Terminal Services in Windows Server 2003 Service Pack 1
Applies To: Windows Server 2003 with SP1
On Windows Server 2003 operating systems, the Terminal Server feature gives users at client computers throughout your network access to Windows-based programs installed on terminal servers. With Terminal Server, you can provide a single point of installation that allows multiple users access to Windows Server 2003 operating system desktops, where they can run programs, save files, and use network resources, all from a remote location, as if these resources were installed on their own computers.
Terminal Services is ideal for rapidly deploying Windows-based applications to computing devices across an enterprise—especially applications that are frequently updated, infrequently used, or hard to manage. Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.
Windows Server 2003 Service Pack 1 includes several new features designed to maximize both the speed and efficiency of Terminal Services administration, and the security of communications between Terminal Services clients and servers.
The features described here will be of interest to Terminal Server client users as well as IT professionals who deploy and configure Terminal Services.
With the release of Windows Server 2003 with Service Pack 1 (SP1), you can make local printing more accessible for Terminal Server clients by configuring Terminal Services to default to a printer driver compatible with PostScript (PS) or Printer Control Language (PCL). The new fallback printer driver capability is exceptionally useful if a terminal server does not have a printer driver installed that matches the Terminal Server client user's specific printer brand and model.
A new Group Policy setting, Terminal Server fallback printer driver behavior, allows you to specify the location and file name of a fallback printer driver, in the event that no printer drivers installed on a terminal server are compatible with the local printer for a Terminal Server client.
By default, the Terminal Server fallback printer driver is disabled. If the terminal server does not have a printer driver that matches the client's printer, no printer will be available for the terminal server session.
If the fallback printer driver is enabled, Terminal Server's default behavior is to locate a suitable printer driver. If one is not found, the client user cannot print Terminal Server session documents to a local printer. The Group Policy setting allows you to select one of four options to modify Terminal Server printing behavior:
- Do nothing if one is not found. This is the default setting. In the event of a printer driver mismatch, the server attempts to find a suitable driver. If one is not found, the client's printer is unavailable during the Terminal Server session.
- Default to PCL if one is not found. If no suitable printer driver can be found, Terminal Server uses the Hewlett-Packard compatible Printer Control Language (PCL) fallback printer driver.
- Default to PS if one is not found. If no suitable printer driver can be found, Terminal Server uses the Adobe PostScript (PS) fallback printer driver.
- Show both PCL and PS if one is not found. In the event that no suitable driver can be found, show both PS-based and PCL-based fallback printer drivers.
If this setting is disabled or not configured, Terminal Server does not use a fallback printer driver.
Printing Terminal Server session documents may still be disabled for some client computers, if the fallback printer driver's vendors have deviated from PS or PCL specifications.
Note
If the Group Policy setting Do not allow client printer redirection is enabled, any configuration for the Terminal Server fallback printer driver behavior policy setting is ignored, and the fallback driver is disabled.
This change simplifies local printing for Terminal Server client users. The new Group Policy setting allows client users to print documents locally even if the printer drivers installed on the terminal server to which they're connected are incompatible with their local printers, provided their printers are compatible with either a PCL or a PS printer driver.
In Windows Server 2003 SP1, you can enhance the security of Terminal Server by configuring Terminal Services connections to use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server communications. The version used by Terminal Services in Windows Server 2003 SP1 is TLS 1.0.
For SSL (TLS) authentication to work correctly, the terminal server must meet both the following prerequisites:
- The terminal server must be running Windows Server 2003 SP1.
- You must obtain a certificate for the terminal server. To obtain a certificate, use one of the following methods:
  - Visit the Web site for your certification authority. For example, visit https://servername/certsrv.
  - Run the Windows Server 2003 Certificate Request Wizard or the Windows 2000 Server Certificate Request Wizard.
  - Obtain a certificate from a third-party certification authority, and then manually install the certificate.
If you plan to obtain a certificate by using the certification authority Web site or the Certificate Request Wizard, a public key infrastructure (PKI) must be configured correctly to issue SSL-compatible X.509 certificates to the terminal server. Each certificate must be configured as follows:
- The certificate is a computer certificate.
- The intended purpose of the certificate is server authentication.
- The certificate has a corresponding private key.
- The certificate is stored in the terminal server’s personal store. You can view this store by using the Certificates snap-in.
- The certificate has a cryptographic service provider (CSP) that can be used for the SSL (TLS) protocol (for example, Microsoft RSA SChannel Cryptographic Provider).
For more information, see Microsoft Cryptographic Service Providers (https://go.microsoft.com/fwlink/?LinkID=40983).
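The certificate requirements listed above can be checked from the command line instead of the Certificates snap-in. The following PowerShell is an added example, not part of the original documentation; it assumes a Windows PowerShell session with the Cert: drive, run as an administrator on the terminal server, and the column names are illustrative.

```powershell
# Added example: audit the computer's personal store (LocalMachine\My) against
# the certificate requirements listed above. Run elevated on the terminal server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Intended purpose: look for Server Authentication in the EKU extension.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    if ($eku) {
        $hasServerAuth = @($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
    } else {
        $hasServerAuth = $false   # no EKU extension: purpose is not stated explicitly
    }

    # CSP name, readable only for keys held by a CryptoAPI provider.
    $provider = '(none)'
    if ($cert.HasPrivateKey) {
        try {
            $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
            if (-not $provider) { $provider = '(not a CryptoAPI CSP key)' }
        } catch {
            $provider = '(key not readable: ' + $_.Exception.Message + ')'
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        Provider      = $provider
        NotAfter      = $cert.NotAfter
        # Covers the private key and intended purpose only; review Provider by hand.
        MeetsListed   = ($cert.HasPrivateKey -and $hasServerAuth)
    }
} | Format-Table -AutoSize
```

Compare the Provider column with a CSP that supports SSL (TLS), such as the Microsoft RSA SChannel Cryptographic Provider named above. NotAfter is shown for convenience and is not one of the listed requirements.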
In order for SSL (TLS) authentication to function correctly, clients must meet the following prerequisites:
- Clients must run Windows 2000 or Windows XP.
- Clients must be upgraded to use the Remote Desktop Protocol (RDP) 5.2 (Windows Server 2003) client. You can install this client-side Remote Desktop Connection package by using the %systemdrive%\system32\clients\tsclient\win32\msrdpcli.msi file. The msrdpcli.msi file is located on Windows Server 2003 terminal servers. Installing this file from the terminal server installs the 5.2 version of Remote Desktop Connection to the %systemdrive%\Program files\Remote Desktop folder on the destination computer. For more information, see Remote Desktop Connection for Windows Server 2003 [5.2.3790] (https://go.microsoft.com/fwlink/?LinkID=41068).
- Clients must trust the root of the server’s certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view the certificate by using the Certificates snap-in.
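The trust requirement in the last client prerequisite can be tested on a client before TLS is enforced. The following PowerShell is an added example, not part of the original documentation; the function name Test-ServerCertTrust and the sample file path are hypothetical, and it assumes the server certificate has been exported to a .cer file and copied to the client.

```powershell
# Added example. Test-ServerCertTrust and the sample path are hypothetical names.
function Test-ServerCertTrust {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    $x509  = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" $CertPath
    $chain = New-Object "$x509.X509Chain"
    # Only the trust path is tested here, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    $built = $chain.Build($cert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # False means the chain stopped short of a self-issued root certificate.
    $isSelfIssued = $top.Subject -eq $top.Issuer

    # Look for the top certificate in the Trusted Root Certification Authorities stores.
    $inRootStore = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0

    [pscustomobject]@{
        ServerCert  = $cert.Subject
        ChainTop    = $top.Subject
        ReachesRoot = $isSelfIssued
        RootInStore = $inRootStore
        ChainValid  = $built
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Constructed sample path: the server certificate exported without its private key.
Test-ServerCertTrust -CertPath 'C:\Temp\ts-server.cer'
```

A ChainStatus of UntrustedRoot or PartialChain means the issuing CA's certificate still has to be added to the client's Trusted Root Certification Authorities store.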
Important
Because RDP runs on port 3389, when using SSL (TLS) to secure RDP, SSL (TLS) will run on port 3389.
By default, Terminal Server uses native Remote Desktop Protocol (RDP), which provides data encryption but does not provide authentication to verify the identity of a terminal server, so a client cannot confirm that it is connected to the intended server.
For more information about Terminal Services and security protocol settings, see the following:
- Configure Authentication and Encryption (https://go.microsoft.com/fwlink/?LinkId=45407)
- How to configure a Windows Server 2003 terminal server to use TLS for server authentication (https://go.microsoft.com/fwlink/?LinkId=64593)
Windows Server 2003 SP1 includes new Group Policy settings for Terminal Services Licensing described as follows.
The new Group Policy setting Set the Terminal Server licensing mode determines the type of Terminal Server client access license (CAL) a device or user requires to connect to a terminal server.
When this setting is enabled, you can choose one of the following two licensing modes:
- Per User: Each user connecting to the terminal server requires a Per User Terminal Server CAL.
- Per Device: Each device connecting to the terminal server requires a Per Device Terminal Server CAL.
If you enable this policy setting, the licensing mode that you specify overrides the licensing mode specified during setup, or in Terminal Services Configuration (TSCC.msc).
If you disable or do not configure this policy setting, Terminal Services uses the licensing mode specified during setup or found in TSCC.msc.
To configure the Terminal Services licensing mode on a specific terminal server using TSCC.msc, see Configure the Terminal Server licensing mode (https://go.microsoft.com/fwlink/?LinkId=45592) in the Terminal Services Help.
The Group Policy setting Use the specified Terminal Server license servers determines whether terminal servers must first attempt to locate Terminal Server license servers that are specified in this policy setting before attempting to locate license servers elsewhere on the network.
During the automatic discovery process, terminal servers attempt to contact license servers in the following order:
1. Enterprise license servers or domain license servers that are specified in the LicenseServers registry key.
2. Enterprise license servers that are specified in Active Directory.
3. Domain license servers.
If you enable this policy setting, terminal servers attempt to locate license servers that are specified in this setting, before following the automatic license server discovery process.
If you disable or do not configure this policy setting, terminal servers follow the automatic license server discovery process.
You can configure a specific terminal server to locate a Terminal Server license server using TSCC.msc. For more information, see Set preferred Terminal Server license servers (https://go.microsoft.com/fwlink/?LinkId=45410) in the Terminal Server Licensing Help.
The Group Policy setting Show ToolTips for licensing problems on Terminal Server allows you, after successfully logging on to a terminal server as an administrator, to display ToolTips that show any licensing problems with the terminal server, and also display the expiration date of the terminal server's licensing grace period. If this Group Policy setting is not configured, ToolTip display is defined by registry settings.
Specifying the name of a preferred licensing server in Group Policy saves time and may eliminate roadblocks to successful configuration of your terminal servers. With the name of a specific licensing server added to Group Policy, Terminal Services does not need to search the network for a licensing server.
Using ToolTips to view Terminal Server license statistics at a glance speeds administration tasks. By configuring Group Policy to show ToolTips for Terminal Server licenses, you do not need to open the Properties dialog box for specific licenses to view status and expiration information.
Allowing administrators to configure a global Terminal Server licensing mode makes it possible for them to implement unified license policies regardless of the configuration of Terminal Services client computers. With the new Group Policy setting, differences in configuration between terminal servers and clients can be resolved by defining a global policy that overrides other settings.
For more information about Terminal Server Licensing, see the following:
- Terminal Server Licensing (https://go.microsoft.com/fwlink/?LinkId=45409)
- Set preferred Terminal Server license servers (https://go.microsoft.com/fwlink/?LinkId=45410)
The Group Policy setting Start a program on connection configures Terminal Services to run a specified program automatically when a client connects to a terminal server.
By default, Terminal Services sessions provide access to the full Windows desktop, unless the server administrator has otherwise specified using this policy setting, or unless the user has specified during configuration of the client connection. Enabling this Group Policy setting overrides the Start program settings made by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program, the Terminal Server session is automatically logged off.
If the Start a program on connection policy setting is enabled, Terminal Services sessions automatically run the specified program and use the specified working folder (or the program default folder, if a working folder is not specified) as the working folder for the program.
If this policy setting is disabled or not configured, Terminal Services sessions start with the full desktop, unless the server administrator or client user specifies otherwise.
Note
This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides local user settings.
You can configure a specific terminal server to start a program when a client successfully logs on using TSCC.msc. For more information, see Specify a program to start automatically when a user logs on (https://go.microsoft.com/fwlink/?linkid=64608) in the Terminal Services Configuration Help.
Before the release of Windows Server 2003 with Service Pack 1 (SP1), this policy setting could only be edited in Group Policy if the computer was a domain controller, and it was necessary to access Group Policy by opening Active Directory Users and Computers. Now, you can modify the Start a program on connection policy setting in Group Policy for the local policy object, meaning that you can configure this policy setting for individual terminal servers within a domain.
The following table lists the Group Policy settings that have changed for Terminal Services in Windows Server 2003 with SP1, and provides their locations in Group Policy.
Setting name | Location | Default value | Possible values |
---|---|---|---|
Terminal Server Fallback Printer Driver Behavior | Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection | Not configured | Enabled, disabled, not configured |
Set the Terminal Server licensing mode | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
Use the specified Terminal Server license servers | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
Show ToolTips for licensing problems on Terminal Server | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |
Start a program on connection | Administrative Templates\Windows Components\Terminal Services | Not configured | Enabled, disabled, not configured |