Chapter2:ConfiguringTerminalServices

TheTerminalServices(TS)serverroleenablesuserstoconnecttotheserverandrunspecificgraphicalapplications,ortousethefullWindows
desktop.Thiscapabilityisusefulinavarietyofscenarios,forexample,tocentralizeadministrationofapplications;toexercisegreatercontrol
overwhatusersareabletodowithanapplication;toenableusersofanyoftheplatformthatsupporttheremotedesktopwebclienttoaccess
aWindowsdesktoporWindowsbasedapplications.TScanlowersupportcostsbecauseyouonlyhavetomaintainandupgradethe
applicationonafewserversratherthanhundredsorthousandsofendusercomputers.Itcanfacilitatenewtypesofsolutionssuchasallowing
mobileuserstosecurelyaccessaWindowsdesktopthatislocatedonthecorporatenetworkusingnothingmorethanawebbrowser.Inthis
chapteryouwilllearnto:
ConfigureWindowsServer2008TerminalServicesRemoteApp(TSRemoteApp).
ConfigureTerminalServicesGateway.
ConfigureTerminalServicesloadbalancing.
ConfigureandmonitorTerminalServicesresources.
ConfigureTerminalServiceslicensing.
ConfigureTerminalServicesclientconnections.
ConfigureTerminalServicesserveroptions.
ConfigureWindowsServer2008TerminalServicesRemoteApp(TSRemoteApp)
TSRemoteAppprogramsappeartoberunningontheenduserscomputer:eachhasitsownresizeablewindowandeachappearsasanitem
ontheTaskbar,buttheyareactuallyrunningonaTSserver.TheuserdoesnothaveaccesstothefullWindowsdesktopontheTSserver,just
specificapplications.TheapplicationscanbeaccessedthroughthefullTSclientorusingtheActiveXbasedclientthatrunswithinaweb
browser.
InstallingTerminalServices
Thereare5TSroleservices,itisveryimportantthatyouunderstandthefunctionofeachandhowtheyinteractwithoneanother.Onlythe
TerminalServerroleserviceisrequiredtoenablebasicRemoteAppfunctionalitybutinstallallfiveonaserverinyourpracticelabalongwith
anydependentserverroles.Thefiveroleservicesare:
TerminalServerTScorefunctionalityisprovidedbythisroleserviceincludingtheabilitytohostmultipleWindowsdesktop
sessionsforremoteusers.
TSLicensingUsedforinstalling,issuing,andmonitoringtheclientaccesslicenses(CALs)thatarerequiredforeachuserordeviceto
connecttoaterminalserver.
TSSessionBrokerProvidessessionloadbalancingacrossafarmofTSservers,ensuresthatclientsarereconnectedtotheirexisting
sessionafterabriefinterruption.
TSGatewayEnablesauthorizedusersworkingremotelytoconnecttoTSserversonthecorporatenetwork.Thisroleservice
requirestheWebServerandNetworkPolicyandAccessServicesserverroles.
TSWebAccessEnablesuserstoaccessTSthroughawebsiteusingawebbrowserandtheActiveXbasedTSclientThisroleservice
requirestheWebServerserverrole.
Theinstallationwizardwillpromptyoutoprovidealotofinformation,proceedthroughthewizardasfollows:
1. OntheSpecifyAuthenticationMethodforTerminalServerpageoftheinstallationwizardspecifyRequireNetworkLevel
AuthenticationandclickNext.ThisprovidesahigherlevelofsecuritybyrequiringTSclientstoauthenticatesoonerduringthe
processofestablishingaconnectiontotheTSserver.ThisrequiresthattheclientsberunningRemoteDesktopConnection(RDC)6.0
andanoperatingsystem(OS)thatsupportstheCredentialSecuritySupportProvider(CredSSP)protocol,whichmeansWindowsVista
andWindowsServer2008orWindowsXPwithServicePack3.
2. OntheSpecifyLicensingModepageselectConfigureLaterandclickNext.UnderstandingTSlicensingisanimportantpartof
preparingfortheexam,thereforeitscoveredinitsownsectionlaterinthechapter.
3. Acceptthedefaultsforthenexttwopagesofthewizard,ontheChooseaServerAuthenticationCertificateforSSLEncryptionselect
ChooseanexistingcertificateforSSLEncryptionifoneisavailable,otherwisechoseCreateaselfsignedcertificateforSSL
Encryption,clickNext.
4. OntheCreateAuthorizationPolicyforTSGatewaypagespecifythatyouwillcreatethepolicieslater,authorizationpolicieswillbe
coveredlaterinthischapter.
5. Acceptthedefaultsfortheremainingpagesofthewizardandcompletetheinstallation.Atthispointyoumayneedtorestartthe
server.
ForaproductionTSserveryouwouldnowinstalltheapplicationsthatenduserswillbeabletorun,youcanforegothatprocessinyour
practicelab.
ConfiguringRemoteAppPrograms
ShortcutstotheTSmanagementtoolswerecreatedinafoldercalledTerminalServiceswascreatedintheAdministrativeToolsfolder.Forthe
restofthechapter,whenIwillaskyoutolaunchanyoftheTStoolsIwillnotspecifythefoldernameiftheshortcutislocatedintheTerminal
Servicesfolder.ToaddapplicationstotheRemoteAppprogramslistopenTSRemoteAppManager,anddothefollowing:
1. ClickAddRemoteAppProgramsintheActionspane,andclickNextwhenthewizardlaunches.
2. SincewehavenotaddedanyenduserapplicationsselectCalculatorandWordpadfromthelistofprogramsandclickNext.
3. ClickFinishtocompletethewizard.
Nowyouhavetodecidehowtomaketheprogramsavailabletousers.YoucanrightclickoneachintheRemoteAppProgramslisttosee
severaloptions,asshowninfigure1:
ShowinTSWebAccesstohavetheapplicationslistedontheTSWebAccesswebsite.
Create.rdpFiletogenerateashortcuttotheRDCclientapplicationthatincludesconnectioninformation.Whenauseropensthe
shortcuttheRDCclientwillconnecttotheTSserverandopentheRemoteAppprogram.RemoteDesktopProtocol(RDP)isthe
networkprotocolusedforTScommunication.Youcandistributethe.rdpfilebypostingonasharednetworkfolderorcopyingitto
eachuserscomputer.
CreateWindowsInstallerPackagewillalsocreateashortcuttotheRDCclientwiththenecessaryconnectionsettings,however,
whenthepackageisinstalledafewotherchangescanbemadesuchasaddingashortcuttotheStartmenu.Youcandistributethe
packageusinggrouppolicyorwhateversoftwaremanagementprogramyouuse.

Figure1:ConfiguringRemoteAppDeployment.

ConfiguringTerminalServicesWebAccess
RightclickeachprogramandspecifyShowinTSWebAccess,thenopenTSWebAccessAdministration.Thereare3tabsvisible:The
RemoteAppProgramstabcontainsthelistofavailableprograms,clickingononelaunchesthebrowserbasedTSclient.TheRemoteDesktop
tabcanbeusedtolaunchthebrowserbasedTSclientwithaccesstoafullWindowsdesktop,iftheTSserverisconfiguredtoallowthattypeof
connection.TheConfigurationTabisusedtospecifywhichTSservertheTSWebAccessserverwillconnectto.NotethatiftheTSWebAccess
andTSserverhostingtheRemoteAppprogramsareseparatesystemsthenyoumustaddthecomputeraccountoftheformertotheTSWeb
AccessComputerssecuritygrouponthelater.WhenuserswhodonothaveadministrativeprivilegesconnecttotheTSWebAccessserver
theywillonlyseethefirsttwotabs,asshowninfigure2.ThedefaultURLsarehttp://<hostname>/tsandhttps://<hostname>/ts,where
<hostname>isthefullyqualifieddomainname(FQDN)oftheTSWebAccessserver.

Figure2:ConnectingtoaTSWebAccesswebsite.

TechNetVirtualLabs:TerminalServicesandVirtualizationComingTogether
Fordecadessoftwarecompanieshavegivenawayevaluationversionsoftheirproductstohelpshowpotentialcustomersthevalueoftheir
solutions.Microsofthasbeendoingthistoo,manufacturingDVDsandpackagingtheminslimcardboardenvelopesnotterriblyexpensive,I
thinkitshardertoactuallygetthediscsintothehandsoftherightpeople.Evenwhenaninfluentialpersonhasthediscthereislittlecertainty
thatshewillspendanhourormoreinstallingandconfiguringtheproductsothatshecanevaluateit.Microsofthastwoprogramsthathelpto
overcometheseissues.

TechNetVirtualHardDisks(VHDs)arepreconfiguredvirtualmachinesthatyoucandownloadandlaunchwithinVirtualPCorHyperV,itsa
greatwaytofamiliarizeyourselfwithMicrosoftslatestsoftwaresolutions.VHDsareavailableformanyMicrosoftproducts,thedrawbackis
thatthedownloadsareverylarge.Ittakesmeadayortwotodownloadmultigigabytefiles.
TechNetVirtualLabsiseveneasiertouse,youmerelyselectascenarioandthenaccesstheserversremotelyusingyourwebbrowser.What
happensinthebackgroundintriguesme.IwasneverinvolvedindesigningorbuildinganyofthevirtuallabssoIdonotknowpreciselywhat
theunderlyingarchitectureisbutitseasytodeducethemajorelements.TryoneoutandyouwillseewhatImean.Afteryousignupforyour
firstlabyouarepromptedtoinstallanActiveXcontrol,thenyouwaitafewminuteswhileyourlabisbeingbuilt.Isuspectthatapre
configuredVHDiscopiedforyouruse,andthenlaunchedonaserverrunningHyperV,andthatyouconnecttoyourownpersonalvirtual
machineusinganActiveXRDPclientthathasbeencustomizedforTechNet.WhenyoufinishyourVHDisdeleted,nomatterhowbadlyyou
hackupyourlabitwillnotimpactotherpeopleaccessingthesite.Takealookatbothoftheseprogramsforyourself:
TechNetVirtualHardDisks.
TechNetVirtualLabs.
ConfigureTerminalServicesGateway
TheTSGatewayisdesignedsinglepurposeSecureSocketLayer(SSL)VirtualPrivateNetwork(VPN)thatcanbeusedtograntremoteusers
secureaccesstoTSservers.UsersconnectusingwhateverRDCclienttheyprefer,theRDPtrafficisencapsulatedinHypertextTransport
Protocol(HTTP),whichisprotectedbySSL/TransportLayerSecurity(TLS).TSGatewaysincreasesecuritybyensuringclientsonlyhaveaccessto
thespecificTSserverstheyrequirefortheirjobwithouttheneedtoconfigurefullVPNconnectivity.AcertificatemustbeinstalledontheTS
GatewayServer,itisusedforSSL/TLS,youprobablyhaveaselfsignedcertificateinstalledinyourpracticelab,inaproductionenvironment
youshoulduseacertificategeneratedbyaCertificateAuthority(CA)trustedbythecomputersthatwillbeusedtoaccesstheTSGateway,
otherwiseuserswillencounterbrowserwarningsaboutacertificatewhichcannotbevalidated.TheTSGatewayservermustbelongtoan
ActiveDirectorydomainifyouconfigureauthorizationpoliciesthatrequireusersorclientcomputerstobedomainmembers,orifyouare
deployingaloadbalancedserverfarm.
Thenextstepistoconfigureauthorizationpolicies.Therearetwokindsofpolicies,youneedtoconfigureatleastoneofeach:Terminal
Servicesconnectionauthenticationpolicies(TSCAP)andTerminalServicesresourceauthenticationpolicies(TSRAP).ATSCAPspecifieswho
canconnecttotheTSGatewayserver.Youcanfurtherrestrictinboundconnectionsbyothercriteriasuchaswhethertheircomputerisa
memberofaninternalActiveDirectorydomainorwhethertoallowresourceredirectionforPlugandPlaydevices.ATSRAPdefineswhat
internalresourcestheuserscanaccessthroughtheTSGatewayserver.TocreatethesepoliciesopenTSGatewayManagerandclickonthe
serverinthenavigationtree,thendothefollowing:
1. ExpandtheTSGatewayserverinthenavigationtree,expandthePoliciesfolder,rightclicktheConnectionAuthorizationPolicies
folder,selectCreateNewPolicy,thenclickCustom.
2. OntheGeneraltab,enteranameforthepolicyandensurethatEnablethispolicyisselected.
3. ClicktheRequirementstab,enablethedesiredauthenticationmethod,thenclickAddGrouptoselectwhichgroupsofuserswillbe
allowedtoconnect,asshowninfigure3.Optionally,youcanalsospecifywhichgroupsofcomputersareallowed.

4.

5.

Figure3:DefiningtheTSCAPRequirements.

ClicktheDeviceRedirectiontab,youcanspecifywhetherornotdeviceredirectionisallowed.Keepinmindthefactthatthe
enforcementofthispolicyoccursontheclientcomputersodonotthinkofitasarobustsecuritysetting,adeterminedusermaybe
abletobypassit.
ClickOKtofinishcreatingtheTSCAP.

6.
7.
8.
9.

RightclicktheResourceAuthorizationPoliciesfolder,selectCreateNewPolicy,thenclickCustom.
OntheGeneraltab,enteranameforthepolicy,ensurethatEnablethispolicyisselected,andenteradescriptionifdesired.
ClicktheUserGroupstabtodefinewhichuserscanconnect.
ClicktheComputertabtospecifytheinternalcomputersthatcanconnectto.Therearethreeoptions:
a. EnterthenameofadomainsecuritygroupthatincludesthecomputeraccountsfortheappropriateTSservers.
b. Createalocalgroupandaddthenamesofthecomputersasshowninfigure4.

Figure4:ConfiguringaNewTSGatewayComputerGroup.

c. Allowuserstoconnecttoanyinternalresource.
10. IftheTSserversareconfiguredtousecustomTCPportsclicktheAllowedPorttabstospecifytheportnumbers.ClickOKtofinish
creatingtheTSRAP.
ThereareafewotherconfigurablesettingsforTSGatewayservers.RightclicktheserverinthenavigationtreeandselectPropertiestoview
them.Youcanlimitthenumberofsimultaneousconnections,selectadifferentSSLcertificate,configureaTSgatewayserverfarm,andmake
otherchangesusingtheserverspropertiesdialogbox.ToviewactiveconnectionsselecttheMonitoringfolderinthenavigationtree.
UsingTSGatewaywithInternetSecurityandAccelerationServer
InternetSecurityandAccelerationServer(ISA)canenhancethesecurityforaserverrunningtheTSGatewayroleservicebecauseitcaninspect
incomingtrafficbeforeforwardingit.InthisconfigurationtheISAserverisconfiguredasanSSLbridge,thatis,ISAhandlestheestablishment
andmaintenanceoftheSSLtunnelsothatitcanviewthedecryptednetworkpackets.InthisarchitecturetheclientsestablishandSSL
connectionwiththeISAserver,theISAserverdecryptsandinspectsthetraffic,thentheISAserverforwardsacceptabletraffictotheTS
Gateway.TheconnectionbetweentheISAserverandtheTSGatewaycanrunoverHTTP,forgreatersecurityimplementSSLbetweenthese
serverstoo.
ToimplementSSLbridgingexporttheSSLcertificatefromtheTSGatewayserver,copyittotheISAServer,theninstallthecertificateontheISA
Server.CreateawebpublishingruleontheISAservertoenableaccesstotheTSGatewayserver.Whencreatingthewebpublishingruleyou
canspecifywhethertouseHTTPSHTTPbridgingorHTTPSHTTPSbridging.Exportandimportingthecertificateisalittlecomplicated,todoso
performthefollowing:
1.OntheTSGatewayserver,opentheMicrosoftManagementConsolebyclickingStartandthenenteringmmc.
2.YoumustmanuallyaddtheCertificatessnapin,clickFile,thenclickAdd/RemoveSnapin.
3.SelectCertificatesandclickAdd.
4.SpecifyComputeraccountandclickNext.
5.SelectthelocalcomputerandclickFinish.
6.Inthenavigationtree,expandCertificates(LocalComputer),expandPersonal,thenclickCertificates.
7.RightclicktheTSGatewaycertificate,selectAllTasks,andclickExport.Ifyouareunsurewhichcertificatetoexportviewtheirproperties
todeterminewhichmeetstheTSGatewayrequirements.
8.Completethewizardtoexportthecertificate.
9.CopythecertificatetotheISAserver.
10.OntheISAserver,repeatsteps1through6.
11.RightclickonPersonal,selectAllTasks,andclickImport.
12.Usethewizardtospecifythecopiedfile,whenpromptedtospecifythecertificatestoreselectAutomaticallyselectthecertificatestore
basedonthetypeofcertificate.
13.Finishthewizardtocompletetheimportationprocess.

Tip:rememberthatthedefaultfileextensionforcertificatesis.cer,butiftheprivatekeyisalsoexportedthedefaultextensionis.pfxinstead.
ConfigureTerminalServicesLoadBalancing
TSSessionBrokerprovidesloadbalancingforTSservers,thatis,clientsareevenlydistributedacrossthefarmofserverstominimizetheriskof
anybecomingoverloaded.ItmaintainssessionstatedataincludingwhichuserisassociatedwitheachsessionIDandthenameoftheserver
servicingthesession.ThismeansthatuserscanautomaticallybereconnectedtotheirexistingTSsessionshouldtheirconnectionterminate
unexpectedly.
Thearchitectureisstraightforward:someloadbalancingmethodisimplementedindependentlyofTS,twoormoreTSservers,andtheTS
SessionBrokerserver.RoundRobinDNSisthesimplestloadbalancingmethod,theDNSrecordthatpointstotheTSserverfarmhasalistof
addresses,oneforeachserverinthefarm.TheDNSserverrespondstoqueriesbycyclingthroughtheaddressessequentially.Aftertheclient
retrievestheaddressfromtheDNSserveritestablishesanconnectiontotheinitialTSserver.TheinitialTSserverqueriestheTSSessionBroker
servertodeterminewhichTSservertheclientwilluse.Theinitialserverthenredirectstheclienttousetheassignedserver.Theclientthen
establishesafullTSsessiontotheassignedserverandthatserverinformstheTSSessionBrokerofitsnewclientconnection.Thisconceptis
illustratedinfigure5.

Figure5:UsingRoundRobinDNSwithTSSessionBroker.

WhenusingDNSroundrobintodistributeconnectionsthenyoumustconfigureDNSrecordsforeachserverinthefarm.However,anyload
balancingmethodcanbeused,includingtheNetworkLoadBalancingService(NLBS)availablewithWindowsServer2008.Forinformation
aboutNLBSseeDeployingServers.MicrosoftpublishedadetailedguideforloadbalancingterminalserviceswithNLBScalledNetworkLoad
BalancingStepbyStepGuide:ConfiguringNetworkLoadBalancingwithTerminalServices.
TheprocessofinstallingandconfiguringtheTSserverfarmandtheTSSessionBrokerisasfollows:
1. InstallandconfiguretheTSserverrole,desiredroleservices,anduserapplicationsoneachTSserverinthefarm.
2. InstalltheTSSessionBrokerroleserviceonanotherserver.
3. OntheTSSessionBrokerserver,addeachTSserverinthefarmtothelocalSessionDirectoryComputersgroup.
a. OpenComputerManagement,expandSystemToolsinthenavigationtree,thenexpandLocalUsersandGroups,and
selecttheGroupsfolder.
b. DoubleclicktheSessionDirectoryComputersgroupinthedetailspane.
c. ClickAdd,thenclickObjectTypes,enabletheComputerscheckboxandclickOK,asshowninfigure6.
d.

Figure6:EnablingtheSelectionofComputerAccounts.

4.

ConfigureeachTSserverinthefarmusingTerminalServicesConfiguration:
a. DoubleclickMemberoffarminTSSessionBrokerandselecttheTSSessionBrokertab.
b. SpecifyingthenameorIPaddressoftheTSSessionBrokerserverunderTSSessionBrokerservernameorIPaddress.
c. SpecifythenameofthefarmunderFarmnameinTSSessionBroker.
d. EnableParticipateinSessionBrokerLoadBalancing.
e. AdjustweightifdesiredbychangingthevalueofRelativeweightofthisserverinthefarm.
f. SpecifytheIPaddresstobeusedforreconnectionandclickOK,asshowninfigure7.

Figure7:ConfiguringTSSessionBrokerSettings.

MostTSSessionBrokersettingscanbeconfiguredthroughgrouppolicyatthefollowinglocation:ComputerConfiguration\Administrative
Templates\WindowsComponents\TerminalServices\TSSessionBroker.GrouppolicycansimplifyconfiguringmultipleTSSessionBroker
serverswithidenticalsettings.ThetwosettingsthatcannotbeconfiguredviagrouppolicyaretheIPaddressestobeusedforreconnection
andtherelativeweightofeachserver.FormoreinformationaboutusinggrouppolicyseeCreatingandMaintainingActiveDirectoryObjects.
DoesMicrosoftInnovate?
SomepunditssharplycriticizeMicrosoftfornotinnovatingbutrathergrowingitstechnologyportfoliothroughacquisitionsandcopyingother
firmsideas.Inmypersonalopinion,whileitistruethatmanyMicrosofttechnologiesbecameMicrosoftsafterthecompanypurchasedthe
firmorlicensedoneoftheirproductsthecompanyishardlyuniqueinthisregard.Itisalsotruethatwhenanothercompanyopensanew
marketsometimesMicrosoftwillbegintocompeteaggressivelywiththemayearortwolater,butagain,numerouscompaniesdothis.Ithink
theTerminalServicestechnologyisaninterestingcasethatbringstogetherseveralexamplesrelatingtotheseaccusations.
Formedin1989,CitrixSystemslicensedsourcecodeforWindowsNT3.51in1992,uponwhichtheybuiltWinFrame.Releasedin1995,
WinFramewastheirmostsuccessfulproductthusfar.ThefirmwasstrugglingtosurvivewhenMicrosoftinvestedsignificantlyinthecompany
andlicensedthetechnologythatbecameWindowsNT4.0TerminalServerEdition,whichwasreleasedin1997.Microsoftpurchasedanother
company,T.share,fortheRDPusedforcommunicationbetweenTSserversandclients.Citrixhasdonequitewelloverthepast20yearsby
continuingtomaintainamutuallybeneficialrelationshipwithMicrosoft.CitrixretainedtherighttoextenduponMicrosoftsTSbased
products.
SofaryouseeexamplesofMicrosoftnotdevelopingtheirowntechnologyfromthegroundup,butthestoryisfarfromcomplete.Microsoft
wentontoimprovethecoretechnologyandbuildmanyothersolutionsbaseduponit.SinceacquiringthetechnologyMicrosofthasadded
loadbalancing,RemoteAppapplications,TSGateway,andsophisticateddeviceredirection.Microsofthasalsocreatedwholenewsolutions
basedonTSsuchasRemoteAssistancewhereuserssharetheirdesktopwithanotherremoteuserwhocanhelpresolveproblems.Theswitch
usercapabilityinWindowsXP,WindowsVista,andWindowsServer2008isanotherTSbasedfeature.WindowsMeetingSpaceisalsobased
onTS.
ConfigureTerminalServicesLicensing
ThepurposeoftheTSLicensingroleserviceistohelptrackclientaccesslicenses(CALs).Itensuresthatyourorganizationdoesnotviolateits
purchaseagreementsbyhavingmoreclientsconnecttotheTSserversthanthenumberoflicensespurchased.WhenaclientconnectstheTS
servercheckstoseeifaCALisrequired,ifoneisneededtheTSserverwillrequestitfromtheTSLicensingserver.Ifoneisavailablethelicense
serverwillissueit.TwosimultaneousRemoteDesktopsessionsareallowedforremoteadministrationwithoutrequiringCALsoralicense

server.CALscanbetrackedbyeitheruserormachine.Thereisalsoa120graceperiodthatallowsunlimitedclientconnectivitywithout
requiringactivationofthelicenseserverorinstallationofCALs.
Beforethelicenseserverwillbeginissuinglicensesyoumustactivateit.OpenTSLicensingManager,rightclickontheserverinthenavigation
tree,andselectActivateServertolaunchtheActivateServerWizard.Thewizardprovidesthreeactivationmethods.Thesimplestis
Automaticconnection;thelicenseserverrequiresongoingInternetconnectivitytousethismethod.TheWebBrowsermethodallowsyouto
activatefromanothercomputerthathasInternetconnectivity,thelicenseserverdoesnotrequiresuchconnectivityinthiscase.The
telephonemethodallowsyoudoactivatebycontactingaMicrosoftcustomerservicerepresentative.OnceactivatedyoucaninstallCALsbut
youmustvalidatethemusingoneofthesethreemethods.ToinstallCALsrightclickontheTSLicensingserverinthenavigationpane,select
InstallLicenses,andcompletethewizard.
YouconfigurethelicensingmodeoneachTSserverusingTerminalServicesConfiguration.TodosodoubleclickonTerminalServiceslicensing
modeinthedetailspaneandthenselectPerDeviceorPerUser.YoucanalsospecifyalicenseserverfortheTSservertouse,orallowitto
automaticallydiscoveralicenseserver,asshowninfigure8.Ifthesechoicesaredimmeditsbecausetheyhavebeenconfiguredviagroup
policy.NotethatperuserCALtrackingisonlysupportedwhentheserversandusersaremembersofanActiveDirectorydomain.Also,the
licenseservermustbeamemberoftheTerminalServerLicenseServersgroupinActiveDirectory,itshouldhavebeenaddedtothegroup
automaticallyduringinstallationoftheroleservice.

Figure8:ConfiguringLicensingforTerminalServices.

YoucanusetheLicensingDiagnosistooltotroubleshootlicensingissues.TolaunchthetoolopenTerminalServicesConfigurationandclickon
Licensing Diagnosis in the navigation tree. Information about the servers configuration and license status will appear in the details pane.
Consider my test server for example, as you can see in figure 9 I face two problems, the license server is not activated and no CALs are
available.

Figure9:DiagnosingLicensingIssues.

EachCALisvalidforbetween52and89days,thenumberofdaysisdeterminedrandomlywhentheCALisissued.WhenaCALisduetoexpire
in7daystheTSserverwillattempttorenewit,again,forbetween52and89days.Ifitcannotconnecttothelicenseserveritwillattemptto

renewtheCALeachtimetheclientlogson.WhenaCALexpiresitisreturnedtothepoolofavailablelicenses.Thishelpsthelicenseserverto
automaticallyrecoverPerDeviceCALsthatarelostwhenthedeviceisnolongerinuseorwhenitsoperatingsystemisreinstalled.Ifthelicense
serveritselfislostthenyoushouldtrytorecoveritusingthemostrecentbackup.Ifnobackupisavailablethenyoumustreinstalltheserver,
reactivateit,andcontactthelicenseclearinghousetohavethemissuereplacementCALs.
ConfigureandMonitorTerminalServicesResources
YoumaywanttolimithowmuchmemoryorCPUtimeaparticularapplicationcanconsumeonanyserverthatneedstosupportmanyusers
whoaccessseveraldifferentapplications.ThisisparticularlyimportantonTSserverssustaininglargenumbersofsimultaneoususersessions,a
singleuserwhoconsumesalargeportionofsystemresourceswillnegativelyimpactalloftheotherusers.Thereisapowerfultoolfor
controllingresourceusageinWindowsServer2008:WindowsSystemResourceManager(WSRM)AsnotedinMaintainingtheActiveDirectory
Environment,WindowsSystemResourceManagerisanoptionalfeatureofWindowsServer2008.TakeaquicklookattheUsingWindows
SystemResourceManagersectioninthatchaptertoinstallthetoolontheTSserverinyourpracticelab.
WSRMusesresourceallocationpoliciestocontroltheuseofcomputerresources.WSRMincludestwopoliciesdesignedforTerminalServices.
Equal_Per_UserProcessesareclusteredbyuser,eachclusterhasaccesstothesameproportionofsystemresourcesregardlessof
howmanyapplicationsarerunning.
Equal_Per_SessionProcessesareclusteredbyTSsessions,eachsessionhasaccesstothesameproportionofsystemresources.
ToimplementtheEqual_Per_Sessionresourceallocationpolicydothefollowing:
1. OpenWindowsSystemResourceManagerfromtheAdministrativeToolsfolderandspecifyThisComputerwhenpromptedto
connecttoacomputer.
2. ExpandtheResourceAllocationPoliciesnodeinthenavigationtree.
3. RightclickEqual_Per_SessionandclickSetasManagingPolicy.
4. IfaconfirmationdialogboxappearsclickOK.
AfterconfiguringWSRMpoliciesyoushouldobserveperformanceoftheTSservertoverifythattheimpactispositive.ClickontheResource
Monitornodeinthenavigationtreetogetstarted.ClicktheAddCountersbutton(thegreenplussymbol)andselecttheTerminalServices
Sessioncountersfromthelistofavailablecounters,clickAdd,thenclickOK,asshowninfigure10.Theseincludedozensofcounters,youcan
hidesomefromthegraphbydeselectingtheircheckboxundertheShowcolumn.Otherperformancecountersthatwillhelpyouassessthe
performanceimpactoftheresourceallocationpolicyfromahigherlevelarethoserelatedtoprocessorandmemoryutilization.Youcanreview
theUsingReliabilityandPerformanceMonitorsectioninMaintainingtheActiveDirectoryEnvironmenttorefreshyourmemoryonhowtouse
performancecounters.

Figure10:AddingTerminalServicesSessionPerformanceCounters.

ConfigureTerminalServicesClientConnections
Therearemanyclientconfigurationsettingsavailable,broadlyspeaking,theyaremanagedinthreedifferentlocations.Mostclientsettingscan
beconfiguredontheclientcomputers.MostclientsettingscanalsobemanagedinActiveDirectoryusinggrouppolicy,afewadditional
settingscanbeconfiguredontheuseraccountobjects.SomesettingscanbemanagedontheTSservers.
ConfiguringClientSettingsontheClient

TherearethreewaysforclientstoconnecttoTSservers.RemoteDesktopConnection(RDC)istheprimaryway.Thereareseveralmethodsfor
invokingRDCincludingclickingtheshortcutfromtheStartmenu,doubleclickingacustomized.RDPfile,orbyenteringmstsc.exeata
commandprompt.YoucanalsoconnectusingtheActiveXbasedclientasdiscussedearlierinthechapter.ThethirdwayistousetheRemote
DesktopsMMCsnapin.ThissnapinisincludedwithWindowsServer2008,youcaninstallitonWindowsVistabydownloadingandinstalling
theMicrosoftRemoteServerAdministrationToolsforWindowsVista.Thissnapinisdesignedforadministratorswhohavetoconnectto
numerousserversusingtheRDCbutdontwanttocluttertheirdesktopwithshortcutsforeach.YourightclickontheRemoteDesktopsnode
inthenavigationtreeandselectAddnewconnectiontoaddaservertothelistofserversinthenavigationtree.Yourightclickonanyofthe
serversandselectConnecttoopenaTSsessionintherighthandpane,asshowninfigure11.

Figure11:UsingtheRemoteDesktopsSnapIn.

AftercreatingaconnectioninRemoteDesktopsyoucanrightclickonitandselectPropertiestocustomizeit.Therearethreetabsforsaving
logoncredentials,specifyingthedesktopsize,configuringdriveredirectionandmakingafewotherchanges.Thereareadditional
customizationoptionsavailablewhenyouuseRDC,clickOptionstoseethetabsthatgrantaccesstoallofthem,asshowninfigure12.

Figure12:CustomizingtheRemoteDesktopConnection.

YoucanimproveperformancebyreducingthescreensizeandloweringthecolordepthontheDisplaytab.Youcanfurtheroptimize
performancebydisablingthegraphicalfeaturesavailableontheExperiencetab.TheLocalResourcestabiswhereyouconfigurewhetherto
bringsoundfromtheremotecomputertotheclient,howtohandleWindowskeycombinations,andwhatlocalresourcesontheclientto
makeavailableontheserver.Thislastoptionisparticularlyimportantbecauseithassecurityimplications.Ifyouconnecttoaserverunderthe
controlofsomeonewhowantstodoyouharmandyouchoosetomakeyourlocaldiskdrivesavailableontheremoteserverthatmalicious
personmaybeabletofigureouthowtoaccessfilesonyourlocalcomputerwithoutyourpermission.Itwouldbeacomplicatedattack,soits
notanissueinmostsituations,howeveritmaybeafeatureyouwishtodisableinhighsecurityenvironments.TheProgramstabiswhereyou

configurethenameandworkingdirectoryforanapplicationtolaunchafterconnectingtotheTSserver.Youcanconfigureserver
authenticationandTSgatewaysettingsontheAdvancedtab.
ConfiguringClientSettingsinActiveDirectory
TherearetwoplacestoconfigureclientsettingsinActiveDirectory.Youcanmodifyacoupleofsettingsbyeditingthepropertiesofeachuser
accountobject.TodosoopenActiveDirectoryUsersandComputers,navigatetothedesiredcontainer,rightclickontheaccountyouwishto
modifyandselectProperties.YoucanconfigurethepathtotheTSuserprofileandtheTShomefolder,asshowninfigure13.

Figure13:ConfiguringtheTerminalServicesProfileforanAccount.

Note:youcanalsoconfiguretheprofileandhomefolderpathsforlocalaccountsbyeditingthepropertiesoftheaccountintheLocalUsers
andGroupssnapin.
Whenmanaginglargenumbersofusersgrouppolicyisamoreconvenientwaytoconfigureallofthesesettings.Thesesettingsareavailablein
thegrouppolicyeditoratComputerConfiguration\AdministrativeTemplates\WindowsComponents\TerminalServices.Forexample,below
thislocation,navigatetoTerminalServer\DeviceandResourceRedirectiontodisabledriveredirectionandtomanageotherrelatedsettings.
Notewellthatsomeofthesettingsareserveroptionswhileothersareclientoptions,readtheirdescriptionscarefullytoensurethatyou
understandwhichsettingsapplytoclients.UserspecificsettingsforTerminalServicescanbefoundatUserConfiguration\Administrative
Templates\WindowsComponents\TerminalServices.
ConfiguringClientSettingsontheServer

ToconfigureclientsettingsontheTSserveropenTerminalServicesConfiguration,rightclickonRDPtcpbelowConnectionsinthedetails
pane,selectProperties,andclicktheClientSettingstab,asshowninfigure14.Youcanconfiguredeviceredirectionandcolordepth,however
thesesettingsareenforcedontheclient.Althoughtheynormallytakeprecedenceoverthesettingsconfiguredontheclientadetermineduser
withadministrativeprivilegesmaybeabletobypassthem.Ofcourse,onlythemembersoftheinformationtechnologystaffwhoactuallyneed
administrativeprivilegeshavethem,right?Right?


Figure14:ConfiguringClientSettingsontheTSServer.

Important:WhenusersconnecttoadefaultinstallationofaserverviaTerminalServicessomeaspectsofthedesktopandapplications
availablewilllookdifferent.ToensureasmootherexperienceforendusersinstalltheDesktopExperiencefeatureusingServerManager.This
willinstallapplicationsandfeaturestheywillbefamiliarwithfromWindowsVistasuchasWindowsMediaPlayerandWindowsCalender.
ConfigureTerminalServicesServerOptions
ToconfigureTSserversettingsopenTerminalServicesConfiguration,rightclickonRDPtcpbelowConnectionsinthedetailspane,andselect
Properties.YouconfigureencryptionandauthenticationontheGeneraltab,themostsecurevaluesaretouseSSL(TLS1.0)forthesecurity
layerwithandencryptionlevelofFIPSCompliantandNetworkLevelAuthenticationenabled,asshowninfigure15.However,usingthese
valueswillcauseproblemswitholderversionsofRDC.

Figure15:ConfiguringTerminalServicesEncryption.

UsetheLogonSettingstabtohaveallincomingconnectionslogonwiththesameaccount,howeverusethissettingwithcautionasit
increasestheriskofanunauthorizedpersonaccessingtheserver.YoucanconfiguresessionlimitsontheSessionstabsothatdisconnected
sessions,idle,oractivesessionsareterminatedafterthespecifiedtime.Thiscanhelpensurethatmemoryisnotwastedonsessionsthatare
notbeingused.TheEnvironmenttabisusedtospecifyaprogramtobelaunchedautomaticallyforeachuserwhentheyconnect.Youcan
configurewhetherremotecontrolisallowed,andifsowhethertheusermustgrantpermissionontheRemoteControltab.Remotecontrolis
veryusefulwhentroubleshootingortrainingusers,howeveramaliciousadministratorcouldusethisfeaturetosurreptitiouslyobserve
anotheremployeeworkingwithsensitivedata.Thisconcernshouldbelowonyourlistofprioritiesthough,ifyougiveadministrativeprivileges
topeoplewhoarenottrustworthythenyouhavemuchbiggerproblemsthentoworryaboutthanTSremotecontrol.Youcandefinewhich
networkadapterswilllistenforRDPconnectionrequestsandlimitthenumberofsimultaneousconnectionsontheNetworkAdaptertab.

TherearetwowaystospecifywhichusersareabletologintotheTSserverviaRDP:byconfiguringthegroupsandaccountsontheSecuritytab
ofthisdialogbox,asshowninfigure16,orbyadjustingmembershipintheRemoteDesktopUsersgroup.Thesecondmethodisthepreferred
onebecauseitissimplerandlesslikelytoleadtomisconfiguration.

Figure16:ViewingRDPPermissions.

Whenmanaginglargenumbersofserversgrouppolicyisamoreconvenientwaytoconfigurethesesettings.Youcanfindtheminthegroup
policyeditoratComputerConfiguration\AdministrativeTemplates\WindowsComponents\TerminalServices.Rememberthatsomeofthe
settingsareserveroptionswhileothersareclientoptions,readtheirdescriptionscarefullytoensurethatyouunderstandwhichsettingsapply
toservers.
ManagingActiveSessions
ToviewandmanageactivesessionsopenTerminalServicesManager.RightclickontheTerminalServicesManagernodeinthenavigation
treetoaddmoreserverstothemanagementlistandtoorganizethemintocustomgroups.Selectaserverinthenavigationtreetoviewthe
activesessions.Therearethreetabsinthedetailspane,makesuretheUserstabisselected.Youcanrightclickonasessiontodisconnectit,
takeremotecontrol,resetit,sendtheuserapopupmessage,andforcetheusertologoff.ClicktheSessionstabtoseethelistofsessionsand
theircurrentstatus,rightclickonanytoperformthesametasksnotedforusers.TheProcessestabdisplaysalloftherunningprocessesonthe
TSserverincludingwhichaccountwasusedtoexecuteit.ItissimilartoTaskManager,butyoucanalsoviewprocessesonremoteterminal
servers.RightclickonaprocessandselectEndProcesstoforciblyterminateit.
Summary
Inmyopinion,TerminalServicesisoneofthebestfeaturesinWindowsServer2008.Itisawesomeformanagingremoteservers,especiallyfor
systemsadministratorswhoarenotcomfortableusingthecommandpromptandwritingscripts.Itsalsoagreatwaytocentralizemanagement
ofenduserapplications.Regardingexampreparation,thistechnologymakesupaconsiderableproportionofthecontentanditsimportant
thatyouhaveasolidunderstandingofhowtoimplement,manage,andtroubleshootit.
ChapterReview
Thissectionpresentsalistofreviewquestionsdesignedtohelpreinforcetheknowledgepresentedearlierinthechapter.Topersuadeyouto
explorethemanagementtoolsmoredeeplyafewquestionsmayrequireyoutoexaminethosetoolsfurtherratherthanrereadingthechapter.
Questions

1.

2.

3.

4.

5.

6.

7.

8.

9.

UserscomplainthattheRDCwindowtakesuptoomuchspaceontheirWindowsdesktop.Theyonlyneedtoaccessacoupleof
programsontheTSserver,buttheystartmenuandotheruserinterfaceelementsofterminalservicesandtheRDCwastevaluable
realestate.Whatshouldyoudotohelptheusers?
a. TelltheuserstorunRDCinfullscreenmode.
b. TelltheuserstoreducethescreenresolutionwithintheirRDCsession.
c. InstallanadditionalmonitorforeachuserscomputersothattheycanmovetheRDCwindowtoitsownmonitor.
d. DeployTSRemoteAppforeachapplication.
WhichTerminalServicesroleservicemakesitpossibletodistributeincomingconnectionrequestsacrossseveralTSservers?
a. TSWebAccess.
b. TSGateway.
c. TerminalServer.
d. TSSessionBroker.
e. NetworkLoadBalancing.
IfalicensingmodeandlicenseserverhavenotbeenspecifiedhowmanyconnectionsdoesTSallow?
a. 0
b. 1
c. 2
d. 3
e. Unlimited.
YoudeployaserverwithboththeTerminalServicesandTSWebAccessroleservices.YoucreateseveralRemoteAppprogramson
theserverandconfigurethemtobeshowninTSWebAccess.Youwantremoteuserstobeabletotheapplicationswithouthavingto
establishadedicatedVPNconnectionsocreateanaccessruleontheperimeterfirewallallowingTCPports80and443totheserver.
WhichtwoofthefollowinganswerswilltheremoteuserstoaccesstheRemoteAppprograms?(choose2)
a. CreateanotheraccessruleonthefirewallrulethatallowsportTCPport3389totheserver.
b. InstalltheTSGatewayroleontheserverandconfigureappropriateaccesspolicies.
c. InstalltheTSSessionBrokerrole.
d. DeploytwoadditionalserverswiththeTerminalServicesserverrole,configurethemidenticallytothefirstserver,
configureroundrobinDNStodistributeincomingaccessrequestsacrossallthreeservers.
YoudeployafarmofTSserversandaTSSessionBrokerserver.Everythingworksgreat,nowyouwanttoenableaccessforremote
userswiththeminimuminvestmentofadditionalresources.TheremoteuserswillneedtoaccesstheTSserversfromjustaboutany
locationimaginablethathasInternetconnectivity.Whatstepsremain?(choose2)
a. InstallanInternetSecurityandAcceleration(ISA)server.
b. CreaterulesforTCPport3389thatallowincomingtraffictoaccessthefarmofTSservers.
c. InstallTSGatewayonaserver.
d. ConfigureappropriateTSResourceAuthorizationPolicies(TSRAP)andTSConnectionAuthorizationPolicies(TSCAP).
e. CreateapublishingruleforTerminalServicesthatpointstothefarmofTSservers.
YouinstallTerminalServicesandconfigureittoallowaccessfordomainuserswhoareontheinternalnetwork.WindowsVista
clientsareabletoestablishconnectionsandlogontotheWindowsdesktopusingRDCbutWindowsXPclientsareunableto.What
shouldyoudotoresolvethisquickly?
a. ConfiguretheTSserversothatitwillallowconnectionsfromcomputersthatdonotsupportNetworkLevelAuthentication.
b. UpgradetheWindowsXPcomputerstoWindowsVista.
c. InstallServicePack3ontheWindowsXPcomputers.
d. InstallthelatestversionofRDContheWindowsXPclients.
YoudeployaTSserverfarmwithaTSSessionBrokerServerandWindowsNetworkLoadBalancing.YoudeployaTSGatewayserver
thatpointstotheserverfarmandconfigureappropriateaddressrecordsontheinternalandexternalDNSservers.Usersareableto
accesstheTSserverfarmfromthecorporatenetworkhowevertheyareunabletodosowhenworkingremotely.Whatarethemost
likelyreasonsfortheproblem?(pick2)
a. TheWindowsFirewallwithAdvancedSecurityontheTSservershasnotbeenconfiguredtoallowRDPtrafficfromtheTS
Gatewayserver.
b. TheperimeterfirewallhasnotbeenconfiguredtoallowinboundHTTPtraffictoreachtheTSGatewayserver.
c. TheTSRAPandTSCAPpolicieshavenotbeenconfigured.
d. TheusersarenotmembersoftheRemoteDesktopUsersgroupontheTSservers.
e. TheWindowsFirewallwithAdvancedSecurityontheTSservershasnotbeenconfiguredtoallowRDPtrafficfromthe
remoteusers.
Youdeployandconfigure4TSserversinafarmwithaTSSessionBrokerServer.YouinstallandconfigureWindowsNetworkLoad
Balancingastheloadbalancingmethod.Afterseveralweeksyourealizethatoneserveristakingabout70%oftheconnectionsandis
alwaysrunninglowonsystemresourceswhiletheotherthreeservershaveabout10%eachandhaveagreatdealofCPUpowerand
systemmemorytospare.Whatshouldyoudotoensureallfourserversarebeingusedefficiently?
a. Installadditionalmemoryandprocessorsinthebusiestserver.
b. InstalladditionalTSserversinthefarmuntilthebusiestserverisnolongeroverwhelmed.
c. Instructtheuserstoconnectdirectlytothethreelessbusyserversbyspecifyingtheiraddressesratherthantheaddress
sharedbythefarm.
d. Checktherelativeweightconfigurationofeachserverinthefarmtoensurethattheyaresetappropriately.
Whatarethe3waystoactivateTSLicensingservers?(choose3)
a. OvertheInternetfromthelicensingserver.
b. Bytelephone.
c. Bymail.
d. Bytelegraph.
e. OvertheInternetfromanothercomputer.
f. Bypurchasingclientaccesslicensesfromyourauthorizedreseller.

10. YouhaveconfiguredyourTSserverstouseperuserlicensing.WhatshouldyoudotorecoverCALsfromuserswhohaveleftthe
organization?
a. Youcannot,youmustpurchaseadditionalCALs.
b. Donothing.
c. OpenTSLicensingManagerontheserverrunningtheTSLicensingserverrole,rightclickontheserverinthenavigation
treeandselectRecoverExpiredLicenses.
d. OpenTerminalServicesConfigurationoneachTSserver,rightclickonRDPTcpinthedetailspain,selectProperties,and
clickReleaseExpiredLicenses.
11. YouisrequiredtoenabletheremotecontrolfeatureofTerminalServices?
a. ThefeaturemustbeenabledoneachusersRDCclient.
b. ThefeaturemustbeenabledontheTSserver.
c. AvalidSSLcertificatemustbeinstalledontheTSserver.
d. ThefeatureisnolongeravailableinWindowsServer2008.
e. DownloadanddeploytheadvancedRDCclient.
12. WhatarevalidmethodstocontrolwhichusersareabletoaccessTerminalServices?(choose2)
a. ConfiguremembershipinthelocalRemoteDesktopUsersgroup.
b. ConfiguremembershipinthedomainRemoteDesktopUsersglobalgroup.
c. ModifypermissionsontheRDPTcpconnectionforeachTSserverusingTerminalServicesConfiguration.
d. ConfigurepoliciesusingWindowsSystemResourceManager.
e. OnlyinstallCALsontheclientcomputersthatyouwanttobeabletoaccessTerminalServices.
Answers
1. Discorrect.TSRemoteAppwascreatedspecificallytohelpwiththissituationandtomakeusingTSlesscomplexforusers.NeitherA
norBadequatelyresolvetheproblem,andwhileCmaybethemostappealingtotheusersitsalsomoreexpensive.
2. Discorrect,althoughNLBScouldbeusedastheloadbalancingmethodinconjunctionwithTSSessionBroker
3. Ciscorrect,TSallowstwoconnectionsforremoteadministration.
4. AandBarecorrect,allowingport80meansthatHTTPtrafficcantransitthefirewallbuttheRDPtrafficrequiresTCPport3389.You
couldeitheropenthatportorusetheTSGatewayserverroletoencapsulatetheRDPtrafficinHTTPS,whichrequiresTPCport443by
default.
5. CandDarecorrect,deployingTSGatewaywouldbelessexpensivethandeployingISAServerorafullVPNandTSGatewayisableto
traverseawiderangeofnetworksincludingthosethatusenetworkaddresstranslation(NAT)andproxyservers.TSGatewayrequires
TSRAPandTSCAPpoliciestospecifywhatinboundconnectionsareallowedandwhatresourcescanbeaccessed.
6. Aiscorrect,WindowsXPdoesnotsupportNetworkLevelAuthenticationevenwithSP3andthelatestRDCclient.Usersconnecting
fromcomputersrunningWindowsXPwillseethefollowingerrormessage:TheremotecomputerrequiresNetworkLevel
Authentication,whichyourcomputerdoesnotsupport.Forassistancecontactyoursystemadministratorortechnicalsupport.
AnswerBwouldresolvetheissuebutitsmoretimeconsumingandthequestionaskedforaquickresolution.
7. BandCarecorrect,theyarethemostlikelycauseofsuchissues.ItspossiblethattheWindowsFirewallontheTSserversisblocking
trafficfromtheTSGateway,butunlikelysincebydefaultsuchtrafficisallowed,thereforeAiswrong.Disincorrectbecausethe
groupmembershipisclearlynottheissuesinceuserscanconnectfromthecorporatenetwork.Eiswrongbecausetheremoteusers
connectthroughtheTSGateway,theydonotconnectdirectlytotheTSservers.
8. Discorrect,itappearsthatsomeoneconfiguredtherelativeweightofthebusyserverwithavalue10timesgreaterthantheothers.
Sincethedefaultvalueforrelativeweightis100itsprobablethatthebusyserverwassetto1000.
9. A,B,andEarecorrect,apologiesformysadattemptathumorinanswerD.
10. Biscorrect,eachCALisgrantedarandomperiodofvalidityfrom52to89days.Whenauserconnectswithalicensethatiswithin7
daysofexpirationtheTSserverwillattempttorenewit.ACALwillautomaticallyexpireandbereturnedtotheCALpoolifthe
systemorusertowhichitisassignedstopsusingit.
11. Biscorrect,remotecontrolcanbeenabledoneachserverbyconfiguringthepropertiesfortheRDPTcpconnectioninTerminal
ServicesConfigurationorviaGroupPolicy.
12. AandCarecorrect.Biswrongbecausethereisnosuchdomaingroup;DandEareincorrectbecause,well,neitherprocedureis
possible.