Configuring Windows Server 2008 Remote Desktop Administration

From Techotopia
Revision as of 18:37, 14 July 2008 by Neil (Talk | contribs) (Running Multiple Remote Desktops)

Jump to: navigation, search

Windows Server 2008 is, as the name suggests, a server operating system. In the real world this means that systems running Windows Server 2008 will most likely be located in large rack systems in a server room. As such, it is highly unlikely that system administrators are going to want to have to physically visit each of these servers to perform routine administrative tasks such as system configuration and monitoring. A far preferable scenario involves these administrators remotely logging into the servers from their own desktop systems to perform administrative tasks. Fortunately Windows Server 2008 provides precisely this functionality through Remote Desktop and the remote administration features of the Machine Management Console (MMC). In this chapter we will look at the steps necessary to remotely administer Windows Server 2008 systems using Remote Desktop. For details of remote administration using MMC refer to Windows Server 2008 Remote Administration using the MMC.


Contents

What is Remote Desktop?

Remote Desktop allows the graphical interface of a remote Windows system to be displayed on a local system. In addition, keyboard and mouse events on the local system are transmitted to the remote system enabling the local user to perform tasks on the remote system as if they were physically sitting at the remote system. This remote control can be established in a number of ways, including over wide area networks (WAN), local area networks (LAN) or over the internet.

In the case of Windows Server 2008, this service is provided by Terminal Services running on the remote systems and the Remote Desktop Connection (RDC) client on the local system.

Terminal Services run in two different modes, Remote Desktop for Administration and Terminal Server. Remote Desktop for Administration provides full administration functionality to the remote administrator (including access to the console session and visibility of notification messages). Remote Desktop for Administration is the equivalent to working directly at the remote system's console. In Terminal Server mode the user is subject to some limitations such as the ability to install applications and view console notification messages.

Windows Server 2008 imposes some administrator logon restrictions. Specifically, a maximum of two administrators may be logged on at any one time, either two logged on remotely, or one local and one remote administrator. This assumes, however, that different accounts are being used to log on. In other words, the same user may not log on locally and remotely simultaneously.

Enabling Remote Desktop Administration on the Remote Server

As mentioned previously, remote desktop functionality on the server is provided by Terminal Services. It is important to note, however, that Terminal Services do not have to be explicitly enabled on the server in order to support Remote Desktop Administration. In fact, all that needs to be done is to enable Remote Desktop Administration. This is configured by opening the Control Panel from the Start menu and selecting the System icon (if the Control Panel is in Control Panel Home mode this is located under System and Maintenance). In the Task section in the top left hand corner of the System page select Remote settings to display the following properties window:


The Windows Server 2008 Remote Desktop Properties Dialog


The Remote properties dialog provides a number of options. The default setting is to disallow remote connections to the computer system. The second option allows remote desktop connections from any version of the Remote Desktop client. The third, and most secure option, will only allow connections from Remote Desktop clients with Network Level Authentication support. This typically will only allow access to systems providing secure network authentication such as Windows Vista and Windows Server 2008.

If the Windows Firewall is active, the act of enabling Remote Desktop administration also results in the creation of a firewall exception allowing Remote Desktop Protocol (RDP) traffic to pass through on TCP port 3389. This default port can be changed by changing this setting in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-tcp\PortNumber. The easist way to locate this registry key value is to execute regedit from the Run window or a command prompt, select Edit - > Find and enter RDP-tcp.


Controlling Remote Desktop Access

The default configuration for Remote Desktop is to allow all members of the Administration group to connect remotely. Active Directory also contains a Remote Desktop Users group to which users may be added to provide Remote Desktop access privileges. To provide users with remote desktop open the Control Panel -> System and Maintenance -> System -> Remote settings and click on the Select Users button to invoke the Remote Desktop Users dialog illustrated in the following figure:


Selecting Windows Server 2008 Remote Desktop Users


Note that user sith administrative privileges do not not need to be added to this list, by default they already have Remote Desktop access. To add additional users click on the Add... button to display the Select Users dialog. Enter the name of the user in the text box entitled Enter object names to select and click on Check names to list names that match the name entered. Select the appropriate name from the list. The following example shows user Bill on server winserver-2:


Selecting a user for remote access


Click on OK to apply the change. The new user will now appear in the list of users with Remote Desktop access on the remote users screen. Click OK to close this screen and click on Appy in the System Settings screen. The specified user will now have remote desktop access to the system.

Remote Desktop Group Policy

A vast array of configuration options for Terminal Services and Group Policy are available through Group Policy settings. To access these values start the Group Policy Object Editor (open the Start menu and enter gpedit.msc into the Search box). In the Group Object Policy Editor navigate to Computer Configuration\Administrative Templates\Windows Components\Terminal Services or User Configuration\Administrative Templates\Windows Components\Terminal Services.

Policy options include, amongst other options, items such control over resource redirection (printers, audio etc), setting session time limits and security settings.

Starting the Remote Desktop Client

With the appropriate configuration tasks completed on the remote system the next step is to launch the Remote Desktop Client on the local system. The client can be run in either administration mode which provide full integration with the console of the remote server and virtual session mode which provides administrative privileges but does not provide console access.

To invoke the Remote Desktop Client in virtual session mode either select Start -> All Programs -> Accessories -> Remote Desktop Connection or enter the following in the Run dialog or at a command prompt: 

mstsc

To start the Remote Desktop Client in administrator mode run the following command: 

mstsc /admin

In either case the following initial screen will appear requesting details of computer to which the client is to connect:


Specifying the Remote Computer


This can either be an IP address or a computer name. If previous connections have been established the User name field will be populated with the user name used in the preceding session. If you need to log in as a different user this option will be provided on the next screen which appears after the Connect button is pressed:


Windows Serevr 2008 Remote Desktop Security Screen


In this screen enter the password for the selected user (note that remote desktop accessis not available for user accounts which are are not password protected). If a user other than the one displayed is required simply click on the 'Use another account link and enter the necessary details. Click on OK to establish the connection. After a short delay the remote desktop will appear on the lcoal computer screen.

Remote Desktop Client Configuration Options

The Options button displayed on the initial screen of the Remote Desktop Client provides six tabs,each containing a range of configuration options:

  • General - Allows login credentials to be configured and saved.
  • Display - Configures the resolution and color settings to be used when displaying the remote desktop on the local system.
  • Local Resources - Specified which local resources (sound, disk drives, printers etc) are to be made accessible to the remote system during the Remote Desktop session. This page also provide options to control the situations under which special key combinations such as Ctrl-Alt-Del are interpreted by the local or remote systems.
  • Programs - Allows specified programs to be automatically invoked each time a remote sessions is established.
  • Experience - Control which desktop features are enabled or disabled for the Remote Desktop session. For example. over a slow dialup connection it is unwise to have the desktop background displayed. Either select the connection type and speed to see recommended settings, or use Custom to configure you own settings. This particular screen also provides the option to have connected automatically re-established in the event that a session is dropped.
  • Advanced - Enables and disables remote server verification. this ensures that the remote server to which you are connected is indeed the server you wanted. Also available are TS Gateway settings. By default the Remote Desktop Client is configured to automatically detect TS Gateway settings.

Remote Session Tracking

With Remote Desktop access implemented it is often useful to find out at times who is logged into a system. This can be achieved using the qusers command line tool. To obtain details of logged in users on a local system simply run quser at a command prompt or in a Run dialog: 

C:Users\Administrator> quser
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc         3:18  7/11/2008 12:36 PM
 bill                  rdp-tcp#0           2  Active          .  7/14/2008 9:11 AM
 nas                   console             3  Active      none   7/11/2008 12:58 PM

To obtain information for a remote system simply run quser with the /server:<hostname> command-line option. For example: 

C:\Users\Administrator> quser /server:winserver-2
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 administrator                             1  Disc         3:22  7/11/2008 12:36 PM
 bill                  rdp-tcp#0           2  Active          .  7/14/2008 9:11 AM
 nas                   console             3  Active      none   7/11/2008 12:58 PM

Logging out from a Remote Desktop Session

When the Remote Desktop Client is exited by pressing the 'X' on the control panel the remote session continues to run on the server even though no client is connected. Next time the user connects the desktop session will appear exactly as it was left before.

To end the session select Start, click on the right arrow button in the bottom right hand corner of the menu and select Log Off. This will close down the remote desktop session and close the remote desktop client.

Running Multiple Remote Desktops

Multiple concurrent remote desktops can be run and managed within a single window using the MMC Remote Desktops snap-in. This may either be snapped into the MMC or launched from the command-line or a Run dialog by typing: 

tsmmc.msc

Once launched right click on the Remote desktops item in the tree in the left hand panel and select Add a new connection from the menu. Once selected the Add New Connection dialog will appear as follows:


Adding a new connection to the Remote Desktops snap-in


In this dialog enter the IP address or computer name of the remote system together with the User name and the name to be assigned to this connection (this is essntial the name by which this connection will be listed and administered inside the Remote Desktops snap-in). For an administrative session (as opposed to a virtual session) set the Connect with /admin box. Click OK to add the session to the snap-in. Once added the session will appear in the left hand panel under Remote Desktops. Repeat these steps to add connections to additional remote systems.

To establish a remote desktop connection right click on thename of the session and select Connect from the menu. The remote session will appear in the window. To start anotehr session simply right click on the session name and once again select Connect. To switch between sessions simply click on the name of the session in the tree and the corresponding desktop will be displayed. The following figure illustrates two sessions running in Remote Desktops:


Multiple remote desktops running in the Windows Server 2008 Remote Desktops Snap-in


To change configuration options for each session right click on the desired session in the left hand panel and select Properties. This panel has a number of tabs which enable credentials, screen size and program start properties to be defined.

Retrieved from "https://www.techotopia.com/index.php?title=Configuring_Windows_Server_2008_Remote_Desktop_Administration&oldid=5609"