as required.

To enable RemoteApp programs for TS Web Access:
1. Add the programs that you want to display in the RemoteApp Programs list.
2. Configure the following:
   - Terminal server deployment settings
   - TS Gateway deployment settings
   - RDP settings for RemoteApp connections
   - Custom RDP settings for RemoteApp connections
   - Digital signature to sign the .rdp files

To install TS Web Access on the server:
1. Install the TS Web Access role service.
2. Populate the TS Web Access Computers security group.
3. Specify the terminal server with the RemoteApp programs list on the TS Web Access Web part.

All remote programs on the terminal server or farm configured for TS Web Access appear on the TS Web Access Web site.

Question: Which RemoteApp programs would you prefer to include on the TS Web Access Web part in your organization?


For more information about installing and configuring RemoteApp programs by using TS Web Access, see Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide on the Microsoft TechNet Web site.


Connecting to Remote Desktop Web by Using TS Web Access

Key Points
If you are an administrator, you can specify whether the Remote Desktop tab on the TS Web Access Web page is available to users by using the IIS Manager. You can also configure settings such as the TS Gateway server, authentication method, and default device and resource redirection options. By default, server authentication is enabled for the Remote Desktop Web connection. To connect to the remote computer:
- The computer must be configured to accept Remote Desktop connections.
- The user must be a member of the Remote Desktop Users group on the remote computer.

Note: You can also configure the settings for the Remote Desktop Web connection by changing the %windir%\Web\ts\Web.config file in Notepad.

Question: What are the advantages of using the Remote Desktop Web connection in a branch scenario?


Lesson 2

Configuring TS Session Broker

In a farm environment, you can use the TS Session Broker role service to balance the load among the terminal servers. By using TS Session Broker, you can distribute the sessions such that the more powerful terminal servers take more load than the less powerful terminal servers.


Introduction to TS Session Broker

Key Points
In Windows Server 2008, TS Session Broker provides session-based load balancing as compared to connection-based Network Load Balancing (NLB) in Windows Server 2003. However, Windows Server 2008 continues to support third-party NLB configurations of Windows 2003. TS Session Broker works through the following two phases:
- In the first phase, the connections are distributed to the terminal servers by using a load balancing mechanism such as Domain Name System (DNS) round robin. The terminal server in turn then queries TS Session Broker for redirection.
- In the second phase, the terminal server redirects the user connections to the terminal server specified by TS Session Broker.
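The two phases can be traced with a small model, given here as an added example that is not part of the course material. The server names, the relative weights, and the selection rule (fewest sessions per unit of weight) are assumptions made for illustration and do not reproduce the product's actual algorithm.

```python
"""Simplified model of the two-phase TS Session Broker redirection."""
from itertools import cycle


class SessionBroker:
    """Tracks which server holds each user's session and picks redirect targets."""

    def __init__(self, weights):
        self.weights = dict(weights)   # server -> relative weight (assumed values)
        self.sessions = {}             # user -> server that holds the session

    def load(self, server):
        """Sessions on the server divided by its weight."""
        count = sum(1 for held_by in self.sessions.values() if held_by == server)
        return count / self.weights[server]

    def target_for(self, user):
        """Existing session: send the user back to it. Otherwise: least-loaded server."""
        if user in self.sessions:
            return self.sessions[user]
        server = min(sorted(self.weights), key=self.load)
        self.sessions[user] = server
        return server


class Farm:
    """A farm whose initial connections arrive by round robin."""

    def __init__(self, weights):
        self.broker = SessionBroker(weights)
        self._round_robin = cycle(sorted(weights))   # stands in for DNS round robin

    def connect(self, user):
        """Return (server first contacted, server the user is redirected to)."""
        first = next(self._round_robin)        # phase 1: initial distribution
        final = self.broker.target_for(user)   # the contacted server queries the broker
        return first, final                    # phase 2: redirect to the broker's choice


if __name__ == "__main__":
    # Constructed farm: TS-A is given twice the weight of TS-B.
    farm = Farm({"TS-A": 2, "TS-B": 1})
    for n in range(6):
        print(f"user{n}", farm.connect(f"user{n}"))
    print("user1 reconnects:", farm.connect("user1"))
```
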

Note: The TS Session Directory feature available in the previous versions is called TS Session Broker in Windows Server 2008.

For more information about TS Session Broker, see "Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide" on the Microsoft TechNet Web site.


Prerequisites for Configuring TS Session Broker

Key Points
Windows Server 2003 terminal servers cannot use the TS Session Broker load balancing feature. As a best practice, you should install the TS Session Broker role service on a back-end infrastructure server, such as a file server. This ensures that the service will not be affected when you need to perform maintenance on the terminal servers in the farm. To use the TS Session Broker role service, the terminal servers should be members of the Session Directory Computers local group. This group is located on the TS Session Broker server.


Demonstration: Configuring TS Session Broker

Question: You need to configure the IP addresses for reconnection. What precaution do you need to take to include the terminal servers running Windows Server 2003?


Lab: Configuring TS Web Access and Session Broker

Overarching Scenario
The Marketing group of Woodgrove Bank has prepared a presentation about a new product by using Microsoft PowerPoint. This presentation should be available on a Web site to all users of this group. The Finance group has also prepared a presentation on the current financial position of the organization. The management wants users from the Finance group to access this presentation from the WSS Web site. To manage all the traffic on the Web servers in the farm, the enterprise administrator wants to implement TS Session Broker.


Exercise 1: Configuring TS RemoteApp Programs for TS Web Access


Scenario
You receive a service request from the enterprise administrator to create a link to Microsoft Office PowerPoint Viewer 2007 on the terminal server. This link should be available to all users of the Marketing Group through a Web browser. To enable this, you need to create the link to PowerPoint Viewer that can be accessed through the TS Web Access Web site.

Exercise Overview
In this exercise, you will install and configure the TS Web Access role service on the terminal server and create a .msi file for PowerPoint Viewer. A link for this .msi file needs to be created so that the marketing group can access it through a Web browser. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Determine if the RemoteApp program is enabled for TS Web Access.
4. Create an MSI file.
5. Create a link to the TS RemoteApp program on the terminal server.
6. Verify that the link is functional and available through the Web browser.

Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-05, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
3. Start 6428A-NYC-WEB-05, and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

Task 2: Install the TS Web Access role service


1. In the Server Manager snap-in on 6428A-NYC-TS-05, under Role Summary, add the TS Web Access role service.
2. Start the Computer Management snap-in.
3. In the left pane on the Computer Management page, under the Local Users and Groups node, select TS Web Access Computers, and add the NYC-TS computer.
4. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.
5. Log on to the site as Woodgrovebank\Administrator by using the password Pa$$w0rd.
6. Add the site to trusted sites.
7. Use the Configuration tab on the title bar to name the terminal server as NYC-TS.

Task 3: Determine if the RemoteApp program is enabled for TS Web Access


1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.
2. In the RemoteApp Programs list, verify that Microsoft Office PowerPoint Viewer 2007 is available through TS Web Access.

Task 4: Create an MSI file


1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.
2. In the RemoteApp Programs list, select the program Microsoft Office PowerPoint Viewer 2007.
3. In the Actions pane, select the option to create the Windows Installer package by using the RemoteApp Wizard.

Task 5: Create a link to the TS RemoteApp program on the terminal server


1. In the TS RemoteApp Manager, in the RemoteApp Programs list, verify that a Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint Viewer.
2. Start Internet Explorer and type the URL as http://NYC-TS/ts.
3. Display the Connect to nyc-ts dialog box, and provide the user credentials as WoodGroveBank\Bernard with password Pa$$w0rd.
4. Add the URL to trusted sites.
5. On 6428A-NYC-TS-05, start the Internet Information Services (IIS) Manager and specify the default Web site as TS.
6. To configure TS Web Access server to allow access from the Internet, verify that Windows Authentication is enabled.

Task 6: Verify that the link is functional and available through the Web browser

1. On 6428A-NYC-WEB-05, verify that you are logged on as WoodgroveBank\Administrator with the password Pa$$w0rd.
2. Start Internet Explorer and type the URL as http://NYC-TS/ts.
3. In the Connect to NYC-TS dialog box, provide the user name as WoodgroveBank\Bernard and password as Pa$$w0rd.
4. Observe that Microsoft Office PowerPoint is listed in the remote application programs list.

Results: After this exercise, you should have installed TS Web Access on the terminal server, created an MSI file for the remote program, created a link to the remote program, and verified that the link is functional through Internet Explorer.

Exercise 2: Customizing TS Web Access by Using WSS


Scenario
The enterprise administrator has tasked you with customizing the TS Web Access Web part to provide a link to Microsoft PowerPoint Viewer and adding the Web part to a WSS Web site. Users from the Finance group should be able to access this link so that they can view the PowerPoint presentation put up by the group.

Exercise Overview
In this exercise, you will create a customized Web part and export it to a WSS Web site. The main tasks for this exercise are as follows: Add a Web Part to a WSS site.

Task 1: Add a Web Part to a WSS site


1. On 6428A-NYC-WEB-05, visit the SharePoint 3.0 Central Administration Web site.
2. Display the authentication dialog box, and connect to the WSS Site http://nyc-web:44341/ as WoodgroveBank\Administrator by using the password Pa$$w0rd.
3. On the Home page of the Central Administration site, click Site Actions, and then select Edit Page from the drop-down list.
4. On the Edit page, under the Resources section, add the Web part as a new link to http://NYC-TS/ts.

Results: After this exercise, you should have added a customized Web part by using TS Web Access, and exported it to a WSS site.

Exercise 3: Configuring TS Session Broker


Scenario
You receive a service request from the enterprise administrator to configure the TS Session Broker role service to manage all the TS Web Access servers in the farm.

Exercise Overview
In this exercise, you will install the TS Session Broker role service and configure the Session Broker settings for servers in a TS farm. The main tasks for this exercise are as follows:
1. Install the TS Session Broker role service.
2. Add each server in the farm to the Session Directory Computers local group.
3. Configure the TS Session Broker settings by using Group Policy.
4. Shut down the virtual machines.

Task 1: Install the TS Session Broker role service


1. On 6428A-NYC-TS-05, start Server Manager.
2. On the Select Role Services page, install the TS Session Broker role service.

Task 2: Add each server in the farm to the Session Directory Computers local group

1. Start the Computer Management snap-in.
2. In the left pane, under Local Users and Groups, select the Session Directory Computers group.
3. In the Select Users, Computers or Groups dialog box, in the Object Type dialog box, add the computer accounts NYC-WEB and NYC-TS.

Task 3: Configure the TS Session Broker settings by using Group Policy


1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in.
2. In the left pane, under the NYC node, create a new GPO named GPO for TS Web Access.
3. In the right pane, on the Settings tab of GPO for TS Web Access, edit the computer configuration.
4. Under the Computer Configuration node, click TS Session Broker, and configure the following settings:
   - Join TS Session Broker policy: Enabled
   - Configure TS Session Broker farm name: Enabled
   - TS Session Broker server name: NYC-TS
   - Use TS session Broker load balancing: Enabled

Task 4: Shut down the virtual machines


Turn off all virtual machines and discard changes.

Results: After this exercise, you should have configured TS Session Broker load balancing for a farm.

Lab Review

Module 6
Configuring and Troubleshooting Terminal Services Gateway
Contents:
Lesson 1: Configuring TS Gateway
Lesson 2: Monitoring and Troubleshooting TS Gateway Connections
Lab: Configuring and Troubleshooting TS Gateway

Module Overview

TS Gateway is a role service that provides access to the terminal servers, computers running RemoteApp programs as well as the computers and servers that have Remote Desktop enabled. By using TS Gateway, remote users can access resources on an internal network with minimum security risks. This module covers configuring the TS Gateway role service as well as monitoring and troubleshooting the TS Gateway connections.

Lesson 1

Configuring TS Gateway

The installation and configuration of TS Gateway has some requirements. For example, you must obtain a trusted Secure Sockets Layer (SSL) certificate for the TS Gateway server to function. In addition, users can connect to internal resources by using TS Gateway only if they meet the conditions specified in a TS Connection Authorization Policy (CAP) or TS Resource Authorization Policy (RAP). By using TS CAPs or RAPs, you can manage the connections made through TS Gateway.

Introduction to TS Gateway

Key Points
TS Gateway uses Remote Desktop Protocol (RDP) tunneled over Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). By using TS Gateway, you can make secure and encrypted connections between users on the Web and the remote production application computers. The connection is made by using port 443. This connection works even if the remote computers are located behind a network address translation (NAT) traversal-based router in a network. The TS Gateway secure remote connection can also be used by TS Web Access. By integrating TS Web Access with TS Gateway, you can ensure transport-level SSL security for all terminal server traffic. Remote users can also access RemoteApp programs through TS Gateway securely.

Note: TS Gateway does not require any additional configuration to provide access to resources behind a firewall in private networks or across NATs.

For more information about the TS Gateway server, see "Terminal Services Gateway (TS Gateway)" on the Microsoft TechNet Web site.

Requirements for TS Gateway

Key Points
To install TS Gateway, you need to be a member of the administrator group on the server. You also need to obtain an SSL certificate from a trusted third party. Alternatively, you can obtain a self-signed certificate. It is recommended that you use HTTPS with a certificate for TS Web Access. You can use the TS Web Access certificate if TS Gateway is installed on the same server as TS Web Access. You can also use wildcard SSL certificates.

In addition, TS Gateway requires some role services and features to be installed and functioning. You can configure the TS Gateway server to use the TS CAPs that are stored on another server running the Network Policy Server (NPS) service. This NPS server can then be used to centrally administer and manage TS CAPs, thus improving the deployment of TS Gateway.

Note: TS Gateway does not require any change in code when routing connections to a TS-based session with Microsoft Windows Server 2003, Microsoft Windows Vista, or Microsoft Windows XP-based computers.

Configuring TS Gateway

Key Points
You can configure TS Gateway by using the Server Manager snap-in. You can use an existing certificate for SSL encryption or create a self-signed certificate. You can also select an option that will allow you to obtain the certificate later.

Note: If you select an existing certificate, only certificates that can be used to authenticate the TS Gateway server with the appropriate Enhanced Key Usage (EKU) will be displayed in the list of certificates.

You need not map a self-signed certificate if you have created it by using:
- The Add Remove Roles Wizard during the installation of the TS Gateway role service
- The TS Gateway Manager after the installation of the TS Gateway role service

Question: When is it recommended to use self-signed certificates?

For more information about configuring TS Gateway, see "Configuring the TS Gateway Core Scenario" on the Microsoft TechNet Web site.

Obtaining Certificates

Key Points
You can generate and submit a certificate request by using various methods depending on the policies and configuration of your organization. It is recommended that you use self-signed certificates for evaluation and testing purposes only. An organization can have the following certificates:
- A stand-alone or enterprise certificate authority (CA)-issued certificate that must be cosigned by a trusted public CA. This CA must participate in the Microsoft Root Certificate Program Members program. You need to install this certificate on the TS Gateway server and then map the certificate.
- A certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program. You need to install this certificate on the TS Gateway server and then map the certificate.
- A self-signed certificate for technical evaluation and testing purposes only. You must install this certificate in the Trusted Root Certification Authorities store on the client computer. You do not need to install this certificate or map it to the TS Gateway server.

Note: The Windows Server 2003 Certificate Services Web enrollment feature depends on an ActiveX control named Xenroll.

Question: Which certificate enables users to connect from home computers and kiosks to a TS Gateway server?

TS Connection Authorization Policies

Key Points
TS CAPs enhance security by regulating access to TS Gateway and are stored on the network policy server. Using these policies, you can specify user groups, and optionally client computer groups, that can connect to the TS Gateway server. You can also specify conditions that a user needs to meet to connect to the server, for example, whether a user should use a password or a smart card to access the server. TS CAPs can be created by using the TS Gateway Manager. Tasks involved in managing TS CAPs include:
- Enabling or disabling TS CAPs
- Modifying or removing a local TS CAP
- Specifying a new central TS CAP
- Evaluating the permissions of the user and computer groups that connect to TS Gateway

You can also use TS CAPs to specify which client device redirection should be enabled or disabled for specific groups. Devices can be disk drives or supported Plug and Play (PnP) devices. The suggested device redirection settings can only be enforced on client computers running Remote Desktop Connection (RDC).

Note: Enforcing device redirection settings on a client cannot provide guaranteed security, even for RDC clients.

For more information about TS CAPs, see "TS Gateway Overview" on the Microsoft TechNet Web site.

TS Resource Authorization Policies

Key Points
TS RAPs allow you to regulate access by specifying the internal network resources that users can connect to through TS Gateway. You can create a computer group and associate it with a TS RAP. You can also create a group of computer accounts in Active Directory and associate it with a TS RAP.

When you associate a TS Gateway-managed computer group with a TS RAP, you can use both the fully qualified domain names (FQDNs) and NetBIOS names by adding them separately to the computer group. When you associate an Active Directory security group to a TS RAP, both FQDNs and NetBIOS computer names are automatically supported, if the computer to which you are connecting is in the same domain as the TS Gateway server. If the client computer is in a different domain from the TS Gateway server, then the FQDN of the client computer needs to be specified. If you want remote users to connect to a computer managed by TS Gateway by using either the computer name or the IP address, then you need to add the computer twice to the computer group: once by the computer name and then by the IP address of the computer.

Tasks involved in managing TS RAPs include:
- Enabling or disabling TS RAPs
- Modifying or removing a local TS RAP
- Specifying the computers that users can connect to through TS Gateway
- Configuring the TS clients to access resources on the network

Note: Remote users should meet the conditions specified in at least one TS CAP and one TS RAP to be able to connect to resources on the internal network through TS Gateway.
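
The following PowerShell model is added here and is not part of the course material or of TS Gateway itself. It works through the rule above: a connection needs at least one matching TS CAP and one matching TS RAP, and a gateway-managed computer group matches only the name form that was entered. The policy objects, function names, the Domain Users group and the IP address 10.10.0.24 are constructed for illustration; treating an Active Directory group as never matching an IP address is an assumption of the model.

```powershell
# Added illustration: a simplified model of the TS CAP / TS RAP decision.
# It is not TS Gateway's code; all names and values are constructed for the lab scenario.

function Test-InAnyGroup($UserGroups, $PolicyGroups) {
    # True when the user belongs to at least one group named in the policy.
    return (@($UserGroups | Where-Object { $PolicyGroups -contains $_ }).Count -gt 0)
}

function Test-Cap($Cap, $User) {
    # TS CAP: who may connect to the gateway, and with which authentication method.
    if (-not $Cap.Enabled) { return $false }
    if (-not (Test-InAnyGroup $User.Groups $Cap.UserGroups)) { return $false }
    return ($Cap.AuthMethods -contains $User.AuthMethod)
}

function Test-RapTarget($Rap, [string]$Target, [string]$GatewayDomain) {
    if ($Rap.GroupType -eq 'GatewayManaged') {
        # Gateway-managed group: an entry matches only the name form that was entered,
        # so FQDN, NetBIOS name and IP address each need their own entry.
        return ($Rap.Computers -contains $Target)
    }
    # Active Directory security group: the FQDN always matches; the NetBIOS name
    # matches only when the computer is in the same domain as the TS Gateway server.
    foreach ($member in $Rap.Members) {
        if ($Target -eq "$($member.Name).$($member.Domain)") { return $true }
        if ($Target -eq $member.Name -and $member.Domain -eq $GatewayDomain) { return $true }
    }
    return $false
}

function Test-Rap($Rap, $User, [string]$Target, [int]$Port, [string]$GatewayDomain) {
    # TS RAP: which internal computers, on which ports, the user may reach.
    if (-not $Rap.Enabled) { return $false }
    if (-not (Test-InAnyGroup $User.Groups $Rap.UserGroups)) { return $false }
    if ($Rap.AllowedPorts -notcontains $Port) { return $false }
    return (Test-RapTarget $Rap $Target $GatewayDomain)
}

function Test-GatewayAccess($Caps, $Raps, $User, [string]$Target, [int]$Port, [string]$GatewayDomain) {
    # Authorized only if at least one CAP and at least one RAP match.
    $capOk = @($Caps | Where-Object { Test-Cap $_ $User }).Count -gt 0
    $rapOk = @($Raps | Where-Object { Test-Rap $_ $User $Target $Port $GatewayDomain }).Count -gt 0
    return ($capOk -and $rapOk)
}

# Constructed sample policies modelled on the lab: HR group, password logon, TCP 3389.
$hr    = 'WOODGROVEBANK\HR'
$baris = @{ Groups = @($hr); AuthMethod = 'Password' }
$caps  = @(@{ Enabled = $true; UserGroups = @($hr); AuthMethods = @('Password') })

$rapManaged = @{ Enabled = $true; UserGroups = @($hr); AllowedPorts = @(3389)
                 GroupType = 'GatewayManaged'; Computers = @('NYC-WEB') }
$rapAd      = @{ Enabled = $true; UserGroups = @($hr); AllowedPorts = @(3389)
                 GroupType = 'ActiveDirectory'
                 Members = @(@{ Name = 'NYC-WEB'; Domain = 'woodgrovebank.com' }) }

# The same computer addressed three ways (the IP address is a constructed value).
foreach ($target in 'NYC-WEB', 'NYC-WEB.woodgrovebank.com', '10.10.0.24') {
    $managed = Test-GatewayAccess $caps @($rapManaged) $baris $target 3389 'woodgrovebank.com'
    $ad      = Test-GatewayAccess $caps @($rapAd)      $baris $target 3389 'woodgrovebank.com'
    '{0,-28} gateway-managed group: {1,-5}  AD security group: {2}' -f $target, $managed, $ad
}

# A user who is not in the HR group is denied by both policies in this model.
$bernard = @{ Groups = @('WOODGROVEBANK\Domain Users'); AuthMethod = 'Password' }
'Bernard -> NYC-WEB: {0}' -f (Test-GatewayAccess $caps @($rapAd) $bernard 'NYC-WEB' 3389 'woodgrovebank.com')
```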

Lesson 2

Monitoring and Troubleshooting TS Gateway Connections

TS Gateway has monitoring capabilities that allow you to view the information about active connections from the TS clients to the internal network resources. Furthermore, the TS Gateway server can be configured to use Network Access Protection (NAP). NAP is a feature of Microsoft Windows Server 2008 that allows administrators to maintain computer health. Although TS Gateway provides these tools to monitor connections and enforce compliance with health requirement policies for network access, you will still need to resolve connectivity issues. You can use the TS Gateway Manager to troubleshoot the TS Gateway connections.

Monitoring Active Connections Through TS Gateway

Key Points
You can use the TS Gateway Manager to monitor the active connections from TS clients to network resources. You can specify the events to be logged, such as successful or unsuccessful connection attempts to an internal network computer through the TS Gateway server. When an event occurs, you can monitor the event by using the Windows Event Viewer.

For more information about monitoring active connections by using the TS Gateway server, see "Monitoring Active Connections Through a TS Gateway Server" on the Microsoft TechNet Web site.

Network Access Protection

Key Points
Configuring TS Gateway to use NAP allows administrators to enforce system health requirements, security update requirements, required computer configurations, and other settings. NAP controls network resources based on the identity of a computer and compliance with corporate governance policy. NAP presents an application programming interface (API) that allows developers to create solutions for validation of health status, limitation of network access or communication, and ongoing compliance. In addition, NAP allows administrators to define granular levels of network access based on the identity of the client, the group the client belongs to, and the degree of compliance with corporate governance policy.

Note: NAP does not prevent authorized users on a compliant computer from uploading a malicious program to the network.

For more information about NAP, see "Network Access Protection" on the Microsoft MSDN Web site.

Demonstration: Configuring Network Access Protection on TS Gateway

Question: Which operating systems are supported as NAP clients when TS Gateway server enforces NAP?

Troubleshooting TS Gateway

Key Points
To ensure that client computers successfully connect through TS Gateway, the TS Gateway server must be configured correctly. You need to ensure that the server is configured to use an appropriate SSL-compatible X.509 certificate, and the TS CAPs and RAPs are correctly configured. In addition, you need to:
- Check the authentication method used for the connection.
- Check the number of simultaneous connections being made.
- Check the traffic of ports used for TS on the firewall.

Question: If you get an error message displaying that the authentication method used by you is not supported, how will you change the authentication settings?

For more information about troubleshooting connections, see "TS Gateway Server Connections" on the Microsoft TechNet Web site.
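
An added PowerShell example, not from the course or from Microsoft, that checks the certificates in the server's Personal store against the certificate points raised in "Configuring TS Gateway", "Obtaining Certificates" and the troubleshooting list above: validity period, matching name (wildcards included), Server Authentication EKU, and self-signed status. It assumes PowerShell 2.0 or later and the lab name NYC-TS.woodgrovebank.com; the function names are hypothetical, and the private-key check is an addition that the page does not mention.

```powershell
# Added example: audit certificates in Local Computer\Personal for use with TS Gateway.
# Assumptions: PowerShell 2.0 or later; $GatewayName is the name clients connect to.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-CertNameMatch([string]$CertName, [string]$HostName) {
    # A wildcard certificate (*.example.com) covers exactly one leftmost label.
    if ($CertName.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        if ($dot -lt 1) { return $false }
        return ($HostName.Substring($dot) -ieq $CertName.Substring(1))
    }
    return ($CertName -ieq $HostName)
}

function Get-GatewayCertIssue {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$GatewayName,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    $issues = @()

    # Validity period: report expired, not yet valid, or close to expiry.
    if ($Now -lt $Certificate.NotBefore) { $issues += 'not yet valid' }
    if ($Now -gt $Certificate.NotAfter) {
        $issues += 'expired'
    } elseif ($Certificate.NotAfter -lt $Now.AddDays($WarnDays)) {
        $issues += "expires within $WarnDays days"
    }

    # The server can only present a certificate whose private key it holds.
    if (-not $Certificate.HasPrivateKey) { $issues += 'no private key on this server' }

    # DNS name from the subject alternative name, falling back to the subject CN.
    # Only the first DNS name is checked.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $dnsName  = $Certificate.GetNameInfo($nameType, $false)
    if (-not (Test-CertNameMatch $dnsName $GatewayName)) {
        $issues += "name '$dnsName' does not match $GatewayName"
    }

    # EKU: if the extension is present it must list Server Authentication.
    # A certificate without an EKU extension is not restricted to particular purposes.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $ServerAuthOid) { $issues += 'EKU does not include Server Authentication' }
    }

    # The page recommends self-signed certificates for evaluation and testing only.
    if ($Certificate.Subject -eq $Certificate.Issuer) { $issues += 'self-signed (evaluation and testing only)' }

    return $issues
}

$GatewayName = 'NYC-TS.woodgrovebank.com'   # lab server name from this page

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issues = @(Get-GatewayCertIssue -Certificate $_ -GatewayName $GatewayName)
    $status = 'OK'
    if ($issues.Count -gt 0) { $status = $issues -join '; ' }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Status     = $status
    }
} | Format-List Subject, NotAfter, Thumbprint, Status
```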

Lab: Configuring and Troubleshooting TS Gateway

Overarching Scenario
The enterprise administrator of Woodgrove Bank wants you to configure TS Gateway so that remote users in the HR group can securely access the internal network resources of the organization. You need to install the TS Gateway role on the terminal server and create the connection and resource authorization policies for the HR group.

Exercise 1: Configuring and Monitoring TS Gateway


Scenario
You need to install the TS Gateway role service on the terminal server and install a self-signed certificate for the TS Gateway to function. You also need to create a CAP and a RAP for the HR group so that the members of the HR group are able to access the computers existing in the HR group.

Exercise Overview
In this exercise, you will install and configure the TS Gateway server role on the terminal server and create a CAP and a RAP for the HR group. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Gateway role.
3. Install the certificate.
4. Create a CAP for the HR group.
5. Select the pre-configured Active Directory Security group HR.
6. Create a RAP for the HR group.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-05 and log on as Administrator by using the password Pa$$w0rd.

Task 2: Install the TS Gateway role


1. On 6428A-NYC-TS-05, start Server Manager and install the TS Gateway role service.
2. On the Select Roles Services page, select the options to configure the server authentication certificate for SSL encryption and the authorization policies for TS Gateway later.

Task 3: Install the certificate


1. Start TS Gateway Manager and, under NYC-TS, create a self-signed certificate for SSL encryption.
2. Specify the certificate name as NYC-TS.WOODGROVEBANK.COM.
3. Specify the certificate location as c:\certificate\NYC-TS.cer.
4. Start the Certificates snap-in by using the MMC command.
5. On the File menu, select Add/Remove Snap-in.
6. Import the certificate from c:\certificate\NYC-TS.cer by using the Certificate Import Wizard.
7. Start the TS Gateway Manager, and on the properties page of NYC-TS, install the certificate for NYC-TS.woodgrovebank.com.

Task 4: Create a CAP for the HR group


1. In the TS Gateway Manager, under NYC-TS, create a new connection authorization policy named TS CAP.
2. On the Requirements tab, under Supported Windows authentication methods, verify that Password is selected.
3. Add a group HR, and enable device redirection for all client devices for the group.

Task 5: Select the pre-configured Active Directory Security group HR


1. Start Active Directory Users and Computers and select the HR group for WoodgroveBank.com.
2. Select NYC-TS as the Object Type for Computers.

Task 6: Create a RAP for the HR group


1. On 6428A-NYC-TS-05, start the TS Gateway Manager and create a Resource Authorization Policy named TS RAP.
2. Add the user group HR and, on the Computer Group tab, verify that Select an existing Active Directory security group is selected.
3. Select the group HR and, on the Allowed Ports tab, verify that Allow connections only through TCP port 3389 is selected.

Results: After this exercise, you should have installed the TS Gateway Server role service and created a TS CAP and TS RAP for the HR group.

Exercise 2: Troubleshooting the TS Gateway Connections


Scenario
You receive a service request from the Help Desk that a user, Baris, is unable to connect to the network using TS Gateway. You need to verify that the TS Gateway Server certificate has not expired. You also need to verify that the TS Gateway configuration is correct. In addition, you need to check that the user exists in the HR group, which can access the TS Gateway Server. An additional service request is to add Bernard to the HR group.

Exercise Overview
In this exercise, you need to verify that the TS Gateway server certificate has not expired. You also need to check the TS CAP and RAP for the HR group. In addition, you need to verify the existence of the user Baris in the HR group and add a new user Bernard to the HR group. The main tasks for this exercise are as follows:
1. Verify that the TS Gateway Server certificate has not expired.
2. Verify that the TS CAP is accurate.
3. Verify that the TS RAP is accurate.
4. Verify that the user Baris exists in the HR group.
5. Add Bernard to the HR group.
6. Verify that the TS RAP is functional.
7. Shut down the virtual machines.

Task 1: Verify that the TS Gateway Server certificate has not expired

1. On 6428A-NYC-TS-05, in the TS Gateway Manager, in the properties page of NYC-TS, on the SSL Certificate tab, verify that Select an existing certificate for SSL encryption (recommended) is selected.
2. Install the certificate for NYC-TS.woodgrovebank.com.
3. Verify that the certificate has not expired.

Task 2: Verify that the TS CAP is accurate


1. In the Server Manager, under NYC-TS, in Connection Authorization Policies, select TS CAP policy.
2. In the properties page of TS CAP, verify that the policy is enabled.
3. Verify that the authentication method for Windows is Password.
4. Verify that WOODGROVEBANK\HR group exists.
5. Verify that Device redirection for all client devices is selected.

Task 3: Verify that the TS RAP is accurate


1. In the Server Manager, under NYC-TS, in Resource Authorization Policies, select TS RAP policy.
2. In the TS RAP Policy Properties page, verify that the policy is enabled.
3. Verify that WOODGROVEBANK\HR group exists.
4. Under Select an existing Active Directory security group, verify that WOODGROVEBANK\HR exists.
5. On the Allowed Ports tab, verify that Allow connections only through TCP port 3389 is selected.

Task 4: Verify that the user Baris exists in the HR group


1. On 6428A-NYC-DC1-06, start Active Directory Users and Computers.
2. Under WoodgroveBank.com, select the HR Security group.
3. In the properties of the HR security group, verify that the user Baris Cetinok exists.

Task 5: Add Bernard to the HR group


1. In the Active Directory Users and Computers snap-in, under WoodgroveBank.com, verify Users is selected.
2. In the properties of HR security group, add a user Bernard Duerr.

Task 6: Verify that the TS RAP is functional


1. Install the certificate NYC-TS.cer from \\NYC-TS\certificate by using the Certificate Import Wizard.
2. Open a remote connection by using the MSTSC command.
3. In Remote Desktop Connection, configure these TS Gateway Server settings:
   - Server name: NYC-TS.woodgrovebank.com
   - Logon method: Ask for password (NTLM)
4. Connect to NYC-TS as Woodgrovebank\Baris with the password Pa$$w0rd.

Task 7: Shut down the virtual machines


1. Turn off 6428A-NYC-DC1-06 virtual machine and discard undo disk.
2. Turn off 6428A-NYC-TS-05 virtual machine and discard changes.

Results: After this exercise, you should have verified that the configuration of TS Gateway is correct and the user Baris exists in the HR group. In addition, you should have added a new user Bernard to the HR group.

Lab Review

Module 7
Managing and Monitoring Terminal Services
Contents:
Lesson 1: Methods for Managing and Monitoring TS
Lesson 2: Configuring Windows System Resource Manager for TS
Lab: Managing and Monitoring TS

Module Overview

As an administrator using Microsoft Windows Server 2008 TS, you need to manage and monitor TS connections to ensure smooth transactions between the terminal server and the client computers. This module introduces the tasks involved in managing TS connections. It also describes some of the tools used to monitor TS connections.

Additionally, you can use Windows System Resource Manager (WSRM) to manage server processor resources and memory usage. This module introduces the features of WSRM and how to configure WSRM.

Lesson 1

Methods for Managing and Monitoring TS

To manage the TS connections, you need to perform tasks such as remotely controlling user sessions and resetting connections. The TS connections can be monitored by using tools such as the TS Gateway Manager and the Performance and Reliability Monitor. Besides managing and monitoring TS connections, you will also need to perform troubleshooting steps to resolve client connectivity issues. These issues can be resolved by reviewing the errors in the Event Viewer.

Managing the TS Connections

Key Points
To remotely manage the TS connections, you need to be a member of the administrators group. You can enable, disable, rename, or delete the TS connections.

Note: It is a security best practice to manage TS connections by using the Run as command through the user interface or at the command prompt, instead of logging on with administrator credentials.

Question: When logged on as an administrator, which setting will you use to remotely interact with a user's session?

For more information about managing connections, see "Manage Terminal Services Connections" on the Microsoft TechNet Web site.

Monitoring the TS Connections

Key Points
You can use the TS Gateway Manager to audit specific events such as the unsuccessful attempts to connect to the TS Gateway server by the client. These events can then be monitored by using the Event Viewer. You can monitor the TS Web Access outbound traffic by using the Microsoft Internet Security and Acceleration (ISA) Server Management tool, and check the ISA Server log to determine which rule is denying the outbound traffic to the Internet.

The Performance and Reliability Monitor provides the following new features in Windows Server 2008:
- A data collector set that groups portable data collectors used with different performance monitoring scenarios
- The Resource View that provides an enhanced view of the CPU, disk, network, and memory usage
- The Reliability Monitor that helps you to diagnose potential causes of the instability of the system

For more information about monitoring methods, see "Troubleshooting Web Access for Internal Clients," "Windows Server "Longhorn" Performance and Reliability Monitoring Step-by-Step Guide," and "Introducing Microsoft System Center Operations Manager 2007" on the Microsoft TechNet Web site.

Discussion: Troubleshooting the Client Connectivity Issues

For more information about troubleshooting client connectivity issues, see "TS Gateway Server Connections" on the Microsoft TechNet Web site.

Lesson 2

Configuring Windows System Resource Manager for TS

With WSRM, you can manage your resources such that all resources are provided evenly to all processes. Alternatively, you can make resources available to high-priority services, applications, or users.

Introduction to Windows System Resource Manager

Key Points
The condition for WSRM to function is that the combined processor load should be greater than 70%. In case of a conflict among processor resources, resource allocation policies are used to ensure minimum resource availability. This availability is based on the management profile defined by the administrator.

Question: You want to troubleshoot a processor resource problem. Which tool in WSRM can you use to view the usage of hardware resources and the activity of system services on the computer?

For more information about WSRM, see "Terminal Services and Windows System Resource Manager" on the Microsoft TechNet Web site.

Features of Windows System Resource Manager

Key Points
WSRM can be used to collect resource usage data from multiple servers and store it on a single computer running WSRM.

The benefits of using WSRM are:
- Improved availability of services on a single server through dynamically managed resources
- Improved accessibility of the system for high-priority users or administrators during maximum resource load

For more information about the features of WSRM, see "Overview of Windows System Resource Manager" on the Microsoft TechNet Web site.

Configuring Windows System Resource Manager

Key Points
Equal_Per_Session is the new and recommended resource allocation policy for configuring WSRM in Windows Server 2008 TS.

While monitoring the performance of the terminal server, it is also recommended that you collect data before and after implementing the Equal_Per_Session resource allocation policy.

There are some applications and processes that dynamically change their own memory limits. As a best practice, you should not specify the memory limits in WSRM for such applications and processes. You must also note that excessive limitation of memory for an application can slow down the working of the application and increase disk usage.

Question: You want to set a limit on the memory used by the different processes on a system. Which feature of WSRM will help you do this?

For more information about configuring WSRM using resource allocation policies, see "Creating Resource Management Policies" and "Working with Resource Allocation Policies" on the Microsoft TechNet Web site.


Lab: Managing and Monitoring TS

Overarching Scenario
You receive a service request from the Network Operations Center (NOC) claiming that there is an overload of resource utilization. Therefore, you have been asked to configure the NOC technicians' client computers to connect to TS through TS Gateway and manage these connections.

The enterprise administrator has also tasked you with installing WSRM on the TS. You need to configure WSRM to monitor the performance of the terminal server. You are also required to configure the resource allocation policies.


Exercise 1: Managing the TS Connections


Scenario
You are required to configure the NOC technician's client computer for a TS Gateway connection. To manage the remote connections, you have been asked to log off, disconnect, and reset all TS connections for your TS Gateway server. You also need to verify that the NOC technician's computer is properly configured by remotely controlling the user session.

Exercise Overview
In this exercise, you will configure the TS Gateway settings on the client computer. You will then disconnect the NOC technician's computer and reset the connection. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator.
2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.
3. Configure the TS Gateway settings on the client.
4. Manage the TS connections on the terminal server.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-07 and log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.

Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan


Start 6428A-NYC-WEB-05, switch the user and log on as Susan who belongs to the NOC Department using the password pass@word1.

Task 3: Configure the TS Gateway settings on client


1. To configure TS Gateway on 6428A-NYC-WEB-05, start Remote Desktop Connection.
2. Configure the following settings in Options:
   • TS Gateway server name as NYC-TS.Woodgrovebank.com
   • Logon method as Ask for password (NTLM)
   • Logon settings as NYC-TS
3. Connect to the terminal server NYC-TS.
4. Log on as Woodgrovebank\Susan with the password pass@word1.

Task 2: Manage the TS connections on the terminal server


1. Log off all TS Gateway connections on 6428A-NYC-TS-07 by using Terminal Services Manager.
2. Disconnect all TS Gateway connections.
3. Reset all TS Gateway connections.

Results: After this exercise, you should have configured the TS Gateway settings on the client and managed the TS connections remotely.


Exercise 2: Monitoring the TS Connections


Scenario
You receive a request from the enterprise administrator asking you to configure the TS connections. As an administrator, you need to limit the number of TS connections to 2. You also need to configure the refresh option of the connection. These settings will help you monitor the TS connections. In addition, you also need to specify the events to be logged for the TS Gateway connections.

Exercise Overview
In this exercise, you need to monitor TS connections by using the TS Gateway Manager and specify the TS Gateway events to be logged. The main tasks for this exercise are:
1. Connect to the remote computer.
2. Monitor TS Gateway.
3. Specify the TS Gateway events to be logged.

Task 1: Connect to the remote computer


1. Connect to 6428A-NYC-TS-07 by using Remote Desktop Connection on 6428A-NYC-WEB-05.
2. Log on as Woodgrovebank\Susan using the password pass@word1.

Task 2: Monitor TS Gateway


1. On 6428A-NYC-TS-07, start TS Gateway Manager.
2. On the NYC-TS node, monitor Susan's session.
3. Edit the connection by using the NYC_TS Properties dialog box.
4. Limit the maximum number of simultaneous connections to 2.
5. On the Actions panel, set the Automatic Refresh Options to 0:30:20.
6. Disconnect Susan's connection.

Task 3: Specify the TS Gateway events to be logged


1. On the TS Gateway Manager snap-in, in the NYC-TS Properties dialog box, select the events to be audited for the TS Gateway server.
2. View the events in the Event Viewer.

Results: After this exercise, you should have monitored the TS Gateway connections and specified the events to be logged for TS Gateway.


Exercise 3: Configuring WSRM for TS


Scenario
You receive a service request from the enterprise administrator to install and configure WSRM for Terminal Services. You are asked to monitor the Equal_Per_Session resource allocation policy for TS. After observing the performance and generating a report for the per session policy, you need to implement the Equal_Per_User policy on TS.

Exercise Overview
The main tasks for this exercise are as follows:
1. Install WSRM on TS.
2. Configure the TS resource allocation policy for per session.
3. Monitor TS performance by using Resource Monitor.
4. Configure the TS resource allocation policy for per user.
5. Shut down the virtual machines.

Task 1: Install WSRM on TS


1. Start Server Manager on 6428A-NYC-TS-07, under Features Summary, select Windows System Resource Manager.
2. Install WSRM by using the wizard.
3. Open the Windows System Resource Manager snap-in.
4. In the Connect to computer dialog box, select This computer.

Task 2: Configure the TS resource allocation policy for per session


In the Windows System Resource Manager snap-in, under the Resource Allocation Policies node, implement the per session resource-allocation policy.

Task 3: Monitor TS performance using Resource Monitor


1. In the Windows System Resource Manager snap-in, display the Resource Monitor.
2. Review the performance data.
3. Display the Properties dialog box, and change the Graph to Report.
4. In the Windows System Resource Manager Properties dialog box, configure the e-mail notification options as administrator@woodgrovebank.com.
5. Use the SMTP server NYC-TS.woodgrovebank.com.
6. Select two or more events under the Error, Warning, and Information nodes.

Task 4: Configure the TS resource allocation policy for per user


On the Windows System Resource Manager snap-in, under the Resource Allocation Policies node, implement the per user resource-allocation policy.

Task 5: Shut down the virtual machines


Turn off each virtual machine that is running and discard changes.

Results: After this exercise, you should have configured WSRM, configured the resource allocation policies, and monitored the TS performance by using the Resource Monitor.


Lab Review


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Configuring Terminal Services Core Functionality

Lab: Configuring TS Core Functionality


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Installing and Configuring the TS Server Role Service
Exercise 2: Configuring the TS Settings

Logon Information:
Virtual Machine 1: 6428A-NYC-DC1-01
Virtual Machine 2: 6428A-NYC-TS-01
User Name: Administrator/Baris
Password: Pa$$w0rd

Estimated time: 65 minutes

Exercise 1: Installing and Configuring the TS Server Role Service


Exercise Overview
In this exercise, you will install and configure the TS core functionality at the New York head office. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator.
2. Install the TS server role service.
3. Configure authentication on the terminal server.
4. Configure the default credentials to be used on the terminal server.
5. Create a .rdp file and configure custom display.
6. Enable ClearType and Font smoothing.
7. Enable support for PnP redirection.
8. Install and configure WSRM.
9. Install the Desktop Experience.
10. Remotely connect to TS by using RDC.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool. Wait for the virtual machine to start. The Recent Events section will display the messages of the events.
2. Log on with the default login ID WOODGROVEBANK\Administrator and the password Pa$$w0rd, and then click Go. The Server Manager snap-in is displayed.


Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear before starting the 6428A-NYC-TS-01 virtual machine. If the virtual machine is not properly shut down, the Shutdown Event Tracker dialog box will be displayed. Select the Security issue option from the drop-down list and click OK.

3. Start 6428A-NYC-TS-01 using the Lab Launcher tool.
4. Log on with the ID WOODGROVEBANK\administrator and password Pa$$w0rd. The Server Manager snap-in is displayed.
5. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, click Active Directory Users and Computers.
6. In the left pane, click the WoodgroveBank.com node, click Computers, and verify that NYC-TS is displayed in the right pane.

Task 2: Install the TS server role service


1. On 6428A-NYC-TS-01, in Server Manager, in the left pane, right-click Roles, and then click Add Roles.
2. In the Add Roles Wizard, on the Before You Begin page, click Next.
3. On the Select Server Roles page, under Roles list, select the Terminal Services check box, and then click Next.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, select the Terminal Server check box, and then click Next.
6. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
7. On the Specify Authentication Method for Terminal Server page, select the Require Network Level Authentication option, and then click Next.
8. On the Specify Licensing Mode page, select Per User, and then click Next.
9. On the Select User Groups Allowed Access To This Terminal Server page, click Add.
10. In the Select Users, Computers, or Groups dialog box, verify that the From this location box has WoodgroveBank.com.
11. In the Enter the object names to select (examples) box, type NYC_MarketingGG, click Check Names, click OK, and then click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
14. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close.
15. On the Add Roles Wizard message box, click Yes to restart the server.
16. After the server restarts and you log on to the computer as WOODGROVEBANK\Administrator and password Pa$$w0rd, the Resume Configuration Wizard is displayed. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
17. Observe that the installation of the Terminal Services has succeeded.
18. Click Close.
19. On the Server Manager link, scroll down to the Roles Summary section, click the Terminal Services link.
20. On the Terminal Services page, scroll down to System Services section, and confirm that the Status for TS is Running. In the Role Services section, confirm that the Status for TS is Installed.
21. Close the Server Manager.


Task 3: Configure authentication on the terminal server


1. Start the Terminal Services Configuration snap-in on 6428A-NYC-TS-01. Click Start, click Run, in the Open box type tsconfig.msc, and then click OK.
2. On the Terminal Services Configuration page, in the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security layer box, select SSL (TLS 1.0) from the drop-down list box, and then click OK.

Task 4: Configure the default credentials to be used on the terminal server


1. On 6428A-NYC-TS-01, open the Local Group Policy Editor by using the gpedit.msc command. Click Start, in the Start Search box, type gpedit.msc, and then press ENTER.
2. In the left pane, under the Computer Configuration node, open the Administrative Templates folder, then open the System folder, and then open the Credentials Delegation folder.
3. In the right pane, under Setting, double-click Allow Delegating Default Credentials.
4. In the Allow Delegating Default Credentials Properties dialog box, on the Setting tab, click Enabled, and then click Show.
5. In the Show Contents dialog box, click Add to add servers to the list.
6. In the Add Item dialog box, in the Enter the item to be added box, type NYC-TS, and then click OK.
7. Click OK to close the Show Contents dialog box.
8. In the Allow Delegating Default Credentials Properties dialog box, click OK.
9. Close the Local Group Policy Editor.

Task 5: Create a .rdp file and configure custom display


1. To create the .rdp file, click Start, click Administrative Tools, click Terminal Services, and then click TS RemoteApp Manager.
2. On the TS RemoteApp Manager page, in the Actions pane, click Add RemoteApp Programs, and then click Next.
3. In the RemoteApp Wizard page, select the Remote Desktop Connection check box, and click Next.
4. In the Review Settings page, click Finish.
5. In TS RemoteApp Manager, scroll down to RemoteApp Programs, click Remote Desktop Connection, and then click Create .rdp file to display the RemoteApp Wizard page.
6. In the RemoteApp Wizard page, click Next.
7. Under the Specify Package Settings, verify the location of package is C:\Program Files\Packaged Programs, click Next.
8. In the Review Settings page, click Finish.
9. To configure the custom display, click Start, click Computer, and browse to C:\Program files\Packaged Programs\mstsc.rdp.
10. Right-click the mstsc.rdp file, click Open With, double-click Other Programs, and then select Notepad.
11. Click OK.
12. At the bottom of the mstsc.rdp file, type desktopwidth:i:1680. Press ENTER. Then type desktopheight:i:1050. Press ENTER. Then type Span:i:1.
13. Click File, and then click Save.
14. Close the mstsc.rdp file.
15. Close Packaged Programs.
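The lines typed in Notepad in this task follow the .rdp layout name:type:value, and a mistyped character there fails silently. The following added example (not part of the course material) parses that layout and checks the three settings this task adds; the function names and the sample file content are constructed for illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not course code: verify the settings typed into mstsc.rdp in this task.
# Each .rdp setting is one line of the form  name:type:value
# (type i = integer, s = string, b = binary).

# Names and values exactly as this task types them.
$Expected = [ordered]@{
    'desktopwidth'  = '1680'
    'desktopheight' = '1050'
    'Span'          = '1'
}

function ConvertFrom-RdpText {
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        if ($line.Trim() -eq '') { continue }
        # Split on the first two colons only; values such as C:\... contain colons.
        $parts = @($line -split ':', 3)
        $problem = $null
        if ($parts.Count -ne 3) {
            $problem = 'Not in name:type:value form'
        } elseif ('i', 's', 'b' -notcontains $parts[1]) {
            $problem = 'Unknown type letter'
        } elseif ($parts[1] -eq 'i' -and $parts[2] -notmatch '^-?\d+$') {
            $problem = 'Integer setting has a non-numeric value'
        }
        [pscustomobject]@{
            Line    = $lineNo
            Name    = $parts[0]
            Type    = $parts[1]
            Value   = $parts[2]
            Problem = $problem
        }
    }
}

function Test-RdpLabSettings {
    param([object[]]$Entries)
    foreach ($name in $Expected.Keys) {
        # -eq compares strings case-insensitively (a choice of this example).
        $found = @($Entries | Where-Object { $_.Name -eq $name })
        if ($found.Count -eq 0)      { $status = 'Missing' }
        elseif ($found.Count -gt 1)  { $status = 'Duplicate' }
        elseif ($found[0].Problem)   { $status = $found[0].Problem }
        elseif ($found[0].Value -ne $Expected[$name]) { $status = 'Unexpected value' }
        else                         { $status = 'OK' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Status   = $status
        }
    }
}

# Constructed sample content (note the letter O typed instead of a zero).
# On the lab machine, read the real file instead:
#   $lines = Get-Content 'C:\Program Files\Packaged Programs\mstsc.rdp'
$lines = @'
full address:s:NYC-TS
alternate shell:s:C:\Windows\System32\mstsc.exe
desktopwidth:i:1680
desktopheight:i:105O
Span:i:1
'@ -split '\r?\n'

$entries = ConvertFrom-RdpText -Lines $lines
Test-RdpLabSettings -Entries $entries | Format-Table -AutoSize
```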

Task 6: Enable ClearType and Font smoothing


1. Click Start, click Control Panel, and then in the left panel, click Control Panel Home.
2. In Control Panel, click the Appearance and Personalization link.
3. Under Personalization, click Change the color scheme.


4. On the Appearance Settings page, on the Appearance tab, click Effects, and then select the Use the following method to smooth edges of screen fonts check box.
5. Verify that ClearType is selected by default, and then click OK twice.
6. Close the Control Panel\Appearance and Personalization screen.
7. Click Start, point to All Programs, click Accessories, and then click Remote Desktop Connection.
8. In the Remote Desktop Connection dialog box, click Options.
9. In the Remote Desktop Connection dialog box, click the Experience tab, in the Performance section, select the Font smoothing check box.

Task 7: Enable support for PnP redirection


1. In the Remote Desktop Connection dialog box, on the Local Resources tab, under Local devices and resources section, click More.
2. Under Local devices and resources, expand the Supported Plug and Play devices node.
3. Select the Devices that I plug in later check box, and then click OK.
4. Close the Remote Desktop Connection dialog box.

Task 8: Install and configure WSRM


1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.
3. In the wizard, on the Select Features page, scroll down and select the Windows System Resource Manager check box. The Add Features Wizard message box is displayed informing you that Windows Internal Database also needs to be installed for Windows System Resource Manager (WSRM) to work properly.
4. Click Add Required Features, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
7. On the Installation Results page, confirm that the installation of Windows Internal Database and WSRM succeeded, and then click Close.
8. To start the WSRM snap-in, click Start, point to Administrative Tools, and then click Windows System Resource Manager. The WSRM snap-in is displayed.
9. In the Connect to computer dialog box, under Administer, verify that This Computer is selected, and then click Connect. This will enable WSRM to administer the local computer.
10. Close WSRM [Windows System Resource Manager (local)].

Task 9: Install the Desktop Experience


1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.
3. In the wizard, on the Select Features page, select the Desktop Experience check box, and then click Next.
4. On the Confirm Installation Selections page, observe the message that the server must be restarted after the installation of the Desktop Experience completes, and then click Install.
5. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.


6. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close.
7. On the Add Features Wizard message box, click Yes to restart the server.
8. After the server restarts and you log on to the computer as WOODGROVEBANK\Administrator with password Pa$$w0rd, the Resume Configuration Wizard is displayed. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
9. Observe that the installation of the Desktop Experience has succeeded.
10. Click Close.
11. Close the Server Manager.

Task 10: Remotely connect to TS by using RDC


1. On 6428A-NYC-DC1-01, open the Remote Desktop Connection. Click Start, and then type mstsc in the Start Search box, and then press ENTER.
2. In the Remote Desktop Connection dialog box, in the Computer box, verify that NYC-TS is displayed by default, and then click Connect. The Windows Security dialog box is displayed.
3. In the Windows Security dialog box, click Use another account.
4. In the User name box, type WOODGROVEBANK\Baris.
5. In the Password box, type Pa$$w0rd, and then click OK. The Remote Control screen is displayed.
6. Close the remote connection. The Disconnect Terminal Services Session confirmation message box is displayed. Click OK.

Result: After this exercise, you should have installed and configured the TS server role service.

Exercise 2: Configuring the TS Settings


In this exercise, you will configure TS settings and the session broker settings.

Exercise Overview
The main tasks for this exercise are as follows:
1. Specify the program to start when user logs on to a remote session.
2. Configure the TS settings by using the Terminal Services Configuration snap-in.
3. Modify the default permissions for built-in accounts.
4. Configure the Session Broker settings.
5. Shut down the virtual machines.

Task 1: Specify the program to start when user logs on to a remote session
1. Log on to 6428A-NYC-TS-01.
2. Start Terminal Services Configuration on 6428A-NYC-TS-01. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
3. In the Terminal Services Configuration snap-in, in the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
4. In the RDP-Tcp Properties dialog box, click the Environment tab, under Initial program area, click Start the following program when the user logs on option. In Program path and file name box, type C:\Program Files\Packaged Programs\wordpad, and then click OK.


Task 2: Configure the TS settings by using the Terminal Services Configuration snap-in
1. In Terminal Services Configuration NYC-TS, in the middle panel, under the Edit Settings area, under the General section, double-click the Delete Temporary folders on exit option. The Properties dialog box is displayed.
2. On the General tab, verify that the following check boxes are selected:
   • Restrict each user to a single session
   • Delete Temporary folders on exit
   • Use Temporary folders per session
   Then click OK.
3. Close Terminal Services Configuration.

Task 3: Modify the default permissions for built-in accounts


1. Click Start, click Run and type wmimgmt.msc, and press ENTER.
2. In the Root tree, right-click WMI Control (Local), and then click Properties.
3. In the WMI Control (Local) Properties dialog box, click the Security tab, click Security.
4. In the Security for Root dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select (Examples) box, type Baris, and then click Check Names. Click OK.
6. Under Permissions for Baris Cetinok, select the Allow check box for the Read Security permission, and then click OK.
7. Click OK to close WMI Control.

Task 4: Configure the Session Broker Settings


1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the middle pane, in the Edit settings area, scroll down to the TS Session Broker section, double-click Member of farm in TS Session Broker.
3. In the Properties page, on the TS Session Broker tab, select the Join a farm in TS Session Broker check box.
4. In the TS Session Broker server name or IP address box, type NYC-TS.
5. In the Farm name in TS Session Broker box, type WoodgroveBank.
6. Select the Participate in Session Broker Load-Balancing check box.
7. Verify that the Use IP address redirection (recommended) check box is enabled.
8. Select the IP address 10.10.0.23 check box, and then click OK. The Terminal Services Configuration dialog box is displayed. Click Yes.
9. Close Terminal Services Configuration.

Task 5: Shut down the virtual machines


1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.


Module 3: Configuring and Troubleshooting Terminal Services Connections

Lab: Configuring and Troubleshooting TS Connections


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring the TS Connection Properties
Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy
Exercise 3: Configuring SSO by Using Client Group Policy
Exercise 4: Troubleshooting Connectivity Issues

Logon Information:
Virtual Machine 1: 6428A-NYC-DC1-01
Virtual Machine 2: 6428A-NYC-TS-03
User Names: Administrator/Bernard/Baris/Anton/Monika/Dana
Password 1: Pa$$w0rd
Password 2: Pass@word1

Estimated time: 70 minutes

Exercise 1: Configuring the TS Connection Properties


Exercise Overview
In this exercise, you will configure the TS connection properties by using the Terminal Services Configuration snap-in. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Configure the TS connection properties by using the Terminal Services Configuration snap-in.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool. The login ID is displayed as WOODGROVEBANK\Administrator.
2. Log on by using the password Pa$$w0rd, and then press ENTER.

Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.


3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd, and then press ENTER. The Server Manager page is displayed by default.
5. On 6428A-NYC-TS-03, verify that TS is installed on this virtual machine by performing the following steps:
   • In the Server Manager, scroll down to the Roles Summary section, click the Terminal Services link.
   • On the Terminal Services page, under System Services section, verify that the Status of Terminal Services is shown as Running.
   • Under the Role Services section, verify that the Status of Terminal Server is shown as Installed.
   • Close the Server Manager console.

Task 2: Configure the TS connection properties by using the Terminal Services Configuration snap-in
1. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. Verify the remote control setting as follows:
   a. In the middle pane, in the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
   b. In the RDP-Tcp Properties dialog box, click the Remote Control tab and verify that the Use remote control with default user settings option is selected.
3. To configure connection permissions:
   a. In the RDP-Tcp Properties dialog box, click the Security tab. The Terminal Services Configuration message box is displayed.
   b. Click OK.
   c. Click the Advanced button below the Permissions for SYSTEM section. The Advanced Security Settings for RDP-Tcp dialog box is displayed.
   d. On the Permissions tab, in the Permission entries list, select the record for Baris Cetinok, and then click the Edit button. The Permission Entry for RDP-Tcp dialog box is displayed.
   e. On the Object tab, in the Permissions list, select the Deny check box for the Disconnect permission, and then click OK.
   f. In the Advanced Security Settings for RDP-Tcp dialog box, on the Permissions tab, in the Permission entries list, select the record for Bernard Duerr, and then click Edit. The Permission Entry for RDP-Tcp dialog box is displayed.
   g. On the Object tab, in the Permissions list, verify that the Allow check boxes for all permissions are selected, and then click OK.
   h. In the Advanced Security Settings for RDP-Tcp dialog box, on the Permissions tab, in the Permissions entries list, select the record for Anton Kirilov, and then click Edit.
   i. On the Object tab, in the Permissions list, select the Allow check box for the Disconnect permission and the Deny check box for the logon permission. A Windows Security Warning dialog box appears. Click Yes.
   j. Click OK to close the RDP-Tcp Properties dialog box.
4. Close the Terminal Services Configuration snap-in.

Results: After this exercise, you should have configured the connection properties.


Exercise 2: Configuring the TS Connection Properties by Using Server Group Policy


Exercise Overview
In this exercise, you will configure the TS connection properties by using Group Policy. The main tasks for this exercise are as follows:
1. Configure the TS connection properties.
2. Verify that a maximum of two clients can connect to the terminal server.

Task 1: Configure the TS connection properties


1. To open the Group Policy Management snap-in on 6428A-NYC-DC1-01, click Start, click Run and in the Open box type gpmc.msc, and then click OK.
2. In the Group Policy Management snap-in, ensure Forest: WoodgroveBank.com, Domains are expanded, WoodgroveBank.com, NYC nodes, then right-click Marketing, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box that is displayed, type the name of the policy as GPO for TS Connection, and then click OK.
4. On the Marketing node, right-click the GPO for TS Connection link, and then click Edit.
5. In the Group Policy Management Editor page, under the Computer Configuration node, expand Policies, expand Administrative Templates, expand Windows Components, click Terminal Services, and under the Terminal Server node, click Connections.
6. In the right pane, under Setting, double-click Limit number of connections.
7. In the Limit number of connections properties dialog box, on the Setting tab, select Enabled, in the TS Maximum Connections allowed box, select 2, and then click OK.
8. In the right pane of the Group Policy Management Editor snap-in, under Setting, double-click Automatic reconnection.
9. In the Automatic reconnection Properties dialog box, select Enabled, and then click OK.
10. In the left pane of the Group Policy Management Editor snap-in, under Terminal Services node, expand the Terminal Server node, and then click Security.
11. In the right pane of the Group Policy Management Editor snap-in, under Setting, double-click Set client connection encryption level.
12. In the Set client connection encryption level Properties dialog box, select Enabled.
13. From the Encryption level drop-down list, verify that Client Compatible is selected, and then click OK.
14. In the left pane, under Terminal Services node, click Terminal Server, and then click Session Time Limits.
15. In the right pane, double-click Set time limit for disconnected sessions.
16. In the Set time limit for disconnected sessions Properties dialog box, select Enabled.
17. In the End a disconnected session box, select 5 minutes from the drop-down list, and then click OK.
18. Close the Group Policy Management Editor page.
19. Close the Group Policy Management snap-in.

Note: Before performing the next tasks, update Group Policy by using the gpupdate /force command at the command prompt of NYC-DC1.


Task 2: Verify that a maximum of two clients can connect to the terminal server
1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc, and then click OK.
2. In the Remote Desktop Connection dialog box, verify that the Computer box displays Nyc-ts, and then click Connect.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:
   a. Open Control Panel.
   b. Double-click the Network and Sharing Center icon.
   c. Verify whether NYC-DC1 is connected to Unidentified network. Check the status of the Local Area Connection.
   d. In the Network and Sharing Center window, under Tasks, click Manage network connections.
   e. In the Network Connections window, right-click Local Area Connection, and then click Disable. Then right-click Local Area Connection, and click Enable.
   f. Close the Network Connections window.
   g. In the Network and Sharing Center window, check whether NYC-DC is connected to WoodgroveBank.com.

3. In the Windows Security dialog box, click Use another account.
4. Log on with the login ID WOODGROVEBANK\Baris using the password Pa$$w0rd, and then press ENTER.
5. Minimize the Nyc-ts Remote Desktop connection.
6. To log on as the second user, click Start, click Run, in the Open box type mstsc, and then click OK.
7. In the Remote Desktop Connection dialog box, verify that the Computer is Nyc-ts, and then click Connect.
8. In the Windows Security dialog box, click Use another account.
9. Log on as WOODGROVEBANK\Bernard with the password as Pa$$w0rd and then press ENTER.
10. Minimize the Nyc-ts Remote Desktop connection.
11. To log on as the third user, click Start, click Run, in the Open box type mstsc, and then click OK.
12. In the Remote Desktop Connection dialog box, verify that the Computer is Nyc-ts, and then click Connect.
13. In the Windows Security dialog box, click Use another account, log on with the login ID WOODGROVEBANK\Anton using the password Pa$$w0rd, and then click OK.
14. Observe that a message displaying The requested session access is denied appears on the screen. Click OK.
15. Close all the remote connections. The Disconnect Terminal Services Session dialog box is displayed. Click OK.

Results: After this exercise, you should have configured the TS connection properties by using Server Group Policy.
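
The settings made in GPO for TS Connection can also be checked on the terminal server once Group Policy has refreshed. The following script is an added example and is not part of the original lab; it assumes Windows PowerShell 2.0 or later and the registry value names written by the Terminal Services administrative template, and the function names are hypothetical. It also reports the encryption level in effect, because Client Compatible accepts clients that do not support 128-bit encryption, whereas High requires it.

```powershell
# Added example (not from the lab): verify on the terminal server that the
# values set in "GPO for TS Connection" have been applied.
# Run in an elevated PowerShell session after Group Policy has refreshed.

$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected values come from the lab steps. MaxDisconnectionTime is stored in
# milliseconds, so 5 minutes is 300000. fDisableAutoReconnect is 0 when the
# "Automatic reconnection" policy is Enabled.
$Expected = @(
    @{ Setting = 'Limit number of connections';              Name = 'MaxInstanceCount';      Want = 2 },
    @{ Setting = 'Automatic reconnection';                   Name = 'fDisableAutoReconnect'; Want = 0 },
    @{ Setting = 'Set client connection encryption level';   Name = 'MinEncryptionLevel';    Want = 2 },
    @{ Setting = 'Set time limit for disconnected sessions'; Name = 'MaxDisconnectionTime';  Want = 300000 }
)

# MinEncryptionLevel values offered by the policy drop-down list.
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High' }

function Test-TsConnectionPolicy {
    param([string]$Key = $TsPolicyKey)

    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Policy key not found: $Key. The GPO has not been applied to this computer."
        return
    }

    $values = Get-ItemProperty -Path $Key

    foreach ($item in $Expected) {
        $actual = $values.($item['Name'])     # $null when the value is absent

        if ($null -eq $actual)              { $status = 'NotConfigured' }
        elseif ($actual -eq $item['Want'])  { $status = 'OK' }
        else                                { $status = 'Mismatch' }

        New-Object PSObject -Property @{
            Setting  = $item['Setting']
            Value    = $item['Name']
            Expected = $item['Want']
            Actual   = $actual
            Status   = $status
        } | Select-Object Setting, Value, Expected, Actual, Status
    }
}

function Get-TsEncryptionLevelName {
    param([string]$Key = $TsPolicyKey)

    if (-not (Test-Path -Path $Key)) { return 'Not configured by policy' }

    $level = (Get-ItemProperty -Path $Key).MinEncryptionLevel
    if ($null -eq $level) { return 'Not configured by policy' }

    $name = $EncryptionLevels[[int]$level]
    if ($null -eq $name) { return "Unknown value $level" }
    return $name
}

Test-TsConnectionPolicy | Format-Table -AutoSize
'Encryption level in effect: ' + (Get-TsEncryptionLevelName)
```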

Exercise 3: Configuring SSO by Using Client Group Policy


Exercise Overview
The main task for this exercise is to configure SSO by using client Group Policy.

Task 1: Configure the SSO setting by using client Group Policy


1. To open the Terminal Services Configuration snap-in on 6428A-NYC-DC1-01, click Start, click Run, in the Open box type tsconfig.msc, and then click OK.
2. In the middle pane, under Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security layer box, select SSL (TLS 1.0) from the drop-down list, and then click OK.
4. Close the Terminal Services Configuration snap-in.
5. To open the Local Group Policy Editor, click Start and in the Start Search box, type gpedit.msc, and then press ENTER.
6. In the left pane, under the Computer Configuration node, expand the Administrative Templates node, expand System node, and then click Credentials Delegation.
7. In the right pane, under Setting, double-click Allow Delegating Default Credentials.
8. In the Allow Delegating Default Credentials Properties dialog box, on the Setting tab, click Enabled, and then click Show to add servers to the list.
9. In the Show Contents dialog box, click Add to add servers to the list.
10. In the Add Item dialog box, in the Enter the item to be added box, type 6428A-NYC-TS-03, and then click OK.
11. Click OK to close the Show Contents dialog box.
12. In the Allow Delegating Default Credentials Properties dialog box, click OK.
13. Close the Local Group Policy Editor.

Results: After this exercise, you should have configured SSO by using client Group Policy.
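
The Allow Delegating Default Credentials list decides which servers receive the user's logon credentials, so it is worth reviewing after the policy is set. The following script is an added example and is not part of the original lab; it assumes Windows PowerShell 2.0 or later and the registry location used by the Credentials Delegation policy, and the function names are hypothetical. It classifies each entry by how broad it is; the policy's own description gives entries as service principal names such as TERMSRV/host, with * allowed as a wildcard.

```powershell
# Added example (not from the lab): list the servers that the
# "Allow Delegating Default Credentials" policy permits on this client
# and classify how broad each entry is.

$CredDelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationScope {
    param([string]$Entry)

    # Entries are "<service class>/<host>"; split on the first slash only.
    $parts = @($Entry -split '/', 2)

    if ($parts.Count -lt 2) {
        return 'No service class (policy examples use TERMSRV/<host>)'
    }

    $service = $parts[0]
    $target  = $parts[1]

    if ($service -ne 'TERMSRV')   { return "Service class '$service' (not Terminal Services)" }
    if ($target -eq '*')          { return 'Wildcard: every terminal server' }
    if ($target.StartsWith('*.')) { return 'Wildcard: every terminal server in one DNS domain' }
    if ($target.Contains('*'))    { return 'Wildcard: partial name match' }
    return 'Single named server'
}

function Get-DelegationTarget {
    param([string]$Key = $CredDelegationKey)

    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Credentials Delegation policy key not found: $Key"
        return
    }

    # A DWORD value of 1 means the policy is Enabled.
    $enabled = (Get-ItemProperty -Path $Key).AllowDefaultCredentials
    $listKey = Join-Path -Path $Key -ChildPath 'AllowDefaultCredentials'

    if ($enabled -ne 1 -or -not (Test-Path -Path $listKey)) {
        Write-Warning 'Allow Delegating Default Credentials is not enabled on this computer.'
        return
    }

    # The server list is stored as string values named 1, 2, 3 ... in a subkey.
    $list = Get-Item -Path $listKey
    foreach ($name in $list.GetValueNames()) {
        $entry = [string]$list.GetValue($name)

        New-Object PSObject -Property @{
            Index = $name
            Entry = $entry
            Scope = (Get-DelegationScope -Entry $entry)
        } | Select-Object Index, Entry, Scope
    }
}

Get-DelegationTarget | Format-Table -AutoSize
```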

Exercise 4: Troubleshooting Connectivity Issues


Exercise Overview
In this exercise, you will troubleshoot connectivity issues. The main tasks for this exercise are as follows:
1. Verify the RDP settings, and check the event logs.
2. Verify the user and group permissions and policy settings.
3. Verify that the users are able to log on with the updated settings.
4. Shut down the virtual machines.

Task 1: Verify the RDP settings and check the event logs
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. In the TS RemoteApp Manager page, under the Overview section for RDP Settings, click the Change link.
3. In the RemoteApp Deployment Settings dialog box, click the Terminal Server tab.
4. On the Terminal Server tab, ensure that the Server name box has NYC-TS.WoodgroveBank.com.
5. Ensure that the port number in RDP Port is 3389, and then click OK to close the RemoteApp Deployment Settings dialog box.
6. Close the TS RemoteApp Manager.
7. To display the Event Viewer dialog box, click Start, click Run, in the Open box type eventvwr, and then press ENTER.
8. In the Event Viewer dialog box, expand the Windows Logs node.
9. Click Application, and check the details of any error in the events.
10. Close Event Viewer.
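
The checks in this task (RDP port 3389 on NYC-TS.WoodgroveBank.com and errors in the Application log) can also be run from a script on the terminal server. The following is an added example and is not part of the original lab; it assumes Windows PowerShell 2.0 or later, and the function names and the 24-hour window are hypothetical choices.

```powershell
# Added example (not from the lab): check the RDP-Tcp listener port, confirm
# that the port accepts connections, and list recent Application log errors.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerPort {
    param([string]$Key = $ListenerKey)
    # PortNumber is the TCP port the RDP-Tcp connection listens on.
    (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
}

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # Give up if the connection has not completed within the timeout.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($pending)    # throws if the connection was refused
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

function Get-RecentApplicationError {
    param([int]$Hours = 24)

    # SilentlyContinue suppresses the error raised when no entry matches.
    Get-EventLog -LogName Application -EntryType Error `
                 -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, Source, EventID, Message
}

$port = Get-RdpListenerPort
"RDP-Tcp listener port: $port (the lab expects 3389)"

$reachable = Test-TcpPort -ComputerName 'NYC-TS.WoodgroveBank.com' -Port $port
"NYC-TS.WoodgroveBank.com port $port accepts connections: $reachable"

Get-RecentApplicationError | Format-List
```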


Task 2: Verify the user and group permissions and policy settings
1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the left pane, under the WoodgroveBank.com node, expand the NYC node, and then click Marketing.
3. In the right pane, right-click Monika Buschmann and then click Reset Password.
4. In the Reset Password dialog box, in the New password box type Pass@word1.
5. In the Confirm password box type Pass@word1, and then click OK.
6. In the Active Directory Domain Services confirmation box, click OK.
7. Close the Active Directory Users and Computers snap-in.
8. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
9. In the Connections section, under Connection Name, right-click RDP-Tcp, and then click Properties.
10. In the RDP-Tcp Properties dialog box, click the Security tab. The Terminal Services Configuration message box is displayed. Click OK to close the message box.
11. On the Security tab, under Group or user names section, select Dana Birkby.
12. Click Advanced, select the record for Dana Birkby, click Edit and verify that the check box under Deny for Remote Control is not selected. If selected, clear the check box, and then click OK twice.
13. In the RDP-Tcp Properties dialog box, click the General tab.
14. In the Encryption level box, verify that the value is Client Compatible, and then click OK.
15. Close the Terminal Services Configuration snap-in.

Task 3: Verify that the users are able to log on with the updated settings
1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc, and then click OK.
2. In the Remote Desktop Connection dialog box, verify that the computer is Nyc-ts, and then click Connect.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection: Open Control Panel. Click the Network and Sharing Center icon. Verify that NYC-DC is connected to Unidentified network. Check the status of the Local Area Connection. In the Network and Sharing Center window, under Tasks, click Manage network connections. In the Network Connections window, right-click Local Area Connection, and then click Disable. Then, right-click Local Area Connection and click Enable. Close the Network Connections window. In the Network and Sharing Center window, verify that NYC-DC is connected to WoodgroveBank.com.

3. In the Windows Security dialog box, click Use another account, log on as WOODGROVEBANK\Monika with the password as Pass@word1, and then click OK.
4. To log off Monika, click Start, point to the arrow key next to the lock computer button, and then click Log off.
5. To log on as the second user, click Start, click Run, type mstsc, and then click OK.
6. In the Remote Desktop Connection dialog box, click Connect.
7. In the Windows Security dialog box, click Use another account.
8. Log on as WOODGROVEBANK\Dana with the password as Pa$$w0rd, and then click OK.
9. Close the remote connection.
10. The Disconnect Terminal Services Session dialog box is displayed. Click OK.

Task 4: Shut down the virtual machines
1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have used troubleshooting techniques to resolve connectivity issues.

Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.


Module 4: Configuring Terminal Services RemoteApp and Easy Print

Lab: Configuring TS RemoteApp and Easy Print


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring and Deploying TS RemoteApp Programs
Exercise 2: Configuring TS Easy Print

Logon Information:
Virtual Machine 1: 6428A-NYC-DC1-01
Virtual Machine 2: 6428A-NYC-TS-03
User Names: Administrator/Baris
Password: Pa$$w0rd

Estimated time: 45 minutes

Exercise 1: Configuring and Deploying TS RemoteApp Programs


Exercise Overview
In this exercise, you will install TS Web Access and create a link to Microsoft PowerPoint Viewer for the Marketing group. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Add the computer account of the TS Web Access server to the security group.
4. Specify the data source.
5. Install PowerPoint Viewer.
6. Add the PowerPoint Viewer program in the RemoteApp Programs list.
7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.
8. Determine if the RemoteApp program is enabled for TS Web Access.
9. Configure the TS Web Access server to allow access from the Internet.

Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
2. Log on using the default ID as WOODGROVEBANK\Administrator and password Pa$$w0rd. The Server Manager page is displayed by default.

Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before starting the 6428A-NYC-TS-03 virtual machine.

3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd. The Server Manager page is displayed by default.

Task 2: Install the TS Web Access role service


1. On 6428A-NYC-TS-03, in Server Manager, scroll down to the Roles Summary section, click the Terminal Services link. On Terminal Services, scroll down to Role Services.
2. In the Role Services section, click the Add Role Services link.
3. On the Select Role Services page, select the TS Web Access check box. The Add Role Services dialog box is displayed.
4. Review the information about the required role services for Web Server (IIS) and click Add Required Role Services, and then click Next.
5. Review the Web Server (IIS) page, and then click Next.
6. On the Select Role Services page, you are prompted to select the role services that you want to install for IIS. Then, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
9. On the Installation Results page, confirm that the installation of TS Web Access succeeded, and then click Close.
10. On the Server Manager page under Role Services, confirm that TS Web Access is Installed.
11. Close the Server Manager.

Task 3: Add the computer account of the TS Web Access server to the security group
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then click Computer Management.
2. In the left pane, click the Local Users and Groups node, and then click the Groups node.
3. In the middle pane, double-click the group name TS Web Access Computers.
4. In the TS Web Access Computers Properties dialog box, to add members in the group, click the Add button.
5. In the Select Users, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select (examples) box, type NYC-TS as the computer account of the TS Web Access server, click Check Names, and then click OK.
8. Click OK to close the TS Web Access Computers Properties dialog box.

Task 4: Specify the data source


1. To start Internet Explorer, click Start, click All Programs, and then click Internet Explorer.
2. To connect to the TS Web Access Web site, in the URL box, type http://NYC-TS/ts.
3. Click the go button.
4. In the Connect to nyc-ts dialog box, log on to the site as WoodgroveBank\Administrator with the password Pa$$w0rd.
5. A message box regarding the blocked content is displayed. To add the site as a trusted site, click the Add button.
6. The Trusted sites message box is displayed. Click Add. Close the Trusted sites message box.

Note: If you are already logged on to the computer, you are not prompted for the credentials. You need to add the Web site as a trusted Web site only the first time you access the site.

7. On the title bar, click the Configuration tab.
8. On the right side of the page, in the Editor Zone area, in the TS Web Access Properties section, in the Terminal server name box, type NYC-TS.
9. Click Apply to apply the changes.

Task 5: Install PowerPoint Viewer


1. Click Start, and then click Command Prompt.
2. At the command prompt, type change user /install, press ENTER, and then close the window.
3. Click Start, click Control Panel, and then double-click the Install Application on Terminal Server icon.
4. In the Install Program From Floppy Disk or CD-ROM wizard, click Next.
5. Click Browse. In the left pane, click Computer, and then browse to E:\Tools.
6. At the bottom of the page, in the Setup programs box, select All Files from the drop-down list.
7. Double-click PowerPointViewer.exe.
8. In the Run Installation Program page, click Next.
9. In the Microsoft Office PowerPoint Viewer 2007 license agreement page, select the check box to accept the license terms, and click Continue.
10. The Microsoft Office PowerPoint Viewer 2007 message box informing about the completion of the installation is displayed. Click OK.
11. On the Finish Admin Install page, click Finish.

Task 6: Add the PowerPoint Viewer program in the RemoteApp Programs list
1. Start TS RemoteApp Manager on 6428A-NYC-TS-03. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. In the Actions pane on the right, click Add RemoteApp Programs.
3. On the Welcome to the RemoteApp Wizard page, click Next.
4. On the Choose programs to add to the RemoteApp Programs list page, select the check box next to Microsoft Office PowerPoint Viewer 2007 program.
5. Click Microsoft Office PowerPoint Viewer 2007 program, and then click Properties.
6. In the RemoteApp Properties dialog box, verify that the RemoteApp program is available through TS Web Access check box is selected, click OK, and then click Next.
7. On the Review Settings page, review the settings and then click Finish.

Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp program
1. Scroll down to the RemoteApp Programs list and click Microsoft Office PowerPoint Viewer 2007.
2. On the Actions pane under Microsoft PowerPoint Viewer 2007, click Create .rdp File.
3. On the Welcome to the Remote App Wizard page, click Next.
4. On the Specify Package Settings page:
   a. Keep the default location to save the program as C:\Program Files\Packaged Programs.
   b. Verify that the terminal server setting is NYC-TS.WoodgroveBank.com.
   c. Verify that the required server authentication is set to Yes.
   d. Verify that the port is 3389.
5. Click Next.
6. On the Review Settings page, click Finish.

Task 8: Determine if the RemoteApp program is enabled for TS Web Access


1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that a Yes value appears for TS Web Access next to Microsoft Office PowerPoint Viewer 2007 that you want to make available through TS Web Access.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In the URL box, type http://NYC-TS/TS.
4. In the Connect to nyc-ts dialog box, provide user credentials from the Marketing Group. In User name, type WoodGroveBank\Baris and provide password Pa$$w0rd, and then click OK.

Task 9: Configure the TS Web Access Server to allow access from the Internet
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane of Internet Information Services (IIS) Manager, expand the NYC-TS (WOODGROVEBANK\Administrator) node, click the Sites node, click the Default Web Site node, and then click TS.
3. In the middle pane, scroll down to IIS, and double-click the Authentication icon.
4. Verify that Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable.

Results: After this exercise, you should have installed the PowerPoint program and created a link to C:\Program Files\Packaged Programs.

Exercise 2: Configuring TS Easy Print


Exercise Overview
The main tasks for this exercise are as follows:
1. Configure the printer redirection settings.
2. Shut down the virtual machines.

Task 1: Configure the printer redirection settings


1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the left panel, under Group Policy Management, click Forest: WoodgroveBank.com, followed by Domains, WoodgroveBank.com, NYC nodes, and right-click the Marketing node.
3. Click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, under the Name box, type GPO for RDP Link, and then click OK.
5. In the left panel, expand the Marketing node, right-click GPO for RDP Link, and then click Edit.
6. In the left panel on the Group Policy Management Editor page, under Computer Configuration, expand the Policies and Administrative Templates nodes, and then click the Windows Components node.
7. Under Windows Components, double-click the Terminal Services node, and then click the Terminal Server node.
8. In the left panel, double-click Printer Redirection.
9. In the right panel, double-click Use Terminal Services Easy Print printer driver first.
10. In the Use Terminal Services Easy Print printer driver first Properties dialog box, on the Setting tab, select Enabled, and then click OK.
11. In the right panel, double-click Redirect only the default client printer.
12. In the Redirect only the default client printer Properties dialog box, on the Setting tab, select Enabled, and then click OK.

Task 2: Shut down the virtual machines


1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have configured TS Easy Print and the client print driver should have been redirected to TS.

Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.


Module 5: Configuring Terminal Services Web Access and Session Broker

Lab: Configuring TS Web Access and Session Broker


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring TS RemoteApp Programs for TS Web Access
Exercise 2: Customizing TS Web Access by Using WSS
Exercise 3: Configuring TS Session Broker

Logon Information:
Virtual Machine 1: 6428A-NYC-DC1-01
Virtual Machine 2: 6428A-NYC-TS-05
Virtual Machine 3: 6428A-NYC-WEB-05
User Name: Administrator\Bernard
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring TS RemoteApp Programs for TS Web Access


Exercise Overview
In this exercise, you will install and configure the TS Web Access role service on the terminal server and create a .msi file for Microsoft Office PowerPoint Viewer. A link for this .msi file needs to be created so that the Marketing group can access it through a Web browser. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Determine if the RemoteApp program is enabled for TS Web Access.
4. Create an MSI file.
5. Create a link to the TS RemoteApp program on the terminal server.
6. Verify that the link is functional and available through the Web browser.

Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05 virtual machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
2. Log on using the default WOODGROVEBANK\Administrator user ID and password Pa$$w0rd.
3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
5. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.
6. Log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd.

Task 2: Install the TS Web Access role service


1. Click Start, and then click Server Manager snap-in on 6428A-NYC-TS-05.
2. In the snap-in, scroll down to Roles Summary, and click the Terminal Services link.
3. Scroll down to Role Services, and click the Add Role Services link.
4. On the Select Role Services page, select the TS Web Access check box.
5. In the Add Role Services message box, click Add Required Role Services.
6. On the Select Role Services page, click Next.
7. On the Web Server (IIS) page, click Next.
8. On the Select Role Services page, click Next.
9. On the Confirm Installation Selections page, click Install.
10. The Installation Progress page is displayed. Observe the progress indicator.
11. On the Installation Results page, observe that the installation of TS Web Access succeeded, and then click Close.
12. On the Server Manager page, under Role Services, verify that TS Web Access is installed.
13. Close the Server Manager.
14. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click Computer Management.
15. In the left pane of the Computer Management window, click the Local Users and Groups node, and then click Groups.
16. In the right pane, double-click TS Web Access Computers.
17. In the TS Web Access Computers Properties dialog box, click Add to add members in the group.
18. In the Select Users, Computers, or Groups dialog box, click Object Types.
19. In the Object Types dialog box, select the Computers check box, and then click OK.
20. In the Enter the object names to select (examples) box, type NYC-TS as the computer account of the TS Web Access server.
21. Click Check Names, and then click OK.
22. Click OK to close the TS Web Access Computers Properties dialog box.
23. Click Start, click All Programs, and then click Internet Explorer.
24. In the URL box, type http://NYC-TS/ts, and then press ENTER.
25. In the Connect to nyc-ts dialog box, log on to the site by using WoodgroveBank\Administrator as the login ID and Pa$$w0rd as the password, and then click OK.
26. A message box regarding blocked content is displayed. To add the site as a trusted site, click the Add button. The Trusted sites message box is displayed. Click Add. Close the Trusted sites message box.

Note: If you are already logged on to the computer, you are not prompted for the credentials. You need to add the Web site as a trusted Web site only the first time you access the site.

27. On the title bar, click the Configuration tab.
28. On the right side of the page, in the Editor Zone section, in the TS Web Access Properties section, in the Terminal server name box, type NYC-TS.
29. Click Apply to apply the changes.


Task 3: Determine if the RemoteApp program is enabled for TS Web Access


1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. Scroll down to the RemoteApp Programs list and verify that a Yes value appears for TS Web Access next to Microsoft Office PowerPoint Viewer 2007.
3. Click Microsoft Office PowerPoint Viewer 2007.
4. To enable a RemoteApp program for TS Web Access, on the Actions pane for Microsoft Office PowerPoint Viewer 2007, click Show in TS Web Access.
5. Close the TS RemoteApp Manager.

Task 4: Create an MSI file


1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
2. Scroll down to the RemoteApp Programs list, and click Microsoft Office PowerPoint Viewer 2007.
3. In the Actions pane for Microsoft Office PowerPoint Viewer 2007, click Create Windows Installer package.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, click Next.
6. On the Configure Distribution Package page, click Next.
7. On the Review Settings page, click Finish.
8. Close the Packaged Programs folder.

Task 5: Create a link to the TS RemoteApp program on the terminal server


1. On the TS RemoteApp Manager page, in the RemoteApp Programs list, verify that a Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint Viewer 2007.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In the URL box, type http://NYC-TS/ts, and then click Go.
4. In the Connect to nyc-ts dialog box, provide a user credential from the Marketing Group. In User name, type WoodGroveBank\Bernard and type the password as Pa$$w0rd, and then click OK.
5. Configure the TS Web Access server to allow access from the Internet. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
6. In the left pane of Internet Information Services (IIS) Manager, expand the NYC-TS (WOODGROVEBANK\Administrator) node, expand the Sites node, expand the Default Web Site node, and then click TS.
7. In the middle pane, scroll down to IIS, and double-click the Authentication icon.
8. Select Status from the Group by drop-down list. Select Enabled for Windows Authentication.

Task 6: Verify that the link is functional and available through the Web browser
1. On 6428A-NYC-WEB-05, verify that you are logged on as Woodgrovebank\Administrator with the password Pa$$w0rd.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In the URL box, type http://NYC-TS/ts, and then click Go.
4. In the Connect to nyc-ts dialog box, type the user name as WoodgroveBank\Bernard and the password as Pa$$w0rd. Then click OK.
5. The Trusted Sites message box is displayed. Click Add. Close the Trusted Sites message box. Observe that Microsoft Office PowerPoint is listed in the remote application program list.


Results: After this exercise, you should have installed TS Web Access on the terminal server, created an MSI file for the remote program, created a link to the remote program, and verified that the link is functional through Internet Explorer.

Exercise 2: Customizing TS Web Access by Using WSS


Exercise Overview
In this exercise, you will create a customized Web part and export it to a WSS Web site. The main task for this exercise is as follows: Add a Web part to a WSS site.

Task 1: Add a Web part to a WSS site


1. On 6428A-NYC-WEB-05, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
2. To connect to the WSS site http://nyc-web:44341/, in the authentication dialog box, type the user name as WoodgroveBank\Administrator and password as Pa$$w0rd. Then click OK.
3. On the Home page of the Central Administration site, click Site Actions, and then select Edit Page from the drop-down list.
4. On the Edit Page, in the center panel, click Add a Web Part.
5. On the Add Web Parts Webpage Dialog page, in the Add Web Parts to Left section, under the List and Libraries section, select the Resources check box, and then click Add.
6. On the Central Administration page, under the Resources section, click the Add new link link.
7. On the Resources: New Item page, in the URL box, type http://NYC-TS/ts.
8. In the Description box, type Link for TS Web Access Web Part, and then click OK.
9. Connect to NYC-ts and click Link for TS Web Access Web Part. The Connect to nyc-ts dialog box is displayed.
10. Log on to the site as WOODGROVEBANK\Administrator with the password Pa$$w0rd. Then click OK. The TS Web Access Web site with the remote applications list will be displayed.

Results: After this exercise, you should have added a customized Web part by using TS Web Access, and exported it to a WSS site.

Exercise 3: Configuring TS Session Broker


Exercise Overview
In this exercise, you will install the Session Broker role service and configure the TS Session Broker settings for servers in a TS farm. The main tasks for this exercise are as follows:
1. Install the TS Session Broker role service.
2. Add each server in the farm to the Session Directory Computers local group.
3. Configure the TS Session Broker settings by using Group Policy.
4. Shut down the virtual machines.


Task 1: Install the TS Session Broker role service


1. On 6428A-NYC-TS-05, start Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
2. Click Roles, scroll down to the Roles Summary section, click the Terminal Services link.
3. On the Terminal Services page, scroll down to Role Services, and then click the Add Role Services link.
4. On the Select Role Services page, select the TS Session Broker check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. The Installation Progress page is displayed. Observe the progress indicator.
7. On the Installation Results page, confirm that the installation succeeded, and then click Close.

Task 2: Add each server in the farm to the Session Directory Computers local group
1. Click Start, point to Administrative Tools, and then click Computer Management.
2. In the left pane, click the Local Users and Groups node, and then click Groups.
3. In the middle pane, right-click the Session Directory Computers group, and then click Properties.
4. In the Session Directory Computers Properties dialog box, click Add.
5. In the Select Users, Computers or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select (examples) box, type NYC-WEB; NYC-TS, and then click Check Names. Click OK twice.
8. Close Computer Management.

Task 3: Configure the TS Session Broker settings by using Group Policy


1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the Group Policy Management snap-in, in the left pane, ensure that Forest: WoodgroveBank.com node, followed by Domains and WoodgroveBank.com are expanded. Then, right-click the NYC node, and click Create a GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name box, type GPO for TS Web Access, and then click OK.
4. In the left pane, expand the Group Policy Objects node, and click GPO for TS Web Access.
5. In the right pane, click the Settings tab.
6. Right-click Computer Configuration, and then click Edit.
7. In the left pane, ensure the Computer Configuration node is expanded, expand the Policies node, expand Administrative Templates followed by the Windows Components, Terminal Services, Terminal Server nodes, and then click TS Session Broker.
8. In the right pane, double-click the Join TS Session Broker policy setting.
9. In the Join TS Session Broker Properties dialog box, click Enabled, and then click OK.
10. Double-click the Configure TS Session Broker farm name policy setting.
11. In the Configure TS Session Broker farm name Properties dialog box, click Enabled.
12. In the TS Session Broker farm name box, type NYC-TS, and then click OK.
13. Double-click the Use TS Session Broker load balancing policy setting.
14. In the Use TS Session Broker load balancing Properties dialog box, click Enabled, and then click OK.
15. Close the Group Policy Management editor.

Task 4: Shut down the virtual machines


1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have configured TS Session Broker load balancing for a farm.

Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.

Module 6: Configuring and Troubleshooting Terminal Services Gateway

Lab: Configuring and Troubleshooting TS Gateway


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Configuring and Monitoring TS Gateway
Exercise 2: Troubleshooting the TS Gateway Connections

Logon Information:
Virtual Machine 1: 6428A-NYC-DC1-01
Virtual Machine 2: 6428A-NYC-TS-05
User Name: Administrator
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring and Monitoring TS Gateway


Exercise Overview
In this exercise, you will install and configure the TS Gateway server role on the terminal server and create a CAP and a RAP for the HR group. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator.
2. Install the TS Gateway role.
3. Install the certificate.
4. Create a CAP for the HR group.
5. Select the pre-configured Active Directory Security group HR.
6. Create a RAP for the HR group.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.
2. Log on as WOODGROVEBANK\Administrator by using the password Pa$$w0rd. The Server Manager snap-in is displayed.
3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.
4. Log on as Administrator by using the password Pa$$w0rd. The Server Manager snap-in is displayed.

Task 2: Install the TS Gateway role


1. On 6428A-NYC-TS-05, click Start, and then click Server Manager. In the Server Manager snap-in, click Roles, scroll down to Roles Summary, and then click the Terminal Services link.
2. Scroll down to Role Services, click Add Role Services.
3. On the Select Role Services page, select the TS Gateway check box.
4. On the Select Role Services page, click Next.
5. On the Choose a Server Authentication Certificate for SSL Encryption page, select Choose a certificate for SSL encryption later, and then click Next.
6. On the Create Authorization Policies for TS Gateway page, select Later, and then click Next.
7. On the Confirm Installation Selections page, click Install. The Installation Progress page is displayed.
8. On the Installation Results page, observe that the installation for TS Gateway roles, role services, and features is successful, and then click Close.
9. Close the Server Manager snap-in.

Task 3: Install the certificate


1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click NYC-TS (Local), and then click Properties.
3. On the NYC-TS Properties page, click the SSL Certificate tab, verify that the Create a self-signed certificate for SSL encryption option is selected, and then click Create Certificate.
4. In the Create Self-Signed Certificate dialog box, under Certificate name verify that NYCTS.WoodgroveBank.com appears by default.
5. Under Certificate location, delete the default location, type c:\certificate\NYC-TS.cer, and then click OK. A message box stating that TS Gateway has successfully created a self-signed certificate is displayed.
6. Click OK twice.
7. Close the TS Gateway Manager.
8. To open the Certificates snap-in, click Start, click Run, type MMC, and then click OK. The Console1-[Console Root] window is displayed.
9. On the File menu, click Add/Remove Snap-in.
10. In the Add or Remove Snap-ins dialog box, under the Available snap-ins list, click Certificates, and then click Add.
11. In the Certificates snap-in dialog box, select Computer account, and then click Next.
12. In the Select Computer dialog box, verify that Local computer: (the computer this console is running on) is selected, and then click Finish.
13. In the Add or Remove snap-ins dialog box, click OK.
14. In the console dialog box, in the console tree, double-click the Certificates (Local Computer) node.
15. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
16. On the Certificate Import Wizard page, click Next.
17. On the File to Import page, in the File name box type c:\certificate\NYC-TS.cer, and then click Next.
18. On the Certificate Store page, click Next.
19. On the Completing the Certificate Import Wizard page, click Finish. A message stating that the import was successful is displayed.
20. Click OK.
21. In the Console1-[Console Root] window, click File, and then click Exit. A message prompting you to save the console settings to Console1 is displayed.
22. Click No.
23. To open the TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
24. In the TS Gateway Manager console tree, right-click NYC-TS(Local), and then click Properties.
25. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify Select an existing certificate for SSL encryption (recommended) is selected, and then click Browse Certificates.
26. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com, click Install, and then click OK.

Task 4: Create a CAP for the HR group


1. In the TS Gateway Manager console tree, expand the NYC-TS(Local) node, and then expand the Policies node.
2. Under Policies, right-click the Connection Authorization Policies folder, point to Create New Policy, and then click Custom.
3. In the New TS CAP dialog box, on the General tab, in Policy name, type TS CAP.
4. Click the Requirements tab, under Supported Windows authentication methods, verify that Password is selected.
5. Under User group membership (required), click Add Group.
6. In the Select Groups dialog box, click Advanced, and then click Find Now.
7. Under the Search Results section, scroll down and select the group name HR, click OK twice.
8. In the New TS CAP dialog box, click the Device Redirection tab, verify that Enable device redirection for all client devices is selected, and then click OK.
9. Close the TS Gateway Manager.

Task 5: Select the pre-configured Active Directory Security group HR


1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, under the WoodgroveBank.com node, ensure Users is selected.
3. In the right pane, click HR Security Group.
4. Right-click HR Security Group, click Properties.
5. In the HR Properties dialog box, click the Members tab, and then click Add.
6. In the Select Users, Contacts, Computers or Groups dialog box, click Object Types.
7. Select the Computers check box, and then click OK.
8. Click Advanced, and then click Find Now.
9. Under the Search Results section, scroll down to select the computer name as NYC-TS, click OK. Then click OK twice.
10. Close Active Directory Users and Computers.

Task 6: Create a RAP for the HR group


1. Start the TS Gateway Manager on 6428A-NYC-TS-05. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, open the NYC-TS (Local) folder.
3. Open the Policies folder, and then right-click the Resource Authorization Policies folder, point to Create New Policy, and then click Custom.
4. In the New TS RAP dialog box, on the General tab, in Policy name, type TS RAP.
5. On the User Groups tab, click Add.
6. In the Select Groups dialog box, click Advanced, click Find Now.
7. Under the Search Results section, scroll down to select the group name HR, and then click OK twice.
8. Click the Computer Group tab, verify Select an existing Active Directory security group is selected, and then click Browse.
9. In the Select Groups dialog box, click Advanced, and then click Find Now.
10. Under the Search Results section, scroll down to select group HR, and then click OK twice.
11. Click Allowed Ports tab, verify Allow connections only through TCP port 3389 is selected, and then click OK.

Results: After this exercise, you should have installed the TS Gateway Server role service and created a TS CAP and TS RAP for the HR group.

Exercise 2: Troubleshooting the TS Gateway Connections


Exercise Overview
In this exercise, you need to verify that the TS Gateway server certificate has not expired. You also need to check the TS CAP and RAP for the HR group. In addition, you need to verify the existence of the user Baris in the HR group and add a new user Bernard to the HR group. The main tasks for this exercise are as follows:
1. Verify that the TS Gateway Server certificate has not expired.
2. Verify that the TS CAP is accurate.
3. Verify that the TS RAP is accurate.
4. Verify that the user Baris exists in the HR group.
5. Add Bernard to the HR group.
6. Verify that the TS RAP is functional.
7. Shut down the virtual machines.

Task 1: Verify that the TS Gateway Server certificate has not expired
1. In the TS Gateway Manager, in the console tree, right-click NYC-TS (Local), and then click Properties.
2. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify Select an existing certificate for SSL encryption (recommended) is selected, and then click Browse Certificates.
3. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com.
4. Click View Certificate and verify in the Valid from field that the certificate has not expired.
5. Click OK, click Cancel, and then click OK.
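
The certificate check in this task can also be scripted. The following PowerShell is an added example, not part of the course lab: it reads the gateway certificate from the local computer's Personal store, classifies its validity window, and compares its thumbprint with the Trusted Root Certification Authorities store and with the exported c:\certificate\NYC-TS.cer file that clients import. The function names, the 30-day warning threshold and the Personal store location are assumptions; the certificate name and file path are the lab's.

```powershell
# Added example (not part of the course lab). Run on the TS Gateway server.
# From the lab: the certificate name and the exported .cer path.
# Assumed: the function names, the 30-day warning threshold, and that the
# gateway certificate is in the local computer's Personal (My) store.

function Get-CertificateStatus {
    # Classify the validity window of one certificate relative to $Now.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30
    )
    if ($Now -lt $Certificate.NotBefore) { return 'NotYetValid' }
    if ($Now -gt $Certificate.NotAfter)  { return 'Expired' }
    if (($Certificate.NotAfter - $Now).TotalDays -lt $WarnDays) { return 'ExpiringSoon' }
    return 'Valid'
}

function Test-GatewayCertificate {
    param(
        [string]$SubjectName  = 'NYC-TS.WoodgroveBank.com',
        [string]$ExportedFile = 'c:\certificate\NYC-TS.cer',
        [int]$WarnDays        = 30
    )

    # Thumbprint of the file that clients import from the \\NYC-TS\certificate share.
    $exportedThumbprint = $null
    if (Test-Path -Path $ExportedFile) {
        $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ExportedFile
        $exportedThumbprint = $exported.Thumbprint
    }

    # Thumbprints the local computer already trusts as root CAs.
    $rootThumbprints = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        ForEach-Object { $_.Thumbprint })

    # One result object per matching certificate in the Personal store.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
            @{ Name = 'Status'; Expression = { Get-CertificateStatus -Certificate $_ -WarnDays $WarnDays } },
            @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
            @{ Name = 'InTrustedRoot'; Expression = { $rootThumbprints -contains $_.Thumbprint } },
            @{ Name = 'MatchesExportedFile'; Expression = { $exportedThumbprint -eq $_.Thumbprint } }
}

$results = @(Test-GatewayCertificate)
if ($results.Count -eq 0) {
    Write-Warning 'No certificate with the expected name was found in Cert:\LocalMachine\My.'
}
$results | Format-List
```

After Exercise 1 the expected result on the gateway is Status Valid with HasPrivateKey, InTrustedRoot and MatchesExportedFile all True. A False in MatchesExportedFile means the file on the share is not the certificate the gateway holds, so it should not be imported into a client's Trusted Root store.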

Task 2: Verify that the TS CAP is accurate


1. In the console tree, under the NYC-TS (Local) node, under the Policies node, click Connection Authorization Policies.
2. In the right pane, right-click TS CAP policy, and then click Properties.
3. In the TS CAP Properties dialog box, on the General tab, verify that Enable this policy is selected.
4. Click the Requirements tab. Under Supported Windows authentication methods, verify that Password is selected.
5. Under User group membership (required), verify that WOODGROVEBANK\HR group exists.
6. Click Device Redirection tab, verify Enable device redirection for all client devices is selected, and then click OK.

Task 3: Verify that the TS RAP is accurate


1. In TS Gateway Manager, under the Policies node, click Resource Authorization Policies.
2. In the right-pane, right-click TS RAP, and then click Properties.
3. In the TS RAP Properties dialog box, on the General tab, verify Enable this policy is selected.
4. Click the User Groups tab and verify that the WOODGROVEBANK\HR group exists.
5. Click the Computer Group tab, under Select an existing Active Directory security group, verify that WOODGROVEBANK\HR exists.
6. Click Allowed Ports tab, verify Allow connections only through TCP port 3389 is selected, and then click OK.
7. Close the TS Gateway Manager.

Task 4: Verify that the user Baris exists in the HR group


1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, under WoodgroveBank.com, click Users.
3. In the right pane, click HR Security Group.
4. Right-click HR Security Group, click Properties.
5. In the HR Properties dialog box, click the Members tab, verify user Baris Cetinok exists, and then click OK.

Task 5: Add Bernard to the HR group


1. In Active Directory Users and Computers, under WoodgroveBank.com, click Users.
2. In the right pane, right-click HR Security group, and then click Properties.
3. In the HR Properties dialog box, click the Members tab, and then click Add.
4. In the Select Users, Contacts, Computers or Groups dialog box, click Advanced, and then click Find Now.
5. Scroll down to select user name Bernard Duerr, click OK.
6. In the Active Directory Domain Services dialog box, click OK twice.
7. Close Active Directory Users and Computers.

Task 6: Verify that the TS RAP is functional


1. On 6428A-NYC-DC1-06, click Start, click Run, type \\NYC-TS\certificate, and then click OK.
2. In the Certificate (\\NYC-TS), select NYC-TS.cer.
3. Right-click NYC-TS.cer, click Install Certificate.
4. The Open file Security Warning dialog box is displayed, click Open.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the Certificate Store page, select Place all certificates in the following store, and then click Browse.
7. In the Select Certificate Store dialog box, select Trusted Root Certification Authorities, click OK, and then click Next.
8. On the Completing the Certificate Import Wizard page, click Finish.
9. A message box that the import was successful is displayed, click OK.
10. Close Certificate Explorer.
11. On 6428A-NYC-DC1-06, click Start, click Run, type mstsc, and then click OK.
12. In the Remote Desktop Connection dialog box, click Options, click the Advanced tab, and then click Settings.
13. On the TS Gateway Server Settings page, select Use these TS Gateway Server settings.
14. In the Server name box, type NYC-TS.woodgrovebank.com, in the Logon method box select Ask for password (NTLM) from the drop-down list, and then click OK.
15. Click the General tab, in the Computer box, type NYC-TS, and then click Connect.
16. In the Windows Security dialog box, type user name as Woodgrovebank\Baris and password as Pa$$w0rd, and then click OK.
17. Close Remote Desktop Connection.

Task 7: Shut down the virtual machines


1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have verified that the configuration of TS Gateway is correct and the user Baris exists in the HR group. In addition, you should have added a new user Bernard to the HR group.

Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.

Module 7: Managing and Monitoring Terminal Services

Lab: Managing and Monitoring TS


Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Exercise 1: Managing the TS Connections
Exercise 2: Monitoring the TS Connections
Exercise 3: Configuring WSRM for TS

Logon Information:
Virtual Machine 1: 6428A-NYC-DC1-06
Virtual Machine 2: 6428A-NYC-TS-07
Virtual Machine 3: 6428A-NYC-WEB-05
User Names: Administrator/Susan
Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Managing the TS Connections


Exercise Overview
In this exercise, you will configure the TS Gateway settings on the client computer. You will then disconnect the NOC technician's computer and reset the connection. The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator.
2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.
3. Configure the TS Gateway settings on the client.
4. Manage the TS connections on the terminal server.

Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual machines and log on to these machines as Administrator

1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.
2. The default login ID WOODGROVEBANK\Administrator is displayed. Log on with the password Pa$$w0rd.

Note: Wait for the domain controller, 6428A-NYC-DC1-06, logon screen to appear before starting 6428A-NYC-TS-07 virtual machine.

3. Start 6428A-NYC-TS-07 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator with the password Pa$$w0rd.
5. On 6428A-NYC-DC1-06, to verify the membership of the NYC-TS, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
6. In the left pane, click Computers node.
7. In the right pane, verify that the computer name NYC-TS exists.

Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan


1. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.
2. Log on as WoodgroveBank\Susan who belongs to the NOC Department by using the password Pa$$w0rd.

Task 3: Configure the TS Gateway settings on the client


1. To configure TS Gateway on 6428A-NYC-WEB-05, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options, and then click the Advanced tab.
3. On the Advanced tab, under Connect from anywhere area, click Settings.
4. Under Connection settings, select Use these TS Gateway server settings.
5. In the Server name box, verify that the FQDN of TS Gateway Server is NYCTS.Woodgrovebank.com.
6. Under Logon method, verify that Ask for password (NTLM) from the drop-down list is selected.
7. Verify that the Bypass TS Gateway server for local address check box is not selected. If selected, then clear the check box and then click OK.
8. Click the General tab. Under Logon settings, in the Computer box, type NYC-TS.
9. Click Save, and then click Connect.
10. In the Windows Security dialog box, enter the login ID as Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click OK.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to create the remote connection:
   a. Log off WoodgroveBank\Susan on 6428A-NYC-WEB-05.
   b. Log on to 6428A-NYC-WEB-05 as Administrator with the password Pa$$w0rd.
   c. Open Control Panel.
   d. Click the Network and Sharing Center icon.
   e. Verify that NYC-WEB is connected to Unidentified network. Check the status of the Local Area Connection.
   f. In the Network and Sharing Center window, under Tasks, click Manage network connections.
   g. In the Network Connections window, right-click Local Area Connection, and then click Disable. Then, right-click Local area Connection and click Enable.
   h. Close the Network Connections window.
   i. In the Network and Sharing Center window, check whether NYC-WEB is connected to WoodgroveBank.com.

11. Log off as administrator on 6428A-NYC-WEB-05 and log on as WoodgroveBank\Susan using the password Pa$$w0rd.

Task 4: Manage the TS connections on the terminal server


1. To log off all TS Gateway connections on 6428A-NYC-TS-07, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Manager. In Terminal Services Manager, the Terminal Services Manager dialog box is displayed, click OK.
   a. In the left panel, select NYC-TS.
   b. In the middle panel, on the Users tab, observe that the RDP-Tcp#0 Session for Susan has the state as Active.
   c. In the middle panel, select the user Susan.
   d. In the right panel, under Actions, click Logoff.
   e. The Terminal Services Manager message box about the selected user getting logged off is displayed. Click OK. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC connection before moving on to the next steps.
2. Disconnect all TS Gateway connections.
   a. In 6428A-NYC-TS-07 in the middle panel, select the user Susan.
   b. In the right panel, under Actions, click Disconnect.
   c. The Terminal Services Manager message box about the selected user getting disconnected is displayed. Click OK. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC connection before moving on to the next steps.
3. Reset all TS Gateway Connections.
   a. In the middle panel, select the user Susan.
   b. In the right panel, under Actions, click Reset.
   c. The Terminal Services Manager message box about the selected user getting reset is displayed. Click OK. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Log off from 6428A-NYC-WEB-05 and then log on again using WOODGROVEBANK\Administrator with the password Pa$$w0rd.
4. Close the Terminal Services Manager.

Results: After this exercise, you should have configured the TS Gateway settings on the client and managed TS connections remotely.

Exercise 2: Monitoring the TS Connections


Exercise Overview
In this exercise, you need to monitor the TS connections by using the TS Gateway Manager and specify the TS Gateway events to be logged. The main tasks for this exercise are:
1. Connect to the remote computer.
2. Monitor TS Gateway.
3. Specify the TS Gateway events to be logged.

Task 1: Connect to the remote computer


1. To connect using TS Gateway on 6428A-NYC-WEB-05, click Start, click All Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Connect.
3. In the Windows Security dialog box, the login ID is displayed as Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click OK.

Task 2: Monitor TS Gateway


1. On 6428A-NYC-TS-07, click Start, point to Administrative tools, point to Terminal Services, and then click TS Gateway Manager.
2. In TS Gateway Manager, expand the NYC-TS node, and then click Monitoring.
3. Select Susan's session in the middle panel.
4. In the Actions panel, under Monitoring, click Edit Connection. The NYC-TS Properties dialog box is displayed.
5. Click Limit maximum allowed simultaneous connections to and select 2 in the spin box, and then click OK.
6. In the Actions panel, under Monitoring, click Set Automatic Refresh Options.
7. In the Set Automatic Refresh Options dialog box, verify Refresh automatically is selected, in the spin box verify 0:30:0 seconds is selected, and then click OK.
8. In the middle panel, right-click Susan, click Disconnect This Connection. The TS Gateway message box about disconnecting from Susan Burk to the computer NYC-TS is displayed.
9. Click Yes. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected. Perform steps 2 to 9 in Task 3 of Exercise 1 to set up the RDC connection before moving on to the next steps.

Task 3: Specify the TS Gateway events to be logged


1. In the TS Gateway Manager of NYC-TS-07, right click NYC-TS (Local), and then click Properties.
2. In the NYC-TS Properties dialog box, on the Auditing tab, select all the checkboxes that you want to monitor for TS Gateway, and then click OK.
3. Close the TS Gateway Manager.
4. To check the event log, click Start, click Administrative Tools, and click Event Viewer.
5. On the Event Viewer page, in the middle panel, check the Overview and Summary page.
6. Under Summary of Administrative Events, scroll down and click the Audit Success node.
7. In the Actions panel, under Audit Success, click View All Instances of This Event.
8. In the middle panel, under Summary page events, view the event logs.
9. Close the Event Viewer.

Results: After this exercise, you should have monitored TS Gateway and specified the events to be logged for TS Gateway.

Exercise 3: Configuring WSRM for TS


Exercise Overview
The main tasks for this exercise are as follows:
1. Install WSRM on TS.
2. Configure the TS resource allocation policy for per session.
3. Monitor TS performance by using Resource Monitor.
4. Configure the TS resource allocation policy for per user.
5. Shut down the virtual machines.

Task 1: Install WSRM on TS


1. To start the Server Manager snap-in on 6428A-NYC-TS-07, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click the Add Features link. The Add Features Wizard page is displayed.
3. In the Add Features Wizard, on the Select Features page, scroll down to select the Windows System Resource Manager check box. If the Add Features Wizard message box displays, informing you that Windows Internal Database also needs to be installed for WSRM to work properly, click Add Required Features, and then click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Progress page, note the installation progress. On completion of the installation, the Installation Results page is displayed.
6. On the Installation Results page, confirm that the installation of Windows Internal Database and WSRM succeeded, and then click Close.
7. Close the Server Manager.
8. To start the WSRM snap-in, click Start, point to Administrative Tools, and then click Windows System Resource Manager.
9. In the Connect to computer dialog box, under Administer, verify This computer is selected, and then click Connect to enable the WSRM to administer the local computer.

Task 2: Configure the TS resource allocation policy for per session


1. To implement the Equal_Per_Session resource-allocation policy, on the Windows System Resource Manager snap-in, in the left pane, click the Resource Allocation Policies node.
2. Right-click Equal_Per_Session and then click Set as Managing Policy.
3. If the End Snap-In dialog box appears stating that snap-in is not responding, click Cancel.
4. If a Warning dialog box is displayed informing you that the calendar will be disabled, click OK.

Task 3: Monitor TS performance by using Resource Monitor


1. On the Windows System Resource Manager snap-in, in the navigation tree, click Resource Monitor.
2. Review the performance data.
3. In the middle pane, on the toolbar, click Properties.
4. In the Properties dialog box, click the Graph tab.
5. On the Graph tab, in the View box, select Report from the drop-down list, and then click OK.
6. Observe the report for Equal_Per_Session.
7. To configure the notification options, in the left pane, right-click Windows System Resource Manager (Local), and then click Properties. The Windows System Resource Manager Properties dialog box is displayed.
8. Click the Notification tab, select Enable e-mail notification.
9. In Notify these e-mail aliases, type administrator@woodgrovebank.com.
10. In Use this SMTP server, type NYC-TS.woodgrovebank.com.
11. In Select the event log messages, select two or more events.
12. To view the list of events for each category, click the Error node, followed by the Warning and Information nodes. Click each category, and then select two or more events in each category.
13. When you have finished selecting the events, click OK.

Task 4: Configure the TS resource allocation policy for per user


1. To implement the Equal_Per_User resource-allocation policy, in the Windows System Resource Manager snap-in, in the console tree, click the Resource Allocation Policies node.
2. Right-click Equal_Per_User{Manager} and then click Set as Managing Policy.
3. If a dialog box appears informing you that the calendar will be disabled, click OK.

Task 5: Shut down the virtual machines


1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have configured WSRM, configured resource allocation policies, and monitored the TS performance by using the Resource Monitor.

Note: After you have completed the lab exercises, closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
