
Document: Windows Server 2008 R2 Remote Desktop Services Resource Kit Book (pdf)


DOCUMENT INFORMATION

Basic information

Title: Windows Server 2008 R2 Remote Desktop Services Resource Kit Book
Author: Christa Anderson
Institution: Microsoft Corporation
Field: Information Technology
Type: Resource kit guide
Year published: 2010
City: Redmond
Format:
Pages: 719
Size: 7.78 MB


Contents

This is a detailed technical resource for planning, deploying, and running Microsoft Remote Desktop Services (RDS). Because some features of RDS are brand new, this book is valuable both

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2010 by Christa Anderson

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2010934986

Printed and bound in the United States of America.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Valerie Woolley and Megan Smith-Creed
Editorial Production: Custom Editorial Productions, Inc.
Technical Reviewer: Alex Juschin; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Cover Design: Tom Draper Design; Illustration: Todd Daman
Body Part No. X17-21601

I dedicate this book to my family, who has always been supportive, always pushes me to do my very best I can do, and always has a “Go team!” waiting when I really need one.

—Christa

I dedicate this book to Elizabeth Nelson Lyda and Michael B. Smith for taking me under your wing back in the day, and for always believing in me. You were great mentors and are great friends.

—Kristin

Contents at a Glance

CHAPTER 2 Key Architectural Concepts for Remote Desktop Services 39
CHAPTER 3 Deploying a Single Remote Desktop Session Host Server 117
CHAPTER 4 Deploying a Single Remote Desktop Virtualization Host Server
CHAPTER 5 Managing User Data in a Remote Desktop Services Deployment
CHAPTER 7 Molding and Securing the User Environment 363
CHAPTER 8 Securing Remote Desktop Protocol Connections 401
CHAPTER 10 Making Remote Desktop Services Available from the Internet 507
CHAPTER 12 Licensing Remote Desktop Services 643

What do you think of this book? We want to hear from you!

Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

microsoft.com/learning/booksurvey

Contents

Chapter 1 Introducing Remote Desktop Services
Where Did RDS Come From? 2
The Evolving Remote Client Access Experience 6
What Can You Do with RDS? 7
Bringing Windows to PC Unfriendly Environments 10
Business Continuity and Disaster Recovery 11
RDS for Windows Server 2008 R2: New Features 12
The Changing Character of RD Session Host Usage 13
New RDS Technology in Windows Server 2008 R2 19
How Other Services Support RDS 32
Authenticating Servers with Certificates 34
Enabling WAN Access and Displaying Remote Resources 34
Functionality for RDS Scripters and Developers 35
Summary 35
Additional Resources 36

Chapter 2 Key Architectural Concepts for Remote Desktop Services 39
Know Your Application Delivery System 40
Relevant Windows Server 2008 R2 Internals 41
How Does Disk Affect Application Delivery? 56
How Does Virtualization Affect Resource Usage? 59
Determining System Requirements for RD Session Host Servers 66
An Alternative to Full Testing: Extrapolation 91
Supporting Client Use Profiles 99
What Applications Can Run on an RD Session Host Server? 101
What Version of Remote Desktop Connection Do I Need? 109
What Role Services Do I Need to Support My Business? 114
Summary 114
Additional Resources 115

Chapter 3 Deploying a Single Remote Desktop Session Host Server 117
How RD Session Host Servers Work 117
Installing an RD Session Host Server 134
Installing an RD Session Host Server Using the Administrative
Installing an RD Session Host Server from the Command Line 142
Essential RD Session Host Configuration 144
Enabling Plug and Play Redirection with the Desktop Experience 150
Adjusting Server Settings with Remote Desktop Configuration 150
Installing Applications on an RD Session Host Server 164
Summary 174
Additional Resources 174

Chapter 4 Deploying a Single Remote Desktop Virtualization Host Server
What Is VDI? 175
How Microsoft VDI Works 178
The Central Role of the RD Connection Broker 179
Installing Supporting Roles for VDI 188
Installing RD Virtualization Host Role Service via Windows PowerShell 192
Configuring the RD Connection Broker Server 197
Configuring Personal and Pooled VM Properties 216
Using RemoteApp for Hyper-V for Application Compatibility 218
Can You Use RemoteApp for Hyper-V Without RDS? 222
Summary 224
Additional Resources 224

Chapter 5 Managing User Data in a Remote Desktop Services Deployment
How Profiles Work 226
Profile Contents External to the Registry 233
Design Guidelines for User Profiles 242
Prevent Users from Losing Files on the Desktop 245
Upload Profile Registry Settings in the Background 246
Speed Up Logons 246
Deploying Roaming Profiles with Remote Desktop Services 248
Converting an Existing Local Profile to a Roaming Profile 254
Using Group Policy to Manage Roaming Profiles 257
Using Group Policy to Define the Roaming Profile Share 267
Centralizing Personal Data with Folder Redirection 275
Sharing Personal Folders Between Local and Remote Environments 278
Sharing Folders Between Windows Server 2003 and Windows Server 2008
Setting Standards with Mandatory Profiles 281
Converting Existing Roaming Profiles to Mandatory Profiles 283
Decrease Logon Times with Local Mandatory Profiles 286
Profile and Folder Redirection Troubleshooting Tips 287
Summary 288
Additional Resources 289

Chapter 6 Customizing the User Experience
How Remoting Works 291
What Defines the Remote Client Experience? 293
The Foundation of RDP: Virtual Channels and PDUs 296
Moving the Client Experience to the Remote Session 307
Which Client Devices Can You Add to the Remote Session? 307
How the RDC Version Affects the User Experience or Doesn’t 330
Printing with RDP 334
Printing to a Directly Connected Printer 335
Summary 359
Additional Resources 360

Chapter 7 Molding and Securing the User Environment 363
Locking Down the Server 364
Restricting Device and Resource Redirection 365
Preventing Users from Reconfiguring the Server 367
Closing Back Doors on RD Session Host Servers 369
Preventing Users from Running Unwanted Applications 376
Creating a Read Only Start Menu 391
Keeping the RD Session Host Server Available 393
Allowing or Denying Access to the RD Session Host Server 393
Limiting the Number of RD Session Host Server Connections 393
Taking Remote Control of User Sessions 394
Summary 398
Additional Resources 398

Chapter 8 Securing Remote Desktop Protocol Connections 401
Core Security Technologies 402
Using RDP Encryption 409
Authenticating Server Identity (Server Authentication) 410
Creating Test Certificates for a Server Farm 411
Authenticating Client Identity with Network Level Authentication (NLA) 415
Configuring the Security Settings on the RD Session Host Server 417
Configuring Connection Security Using RD Session Host Configuration 417
Configuring Connection Security Using Group Policy 419
Summary 420
Additional Resources 421

Chapter 9 Multi-Server Deployments
Key Concepts for Multi-Server Deployments 423
RemoteApp Programs and Multiple Monitors 428
Creating and Deploying a Farm 431
Distributing Initial Farm Connections 432
Connection Brokering in a Farm Scenario 433
RDS Farm Connection Brokering in Action 434
Permit RD Session Host Servers to Join RD Connection Broker 440
Publishing and Assigning Applications Using RemoteApp Manager 454
Configuring Global RemoteApp Deployment Settings 457
Maintaining Allow List Consistency Across the Farm 469
Configuring Timeouts for RemoteApp Sessions 471
Delivering RemoteApp Programs and VMs Through RD Web Access 478
Installing the RD Web Access Role Service 481
Troubleshooting RD Web Access Permissions 496
Using RemoteApp And Desktop Connections 502
Summary 505
Additional Resources 506

Chapter 10 Making Remote Desktop Services Available from the Internet 507
How RD Gateway Works 507
Understanding RD Gateway Authorization Policies 509
Installing RD Gateway 512
Installing RD Gateway Using Windows PowerShell 515
Creating and Maintaining RD Gateway Authorization Policies 515
Modifying an Existing Authorization Policy 521
Configuring RD Gateway Options 521
Using RD Gateway Computer Groups to Enable Access to a Server Farm 530
Bypassing RD Gateway for Internal Connections 533
Using Group Policy to Control RD Gateway Authentication Settings 533
Monitoring and Managing Active RD Gateway Connections 534
Creating a Redundant RD Gateway Configuration 537
Using NLB to Load Balance RD Gateway Servers 537
Preventing Split SSL Connections on RD Gateway 542
Maintaining Identical Settings Across an RD Gateway Farm 543
Placing RD Web Access and RD Gateway 576
RD Gateway in the Internal Network and Bridged 581
Summary 586
Additional Resources 586

Chapter 11 Managing Remote Desktop Sessions
Introducing RD Session Host Management Tools 590
Connecting Remotely to Servers for Administrative Purposes 598
Managing RD Session Host Servers from Windows 7 599
Organizing Servers and VMs in the Remote Desktop Services Manager 600
Monitoring and Terminating Processes 602
Monitoring and Ending User Sessions 605
Providing Help with Remote Control 610
Enabling Remote Control via RD Session Host Configuration 614
Preparing for Server Maintenance 619
Shutting Down and Restarting RD Session Host Servers 624
Applying RDS Management Tools 631
Differentiating RemoteApp Sessions from Full Desktop Sessions 631
Summary 641
Additional Resources 642

Chapter 12 Licensing Remote Desktop Services 643
The RDS Licensing Model 644
RDS Licensing 644
VDI Licensing 646
License Tracking and Enforcement 648
How RD License Servers Assign RDS CALs 648
Setting Up the RDS Licensing Infrastructure 651
Installing RD License Server 652
RD License Server Connection Methods 653
Activating the License Server 653
Background: How RDS CALs Are Tied to an RD License Server 657
Adding License Servers to AD DS 660
Installing RDS CALs 660
Configuring RD Session Host Servers to Use RD License Servers 662
Configuring RD License Servers to Allow Communication From RD Session Host Servers 663
Migrating RDS CALs from One License Server to Another 663
Rebuilding the RD License Server Database 665
Backing Up an RD License Server and Creating Redundancy 665
Managing and Reporting License Usage 667
Revoking RDS CALs 670
Restricting Access to RDS CALs 671
Preventing License Upgrades 673
Using the Licensing Diagnosis Tool 673
Summary 675
Additional Resources 675

Index 677


This book isn’t the work of just two people. We owe many thanks to the combined efforts of a lot of people at Microsoft, our terrific set of editors, and the greater community. (All this said, any errors in this book are the sole responsibility of the authors.)

One of the best things about working at Microsoft is that a lot of very smart (and very helpful) people work there, and we are grateful for the insights of these people. Throughout this book, you’ll find Direct from the Source sidebars contributed by members of the product team. We also extend our heartfelt thanks to the members of the product team who sat down with us to explain the finer details of how something worked. From the Remote Desktop Virtualization (RDV) team, we’d like to thank Niraj Agarwala, James Baker, Ara Bernardi, Tad Brockway, Vikash Bucha, Yuvraj Budhraja, Hammad Butt, Rommy Channe, Munindra Das, Silvia Doomra, Samim Erdogan, Rajesh Ganta, Costin Hagiu, Al Henriquez, Travis Howe, Olga Ivanova, Gopikrishna Kannan, Sergey Kuzin, Rob Leitman, Raghu Lingampally, Meher Malakapalli, Benjamin Meister, Ranjana Rathinam, Rajesh Ravindranath, Ray Reskusich, Sriram Sampath, Bhaskar Swarna, and Janani Venkateswaran. Even people from other teams got involved. Many thanks to Kyle Beck, Jeff Heatton, Michael Kleef, Timothy Newton, Mark Russinovich, Tom Shinder, Makarand Patwardhan, Bohdan Velushchak, Paul Volosen, and Jon Wojan for your invaluable assistance. We’d also like to thank Christa’s manager, Ashwin Palekar, for his support during this project.

RDS expertise isn’t limited to people at Microsoft, either. Remote Desktop Services MVPs as well as MVPs and experts from other disciplines also pitched in to contribute Direct from the Field sidebars and explain the intricacies of related technologies. Many thanks go to Janique Carbone, Brian Ehlert, Ross Harvey, Helge Klein, Russ Kaufmann, Shay Levy, Brian Madden, Patrick Rouse, Greg Shields, Michael Smith, and Mitch Tulloch.

The great team at Microsoft Press had a huge hand in turning this project from an idea into the book you hold in your hands. We’d like to thank Martin DelRe at Microsoft Press for asking us to write the first edition of the book in the first place, Megan Smith-Creed at Custom Editorial Productions, Inc., for great editing and project management on this edition, and Alex Juschin for tech editing the book. The rest of the editorial team at Custom Editorial Productions, Inc., did a terrific job of copyediting and proofing this text. Thank you all!

Finally, we’d like to thank our friends and families for their support during this big project. We couldn’t have done it without you. We promise to talk about something else now.

Welcome to the Windows Server 2008 R2 Remote Desktop Services Resource Kit! This is a detailed technical resource for planning, deploying, and running Microsoft Remote Desktop Services (RDS). Because some features of RDS are brand new, this book is valuable both for those completely new to RDS and those who have used Terminal Services (its former name) in previous versions of Microsoft Windows.

Within this resource kit, you’ll find in-depth information about the improvements in RDS introduced in Windows Server 2008 R2. This book combines underlying architectural concepts with practical hands-on instructions that allow you to set up a working RDS ecosystem, understand why it’s working, and give you some guidance about how to fix it when it’s not. You’ll also find detailed information and task-based guidance on managing all aspects of RDS, including deploying RD Session Host servers, integrating RDS role services with other key parts of the Windows Server 2008 R2 operating system, and extending the reach of RDS to outside the corporate network. Finally, the companion media includes additional tools and documentation that you can use to manage and troubleshoot RDS role services. Although we mention some third-party tools in the course of this book, this book is fundamentally about running RDS using only the tools found in the operating system. You can do what we’ve done here using only Windows Server 2008 R2. Nor do we get into extensive discussion of any of the third-party tools that many people use with native Remote Desktop Services. For example, many people with high-complexity RDS deployments use management software from Citrix or Quest or other RDS partners, but we don’t discuss it here because it’s not included with the operating system.

ON THE COMPANION MEDIA See the team partner page at http://www.microsoft.com/windowsserver2008/en/us/rds-partners.aspx for a list of companies that make products complementing or expanding on Remote Desktop Services in Windows Server 2008 R2.

What’s New in Remote Desktop Services in Windows Server 2008 R2?

Remote Desktop Services in Windows Server 2008 R2 took a lot of the improvements added in Windows Server 2008 and added the features people had asked for. Want native support for VDI? It’s added to RD Connection Broker. Want fewer logons, security filtering, simplified discovery of available applications and virtual machines (VMs)? It’s in the new version of RD Web Access. Want to address problems discovered via Network Access Policies (NAP), not just shut people out of the network? It’s in the new edition of RD Gateway. Want improved application compatibility? See RD Session Host for IP address virtualization and dynamic fair share scheduling that proactively prevents one session from taking all the processor cycles. Want to stop installing printer drivers on both sessions and VMs? Easy Print now works for both virtualization options.

For those who went straight to Windows Server 2008 R2 from Windows Server 2003, let’s take a look at what the new features add to the former model of a terminal server and a license server.

Simplified Application Delivery and Display

Terminal Services in Windows Server 2003 presented all remote applications from a desktop, completely separating the display of local and remote applications. RemoteApp programs (introduced in Windows Server 2008) launch from a server, but integrate with the local desktop so they look like they’re running locally.

Not only do the applications integrate better with the local desktop, they’re easier to find and distribute, thus making it easier to support a larger and more complex deployment. One of the issues in enabling remote access is how to get the most complete and up-to-date set of remote resources to your user base. This is especially true when you’re providing access to individual applications, not to a full desktop. Using RDS Web Access, you can present links to individual applications or to entire desktops and know that these links will always be up to date. In Windows Server 2008 R2, RD Web Access can present RemoteApp programs from more than one farm as well as VMs. It also, however, supports security filtering so that you can manage an aggregated source for all remote resources but only display to people the ones they should use.

Improved Farm Support

The Session Directory service in Windows Server 2003 offered the beginning of farm support, but was only available for Enterprise SKUs and didn’t include any load balancing—it just kept track of where connections had gone. In Windows Server 2008 R2, RD Connection Broker is available on the Standard SKU, supports load balancing, and can broker connections to both sessions and VMs.

Secure Internet Access

One of the key benefits of Remote Desktop Services is its ability to support mobile workers. We had a great (and extremely itinerant) tech editor, RDS MVP Alex Juschin, for this edition of the book. He’s got a great description of how he used Remote Desktop Services while completing his part:

In your book you can mention that I have been reviewing your book all over the world using the RDP protocol to connect to my home in Dublin via 3G or WiFi. I’ve worked while on a smelly Kebap Bus in Poland, in a freezing hotel in Latvia, while being driven in a high-end coach in Estonia, on the ferry to England, in a pub in Ireland, on a train going down the coast from Belfast, while tasting wine in France, sitting in a nice Brasserie on the island of Jersey, eating Belgian chocolate in Brussels, on a plane to Germany, on a bench with a beautiful view in Zurich, in a café near the Berlin Wall, in a prison in Finland (ok, hotel, but it used to be a prison), and on the highest point of Germany (Zugspitze).

In Windows Server 2003, Terminal Services didn’t support secure Internet access except across virtual private networks. In Windows Server 2008 R2, Remote Desktop Services supports connectivity over Secure Sockets Layer (SSL) via RD Gateway. RD Gateway allows you to set up different rules for local and remote access and does not require any client-side setup. Introduced in Windows Server 2008, in R2, RD Gateway now enforces device and resource redirection decisions made at the gateway and supports NAP remediation.

Simpler and Broader Device Redirection

RDS assumes that a lot of people will be working from computers with local resources, and that those people won’t want to be cut off from their resources when they’re working in their session or VM. It also assumes that the server administrators don’t want to spend more time than necessary making these resources available.

Although printer redirection, as it’s been known in earlier versions of Terminal Services, still works as it did, Easy Print, introduced in Windows Server 2008, helps simplify printer redirection. Rather than requiring administrators to install printer drivers on the server, Easy Print allows redirected printers to use the drivers already installed on the client computer. In Windows 2008 R2, RD Easy Print works with even more printer types and works from both sessions and VMs.

Part of the rich remote work experience is using local devices. Support for local devices has been expanded through the Plug and Play Device Redirection Framework, introduced in Windows Server 2008.

Simplified License Management

Per-user licensing was introduced in Windows Server 2003 but didn’t include any tracking, so you couldn’t easily tell if you were in compliance. Windows Server 2008 R2 allows you to track Per-User RDS CAL usage. Additionally, the Licensing Diagnostics feature can help you resolve licensing issues. Windows 2008 R2 RD License servers can now migrate licenses from one server to another without the help of the Microsoft Clearinghouse. This can be done even if a license server is out of commission.

This is only a partial list of new features—Chapter 1, “Introducing Remote Desktop Services,” describes the Remote Desktop Services features in Windows Server 2008 R2, and the rest of the book explains how to use them. But these are some of the highlights that show how the role has expanded in management and user experience.

ON THE COMPANION MEDIA The authors will post data that is relevant to the Windows Server 2008 R2 Remote Desktop Services Resource Kit on the book’s blog, located at http://blog.kristinlgriffin.com/. You can find this link on the companion media.

How This Book Is Structured

Our goal in writing this book is to help you set up a working Remote Desktop Services farm, as well as VDI pooled and personal VMs using all the pieces in the operating system, while understanding the greater context of the circumstances under which Remote Desktop Services is useful, how it works, and how Windows Server 2008 R2 compares to previous versions. This book has twelve chapters.

■ Chapter 1, “Introducing Remote Desktop Services,” explains where RDS came from and how it has evolved as a platform, what new features are available in this latest iteration, and what you can accomplish with this new version of the product. It also explains how other services support RDS.

■ Chapter 2, “Key Architectural Concepts for Remote Desktop Services,” dives into RDS internals and relevant Windows Server 2008 R2 internals. It also shows you how to determine the hardware and software you will need to support this product in your environment.

■ Chapter 3, “Deploying a Single Remote Desktop Session Host Server,” shows you how RD Session Host servers work, and how to install and configure this role service.

■ Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server,” explains what VDI is, how Microsoft VDI works, and how to install and configure an RD Virtualization Host and the supporting roles.

■ Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” discusses the different types of profiles that work with RDS and how to deploy and troubleshoot user profile solutions and folder redirection.

■ Chapter 6, “Customizing the User Experience,” discusses how remoting works, promoting good client experience in the remote session, and how to print from RDS sessions.

■ Chapter 7, “Molding and Securing the User Environment,” explains why you should lock down the RDS environment and how you should do it, and describes how to provide remote assistance to users from within the user session.

■ Chapter 8, “Securing Remote Desktop Protocol Connections,” discusses RDP encryption, server and client authentication, and how to configure security settings on the RD Session Host server.

■ Chapter 9, “Multi-Server Deployments,” introduces key concepts for multi-server deployments, shows how to create RD Session Host farms, and explains how to publish applications and display resources through RD Web Access.

■ Chapter 10, “Making Remote Desktop Services Available from the Internet,” shows you how to install and configure RD Gateway to provide access to RemoteApps, desktop sessions, and pooled and personal VMs to users located outside the corporate network.

■ Chapter 11, “Managing Remote Desktop Sessions,” shows you how to monitor and terminate processes and user sessions running on an RD Session Host server, how to provide help with remote control, and how to drain RD Session Host servers for maintenance.

■ Chapter 12, “Licensing Remote Desktop Services,” discusses the new RDS licensing paradigm, including both RDS and VDI licensing. This chapter explains how licenses are tracked and enforced; how RD License servers assign RDS CALs; how to install, configure, and maintain RDS License servers; how to diagnose licensing issues with the Licensing Diagnosis tool; and how to migrate licenses from one server to another.

Document Conventions

The following conventions are used in this book to highlight special features or usage.

Reader Aids

The following reader aids are used throughout this book to point out useful details.

READER AID MEANING

Caution: Warns you that failure to take or avoid a specified action can cause serious problems for users, systems, data integrity, and so on.

Note: Underscores the importance of a specific concept or highlights a special case that might not apply to every situation.

On the Companion Media: Calls attention to a related script, tool, template, job aid, or URL on the companion CD that helps you perform a task described in the text.

Sidebars

The following sidebars are used throughout this book to provide added insight, tips, and advice concerning different Remote Desktop Services features.

NOTE Sidebars are provided by individuals in the industry as examples for informational purposes only and may not represent the views of their employers. No warranties, express, implied, or statutory, are made as to the information provided in sidebars.

SIDEBAR MEANING

Direct from the Source: Contributed by experts from the product group who provide “from-the-source” insight into how Remote Desktop Services works, best practices, and troubleshooting tips.

Direct from the Field: Contributed by experts external to the product group who have real-world experience working with Remote Desktop Services. Some experts are Microsoft field engineers; others are Microsoft MVPs or other experts.

How It Works: Provides unique glimpses of Remote Desktop Services features and how they work.

Italic font: Used to indicate variables for which you need to supply a specific value (for example, file name can refer to any valid file name).

%VariableName%: Used for environment variables.

Companion Media

In addition to the book itself, you also get a CD that contains some great tools and other resources. System requirements for running the CD are at the back of this book. The CD includes the following resources.

Links

The companion media includes many links to URLs that lead to more information about Remote Desktop Services-related topics, Remote Desktop Services resources, partner websites, and more. Some of the URLs are referenced throughout the book and some are not.

Management Scripts

On the companion media, you will find a collection of scripts illustrating ways to work with Remote Desktop Services using Windows PowerShell and VBScript. We’ve also included listings in relevant locations in the book so that you can better understand how these scripts support the functionality you’re looking for. Although these scripts are intended as samples instead of finished products, they do useful work such as allowing you to easily determine the shadowing permissions on a server or providing application-usage metering not provided in the GUI.

Find Additional Content Online

As new or updated material becomes available that complements your book, it will be posted online. The type of material you might find includes updates to book content, articles, links to companion content, errata, sample chapters, and more. This website is available at http://go.microsoft.com/fwlink/?LinkId=203980 and is updated periodically.

Support for This Book

Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media website. To find Microsoft Press book and media corrections:

1. Go to http://microsoftpress.oreilly.com

2. In the Search box, type the ISBN for the book, and click Search.

3. Select the book from the search results, which will take you to the book’s catalog page.

4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.

If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.

We Want to Hear from You

We welcome your feedback about this book. Please share your comments and ideas via the following short survey.

at http://twitter.com/MicrosoftPress. For support issues, use only the email address shown above.

Trang 25

C H A P T E R 1

Introducing Remote

Desktop Services

Where D d RDS Come From? 2

What Can You Do w th RDS? 7

RDS for W ndows Server 2008 R2: New Features 12

How Other Serv ces Support RDS 32

Funct ona ty for RDS Scr pters and Deve opers 35

You m ght be read ng th s book for any of a number of reasons Perhaps you’re an o d

hand at M crosoft Term na Server and are nterested n see ng what Remote top Serv ces (RDS) n M crosoft W ndows Server 2008 R2 can do for you You m ght have nsta ed W ndows Server 2008 R2 and are now nterested n what a these web accesses, gateways, and Remote Desktop Sess on Host servers do Maybe you have heard about RDS and are nterested n how you m ght benefit by ncorporat ng t nto your env ron-ment For that matter, you m ght be wonder ng how RDS compares to other remote access techno og es n W ndows Server 2008 R2

Desk-Wh chever reason you have to be nterested n RDS, th s book s for you

This chapter sets the stage for the rest of the book. To understand the evolution of Microsoft Terminal Services (now called Remote Desktop Services), you have to understand where it came from and the ecosystem in which it operates. To understand what you can do with the roles and role services, you have to understand the essential goals of RDS in Windows Server 2008 R2 and the scenarios that it’s designed for. And, because RDS isn’t an end in itself but a piece of the broader Windows infrastructure, you’ll see how RDS roles interact with other technologies, like Windows Server 2008 Hyper-V and IIS.

After reading this chapter, you’ll understand the following:

■ Why Terminal Services is now known as Remote Desktop Services

■ What Windows Server 2008 R2 includes for supporting an RDS environment

■ What scenarios the RDS role services are intended to support

■ What kinds of new technology enable those new scenarios

■ How RDS role services interact with each other

■ How RDS role services depend on other Windows Server roles

■ What application programming interfaces (APIs) exist for developers to use, and what are some examples of the kinds of features that developers can add to RDS

Where Did RDS Come From?

If you’re looking at RDS for the first time with Windows Server 2008 R2, you’d hardly recognize its earliest incarnations. Like Windows Server itself, RDS has changed a lot over the years and has become much more comprehensive. It’s not important to go through an exhaustive feature list for each edition, but it’s useful to see how multi-user Windows has developed since its inception in the mid-1990s.

Citrix MultiWin

The original MultiWin architecture was designed not by Microsoft but by Citrix, who licensed the Microsoft Windows NT 3.51 source code from Microsoft to create multi-user Windows. [MultiWin was originally going to be based on IBM Operating System/2 (OS/2) when Microsoft was part of the OS/2 project, but Windows won.] Citrix created its own product called WinFrame, which was a multi-user version of Windows NT 3.51 and totally separate from the operating system that Microsoft produced.

A First Experience with Multi-User Windows

Christa first experienced multi-user Windows through WinFrame 1.7 in 1997 at an IBM training center in New York’s Hudson River Valley. Training lasted multiple days, so there were hotel rooms in the training center. Originally, the training center provided a PC in each guest room, and staff had to deal with the maintenance headaches of that setup. But by that training session in 1997, they’d moved to setting up thin clients (connected to the WinFrame servers) in all guest rooms so that guests could check email and work from their rooms. When attendees checked in, a script automatically created a user account for that person. This is all common now, of course, but at the time, it was heady stuff and a big change from the desktop-centric model of Windows.

Windows NT, Terminal Server Edition

WinFrame was built on Windows NT 3.51. Microsoft licensed MultiWin back from Citrix in 1995 and plugged this multi-user core into the Windows NT 4.0 base operating system to make a new product: Windows Server with multi-user capabilities. The result was Windows NT 4.0 Terminal Server Edition. Citrix no longer provided a stand-alone product but released MetaFrame, which ran on top of Terminal Server Edition (in much the same way that Citrix XenApp runs on Windows Server now) and added some new features and management tools.


Terminal Server Edition was very much a starting point. The operating system was pretty basic, to put it mildly. Almost every installation of Terminal Server Edition ran MetaFrame on top of it, because the base product did little more than provide a multi-user operating system. Even basic functionality such as clipboard mapping was not included. The fact that Terminal Server Edition and the core operating system were different products wasn’t great for either Microsoft or its customers. Microsoft had to deal with two sets of operating system service packs, and customers had to purchase a separate product to test server-based computing and juggle two different service packs that were not released at the same time. On the plus side, when there was a problem with Service Pack 6 (SP6) for Windows NT 4.0, it was solved by the time SP6 for Terminal Server Edition was released.

Windows 2000 Server

The first real breakthrough in Terminal Services was in Microsoft Windows 2000 Server. For the first time, Terminal Services was a server role in the base server operating system, not a separate product. Why did this matter? There are several reasons. First, the game of juggling incompatible service packs for single-user and multi-user operating systems was over. Second, there was a fundamental change in the way that server-based computing and remote access were perceived. Before Windows 2000, if you wanted to manage a Windows server from the graphical user interface (GUI), you generally sat down in front of it—there was no capability for remote management using Microsoft Remote Desktop Protocol (RDP). The problem was that there is a limit to the number of servers that you can sit in front of during the day, especially when those servers are in different buildings—or even in different cities. Windows 2000 Server introduced Remote Administration as an optional component, allowing server administrators to manage servers even when they weren’t sitting in front of them. Not only did this make server administration a lot easier, it also came to the aid of Terminal Services, because it gave people a good use case for remote usage and multi-user computing.

Having Terminal Services in Application Server mode available in the core operating system also meant that trying Terminal Server for users required comparatively little effort—setting up a basic pilot could be done with as little effort as installing the role in Application Server mode and letting people use Notepad. In addition, because RDP in Windows 2000 Server added some basic functionality such as client printer redirection and a shared clipboard between local and remote sessions, trying Terminal Server and getting a feel for how users could benefit from shared computing was possible even with only the tools in the core operating system.

Windows Server 2003

The next big step was Microsoft Windows Server 2003, which took some of the decisions made in the Windows 2000 Server timeframe to their next logical conclusions. If Remote Administration is a good thing, why should it be an optional component? Instead, enable it for all Windows server roles and make it an option for the client. And although the basic functionality in Windows 2000 Terminal Server is useful, it doesn’t provide a sufficiently rich client experience. Let’s enable drive mapping, full color, sound, and other features that were previously possible only with third-party products, so that the remote experience can be a lot more like the local desktop experience.

Another big change to Windows Server 2003 was in management. Windows 2000 terminal servers could be managed only singly. You could configure them remotely, but not collectively. Windows Server 2003 introduced some Group Policy settings for configuring and managing terminal servers, and Terminal Server Manager supported management of remote servers.

Windows Server 2008

Microsoft Windows Server 2008 represented a big breakthrough in Terminal Services functionality. Previous versions of Terminal Services had included only two roles: the terminal server and a license server.

NOTE Although Windows Server 2003 included the Session Directory Server for basic farm support, this role was available only in the Enterprise Edition and was not widely deployed.

If your needs extended beyond remote access to a full desktop on the local area network (LAN), then you needed third-party additions to the role to help you fulfill them. With Windows Server 2008, Terminal Services gained the following advantages:

■ Visual integration between locally and remotely running applications

■ A web interface for presenting applications on the terminal servers individually

■ A secure gateway to enable support for secure access via the Internet

■ A session broker to route incoming connections to the most appropriate terminal server

■ A printing subsystem that did not require print drivers to be installed on the terminal servers

■ Redirection of new types of devices

Windows Server 2008 R2 and RDS

Windows Server 2008 R2 is technically a “minor release” like other R2 releases, but it introduces a lot of changes for RDS. The role service has expanded again to add virtual desktop support (often called VDI, for Virtual Desktop Infrastructure). It has also gained some new features, some of the most important being the following:

■ Support for connection to Hyper-V based virtual machine (VM) pools of shared VMs and personal VMs assigned to an individual

■ Changes to Remote Desktop (RD) Web Access that allow the portal to display resources from multiple RD Session Host servers (formerly known as terminal servers) or farms, and that enable security filtering for RemoteApp programs and VMs

■ Improved application compatibility and resource management on RD Session Host

■ Support for Aero Glass remoting and other user experience improvements to RDP 7

■ Support for forms-based single sign-on through RD Web Access so that users need to authenticate only once in the website to get to all the RemoteApp programs assigned to them

■ Improvements to Remote Desktop Gateway to enforce drive redirection policies and enable client remediation when clients do not conform to software rules

■ Improved discoverability for license servers for a more reliable connection

DIRECT FROM THE SOURCE

Why VDI?

Michael Kleef, Senior Product Manager

Windows Server Marketing

Microsoft added VDI support to Windows Server 2008 R2 to allow customers further desktop delivery choice in thin client computing. Although Remote Desktop Session Host is a mature product and still provides relevant customer value at the right TCO (total cost of ownership) point, there are times when the level of personalization and isolation that VDI with Windows 7 delivers are important for specific use cases. Applications that require elevated permissions are hard to support on an RD Session Host because one elevated-privilege mistake could affect all users of the server. The isolation of VMs makes it possible to support this type of application using VDI. Another example is native application compatibility; this was largely solved by Microsoft App-V, but it can’t solve all application issues in which the application requires a Windows client installation. It’s for reasons like this that Microsoft invested in delivering a VDI platform in Windows Server 2008 R2 and extended it further in Service Pack 1 with Dynamic Memory and RemoteFX, to increase VM density and improve the rich user experience.

Most obviously, Terminal Services is now called Remote Desktop Services, and all subroles are renamed to go along with the change. The service was renamed to reflect the much broader scope of the server role, including sessions and the role services needed to get people connected to them, but also hosting of VMs and secure wide area network (WAN) access.

NOTE Because this book is about Windows Server 2008 R2, it uses the current names for the server role and its role services. See Table 1-1 for a list of some of the names you’ll come across most often. For a complete mapping of the old and new names for RDS, see http://technet.microsoft.com/en-us/library/dd560658(WS.10).aspx.


TABLE 1-1 Mapping TS Names to RDS Names

FORMER NAME                                          WINDOWS SERVER 2008 R2 NAME

Terminal Services Licensing                          Remote Desktop Licensing (RD Licensing)

Terminal Services Web Access (TS Web Access)         Remote Desktop Web Access (RD Web Access)

Terminal Services Gateway                            Remote Desktop Gateway (RD Gateway)

Terminal Services Client Access License (TSCAL)      Remote Desktop Services Client Access License (RDSCAL)

Terminal Services Manager                            Remote Desktop Services Manager

Terminal Services Configuration                      Remote Desktop Services Configuration

The pattern is pretty obvious; if any names you see don’t make sense, look at the list provided at the link.

The Evolving Remote Client Access Experience

Although this book focuses on the server shared-computer experience, not the client, it is important to know that RDS also changed on the client side as the server-side capabilities evolved. Microsoft Windows 2000 Professional did not support incoming remote access connections (nor did Microsoft Windows 9.x), but Microsoft Windows XP, Windows Vista, and Windows 7 all do. Supporting incoming remote connections enabled several new ways to use Windows clients, including:

■ Remote access to a physical computer from home or another area of the building

■ Remote Assistance

■ Virtual desktop hosting

■ Hosting RemoteApp programs to be displayed in another client operating system (for application compatibility)

Remote access from another computer reflects the reality that many people use more than one computer, and that a home might have more than one computer. Remote Assistance uses the remote control feature of RDS—the ability to permit a second person to see or even take over a remote session—for enabling help desk support, even on desktops. Virtual desktop hosting was one of the chief competitors to session hosting for a long time (and is now part of the service). Features like RemoteApp on Hyper-V allow people to run applications on an older operating system while seeing them on a newer one, even if the application won’t run on Windows 7 for some reason.


NOTE Generally speaking, most 32-bit applications can run on a 64-bit platform as long as these applications don’t include drivers and don’t have a 16-bit installation routine. Web applications designed to run in Microsoft Internet Explorer 6 are one exception to this rule. Internet Explorer 6 is included with Windows Server 2003, but can’t be installed on Windows Server 2008 R2. Therefore, if you have Internet Explorer 6–dependent applications and want to display them as RemoteApp programs, you can host them in VMs using RemoteApp for Hyper-V.

RDS shows up in the client versions of Windows even when you don’t expect it. It’s the technology that enables Fast User Switching and Remote Assistance (to name just two), and a version of the RDP protocol is the basis of Live Mesh.

In short, the story of Remote Desktop Services is the story of how multi-user computing has become less of a niche technology and more of a Microsoft strategy for enabling various scenarios that blur the line between the PC and the data center. Even when they’re not called RDS, multi-user computing and the Remote Desktop Protocol have become crucial parts of the core Windows platform.

What Can You Do with RDS?

The preceding section provides a (very fast) look at where RDS came from and how it became part of the core Windows platform for both client and server. You will learn about the technology in depth in later chapters. But what do you do with it?

Fundamentally, RDS breaks the hard links between location, client operating system, and capability.

In many ways, this is a natural extension of networking. If you’re using a single computer unconnected to any networks, you’re limited to the applications and data stored on that computer. If you attach that computer to a network and enable file sharing, you can use data that is not stored on your laptop, and a systems administrator can both back up that data (impossible for someone else to do on an isolated desktop) and secure it. With RDS, you can use not only data stored somewhere else but also applications stored somewhere else. They don’t even have to be capable of running on the client computer as long as they’ll run on the host. Presentation remoting improves file sharing because the files you use don’t have to be accessible to the client computer as long as they’re available to the back-end application.

With an isolated PC, you are absolutely tied to what that computer can do. With presentation remoting, the capabilities are more flexible, because what you see isn’t necessarily running on the computer where you’re working, or even in the same country. This has benefits for security, location, and device independence.


Improved Security for Remote Users

Totally PC-based computing has problems with data security. More and more people work on laptops, and laptops are meant to be taken places. But laptops with data stored on them are a security risk, even if you password-protect the laptop. Unless you take the laptop with you everywhere, including lugging it along to dinner instead of leaving it in the hotel room when you’re on the road, the data on your laptop is vulnerable to theft. And if someone really wants the laptop, it doesn’t matter if you take it with you. This doesn’t even address the dilemma of leaving the laptop in a taxi or on a train by accident. It happens. BitLocker technology on Windows 7 and Windows Vista protects against theft but does not protect against loss from a misplaced or broken laptop that wasn’t backed up.

If the data is on the laptop and you lose the laptop, the data’s gone. The obvious solution is not to keep the data on the laptop—store it in the data center instead. But if you’re accessing the data center from a remote location via a virtual private network (VPN) and working with large files (in this day of heavy-duty formatting, what file isn’t large?), it’s tempting to keep the file on the local drive while working on it remotely and then copy it back to the network when you’re done with it. However, if you work this way, you’re back where you started, with the data on the local drive.

Information Insecurity

It’s not practical to make sensitive information accessible only to people within the four walls of the office, but it’s been shown again and again what happens when that information leaves the data center. In November 2009, the Army Corps of Engineers lost a hard drive containing the names and social security numbers of as many as 60,000 current and former Army service members and some civilians. As of this writing, the drive has not yet been recovered. This isn’t the first time that sensitive data has been lost to a misplaced laptop or other portable media.

It’s not always feasible to store sensitive information only in the data center, accessible solely via secure connection to a Remote Desktop Session Host server behind the perimeter network. Sometimes, the information must be available even when a network connection isn’t. But when it is feasible, it’s much more secure to keep information where it’s least likely to be compromised, stolen, or lost: in the data center.

One solution to the dilemma of how to secure data while keeping it accessible to the people who need it is to keep everything in the data center, including the applications required to edit the data. If both the applications and the confidential data are on the network, then it’s either impossible to edit the data locally (because no application for doing the editing is installed locally) or not as desirable to do so because there’s no reason to download the remote file to the local computer for a more responsive experience. No sensitive data ends up on the client computer; it all stays within the boundaries of the data center.


NOTE Given a sufficiently long distance or sufficiently slow Internet connection, the remote connection will also be slow; and if the network connection isn’t totally reliable, it can be frustrating as the session disconnects. As you know all too well, even high-speed networks experience some latency when you’re working on one continent and the data center is on another one. But these problems apply to any remote-access scenario and have less chance of accidentally corrupting the original document by attempting to write to it over a slow connection. A disconnected session doesn’t lead to data loss—it’s just there waiting for its user to reconnect to it.

What if you want people to be able to edit confidential documents when they are in a secure location but not when they’re accessing the corporate network from the local coffee shop? Using RDS in Windows Server 2008 R2, you can set up rules that determine which applications a remote user has access to, whether the user has any local drives mapped, and even whether it’s possible to cut and paste text between local and remote applications. Security needs can determine the restrictions placed on remote access while still keeping the data easily available when it should be.

Provisioning New Users Rapidly

This is especially useful for temporary workers. If you are providing computer services for someone who will only be around temporarily (for example, a consultant needing a temporary desktop or a temporary worker), then it’s good not to need to spend much time on setting up a computer for her, but also good to give her a clean work environment that doesn’t require her to work around the detritus left by the previous user of the computer. Through RDS, you can get a new user set up and working almost as quickly as you’re able to get her a domain account. In addition, the pooled VM or remote desktop session the person uses will be brand new, with no old settings left from a previous user, which should simplify troubleshooting and training.

Enabling Remote Work

Related to security for mobile workers is remote work. Telecommuting is becoming more common in the workplace. Some help desk suppliers and U.S. government agencies don’t even have desks for all their workers, since their workplaces are designed for most people to be working from home most of the time. According to the Status of Telework Report to the Congress (see http://www.telework.gov/Reports and Studies/Annual Reports/2009teleworkreport.pdf), over 100,000 people working for the U.S. government teleworked during 2008, with 64 percent of these teleworking at least 1 to 3 days per week. This represents an increase of just under 9 percent since 2007.

Nor is telework a solely North American phenomenon. In 39 percent of western European companies, some people work at home at least part of the time, according to “IT and the Environment,” a 2007 paper by the Economist Intelligence Unit.


But working from home has its own set of challenges, not least being the question of how the company can support the desktop environment. Home-based computers can’t be easily managed by Group Policy; they can break down with no IT staff immediately available to provide assistance, and people working from home can’t always readily talk through a computer-based problem with help desk staff. And how do you update an application when it’s time to move from, say, Microsoft Office 2007 to Office 2010? If you’ve worked remotely for even a brief span of time, you probably have experienced the advantages of mobility and the disadvantages of lack of local support. It’s great being able to work from the coffee shop, hotel, or airport lobby; it’s not so great acting as your own help desk.

Server-based computing helps enable remote scenarios in several ways. You don’t have to worry about home users installing applications that they shouldn’t run on the Remote Desktop Session Host servers if you follow basic security procedures (more later on this topic). Since the applications are stored on the RD Session Host servers, they’re installed and updated there, not on the clients. And, as discussed in the previous section, “Provisioning New Users Rapidly,” using RDS allows the administrator to determine the kind of resource sharing that the local and remote computers should do and which applications are available, depending on the location from which a user is connecting.

Bringing Windows to PC-Unfriendly Environments

Not all the people who need a PC work in an environment that allows them to have one. One example is electronics firms. If you’re making circuit boards, you make them within what’s called a clean room, a room with no dust and which requires a time-consuming process to enter. If you need to use Windows applications in a clean room, you can’t use PCs. The fans inside the case kick up dust inside the computer and spread it into the room. In addition, it’s not practical to have PCs that might need servicing in any room that takes extensive preparation to enter as a clean room does. Therefore, you need RDS to provide Windows applications to the terminals.

Thin clients are also good for environments where you want access to Windows applications but the circumstances are not PC-friendly, if they’ve got too much dust or vibration to be good for the PC. Small terminals that can be wall-mounted or carried work better in these circumstances than PCs do. But since these small terminals have very limited memory and CPU power and no disks, you can’t run Windows 7 on them. To get access to the latest operating system and applications, you need an RD Session Host server for the terminals to connect to.

PC-less Windows environments include places such as upscale health clubs or city apartment lobbies. Management wants to attract customers by offering the convenience of a personal computer in the lobby or cafe but doesn’t want to support computers in these locations. (Bulk can also be an issue when you’re trying to squeeze five user work areas into a small counter space.) Windows terminals can connect to an RD Session Host server and present the applications. They’re also smaller, cooler, and more reliable than PCs, which can get misconfigured.


It has been said that there’s no point to getting thin clients because if you buy PCs, you get more power for the same money. With thin clients, you’re not paying for the computing power; you’re using very little, comparatively speaking. You’re paying for the reduced administration and smaller physical footprint and energy use. This solution is not for everyone, but sometimes thin clients are a better choice than PCs.

Business Continuity and Disaster Recovery

One advantage of RDS is that it enables you to set up user work environments quickly. As long as the servers are available in the data center, they can be made available to users almost as quickly as the user’s computer is plugged in and turned on. Using a combination of centralized application installs and Internet access, it’s possible to set up a new branch office quickly even if the RD Session Host servers are located offsite. For maximum flexibility and ease of setup, this model assumes that the RD Session Host servers are user-agnostic (that is, all user information, including profiles, is stored elsewhere) and identically configured.

Supporting Green Computing

One of the hot topics (no pun intended) these days is how to make companies and governments greener—how to help them use less energy. IDC, a market-research firm, says that power consumption is now one of systems managers’ top five concerns. Companies now spend as much as 10 percent of their technology budgets on energy, says Rakesh Kumar of Gartner, a consultancy. (Only about half of this amount is used to run computers; much of it goes toward cooling them, since for every dollar used to power a server, you spend a dollar to cool it.) Dropping power usage is a win-win situation, really—because companies have to pay for their power, using less energy means that they spend less money on power.

NOTE A December 2007 paper from McKinsey & Company, “Reducing U.S. Greenhouse Gas Emissions: How Much at What Cost?” (http://www.mckinsey.com/clientservice/ccsi/pdf/US ghg final report.pdf), shows the marginal costs of reducing carbon dioxide emissions. The cost of reducing the carbon emissions for combined heat and power in commercial buildings is negative. That is, it pays companies to go green.

There’s a lot of waste in desktop-centric computing. According to IDC, average server utilization levels range from 15 to 30 percent. Average resource utilization rates for PCs have been estimated at less than 5 percent. Because you have to power the processor and memory whether you’re using them or not, this represents a lot of waste. Therefore, depending on the needs of the client, there might be quite a bit of room for people accessing their desktops—or at least their applications—from an RD Session Host server. For companies that can reasonably exchange desktop computers for Windows-based terminals, this can represent a huge savings, both in terms of the power drawn by the full desktops and in terms of the air conditioning required to cool the building heated by hundreds of powerful PCs.


Improved Command-Line Support

Windows Server 2008 had a wide array of programmable interfaces that duplicated—and even extended—the capabilities of the GUI. What it didn’t have was the best way to get at them. Windows PowerShell supported Windows Management Instrumentation (WMI) but had no remote access capabilities (and finding the right WMI object isn’t trivial unless you already know what you’re looking for), so you couldn’t use Windows PowerShell to manage settings on a server farm. VBScript did support remote access and WMI, but it required knowing how to script. (You also need to learn to use Windows PowerShell to use it, but it’s simpler and a lot of basic tasks have cmdlets already prepared.)

Command-line management is simpler in Windows Server 2008 R2 for two reasons. First, the Windows PowerShell team introduced remote access support in Windows PowerShell 2.0. Second, the RDS team created Windows PowerShell objects to map to its WMI structure. It’s now possible to easily find the capability that you want according to server role, and the objects are fully supported by standard Windows PowerShell cmdlets. You’ll be reviewing throughout this book how to use Windows PowerShell to manage the RDS farms.
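As an added example (not from the book), the following script combines the two pieces just described, Windows PowerShell 2.0 remoting and the Terminal Services WMI classes, to audit the RDP listener security settings on every RD Session Host in a farm; the server names are placeholders, and the Win32_TSGeneralSetting class is assumed to be available in the root\CIMV2\TerminalServices namespace on Windows Server 2008 R2.

```powershell
# Added example, not from the book: audit the RDP-Tcp listener security settings
# on every RD Session Host in a farm over PowerShell 2.0 remoting.
# Server names below are placeholders; replace them with your own RD Session Host names.
$farm = 'rdsh01', 'rdsh02', 'rdsh03'

# Runs on each remote host. Win32_TSGeneralSetting (root\CIMV2\TerminalServices)
# exposes the per-listener security layer, NLA requirement and encryption level.
$audit = {
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                  -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='RDP-Tcp'" |
        Select-Object TerminalName,
                      @{n='SecurityLayer';      e={$_.SecurityLayer}},
                      @{n='NLARequired';        e={[bool]$_.UserAuthenticationRequired}},
                      @{n='MinEncryptionLevel'; e={$_.MinEncryptionLevel}}
}

# Invoke-Command fans the script block out to all servers and tags each
# returned object with PSComputerName so the rows can be told apart.
$results = Invoke-Command -ComputerName $farm -ScriptBlock $audit

# Flag listeners that are not on TLS, do not require NLA, or use weak encryption.
# Value encodings for this WMI class (as documented for Windows Server 2008 R2):
#   SecurityLayer:      0 = RDP, 1 = Negotiate, 2 = TLS/SSL
#   MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
foreach ($r in $results) {
    $issues = @()
    if ($r.SecurityLayer -ne 2)      { $issues += 'security layer is not TLS' }
    if (-not $r.NLARequired)         { $issues += 'Network Level Authentication not required' }
    if ($r.MinEncryptionLevel -lt 3) { $issues += 'encryption level below High' }
    $state = if ($issues) { 'REVIEW: ' + ($issues -join '; ') } else { 'OK' }
    '{0,-12} {1}' -f $r.PSComputerName, $state
}
```

Run it from a management workstation that has PowerShell remoting enabled against the farm; servers that report REVIEW are the ones whose listener settings differ from the hardened baseline and should be checked in Remote Desktop Session Host Configuration or Group Policy.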

RDS for Windows Server 2008 R2: New Features

So far, you’ve seen an overview of some of the ways you might apply server-based computing to meet your company’s needs for supporting remote workers or PC-unfriendly environments. Many new features in Windows Server 2008 help you support these scenarios specifically. This book is devoted to letting you know what’s new in RDS and how to use it. This section discusses some of the features and how this version of RDS differs from previous versions in ways larger than individual features.


For example, did you know that its Dynamic Fair Share Scheduling ensures that each user on the same server gets an equal amount of processor attention? With it, a lightweight user running Microsoft Word can collocate with a heavyweight user performing a software build, or crunching a database query, or any other CPU-intensive activity. Neither session is impacted by the actions of the other.

Remote Desktop IP Virtualization is also new for those finicky applications that require unique IP addresses to function. Without it, all applications running from the same RD Session Host will appear to have the same IP address. With it, an RDS server can virtualize a set of IP addresses so that those applications execute without problems.

Even Windows Installer gets improved with Windows Server 2008 R2. In previous operating system versions, Windows Installer wasn’t fully Terminal Services–aware. This limitation made the installation of some applications very difficult as concurrent installs would block each other. That awareness is finally present in R2, improving the success rate of installing applications to RDS. Installing MSI packages on an RD Session Host server is the same as installing them on a client computer—they serialize and don’t block.

With R2, your options for connecting users to applications become as important as the application delivery itself. This “feature” isn’t so much a feature as a completely new way of thinking about application delivery. The incorporation of RemoteApp and Desktop Connection in Windows 7 with the RD Web Access in Windows Server 2008 R2 gives you more options for how you connect users to their applications. Depending on your needs, you can deliver RemoteApp programs and VMs via a web page in Internet Explorer, through an RDP file delivered to the user, or, for those using Windows 7, you can simply populate your users’ Start menu.

The Changing Character of RD Session Host Usage

One RDS change in Windows Server 2008 R2 is in the usage assumptions. Windows Server 2003, for example, assumed that administrators will generally run individual servers from the corporate LAN (and probably only one or two of them) since the session brokering piece is available only in the Enterprise edition of the software. Windows Server 2008 assumed that terminal servers would be hosted in farms, that people would run both locally installed applications and RemoteApp programs, and that at least some people would be accessing the RD Session Host servers from the Internet.

RDS in Windows Server 2008 R2 expands on the assumptions in Windows Server 2008 to assume the following, among other things:

■ Many users access the corporate LAN from the Internet at least some of the time

■ Users don’t always log on from domain-joined computers


■ Users are more likely to use a PC (with some locally installed applications) than a terminal device

■ Users might work from a branch office but still are connected to the domain

■ Some users will run very demanding applications from the data center

■ Applications will be served from a farm of identical servers more often than a single server

■ Some users will be allowed to install applications even in a hosted workspace

■ Some applications should be isolated for best compatibility

You will learn about some RDS role services here, but a technical walkthrough of these features is less important right now than understanding the business problems that they’re designed to solve. The rest of this book will provide design, deployment, and operations guidance.

Supporting VM Users

Sessions are a good way to let a lot of people use the same physical hardware. However, sessions don’t work for everyone, especially not if desktop replacement is the goal. A session can’t permit its users full administrative access to tweak settings through the Control Panel, isn’t always friendly to resource-hungry applications (at least, the resource-hungry applications are not always friendly to the other sessions), and doesn’t permit users to install applications to use later in exactly the same environment. Nor can you hibernate a session to easily save not just data, but also the work that you were in the middle of completing when you dropped everything and ran to catch the bus. Using a VM, it is literally possible to save your work state.

One new feature in Windows Server 2008 R2 is native support for Virtual Desktop Infrastructure (VDI), which is a short name for “managed virtual machines.” Microsoft VDI supports two kinds of VMs. Personal desktops are assigned to an individual and can be customized according to whatever rules are in place in the organization. Pooled desktops are generally available to anyone with access to the pool. Although it is possible in some cases to make changes to them, there is no guarantee that a user changing a pooled desktop will get the same one the next time they log in—rolling back changes is often normal, to avoid people contaminating the desktop pool with applications and settings they will never reuse.

Each kind of desktop is designed for a different purpose. Personal desktops are for full desktop replacement. Although accessible only via RDP, a personal desktop is controlled by the user it is assigned to, and if a person has a personal desktop, the RD Connection Broker will always attempt to connect them to it first. A personal desktop can replace a physical computer and even has the advantage of making the machine state easy to back up, so moving to a new physical platform doesn’t mean losing all settings.

Pooled desktops are more for supporting people who need to run applications that aren’t well hosted on an RD Session Host server, even with the new support for fair share processing that prevents a single session from using all the processor power. They can be preinstalled with any applications that the people who need the pool will need.

Pooled desktops can also support an application-compatibility feature released after Windows Server 2008 R2 shipped: RemoteApp on Hyper-V. This feature allows you to run RemoteApp programs from a VM rather than from an RD Session Host server. It’s designed to let computers running Windows 7 run an application that can’t run on Windows 7 (for example, a web application based on Internet Explorer 6) from a computer running Windows XP located in the data center. Although each VM can still only support one incoming connection at a time, RemoteApp for Hyper-V makes it possible to support these older applications while retaining the features of Windows 7 on the desktop.

How to Get RemoteApp Technology from a Client

Remoting technology is great for displaying applications that can’t run on the client. For example, you can run really demanding applications from a session or a VM to integrate with an older operating system or on hardware that won’t support them.

Supporting older applications that won’t run on an operating system later than Windows Server 2003 and Windows XP is a bit more problematic. Windows Server 2003 didn’t include support for RemoteApp technology, so to run the older applications there would mean publishing only from a full desktop. And up until now, Windows XP didn’t support RemoteApp connections (although some companies had solutions that did something functionally similar).

Microsoft has several different technologies that support RemoteApp from client operating systems such as Windows XP. They’re all intended for different user scenarios.

XP Mode uses Virtual PC technology to run a Windows XP VM on a computer running Windows 7. People with their own computers would run this to enable themselves to run applications locally that will not run on Windows 7. To get XP Mode, go to http://www.microsoft.com/windows/virtual-pc/download.aspx.

MED-V is essentially managed XP Mode (see http://blogs.technet.com/medv/archive/2009/04/30/windows-xp-mode-in-windows-7-how-it-relates-to-future-versions-of-med-v.aspx). You’d use this to deploy XP Mode in an organization so that you don’t rely on individuals to update their own RemoteApp guest machines.

The catch to XP Mode is that it requires the RemoteApp VM to run locally. Not all computers have the hardware to run two full machines at the same time (required with Type 2 hypervisors like Virtual PC). To make it possible to support RemoteApp from Windows XP, there’s RemoteApp for Hyper-V. This model runs the Windows XP guest VMs hosting the RemoteApp programs in a data center and uses RDP to display them on a computer running Windows 7. To get the updates required to use RemoteApp for Hyper-V, go to http://support.microsoft.com/kb/961742.

MED-V and XP Mode are outside the scope of this book because they do not use the RDS infrastructure, but RemoteApp for Hyper-V is discussed in more detail in Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”

Supporting Telecommuters and Mobile Workers Securely

The way that people work in information fields has changed a great deal over the years. At one time, most information workers (the best way to describe people who need regular access to a shared pool of data to do their jobs) went to where the information was: namely, to the office. When they left the office, they stopped working on anything that depended on that central pool of information. Similarly, when they were in the office, they could easily add to this central pool of information—after all, all this information is created by people—and when they left, they could not continue adding to the central pool of information.

Laptops changed this by giving telecommuters a computer that they could easily take with them, but laptops still didn’t have access to the central pool of information that people could access at the office. Widespread Internet access combined with the increasing use of email as a personal information store gave additional access, but email doesn’t include everything your company knows—just that information included within emails you’ve sent or received.

The next stage was securely connecting to the corporate network, retrieving the information required, and then downloading it to the laptop. This, of course, required both broad access to high-speed networks for downloading the documents to the local computer and also for the application to be installed locally. It also meant that people needed some way for the laptop to access the data center without creating a security breach or spreading a virus on the corporate network.

Much of the industrialized world today has access to the necessary components: laptops and high-speed networks that are available both at home and in public places such as airports and hotels. The tricky problems that arise include how to regulate which computers are allowed access to the network and how to keep sensitive data off computers vulnerable to theft or loss. There’s also the problem of gaining access to the data that mobile workers create while on the road. Data stored on a laptop won’t make it back to the corporate network until the road warriors get back from the trip, or at least get some free time to upload all their new data to the central data pool.

RDS long held promise in supporting telecommuters and mobile workers, but the solution included with the operating system didn’t have all the tools needed to make this work until Windows Server 2008. Windows Server 2008 Terminal Services changed this, introducing Terminal Services Gateway (TS Gateway). TS Gateway enabled authorized users to access authorized corporate resources securely via RDP tunneled through the Internet. Windows Server 2008 R2 added some enhancements for increased security in the new version of TS Gateway, called Remote Desktop Gateway (RD Gateway).
