Terminal Services: Windows Server 2008 (R2)
I would like to start a series of articles about using Windows Terminal Server. Here is what I would like to share with a reputable community:
What sets this series apart from numerous Windows Terminal Services articles?
Firstly, it emphasizes the creation of fault-tolerant systems (starting with WS2008, everything necessary for this is available directly in Windows, without the use of additional equipment and programs). Secondly, it is the integration of all the many technologies under the roof of Terminal Services. Thirdly, I will touch upon the issues of daily, periodic and emergency servicing of Terminal Services roles, as well as monitoring and reporting. And fourthly, this series is based on more than three years of experience working with Windows Server 2008 (and more than a year when migrating from WS2008 to R2 and working with the beautiful, gorgeous WS2008 R2). How is this possible, you ask, because WS2008 came out a year ago, I only released R2 recently? The answer is simple: I work at Microsoft IT and was directly involved in “dog food” of Terminal Services and their subsequent transfer to a full-fledged production service.
Another caveat before we get to the point: I try to use tracing paper with English terms as little as possible, and believe that “dog food”, “production” and the like were a tough nut for me: I didn’t pick up good Russian words, I decided to use simple transliteration. So if you do not grasp the meaning of these words, or want to offer a Russian analogue - comment, but I still ask for some leniency - it is very difficult to adequately translate terms like Single sign-on.
So, what did WS2008 bring to TS in comparison with WS2003?
The list of all the innovations is very extensive: here is the change in architecture (for example, there is no more session 0 (aka “console session”)), and the introduction of new group policies, and much more. We will touch on some minor improvements, but for now we will focus on major changes.
In the next article (well, of course, if anyone is interested in this), we will consider the innovations of WS2008R2 (aka Win7 Server) compared to WS2008, and finally, let's get down to business.
- Overview of innovations in WS2008 and WS2008R2
- Terminal server
- Install Terminal Server
- Software installation
- Basic monitoring
- Terminal server farm
- Planning
- Redirection and Session Broker
- User profiles
- Monitoring and maintenance
- TSWA / RemoteApp
- WS2008 and R2: differences
- Planning and installation
- application filtering
- TS Gateway
- Principles of operation and conditions necessary for installation
- Installation and setup
- Detailed review of authorization policies
- TS Gateway Farm
- Maintenance, monitoring and collection of connection statistics
- TSG / TSWA / TS Integration
- Vdi
- General integration
What sets this series apart from numerous Windows Terminal Services articles?
Firstly, it emphasizes the creation of fault-tolerant systems (starting with WS2008, everything necessary for this is available directly in Windows, without the use of additional equipment and programs). Secondly, it is the integration of all the many technologies under the roof of Terminal Services. Thirdly, I will touch upon the issues of daily, periodic and emergency servicing of Terminal Services roles, as well as monitoring and reporting. And fourthly, this series is based on more than three years of experience working with Windows Server 2008 (and more than a year when migrating from WS2008 to R2 and working with the beautiful, gorgeous WS2008 R2). How is this possible, you ask, because WS2008 came out a year ago, I only released R2 recently? The answer is simple: I work at Microsoft IT and was directly involved in “dog food” of Terminal Services and their subsequent transfer to a full-fledged production service.
Another caveat before we get to the point: I try to use tracing paper with English terms as little as possible, and believe that “dog food”, “production” and the like were a tough nut for me: I didn’t pick up good Russian words, I decided to use simple transliteration. So if you do not grasp the meaning of these words, or want to offer a Russian analogue - comment, but I still ask for some leniency - it is very difficult to adequately translate terms like Single sign-on.
Overview of Terminal Services innovations in Windows Server 2008 and Windows Server 2008 R2.
So, what did WS2008 bring to TS in comparison with WS2003?
The list of all the innovations is very extensive: here is the change in architecture (for example, there is no more session 0 (aka “console session”)), and the introduction of new group policies, and much more. We will touch on some minor improvements, but for now we will focus on major changes.
Terminal server
- New RDP 6.1 protocol. The three most significant improvements:
- the ability to work via SSL (when using TS Gateway)
- significant client security improvements (passwords are not stored in RDP files, server certificate verification)
- new mode of operation: RemoteApp applications
- New drainstop mode. It allows you to stop servicing requests for new sessions, but does not affect already created ones, and also plays an important role in VDI and in some scenarios for creating fault-tolerant server farms. We will definitely consider its application.
- New NLA authentication mode (Network Level Authentication, not to be confused with Network Location Awareness). Allows you to authenticate the user even before showing him the classic login form (logon screen). This mode is in most cases incompatible with TS Gateway, and we will definitely figure out why.
- Support for EasyPrint technology. In WS2003, in order for a client to print from a server session to a local printer, the drivers for this printer must be installed on TS. EasyPrint solves this problem.
EasyPrint is available in Vista and Win7 out of the box; to use it on XP, you need to install .net and several updates. - New Group Policies for TS Management. Some of them will be considered later.
Session broker
- WS2003 was called "Session Broker"
- Support for load balancing based on the number of sessions per TS. Allows you to create fault tolerant terminal server farms without the use of additional hardware. We will discuss this in a separate article.
Terminal Services Gateway
It did not exist until WS2008. It allows connecting clients from other networks (for example, from the Internet) to terminal servers and client computers (XP, Vista, Win7) via the RDP protocol through an SSL tunnel, while not connecting the networks themselves. (This explanation may seem unnecessarily confusing, but it reflects the essence well. We will return to this in the article on TS Gateway). For now, I note that this excellent technology allows in many cases to avoid the use of RAS / VPN and significantly improve the security of the connection.By the way, the technology won the Security Award at the Engineering Excellence Forum'08, and I am very pleased that I also put some effort into this.
Terminal Services Web Access
It did not exist until WS2008. Lets you create a website that publishes RemoteApp applications and a form for connecting to workstations in your organization. This technology is very often confused with TS Gateway, so I immediately emphasize that TSWA does not deal with the actual “Access” - this is an example of a slightly unfortunate name. The most interesting application of this technology is in combination with TS Gateway, and we will deal with this in an article on the integration of Terminal Server, TS Gateway and TS Web Access.In the next article (well, of course, if anyone is interested in this), we will consider the innovations of WS2008R2 (aka Win7 Server) compared to WS2008, and finally, let's get down to business.
Separately, I note that the lack of links, pictures and practical recommendations is more than compensated for later, when we begin to consider technologies in more detail. I hope it will not be boring.