When enabling Remote Desktop on a computer, you must also authorize which users will be allowed to remotely connect to that computer using RDC. By default, only administrators are authorized to remotely connect to the host computer. Authorize additional users by following these steps:
1. Click the Select Users button to open the Remote Desktop Users dialog box.
2. Click Add and then either specify or find user accounts in AD DS (or on the local computer on stand-alone host computers) and add them to the list of Remote Desktop Users authorized to access the host computer using Remote Desktop. This adds the selected users to the Remote Desktop Users local group on the host computer.
Enabling Remote Desktop Using Group Policy
You can also use Group Policy to enable Remote Desktop on host computers. To enable Remote Desktop on all computers in a specified organizational unit (OU), open the Group Policy object (GPO) linked to the OU using Group Policy Object Editor, enable the following policy setting, and add users to the Remote Desktop Users group:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow Users To Connect Remotely Using Remote Desktop Services
Enabling Remote Desktop on computers using Group Policy also enables the Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure) option on the computers targeted by the GPO. To enable Remote Desktop using the Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure) option instead, you must enable the following policy setting in addition to the preceding one:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require User Authentication For Remote Connections By Using Network Level Authentication
NOTE By default, when the first policy setting is enabled but the second setting is not configured, local administrators on the targeted computers have the ability to change the Remote Desktop security level on their computers to Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (More Secure) if desired. When the second policy setting is enabled, the option Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure) on the Remote tab is unavailable and appears dimmed.
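The two preceding sections describe the same host-side result (Remote Desktop enabled, Network Level Authentication required, users placed in the Remote Desktop Users local group) done through the Remote tab or through a GPO. The following script is an added example, not code from the book, that performs and verifies that configuration on one stand-alone host from an elevated PowerShell prompt. The registry values it writes are this example's assumption about where Windows stores the Remote tab settings; the book does not list them, and the CONTOSO\jane account is a placeholder.

```powershell
# Added example (not from the book): enable Remote Desktop on the local host with
# Network Level Authentication and authorize users by adding them to the local
# Remote Desktop Users group, then verify the result. Run elevated on the host.
# The registry values are this example's assumption about where Windows stores
# the Remote tab settings; the book does not list them.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Enable-RemoteDesktopHost {
    param([switch]$RequireNla)
    # fDenyTSConnections = 0 corresponds to "Allow connections" on the Remote tab
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord
    # UserAuthentication = 1 corresponds to "Allow connections only from computers
    # running Remote Desktop with Network Level Authentication (more secure)"
    $nla = if ($RequireNla) { 1 } else { 0 }
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value $nla -Type DWord
    # Open the built-in Remote Desktop firewall rule group, as the Remote tab does
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes | Out-Null
}

# Accepts 'DOMAIN\user' for AD DS accounts or a bare name for a local account.
function Add-RemoteDesktopUser {
    param([Parameter(Mandatory=$true)][string[]]$Account)
    $group = [ADSI]"WinNT://./Remote Desktop Users,group"
    foreach ($a in $Account) {
        $parts = $a -split '\\'
        if ($parts.Count -eq 2) { $domain = $parts[0]; $user = $parts[1] }
        else { $domain = $env:COMPUTERNAME; $user = $a }
        try { $group.Add("WinNT://$domain/$user,user") }
        catch { Write-Warning "Could not add ${a}: $($_.Exception.Message)" }
    }
}

function Get-RemoteDesktopHostState {
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
    $group = [ADSI]"WinNT://./Remote Desktop Users,group"
    # Each member is a COM object; read its Name property through reflection
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)
        AuthorizedUsers      = $members
    }
}

Enable-RemoteDesktopHost -RequireNla
Add-RemoteDesktopUser -Account 'CONTOSO\jane'   # placeholder account for this example
Get-RemoteDesktopHostState
```

Get-RemoteDesktopHostState is the check to run after a GPO refresh as well: when the second policy setting from the text is in force, NlaRequired reads true and the Less Secure option on the Remote tab is dimmed.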
Configuring and Deploying Remote Desktop Connection
After you have enabled Remote Desktop on the host computer, you must configure the RDC client software on the client computer. You can configure RDC in several ways:
• Click Start, click All Programs, click Accessories, and then click Remote Desktop Connection. This opens the Remote Desktop Connection UI, shown in Figure 27-10.
• Type mstsc at a command prompt or in the Search box to open the Remote Desktop Connection UI, or type mstsc followed by various parameters to customize how the RDC client software will run. For help with Mstsc.exe parameters, type mstsc /? at a command prompt.
• Use Notepad to manually edit an *.rdp file previously saved from the Remote Desktop Connection UI. For more information, read the section titled “Configuring Remote Desktop Connection Using Notepad” later in this chapter.
• Configure those Remote Desktop Services Group Policy settings that apply to Remote Desktop.
FIGURE 27-10 The Remote Desktop Connection client UI shows configuration options both hidden and displayed.
Table 27-9 summarizes the configuration options available on the different tabs of the Remote Desktop Connection client UI.
TABLE 27-9 Configuration Options for Remote Desktop Connection Client
General tab
  Logon Settings: Computer
    Specifies the FQDN or IP address (can be IPv4 or IPv6) of the host computer.
  Logon Settings: User Name
    Specifies the user account to be used to establish the Remote Desktop session. This is displayed only when credentials from previous Remote Desktop sessions have been saved.
  Logon Settings: Always Ask For Credentials
    Select this check box to require the user to always supply credentials. This is displayed only when credentials from previous Remote Desktop sessions have been saved.
  Connection Settings
    Saves the current configuration of the RDC client as an *.rdp file or opens a previously saved *.rdp file.
Display tab
  Display Configuration
    Changes the size of your remote desktop.
  Use All My Monitors For The Remote Session
    Configures the Remote Desktop session monitor layout to match the current client-side configuration.
  Colors
    Specifies color depth for your remote desktop.
  Display The Connection Bar When In Full-Screen Mode
    Makes it easier to use Remote Desktop in full-screen mode without needing to remember keyboard shortcuts.
Local Resources tab
  Remote Audio
    Controls where remote audio is played back and whether it should be recorded.
  Keyboard
    Specifies how Windows key combinations, such as Alt+Tab, behave when used from within a Remote Desktop session.
  Local Devices And Resources: Printers
    Prints to network computers connected to the host computer from within the Remote Desktop session without having to install additional drivers.
  Local Devices And Resources: Clipboard
    Shares a clipboard between the client and host computers.
  Local Devices And Resources: More
    Redirects additional devices local to the host computer to the remote client, including serial ports, smart cards, disk drives, and supported PnP devices such as media players and digital cameras.
Programs tab
  Start A Program
    Specifies a program that should automatically start when your Remote Desktop session is established.
Experience tab
  Performance: Choose Your Connection Speed To Optimize Performance
    Specifies the connection speed closest to actual available network bandwidth to obtain the optimal mix of functionality and performance for your Remote Desktop session.
  Desktop Background, Font Smoothing, Desktop Composition, Show Window Contents While Dragging, Menu And Window Animation, Visual Styles, Persistent Bitmap Caching
    Enables or disables each desktop user interface feature that is indicated.
  Reconnect If Connection Is Dropped
    Specifies that the RDC client should attempt to re-establish a connection with the remote host if the connection between them is unexpectedly terminated.
Advanced tab
  Server Authentication: Authentication Options
    Specifies whether unauthenticated Remote Desktop sessions should be allowed; if they are allowed, specify whether a warning message should be displayed. For more information, see the sidebar titled “Remote Desktop Connection Server Authentication” later in this chapter.
  Connect From Anywhere: Settings
    Configures Remote Desktop Gateway (RD Gateway) settings to allow RDC clients to connect to remote computers behind corporate firewalls.
NOTE In enterprise environments, administrators can also preconfigure RDC client configurations and save them as Remote Desktop files (*.rdp files). These *.rdp files can then be deployed to users as e-mail attachments or copied from a network share using a logon script.
Remote Desktop Connection Server Authentication
RDC includes a Server Authentication setting that ensures that you are connecting to the remote computer or server that you intend to connect to.
To configure Server Authentication for an RDC, open the properties dialog box of your connection, click the Advanced tab, and click Settings. Then select one of the following three options:
• Connect And Don’t Warn Me (Least Secure) Lets you connect even if RDC can’t verify the identity of the remote computer.
• Warn Me (More Secure) Lets you choose whether to continue with the connection when RDC can’t verify the identity of the remote computer.
• Do Not Connect (Most Secure) Prevents you from connecting to the remote computer when RDC can’t verify the remote computer’s identity.
The default setting for Server Authentication is Warn Me.
Configuring Remote Desktop Connection from the Command Line
To use the RDC client from the command line or a custom shortcut, type mstsc followed by the appropriate command-line switches. For example, to initiate a Remote Desktop session using a custom display resolution of 1680 × 1050, type mstsc /w:1680 /h:1050 at a command prompt.
You can use the /span switch to initiate a Remote Desktop session that spans across multiple monitors. Note that when both the /span and /h: /w: switches are present, the /span switch takes precedence. In addition, when the /span option is selected, the slider for adjusting remote desktop size is unavailable on the Display tab so that users cannot change their initial settings, which can cause confusion.
New in Windows 7 is the /multimon switch, which configures the Remote Desktop session monitor layout to match the current client-side configuration.
Using the /public switch runs Remote Desktop in public mode. When an RDC client is running in public mode, it does not persist any private user data (such as user name, password, domain, and so on) either to disk or to the registry on the computer on which the client is running, nor does the client make use of any saved private data that may exist on the computer (a trusted sites list, the persistent bitmap cache, and so on). This means that the client essentially functions as if there were no registry or secondary storage present for storing private data. A client running in public mode still honors Group Policy settings, however. Finally, the /console switch used in previous versions of Mstsc.exe was removed in Windows Vista SP1 and has been replaced with the /admin switch. For more information about this, see the following sidebar, titled “Direct from the Source: Replacement of /console by /admin.”
NOTE For more help with Mstsc.exe parameters, type mstsc /? at a command prompt.
DIRECT FROM THE SOURCE
Replacement of /console by /admin
Mahesh Lotlikar, SDE II
Remote Desktop Services Team
In Windows Server 2003, the /console option for Mstsc.exe was used for several purposes. With the introduction of the /admin option in Windows Vista SP1 and Windows Server 2008, the /console option has now been deprecated. The following examples illustrate the /console switch’s significance in previous versions of Windows and why the scenario does not apply for Windows 7, Windows Vista SP1 or later versions, Windows Server 2008, and Windows Server 2008 R2.
First, in earlier versions of Windows such as Windows XP and Windows Server 2003, the /console option was used to connect to the session on the physical console (session 0), because some applications could not install and run in any session other than session 0. In Windows Vista and Windows Server 2008, the Windows features are re-architected so that only services run in session 0 and applications do not need to run in session 0. Therefore, the administrator does not need the /console option for this purpose.
Second, in earlier versions of Windows, the /console option was also used for the purpose of reconnecting to and resuming work in the user session on the physical console. In Windows Vista and Windows Server 2008, this option is not required to reconnect to the existing session on the physical console. (The blog post referenced at the end of this sidebar includes details on console behavior differences.)
Third, in Windows Server 2003, the /console option was used for administering the Remote Desktop Session Host remotely without consuming a client access license (CAL). In Windows Server 2008, the /admin option serves this purpose.
Thus, you do not need the /console option while connecting to Windows Vista or Windows Server 2008, and you can now use the /admin switch to connect to the physical console of Windows Vista or Windows Server 2003.
For more information, see the following post on the Remote Desktop Services Team Blog: http://blogs.msdn.com/ts/archive/2007/12/17/changes-to-remote-administration-in-windows-server-2008.aspx.
Configuring Remote Desktop Connection Using Notepad
You can also configure a saved RDC client by opening its *.rdp file in Notepad and editing it. For example, to configure a saved RDC client to use a custom display resolution of 1680 × 1050, change the lines specifying screen resolution to read as follows:
desktopwidth:i:1680
desktopheight:i:1050
As a second example, to configure a saved RDC client to span a Remote Desktop session across multiple monitors, add or change the following line:
span:i:0
to
span:i:1
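The edits shown here for Notepad, and the Mstsc.exe switches from the command-line section above, can both be scripted. The following is an added example, not code from the book: it parses an .rdp file into its name:type:value settings, applies the resolution and span changes, writes the file back, and builds an Mstsc.exe argument list that honors the /span-over-/w:/h: precedence the text describes. The sample file content is constructed; the "authentication level" setting name and its values (0 = connect and don't warn, 1 = warn, 2 = do not connect) are this example's assumption about how the Advanced tab choice is stored, and host01.contoso.com is a placeholder.

```powershell
# Added example (not from the book): edit a saved .rdp file from PowerShell instead
# of Notepad, then build the Mstsc.exe command line with the switches described in
# the command-line section. An .rdp file is one "name:type:value" line per setting
# (type i = integer, s = string), as in the desktopwidth:i:1680 line above. The
# sample file content is constructed for this example. The "authentication level"
# setting name and its meanings (0 = connect and don't warn, 1 = warn, 2 = do not
# connect) are this example's assumption about how the Advanced tab choice is stored.

function Read-RdpFile {
    param([string]$Path)
    $settings = @()
    # Mstsc.exe saves .rdp files as UTF-16; Get-Content detects the byte-order mark
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^([^:]+):([is]):(.*)$') {
            $settings += New-Object PSObject -Property @{
                Name = $matches[1]; Type = $matches[2]; Value = $matches[3] }
        }
    }
    , $settings
}

function Set-RdpSetting {
    param([object[]]$Settings, [string]$Name, [string]$Type, [string]$Value)
    $existing = $Settings | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($existing -ne $null) {
        $existing.Type = $Type; $existing.Value = $Value   # change the line in place
        return , $Settings
    }
    $new = New-Object PSObject -Property @{ Name = $Name; Type = $Type; Value = $Value }
    return , ($Settings + $new)                             # add the line
}

function Write-RdpFile {
    param([object[]]$Settings, [string]$Path)
    $lines = $Settings | ForEach-Object { "$($_.Name):$($_.Type):$($_.Value)" }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

# Command line for Mstsc.exe: /span takes precedence over /w and /h, as the text notes.
function Get-MstscArgumentList {
    param([Parameter(Mandatory=$true)][string]$RdpFile,
          [int]$Width, [int]$Height,
          [switch]$Span, [switch]$MultiMon, [switch]$Public, [switch]$Admin)
    $argList = @("`"$RdpFile`"")
    if ($Span)                   { $argList += '/span' }
    elseif ($Width -and $Height) { $argList += "/w:$Width"; $argList += "/h:$Height" }
    if ($MultiMon) { $argList += '/multimon' }   # match the client's monitor layout (Windows 7)
    if ($Public)   { $argList += '/public' }     # public mode: no credentials or caches persisted
    if ($Admin)    { $argList += '/admin' }      # replaces the old /console switch
    , $argList
}

# --- Demo on a constructed file ---
$path = Join-Path $env:TEMP 'example-host.rdp'
@"
screen mode id:i:2
desktopwidth:i:1280
desktopheight:i:1024
full address:s:host01.contoso.com
prompt for credentials:i:1
"@ | Set-Content -Path $path -Encoding Unicode

$s = Read-RdpFile $path
$s = Set-RdpSetting $s 'desktopwidth'  'i' '1680'
$s = Set-RdpSetting $s 'desktopheight' 'i' '1050'
$s = Set-RdpSetting $s 'span' 'i' '1'                   # span across monitors
$s = Set-RdpSetting $s 'authentication level' 'i' '2'   # Do Not Connect if the host can't be verified
Write-RdpFile $s $path
Get-Content $path

$argList = Get-MstscArgumentList -RdpFile $path -Width 1680 -Height 1050 -Span
"mstsc $argList"      # /span wins: the /w and /h switches are not emitted
# Start-Process -FilePath mstsc.exe -ArgumentList $argList   # uncomment to launch
```

Because an .rdp file is plain name:type:value text, the same parser lets you verify a file someone sent you before double-clicking it: check that "full address" names the host you expect and that the server authentication setting has not been relaxed to the connect-and-don't-warn value.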
Configuring Remote Desktop Using Group Policy
You can also use Group Policy to manage some aspects of how Remote Desktop works. You can find the policy settings for managing Remote Desktop in two locations:
• Per-computer policy settings can be found under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services.
• Per-user policy settings can be found under User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services.
Table 27-10 lists Group Policy settings that affect Remote Desktop. Policies that were introduced earlier in Windows Vista are marked with an asterisk (*), and policies that are new in Windows 7 are marked with two asterisks (**). (Additional policy settings found in these locations apply only to Remote Desktop Session Hosts or only when an RDC client is used to connect to a Remote Desktop Session Host.) If a computer and user policy setting are identical, the computer setting takes precedence if configured.
To use the Group Policy settings in this table, configure them in a GPO linked to an OU where the host computers (the computers that have Remote Desktop enabled) are located. For additional Group Policy settings that affect Remote Desktop, see the section titled “Enabling Remote Desktop Using Group Policy” earlier in this chapter.
NOTE The folder layout of the Group Policy settings for Remote Desktop Services—under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services and User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services—has been reorganized in Windows 7 for ease of discoverability, but the registry keys are still the same. All policy settings common to both Windows Vista and Windows XP, even if located under different folders, will still be applied to all computers in the targeted OU.
TABLE 27-10 Group Policy Settings That Affect Remote Desktop
Folder: Remote Desktop Connection Client
  Do Not Allow Passwords To Be Saved
    Prevents users from saving their credentials in the RDC client. Windows Vista saves the password using Credential Manager instead of saving it within the *.rdp file as in earlier versions of Windows.
Folder: Remote Desktop Session Host\Connections
  Automatic Reconnection
    Enables RDC clients to attempt to automatically reconnect when underlying network connectivity is lost.
  Allow Users To Connect Remotely Using Remote Desktop Services
    Enables Remote Desktop on the targeted computer.
  Deny Logoff Of An Administrator Logged In To The Console Session
    Prevents an administrator on the client computer from bumping an administrator off of the host computer.
Folder: Remote Desktop Session Host\Device and Resource Redirection
  Allow Audio And Video Playback Redirection
    Enables redirection of the remote computer’s audio and video output in a Remote Desktop session. (This policy was named Allow Audio Redirection in Windows Vista and earlier versions.)
  Allow Audio Recording Redirection
    Enables recording of audio to the remote computer during a Remote Desktop session.
  **Limit Audio Playback Quality
    Enables limiting of audio quality to improve the performance of a Remote Desktop session over a slow link.
  Do Not Allow Clipboard Redirection
    Prevents sharing of a clipboard.
  Do Not Allow COM Port Redirection
    Prevents redirection of serial port devices.
  Do Not Allow Drive Redirection
    Prevents redirection of disk drive resources.
  Do Not Allow LPT Port Redirection
    Prevents redirection of parallel port devices.
  *Do Not Allow Supported Plug And Play Device Redirection
    Prevents redirection of supported PnP media players and digital cameras.
  Do Not Allow Smart Card Device Redirection
    Prevents redirection of smart card readers.
Folder: Remote Desktop Session Host\Printer Redirection
  Do Not Set Default Client Printer To Be Default Printer In A Session
    Prevents the client default printer from automatically being set as the default printer for the Remote Desktop session.
  Do Not Allow Client Printer Redirection
    Prevents users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer.
Folder: Remote Desktop Session Host\Remote Session Environment
  Limit Maximum Color Depth
    Enables specifying a maximum color depth to improve performance of a Remote Desktop session over a slow link.
  **Limit Maximum Display Resolution
    Enables specifying a maximum display resolution to improve performance of a Remote Desktop session over a slow link.
  **Limit Maximum Number Of Monitors
    Enables specifying a maximum number of monitors to improve performance of a Remote Desktop session over a slow link.
  **Optimize Visual Experience For Remote Desktop Services Sessions
    Enables optimizing the Remote Desktop session for either multimedia or text.
  Enforce Removal Of Remote Desktop Wallpaper
    Prevents wallpaper from being displayed in the Remote Desktop session.
Folder: Remote Desktop Session Host\Security
  Set Client Connection Encryption Level
    Specifies the level of encryption used to protect RDP traffic between the client and host computers. The options available are High (128-bit), Low (56-bit), and Client Compatible (highest encryption level supported by the client). When this policy setting is Not Configured, the default encryption level used is Client Compatible.
  Always Prompt For Password Upon Connection
    Requires remote users to always enter a password to establish a Remote Desktop session with the targeted computer.
  *Require Use Of Specific Security Layer For Remote (RDP) Connections
    Specifies whether the client should attempt to authenticate the host computer during establishment of the Remote Desktop session. The options available are:
    • RDP, which means that no computer-level authentication is required.
    • SSL (TLS 1.0), which means that the client tries to use Kerberos or certificates to authenticate the host computer; if this fails, the session is not established.
    • Negotiate, which first attempts to authenticate the host using Kerberos or certificates; if this fails, the session is still established.
    When this policy setting is Not Configured, the default authentication method used is Negotiate.
  *Require User Authentication For Remote Connections By Using Network Level Authentication
    Requires client computers to be running Windows Vista or Windows XP SP2 with the downloadable RDC 6.0 client installed. (This policy was named Require User Authentication Using RDP 6.0 For Remote Connections in Windows Vista and earlier versions.)
  *Server Authentication Certificate Template
    Lets you specify a certificate template to be used for authenticating the host computer.
Folder: Remote Desktop Session Host\Session Time Limits
  Terminate Session When Time Limits Are Reached
    Forcibly logs the remote user off of the Remote Desktop session when the session time limit has been reached.
  Set Time Limit For Disconnected Sessions
    Forcibly logs the remote user off of the Remote Desktop session when the session time limit for disconnected sessions has been reached.
  Set Time Limit For Active But Idle Remote Desktop Services Sessions
    Specifies a time limit for no activity in Remote Desktop sessions. When the time limit is reached, the session is disconnected, but the remote user is not logged off. If, however, the Terminate Session When Time Limits Are Reached policy is enabled, the user is disconnected and then forcibly logged off.
  Set Time Limit For Active Remote Desktop Services Sessions
    Specifies a time limit for Remote Desktop sessions. When the time limit is reached, the session is disconnected, but the remote user is not logged off. If, however, the Terminate Session When Time Limits Are Reached policy is enabled, the user is disconnected and then forcibly logged off.
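The Security and Session Time Limits rows of Table 27-10 are the ones that decide whether a client can tell it is talking to the right host and how long an abandoned session stays alive. The following script is an added example, not code from the book, that reads those policies as applied on a host and reports them in the table's own terms, then flags the weak combinations. Its assumption is that a GPO writes these policies under the key named in the script with the value names used there (SecurityLayer 0/1/2 for RDP/Negotiate/SSL, MinEncryptionLevel 1/2/3 for Low/Client Compatible/High, time limits in milliseconds); a value that is absent is treated as Not Configured, so the default the table states applies.

```powershell
# Added example (not from the book): report the Security and Session Time Limits
# policies from Table 27-10 as they are applied on this host, in the table's terms.
# Assumption of this example: a GPO that sets these policies writes them under the
# key below with the value names used here; a missing value means Not Configured,
# so the default stated in the table applies.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpPolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { [int]$item.$Name } else { $null }
}

# Map a raw DWORD to the option name shown in the Group Policy editor; when the
# policy is Not Configured, say so and name the documented default.
function Resolve-RdpOption {
    param([object]$Value, [hashtable]$Names, [string]$Default)
    if ($Value -eq $null) { return "Not Configured (default: $Default)" }
    if ($Names.ContainsKey($Value)) { return $Names[$Value] }
    return "Unknown value $Value"
}

function Format-SessionLimit([object]$Milliseconds) {
    if ($Milliseconds -eq $null) { return 'Not Configured' }
    if ($Milliseconds -eq 0)     { return 'Never' }
    return "$($Milliseconds / 60000) minutes"
}

function Get-RdpSecurityPolicy {
    $layerNames = @{ 0 = 'RDP (no computer-level authentication)'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $encNames   = @{ 1 = 'Low (56-bit)'; 2 = 'Client Compatible'; 3 = 'High (128-bit)' }
    $onOff      = @{ 0 = 'Disabled'; 1 = 'Enabled' }

    $layer  = Resolve-RdpOption (Get-RdpPolicyValue 'SecurityLayer')      $layerNames 'Negotiate'
    $enc    = Resolve-RdpOption (Get-RdpPolicyValue 'MinEncryptionLevel') $encNames   'Client Compatible'
    $nla    = Resolve-RdpOption (Get-RdpPolicyValue 'UserAuthentication') $onOff      'not required'
    $prompt = Resolve-RdpOption (Get-RdpPolicyValue 'fPromptForPassword') $onOff      'saved credentials accepted'
    $reset  = Resolve-RdpOption (Get-RdpPolicyValue 'fResetBroken')       $onOff      'disconnect only'
    $idle   = Format-SessionLimit (Get-RdpPolicyValue 'MaxIdleTime')
    $disc   = Format-SessionLimit (Get-RdpPolicyValue 'MaxDisconnectionTime')

    New-Object PSObject -Property @{
        SecurityLayer                     = $layer
        ClientConnectionEncryptionLevel   = $enc
        RequireNetworkLevelAuthentication = $nla
        AlwaysPromptForPassword           = $prompt
        TerminateSessionWhenLimitReached  = $reset
        ActiveButIdleSessionLimit         = $idle
        DisconnectedSessionLimit          = $disc
    }
}

# The combinations a reviewer wants flagged first: the plain RDP layer never
# authenticates the host to the client, and Low encryption is only 56-bit.
function Test-RdpSecurityPolicy {
    $p = Get-RdpSecurityPolicy
    $findings = @()
    if ($p.SecurityLayer -like 'RDP*')                            { $findings += 'Security layer is RDP: the host is not authenticated to the client' }
    if ($p.ClientConnectionEncryptionLevel -like 'Low*')          { $findings += 'Client connection encryption level is Low (56-bit)' }
    if ($p.RequireNetworkLevelAuthentication -notlike 'Enabled*') { $findings += 'Network Level Authentication is not required by policy' }
    if ($p.DisconnectedSessionLimit -eq 'Not Configured')         { $findings += 'Disconnected sessions are never logged off by policy' }
    , $findings
}

Get-RdpSecurityPolicy | Format-List
Test-RdpSecurityPolicy
```

Run it after a Group Policy refresh on a host in the targeted OU; an empty result from Test-RdpSecurityPolicy means the host authenticates itself to clients (Negotiate or SSL), requires NLA, and will eventually log off sessions that were left disconnected.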
Establishing a Remote Desktop Session
After the host computer has been configured to enable Remote Desktop for authorized users and the RDP client software has been configured and deployed on the client computer, the user can initiate establishment of a Remote Desktop session with the remote host computer by using one of the following methods:
• Double-click the desired *.rdp file (or a shortcut to this file) and (if required) click Yes. Then specify your credentials for connecting to the host computer (if required).
• Open a command prompt and type mstsc rdp_file, where rdp_file is the name of the desired *.rdp file (specifying the path may be required), and (if required) click Yes. Then specify your credentials for connecting to the host computer, if required.
When a Remote Desktop session has been established, the client can end the session in two ways:
• By disconnecting. This ends the Remote Desktop experience on the client computer but leaves the session running on the host computer so that the client can reconnect later if desired. Any applications running in the session on the host continue to run until this session is terminated, either by the user on the client (who must reconnect and then log off) or by a user logging on interactively to the host.
• By logging off. This ends the Remote Desktop experience on the client computer and terminates the session on the host computer as well.
NOTE You can also remotely shut down the host computer to which you are remotely connected, or you can put it into Sleep mode. To do this from within a Remote Desktop session, click the taskbar, press Alt+F4, and then choose the option you want to select. You can also open a command prompt in your Remote Desktop session and type shutdown -s -t 0 to immediately shut down the host computer or shutdown -r -t 0 to immediately restart it. (Be sure to save any open files first.)
Improving Remote Desktop Performance
If available network bandwidth between a client computer and the remote host computer is limited, you can improve a Remote Desktop experience by reducing the color depth on the Display tab of the RDC client from its default 32-bit value. You can also selectively disable desktop experiences on the Experience tab to further improve Remote Desktop performance.
If you routinely transfer large files, submit large print jobs, or perform other bandwidth-intensive actions over a Remote Desktop connection, you may be able to improve the performance of a Remote Desktop experience by configuring display data prioritization on the host computer. Display data prioritization is designed to ensure that the screen performance aspect of a Remote Desktop experience is not adversely affected by such bandwidth-intensive actions. Display data prioritization works by automatically controlling virtual channel traffic between the client and host computer by giving display, keyboard, and mouse data higher priority than other forms of traffic.
The default setting for display data prioritization is to allocate 70 percent of available bandwidth for input (keyboard and mouse) and output (display) data. All other traffic, including use of a shared clipboard, file transfers, print jobs, and so on, is allocated by default only 30 percent of the available bandwidth of the network connection. You can manually configure display data prioritization settings by editing the registry on a host computer running Windows Vista or later versions. The registry entries for display data prioritization are the following values, which are found under HKLM\SYSTEM\CurrentControlSet\Services\TermDD. (If these DWORD values are not present, you can create them.)
• FlowControlDisable Set this value to 1 to disable all display data prioritization and handle all requests on a first-in-first-out (FIFO) basis. The default value of this setting is 0.
• FlowControlDisplayBandwidth Specify a relative bandwidth priority for display and input data up to an allowed value of 255. The default value of this setting is 70.
• FlowControlChannelBandwidth Specify a relative bandwidth priority for all other virtual channels up to an allowed value of 255. The default value of this setting is 30.
• FlowControlChargePostCompression Determine whether flow control will calculate bandwidth allocation based on pre-compression bytes (if the value is 0) or post-compression bytes (if the value is 1). The default value for this setting is 0.
By default, the ratio of FlowControlDisplayBandwidth to FlowControlChannelBandwidth is 70 to 30, or 70:30. This means that 70 percent of available bandwidth is reserved for display and input traffic, and the remaining 30 percent will be used for other types of traffic. If your Remote Desktop experience is being degraded during large file transfers and other bandwidth-intensive activity, you might change FlowControlDisplayBandwidth to 85 and FlowControlChannelBandwidth to 15, which allocates 85 percent of available bandwidth for display and input traffic while reserving only 15 percent for other traffic.
NOTE You must reboot your host computer for these registry changes to take effect.
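The four TermDD values above are plain DWORDs, so the 85:15 adjustment the text suggests can be scripted and checked rather than typed into Registry Editor. The following is an added example, not code from the book: it writes the values with the 0 to 255 bounds the text gives, creating them when absent, and reads the effective configuration back as a display:channel percentage split using the defaults the text states for any value that is missing. It uses only the registry path and value names given on this page; run it elevated on the host, and reboot afterwards as the note says.

```powershell
# Added example (not from the book): set and read the display data prioritization
# values under HKLM\SYSTEM\CurrentControlSet\Services\TermDD that the text describes,
# with the 0-255 bounds it gives, and show the resulting display:channel split.
# Run elevated on the host; the change takes effect after a reboot.
$termDD = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Set-DisplayDataPrioritization {
    param(
        [ValidateRange(0,255)][int]$DisplayBandwidth = 70,   # FlowControlDisplayBandwidth (default 70)
        [ValidateRange(0,255)][int]$ChannelBandwidth = 30,   # FlowControlChannelBandwidth (default 30)
        [switch]$Disable,                                    # FlowControlDisable = 1: plain FIFO
        [switch]$ChargePostCompression                       # FlowControlChargePostCompression = 1
    )
    if (-not (Test-Path $termDD)) {
        throw "Registry key $termDD not found; this must run on a Windows Vista or later host"
    }
    $values = @{
        FlowControlDisable               = [int]$Disable.IsPresent
        FlowControlDisplayBandwidth      = $DisplayBandwidth
        FlowControlChannelBandwidth      = $ChannelBandwidth
        FlowControlChargePostCompression = [int]$ChargePostCompression.IsPresent
    }
    foreach ($name in $values.Keys) {
        # -Force creates the DWORD value when it is absent, as the text says you may need to
        New-ItemProperty -Path $termDD -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
    }
}

function Get-DisplayDataPrioritization {
    # Defaults as stated in the text; a missing value means the default applies
    $defaults = @{ FlowControlDisable = 0; FlowControlDisplayBandwidth = 70;
                   FlowControlChannelBandwidth = 30; FlowControlChargePostCompression = 0 }
    $current = Get-ItemProperty -Path $termDD -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in $defaults.Keys) {
        if ($current -ne $null -and $current.PSObject.Properties[$name] -ne $null) {
            $result[$name] = [int]$current.$name
        } else {
            $result[$name] = $defaults[$name]
        }
    }
    # The two bandwidth values are relative priorities; express them as a percentage split
    $total = $result.FlowControlDisplayBandwidth + $result.FlowControlChannelBandwidth
    $displayPct = if ($total -gt 0) { [math]::Round(100 * $result.FlowControlDisplayBandwidth / $total) } else { 0 }
    $result.DisplayAndInputPercent = $displayPct
    $result.OtherChannelsPercent   = if ($total -gt 0) { 100 - $displayPct } else { 0 }
    $result.PrioritizationActive   = ($result.FlowControlDisable -eq 0)
    New-Object PSObject -Property $result
}

# The text's worked example: favor display and input traffic 85:15 during large transfers
Set-DisplayDataPrioritization -DisplayBandwidth 85 -ChannelBandwidth 15
Get-DisplayDataPrioritization
```

Get-DisplayDataPrioritization is also the quick way to confirm that nobody has set FlowControlDisable to 1 on a host whose users complain about a sluggish screen during file copies.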
Troubleshooting Remote Desktop Sessions
If you have trouble establishing a Remote Desktop session with the host computer, do the following:
• Verify that Remote Desktop has been enabled on the host computer.
• Verify that you are using credentials that have been authorized for remotely connecting to the host computer.
• Verify that you have the correct FQDN or IP address of the remote computer.
• Verify network connectivity with the remote computer by using the ping command.
If you are missing expected functionality during a Remote Desktop session, do the following:
• Check whether the host computer is running an older version of Windows such as Windows XP Professional Edition or Windows Server 2003.
• Verify that you have the latest version of Remote Desktop Connection client software installed on your computer.
• Verify that Group Policy is not locking down some aspect of Remote Desktop functionality that you expected to experience.
NOTE For additional troubleshooting guidance, read Chapter 31, “Troubleshooting Network Issues.” When working through the troubleshooting processes in this chapter, keep in mind that RDP uses TCP port 3389.
Configuring and Using RemoteApp and Desktop Connection
RemoteApp and Desktop Connection requires configuration on both the server and client side. On the server side, you need a Windows Server 2008 R2 server that has the Remote Desktop Services role installed together with the following role services:
• Remote Desktop Session Host
• Remote Desktop Web Access
• Remote Desktop Connection Broker
In addition, if you want users on client computers to also be able to connect to virtual machines using RemoteApp and Desktop Connection, you must install the Remote Desktop Virtualization Host role service, which also requires installing the Hyper-V role on the server. For guidance on configuring RemoteApp and Desktop Connection on the server side, refer to steps 1 and 2 in the “Deploying RemoteApp Programs to the Start Menu by Using RemoteApp and Desktop Connection Step-by-Step Guide” found at http://technet.microsoft.com/en-us/library/dd772639.aspx. You will also need to import the SSL certificate for the Remote Desktop Web Access server to your client computers before the users of these computers can use RemoteApp and Desktop Connection. For information on how to import certificates, see step 3 of the above guide.
After you have configured your servers and have installed certificates on your clients, you can configure RemoteApp and Desktop Connection on the client side by following these steps:
1. Open RemoteApp and Desktop Connection from Control Panel.
2. Click Set Up A New Connection With RemoteApp And Desktop Connections to launch the New Connection wizard.
3. Type the URL to the Remote Desktop Web Access server in the Connection URL box.
4. Click Next to add connection resources for the RemoteApp And Desktop Connection (be sure to enter your credentials if prompted to do so). When the connection resources have been added, the details of the RemoteApp And Desktop Connection will be displayed.
5. Click Finish to complete the wizard.
6. To view all RemoteApp And Desktop Connections that have been added to the client, open RemoteApp And Desktop Connections again from Control Panel.
7. You can now access your RemoteApp programs from the RemoteApp and Desktop Connections folder of your Start menu.
8. You can even access them by searching for them using Start menu search.
9. When you start a RemoteApp program, a balloon notification above the system tray icon indicates that a RemoteApp program is being used.
Administrators can create a RemoteApp and Desktop Connection client configuration file (.wcx) and distribute it to users so they can automatically configure the RemoteApp and Desktop Connection. Administrators can also use scripts to run the client configuration file silently on the client so that the RemoteApp and Desktop Connection is set up automatically when the user logs on to her Windows 7 computer.
To create a .wcx configuration file, follow these steps:
1. Open Remote Desktop Connection Manager on your Remote Desktop Connection Broker server.
2. Right-click the root node in the console tree and select Create Configuration File.
3. In the Create Configuration File dialog box, type the URL to the Remote Desktop Web Access server in the RAD Connection Feed URL box.
4. Click Save, then distribute the configuration file to users as an e-mail attachment, by placing it on a network share, or by using scripts.
For more information on RemoteApp and Desktop Connection, see the Remote Desktop Services section of Microsoft TechNet at http://technet.microsoft.com/en-us/library/cc770412.aspx.
Summary
Windows 7 includes new remote connectivity technologies, such as VPN Reconnect, DirectAccess, and BranchCache. These technologies and others, such as Remote Desktop, have been enhanced in Windows 7 to make them more reliable, more secure, and easier to use and manage.
• General information concerning Remote Desktop Services in Windows Server 2008 R2 and Windows 7 can be found at http://technet.microsoft.com/en-us/library/cc770412.aspx
• The white paper, “Networking Enhancements for Enterprises,” at http://www.microsoft.com/downloads/details.aspx?FamilyID=38fd1d96-3c6e-43ca-b083-3334ddd1ef86&DisplayLang=en.
• The Routing and Remote Access Blog can be found at http://blogs.technet.com/rrasblog/
• The Remote Desktop Services Team Blog can be found at http://blogs.msdn.com/ts/
• The white paper, “Step-by-Step Guide: Deploying SSTP Remote Access” can be found at http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/Deploying%20SSTP%20Remote%20Access%20Step%20by%20Step%20Guide.doc
On the Companion Media
• Get-Modem.ps1
Trang 19C H A P T E R 2 8 Deploying Ipv6
n Understanding IPv6 1371
n IPv6 Enhancements in Windows 7 1388
n Configuring and Troubleshooting IPv6 in Windows 7 1392
n Planning for IPv6 Migration 1406
n Summary 1414
n Additional Resources 1414
Like the Windows Vista operating system before it, the Windows 7 operating system has a new Next Generation Transmission Control Protocol/Internet Protocol (TCP/IP) stack with enhanced support for Internet Protocol version 6 (IPv6) This chapter provides you with an understanding of why IPv6 is necessary and how it works The chapter de-scribes the IPv6 capabilities in Windows 7, Windows Vista, and Windows Server 2008 and outlines how to migrate the IPv4 network infrastructure of your enterprise to IPv6 using IPv6 transition technologies, such as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) Finally, the chapter describes how to configure and manage IPv6 settings in Windows 7 and how to troubleshoot IPv6 networking problems
■ The growing use of real-time communications (RTC) on the Internet, such as Voice over IP (VoIP) telephony, instant messaging (IM), and audio/video conferencing, exposes the limited support for Quality of Service (QoS) currently provided in IPv4. These new RTC technologies need improved QoS on IP networks to ensure reliable end-to-end communications. The design of IPv4 limits possible improvements.
■ The growing threats faced by hosts on IPv4 networks connected to the Internet can be mitigated considerably by deploying Internet Protocol security (IPsec), both on private intranets and on tunneled connections across the public Internet. However, IPsec was designed as an afterthought to IPv4 and is complex and difficult to implement in many scenarios.
IPv6, developed by the Internet Engineering Task Force (IETF) to solve these problems, includes the following improvements and additions:
■ IPv6 increases the theoretical address space of the Internet from 4.3 × 10^9 addresses (based on 32-bit IPv4 addresses) to 3.4 × 10^38 possible addresses (based on 128-bit IPv6 addresses), which most experts agree should be more than sufficient for the foreseeable future.
■ The IPv6 address space is designed to be hierarchical rather than flat in structure, which means that routing tables for IPv6 routers can be smaller and more efficient than for IPv4 routers.
■ IPv6 has enhanced support for QoS that includes a Traffic Class field in the header to specify how traffic should be handled and a new Flow Label field in the header that enables routers to identify packets that belong to a traffic flow and handle them appropriately.
■ IPv6 now requires IPsec support for standards-based, end-to-end security across the Internet. The new QoS enhancements work even when IPv6 traffic is encrypted using IPsec.
Understanding how IPv6 works is essential if you plan to benefit from IPv6 by deploying it in your enterprise. The following sections provide an overview of key IPv6 concepts, features, and terminology.
NOTE For more detailed information on IPv6 concepts, features, and terminology, see the white paper titled “Introduction to IP Version 6” at http://www.microsoft.com/downloads/details.aspx?FamilyID=CBC0B8A3-B6A4-4952-BBE6-D976624C257C&displaylang=en. Another good reference for learning IPv6 is the book, Understanding IPv6, 2nd Edition, by Joseph Davies (Microsoft Press, 2008).
Understanding IPv6 Terminology
The following terminology is used to define IPv6 concepts and describe IPv6 features:
■ Node An IPv6-enabled network device that includes both hosts and routers.
■ Host An IPv6-enabled network device that cannot forward IPv6 packets that are not explicitly addressed to itself. A host is an endpoint for IPv6 communications (either the source or destination) and drops all traffic not explicitly addressed to it.
■ Router An IPv6-enabled network device that can forward IPv6 packets that are not explicitly addressed to itself. IPv6 routers also typically advertise their presence to IPv6 hosts on their attached links.
■ Link One or more LAN (such as Ethernet) or wide area network (WAN, such as Point-to-Point Protocol [PPP]) network segments bounded by routers. Like interfaces, links may be either physical or logical.
■ Neighbors Nodes that are connected to the same physical or logical link.
■ Subnet One or more links having the same 64-bit IPv6 address prefix.
■ Interface A representation of a node’s attachment to a link. This can be a physical interface (such as a network adapter) or a logical interface (such as a tunnel interface).
NOTE An IPv6 address identifies an interface, not a node. A node is identified by having one or more unicast IPv6 addresses assigned to one of its interfaces.
Understanding IPv6 Addressing
IPv6 uses 128-bit (16-byte) addresses that are expressed in colon-hexadecimal form. For example, in the address 2001:DB8:3FA9:0000:0000:0000:00D3:9C5A, each block of four hexadecimal digits represents a 16-bit binary number. The eight blocks of four hexadecimal digits thus equal 8 × 16 = 128 bits in total.
You can shorten colon-hexadecimal addresses by suppressing leading zeros for each block. Using this technique, the representation for the preceding address now becomes 2001:DB8:3FA9:0:0:0:D3:9C5A.
You can shorten colon-hexadecimal addresses even further by compressing contiguous 0 (hex) blocks as double colons ("::"). The address in this example thus shortens to 2001:DB8:3FA9::D3:9C5A. Note that only one double colon can be used per IPv6 address to ensure unambiguous representation.
Understanding IPv6 Prefixes
An IPv6 prefix indicates the portion of the address used for routing (a subnet or a set of subnets as a summarized route) or for identifying an address range. IPv6 prefixes are expressed in a manner similar to the Classless Inter-Domain Routing (CIDR) notation used by IPv4. For example, 2001:DB8:3FA9::/48 might represent a route prefix in an IPv6 routing table.
In IPv4, CIDR notation can be used to represent individual unicast addresses in addition to routes and subnets. IPv6 prefixes, however, are used only to represent routes and address ranges, not unicast addresses. Unlike IPv4, IPv6 does not support variable-length subnet identifiers, and the number of high-order bits used to identify a subnet in IPv6 is almost always 64. It is thus redundant to represent the address in our example as 2001:DB8:3FA9::D3:9C5A/64; the /64 portion of the representation is understood.
Understanding IPv6 Address Types
IPv6 supports three different address types:
■ Unicast Identifies a single interface within the scope of the address. (The scope of an IPv6 address is that portion of your network over which this address is unique.) IPv6 packets with unicast destination addresses are delivered to a single interface.
■ Multicast Identifies zero or more interfaces. IPv6 packets with multicast destination addresses are delivered to all interfaces listening on the address. (Generally speaking, multicasting works the same way in IPv6 as it does in IPv4.)
■ Anycast Identifies multiple interfaces. IPv6 packets with anycast destination addresses are delivered to the nearest interface (measured by routing distance) specified by the address. Currently, anycast addresses are assigned only to routers and can only represent destination addresses.
NOTE IPv6 address types do not include broadcast addresses as used by IPv4. In IPv6, all broadcast communications are performed using multicast addresses. See Table 28-2 for more information on multicast addresses.
Understanding Unicast Addresses
Unicast addresses are addresses that identify a single interface. IPv6 has several types of unicast addresses:
■ Global unicast address An address that is globally routable over the IPv6-enabled portion of the Internet. Therefore, the scope of a global address is the entire Internet, and global addresses in IPv6 correspond to public (non-RFC 1918) addresses used in IPv4. The address prefix currently used for global addresses as defined in RFC 3587 is 2000::/3, and a global address has the following structure:
• The first 48 bits of the address are the global routing prefix specifying your organization’s site. (The first three bits of this prefix must be 001 in binary notation.) These 48 bits represent the public topology portion of the address, which represents the collection of large and small Internet service providers (ISPs) on the IPv6 Internet and which is controlled by these ISPs through assignment by the Internet Assigned Numbers Authority (IANA).
• The next 16 bits are the subnet ID. Your organization can use this portion to specify up to 65,536 unique subnets for routing purposes inside your organization’s site. These 16 bits represent the site topology portion of the address, which your organization controls.
• The final 64 bits are the interface ID and specify a unique interface within each subnet.
■ Link-local unicast address An address that can be used by a node for communicating with neighboring nodes on the same link. Therefore, the scope of a link-local address is the local link on the network; link-local addresses are never forwarded beyond the local link by IPv6 routers. Because link-local addresses are assigned to interfaces using IPv6 address autoconfiguration, link-local addresses in IPv6 correspond to Automatic Private IP Addressing (APIPA) addresses used in IPv4 (which are assigned from the address range 169.254.0.0/16). The address prefix used for link-local addresses is FE80::/64, and a link-local address has the following structure:
• The first 64 bits of the address are always FE80:0:0:0 (which will be shown as FE80::).
• The last 64 bits are the interface ID and specify a unique interface on the local link. Link-local addresses can be reused—in other words, two interfaces on different links can have the same address. This makes link-local addresses ambiguous; an additional identifier called the zone ID (or scope ID) indicates to which link the address is either assigned or destined. In Windows 7, the zone ID for a link-local address corresponds to the interface index for that interface. You can view a list of interface indexes on a computer by typing netsh interface ipv6 show interface at a command prompt. For more information on the zone ID, see the section titled “Displaying IPv6 Address Settings” later in this chapter.
■ Unique local unicast address Because a site-local address prefix can represent multiple sites within an organization, it is ambiguous and not well suited for intraorganizational routing purposes. Therefore, RFC 4193 currently proposes a new type of address called a unique local unicast address. The scope of this address is global to all sites within the organization, and using this address type simplifies the configuration of an organization’s internal IPv6 routing infrastructure. A unique local address has the following structure:
• The first seven bits of the address are always 1111 110 (binary) and the eighth bit is set to 1, indicating a unique local address. This means that the address prefix is always FD00::/8 for this type of address.
• The next 40 bits represent the global ID, a randomly generated value that identifies a specific site within your organization.
• The next 16 bits represent the subnet ID and can be used for further subdividing the internal network of your site for routing purposes.
• The last 64 bits are the interface ID and specify a unique interface within each subnet.
NOTE Site-local addresses have been deprecated by RFC 3879 and are replaced by unique local addresses.
Identifying IPv6 Address Types
As Table 28-1 shows, you can quickly determine which type of IPv6 address you are dealing with by looking at the beginning part of the address—that is, the high-order bits of the address. Tables 28-2 and 28-3 also show examples of common IPv6 addresses that you can recognize directly from their colon-hexadecimal representation.
TABLE 28-1 Identifying IPv6 Address Types Using High-Order Bits and Address Prefix
TABLE 28-2 Identifying Common IPv6 Multicast Addresses
All-routers multicast | Interface-local | FF01::2
TABLE 28-3 Identifying Loopback and Unspecified IPv6 Addresses
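The colon-hexadecimal rules above (leading-zero suppression, a single "::" run) and the high-order-bit identification that Tables 28-1 through 28-3 describe, worked through in Python as an added example that is not from the book. The prefix list in the code uses the prefixes this chapter quotes; FF00::/8 for multicast is the RFC 4291 value and is an assumption not stated on the page.

```python
import re
_BLOCK = re.compile(r"[0-9A-Fa-f]{1,4}")      # one 16-bit block, leading zeros optional

def _parse_blocks(part: str) -> list[int]:
    if not part:
        return []
    if not all(_BLOCK.fullmatch(t) for t in part.split(":")):
        raise ValueError(f"malformed block in {part!r}")
    return [int(t, 16) for t in part.split(":")]

def expand(addr: str) -> list[int]:
    """Undo leading-zero suppression and the single '::' run; return 8 blocks."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed per IPv6 address")
    head, sep, tail = addr.partition("::")
    left, right = _parse_blocks(head), _parse_blocks(tail)
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("wrong number of 16-bit blocks")
    return left + [0] * missing + right

def compress(blocks: list[int]) -> str:
    """Suppress leading zeros and replace the longest run of 2+ zero blocks with '::'."""
    best_at, best_len, run_at = -1, 0, None
    for i, b in enumerate(blocks + [1]):          # sentinel closes a trailing run
        if b == 0 and run_at is None:
            run_at = i
        elif b != 0 and run_at is not None:
            if i - run_at > best_len:             # first run wins a tie
                best_at, best_len = run_at, i - run_at
            run_at = None
    hexes = [f"{b:X}" for b in blocks]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_at]) + "::" + ":".join(hexes[best_at + best_len:])

def _value(addr: str) -> int:                     # 128-bit integer form
    return int("".join(f"{b:04X}" for b in expand(addr)), 16)

# Prefixes quoted in this chapter (2000::/3, FE80::/64, FD00::/8, ::, ::1);
# FF00::/8 for multicast is the RFC 4291 value and is not spelled out on the page.
_PREFIXES = [("unspecified", "::", 128), ("loopback", "::1", 128),
             ("link-local unicast", "FE80::", 64), ("unique local unicast", "FD00::", 8),
             ("multicast", "FF00::", 8), ("global unicast", "2000::", 3)]
def address_type(addr: str) -> str:
    """Classify an address by its high-order bits, the way Table 28-1 does."""
    value = _value(addr)
    for name, prefix, length in _PREFIXES:
        if value >> (128 - length) == _value(prefix) >> (128 - length):
            return name
    return "unknown"
```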
Understanding Interface Identifiers
For all the types of unicast IPv6 addresses described in the preceding sections, the last 64 bits of the address represent the interface ID and are used to specify a unique interface on a local link or subnet. In previous versions of Windows, the interface ID is uniquely determined as follows:
■ For link-local addresses, such as a network adapter on an Ethernet segment, the interface ID is derived from either the unique 48-bit media access control (MAC)–layer address of the interface or the unique Extended Unique Identifier (EUI)–64 address of the interface as defined by the Institute of Electrical and Electronics Engineers (IEEE).
■ For global address prefixes, an EUI-64–based interface ID creates a public IPv6 address.
■ For global address prefixes, a temporary random interface ID creates a temporary address. This approach is described in RFC 3041; you can use it to help provide anonymity for client-based usage of the IPv6 Internet.
In Windows 7, however, the interface ID by default is randomly generated for all types of unicast IPv6 addresses assigned to LAN interfaces.
NOTE Windows 7 randomly generates the interface ID by default. You can also disable this behavior by typing netsh interface ipv6 set global randomizedidentifiers=disabled at a command prompt.
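An added example, not from the book, showing how the EUI-64-derived interface ID described above is formed from a MAC address, and how an administrator can spot hosts whose addresses still carry one (the exposure that Windows 7's randomized identifiers avoid). The FF:FE insertion and the universal/local bit flip follow RFC 4291 Appendix A, which the chapter does not spell out; the MAC and the address list are constructed sample data.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291, Appendix A):
    split the MAC after its OUI, insert FF:FE, then invert the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # U/L bit: bit 0x02 of the first octet
    return int.from_bytes(eui, "big")

def link_local_from_mac(mac: str) -> str:
    """FE80::/64 plus the EUI-64 interface ID, as earlier Windows versions formed it."""
    addr = ipaddress.IPv6Address((0xFE80 << 112) | mac_to_interface_id(mac))
    return str(addr).upper()            # the chapter writes addresses in uppercase hex

def embedded_mac(addr: str):
    """Return the MAC carried in an EUI-64 interface ID, or None when the low 64
    bits lack the FF:FE marker (as with Windows 7's randomized identifiers)."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = bytearray(low64.to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                      # undo the U/L bit flip
    return ":".join(f"{x:02X}" for x in iid[:3] + iid[5:])

def mac_based_addresses(addrs):
    """Inventory check: which observed addresses still expose a MAC in their
    interface ID, i.e. hosts on which randomized identifiers are not in effect."""
    found = [(a, embedded_mac(a)) for a in addrs]
    return [(a, mac) for a, mac in found if mac]

# Constructed sample: one EUI-64-derived address, one randomized, one loopback.
SAMPLE = ["FE80::21C:42FF:FE2B:605A", "FE80::A1B2:C3D4:E5F6:718", "::1"]
```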
Comparing IPv6 with IPv4
Table 28-4 compares and contrasts the IPv4 and IPv6 addressing schemes.
TABLE 28-4 IPv4 vs IPv6 Addressing
Feature | IPv4 | IPv6
Private addresses | Yes (RFC 1918 addresses) | Yes (unique local addresses)
Autoconfigured addresses for the local link | Yes (APIPA) | Yes (link-local addresses)
Support for address classes | Yes, but deprecated by CIDR | No
…length for addresses assigned to interfaces | |