OFFICIAL MICROSOFT LEARNING PRODUCT

6428A:
Configuring and Troubleshooting
Microsoft® Windows Server®
2008 Terminal Services
ii Configuring and Troubleshooting Microsoft® Windows Server® 2008 Terminal Services

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Access, Active Directory, ActiveX, Aero, ClearType, Internet Explorer, Jscript, MSDN, MSN,
Outlook, PowerPoint, SharePoint ,SQL Server, Visual Basic, Visual SourceSafe, Windows, Windows
Media, Windows NT, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Technical Reviewer: Corey J. Hynes

Product Number: 6428A

Part Number: X14-99399

Released: 06/2008
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.

If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly know as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
 i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (ii) or (ii) above during such
Authorized Training Session in accordance with these license terms.
 i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
 protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
 You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. iv Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
 iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:

• The use of the Academic Materials will be only for your personal reference or training use
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2008 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
 • transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided below in French.

Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute
utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre
garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont
exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES
DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de
dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation
pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de
bénéfices.
Cette limitation concerne:
• tout ce qui est relié au le contenu sous licence , aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte,
de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur.
Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel
dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages
indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne
s’appliquera pas à votre égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits
prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de
votre pays si celles-ci ne le permettent pas.
 Configuring and Troubleshooting Microsoft® Windows Server® 2008 Terminal Services xi

Contents
Module 1: Configuring Terminal Services Core Functionality
Lesson 1: Configuring the TS Server Role Service 1-3
Lesson 2: Configuring the TS Settings 1-20
Lab: Configuring TS Core Functionality 1-25

Module 2: Configuring and Managing Terminal Services Licensing

Lesson 1: Configuring TS Licensing 2-3
Lesson 2: Managing TS Licenses 2-12
Lab Demonstration: Configuring and Managing TS Licensing 2-17

Module 3: Configuring and Troubleshooting Terminal Services Connections

Lesson 1: Configuring the TS Connection Properties 3-3
Lesson 2: Configuring the TS Connection Properties by Using Group Policy 3-16
Lesson 3: Troubleshooting TS Connections 3-22
Lab: Configuring and Troubleshooting the TS Connections 3-25

Module 4: Configuring Terminal Services RemoteApp and Easy Print

Lesson 1: Installing Applications 4-3
Lesson 2: Configuring RemoteApp Programs 4-7
Lesson 3: Configuring Printers 4-17
Lab: Configuring TS RemoteApp and Easy Print 4-21

Module 5: Configuring Terminal Services Web Access and Session Broker

Lesson 1: Installing TS Web Access 5-3
Lesson 2: Configuring TS Session Broker 5-14
Lab: Configuring TS Web Access and Session Broker 5-19
xii Configuring and Troubleshooting Microsoft® Windows Server® 2008 Terminal Services

Module 6: Configuring and Troubleshooting Terminal Services Gateway

Lesson 1: Configuring TS Gateway 6-3
Lesson 2: Monitoring and Troubleshooting TS Gateway Connections 6-16
Lab: Configuring and Troubleshooting TS Gateway 6-23

Module 7: Managing and Monitoring Terminal Services

Lesson 1: Methods for Managing and Monitoring TS 7-3
Lesson 2: Configuring Windows System Resource Manager for TS 7-9
Lab: Managing and Monitoring TS 7-14

Lab Answer Keys

 About This Course xiii

MCT USE ONLY. STUDENT USE PROHIBITED

About This Course
This section provides you with a brief description of the course, audience,
suggested prerequisites, and course objectives.

Course Description
This two-day instructor-led course introduces you to Microsoft® Windows Server®
2008 Terminal Services. The course prepares you for configuring and managing
the TS roles—TS licensing, Gateway, and Web Access—as well as monitoring and
troubleshooting a TS environment.

Audience
The primary audiences for this course include Technology Specialists in an
enterprise environment as well as individuals who are assuming a new role
requiring skills to manage connections served by a terminal server session over the
intranet, extranet, and Internet.

Student Prerequisites
This course requires that you meet the following prerequisites:
• Course 6420: Fundamentals of a Windows Server 2008 Network
Infrastructure and Application Platform
• Course 6421: Configuring and Troubleshooting a Windows Server 2008
Network Infrastructure
or
• Microsoft Windows Server 2003 Terminal Server experience in an enterprise
environment as follows:
• Minimum of one year of experience in administering and supporting TS
• Minimum of one year of experience in administering and supporting
Windows Server 2003 or Windows Server 2003 R2
• Minimum of one year of experience in administering certificate services
• Network + certification
xiv About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

Course Objectives
After completing this course, students will be able to:
• Configure the TS role.
• Manage TS licensing.
• Configure TS connection properties by using the Terminal Services
Configuration snap-in and Group Policy.
• Configure TS Easy Print and TS RemoteApp programs.
• Configure the TS Web Access role service.
• Configure the TS Session Broker role for a load-balanced TS farm.
• Configure and troubleshoot TS Gateway.
• Maintain TS connections post installation and configure Windows System
Resource Manager (WSRM) for TS.

Course Outline
This section provides an outline of the course:
Module 1, "Configuring Terminal Services Core Functionality" prepares you for
installing and configuring the TS role. The module also introduces the new core
functionality in TS, lists the considerations for using a standalone instance and a
farm, and briefly explains how to configure the TS settings.
Module 2, "Configuring and Managing Terminal Services Licensing" introduces
you to TS Licensing and covers how the license server and terminal server need to
be configured for issuing and managing licenses. The module also includes
installing Per User and Per Device TS Client Access Licenses (CALs) on the license
server as well as managing the licensing lifecycle.
Module 3, "Configuring and Troubleshooting Terminal Services Connections"
introduces the connection properties that can be set by using either the Terminal
Services Configuration snap-in or Group Policy. Besides setting these properties,
the module also covers configuring the authentication and encryption levels,
Desktop Experience and Plug and Play (PnP) Device Redirection Framework, and
Single Sign-On (SSO) for user profiles. The module ends with troubleshooting
connectivity issues.
 About This Course xv

MCT USE ONLY. STUDENT USE PROHIBITED

Module 4, "Configuring Terminal Services RemoteApp and Easy Print" starts with
discussing the types of applications that can be installed on the terminal server.
The module then provides an overview of RemoteApp programs, advantages of
using these programs, and the methods used to deploy them on the terminal
server. Also covered in the module is TS Easy Print, which facilitates printer
redirection over a TS session.
Module 5, "Configuring Terminal Services Web Access and Session Broker"
provides the steps for installing and configuring RemoteApp programs by using TS
Web Access. The module also covers a separate role service, the TS Session Broker,
which facilitates reconnection to an existing session in a load-balanced TS farm.
Module 6, "Configuring and Troubleshooting Terminal Services Gateway" explains
how to install and configure the TS Gateway role service. The module also covers
how to manage TS Connection Authorization Policies (CAPs) and TS Resource
Authorization Policies (RAPs). Following a brief introduction to Network Access
Protection (NAP), the module goes on to discuss troubleshooting TS Gateway.
Module 7, "Managing and Monitoring Terminal Services" explains the tasks
involved in managing and monitoring TS Connections. The module also
introduces the enhanced features of WSRM and how to configure WSRM.
xvi About This Course

MCT USE ONLY. STUDENT USE PROHIBITED

Course Materials
The following materials are included with your kit:
• Course Handbook. The Course Handbook contains the material covered in
class.
• Course CD. The Course CD contains the full lab exercises and answer keys as
well as the topical and categorized resources and Web links.

Note: To access the Course CD, insert the CD into the CD-ROM drive, and then in the
root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to

[email protected]. To inquire about the Microsoft Certification
Program, send e-mail to [email protected].

Virtual Machine Environment

This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Virtual Server 2005 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine without saving the changes, perform the
following steps:
1. On the host computer, click Start, point to All Programs, point to Microsoft Virtual
Server, and then click Virtual Server Administration Website.
2. Under Navigation, click Master Status. For each virtual machine that is running,
point to the virtual machine name, and, in the context menu, click Turn off
Virtual Machine and Discard Undo Disks. Click OK.
 About This Course xvii

MCT USE ONLY. STUDENT USE PROHIBITED

The following table shows the role of each virtual machine that this course uses:

Virtual machine Role

NYC-DC1 A Domain Controller for woodgrovebank.com

NYC-TS Terminal server with terminal services installed

NYC-WEB A member of the woodgrovebank.com domain

Software Configuration
The following software is installed on each virtual machine:
• Windows Server 2008 Enterprise

Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a
minimum equipment configuration for trainer and student computers in all
Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which
Official Microsoft Learning Product courseware are taught. This course requires a
computer that meets or exceeds hardware level 5.5, which specifies a 2.4–gigahertz
(minimum) Pentium 4 or equivalent CPU, at least 2 gigabytes (GB) of RAM, 16
megabytes (MB) of video RAM, and a 7200 RPM 40-GB hard disk.
MCT USE ONLY. STUDENT USE PROHIBITED
 Configuring Terminal Services Core Functionality 1-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 1
Configuring Terminal Services Core
Functionality
Contents:
Lesson 1: Configuring the TS Server Role Service 1-3
Lesson 2: Configuring the TS Settings 1-20
Lab: Configuring TS Core Functionality 1-25
1-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

TS in Windows Server 2008 has been upgraded to incorporate improved features

that are especially useful for organizations with branch offices. This module
introduces the new features in TS and prepares you for installing and configuring
the TS server role service.
The module also includes considerations for using a standalone instance and a
farm, as well as configuring the TS settings.
 Configuring Terminal Services Core Functionality 1-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Configuring the TS Server Role Service

TS in Windows Server 2008 includes new core functionality that provides

enhanced features to remotely deploy and access applications. This new core
functionality includes Remote Desktop Connection (RDC) 6.1, Remote Desktop
Connection Display improvements, and Plug and Play (PnP) device redirection.
The TS server role service can be installed as a standalone instance or in a farm
with multiple terminal servers.
1-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

TS Features

Key Points
TS in Windows Server 2008 allows users to connect to a server running Windows-
based programs or the full Windows desktop.
In addition, Windows Server 2008 TS also provides:
• A secure and encrypted connection between remote users and the resources
on a local network.
• Support for Embedded Point of Service (POS) device redirection.
• Support for Network Access Protection (NAP) that enforces network
authentication.
• A new role management tool and an improved scalable spooler.
 Configuring Terminal Services Core Functionality 1-5

MCT USE ONLY. STUDENT USE PROHIBITED

• Support for Microsoft Internet Protocol version 6 (IPv6) that enables peer-to-
peer and mobile applications.
• The Windows System Resource Manager (WSRM) tool to manage system
resources by using preconfigured policies or custom resource policies.

Question: Which features of Windows Server 2008 TS will be useful in your

organization?

For more information about TS features, see "What's New in Terminal

Services for Windows Server 2008" on the Microsoft TechNet Web site.
1-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Installing the TS Server Role Service

Key Points
You can install the TS server role service by using the Server Manager, if no other
TS role services, such as TS Gateway and TS Licensing, are installed on the server.
If a TS role service is already installed on the server, the Terminal Services check
box will be selected and dimmed. You then need to select the "To install the
Terminal Server role server when Terminal Services is already installed" option.

For more information about installing the TS server role, see "Terminal
Server Installation" on the Microsoft TechNet Web site.
 Configuring Terminal Services Core Functionality 1-7

MCT USE ONLY. STUDENT USE PROHIBITED

Authentication Modes

Key Points
Two types of authentication modes can be used on a terminal server:
• User authentication supported by password, smart card, Windows NT LAN
Manager (NTLM), and one-time password (OTP) over encrypted channels
• Host level authentication supported by Kerberos and Secure Sockets Layer
(SSL) or Transport Layer Security (TLS) certificates

NTLM authentication is mostly used for stand-alone systems on the network. The
Kerberos authentication protocol provides a more secure network connection than
traditional authentication methods.
1-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

You can also configure Single Sign-On (SSO) on the terminal server. SSO is an
access method that allows a client to gain access to multiple systems with a single
set of credentials.

Note: Besides providing the Basic authentication method, Windows Server 2008 also
provides Network Level Authentication. If you select this method, only clients running
Windows Server 2008 or Microsoft Windows Vista with RDC version 6.0, or later, will be
able to connect to the terminal server.

For more information about authentication modes, see "Windows Server

2008 Technical Review" and "Single Sign-On for Terminal Services" on
the Microsoft TechNet Web site.
 Configuring Terminal Services Core Functionality 1-9

MCT USE ONLY. STUDENT USE PROHIBITED

TS Core Functionality

Key Points
The following are the requirements for configuring TS core functionality on the
client:
• High resolution monitors, such as super video graphics array (SVGA) or
1680 x 1050 or 1920 x 1200
• Windows portable devices
• Embedded POS for .NET devices
1-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

The core functionality works with:
• RDC 6.0 available with Windows Vista and Microsoft Windows XP
• RDC 6.1available with Windows Server 2008

For more information about TS core functionality, see "What’s New in

Terminal Services for Windows Server 2008" on the Microsoft TechNet
Web site.
 Configuring Terminal Services Core Functionality 1-11

MCT USE ONLY. STUDENT USE PROHIBITED

Remote Desktop Connection 6.1

Key Points
RDC 6.1:
• Is available with Windows Server 2008 and Windows Vista with SP1.
• Supports Remote Desktop Protocol (RDP) 6.1 on the client computer.

As an administrator, you can remotely connect to a Windows Server 2008-based

server by using the new /admin switch introduced in RDC 6.1. RDC 6.1 does not
support the /console switch used in Microsoft Windows Server 2003. However, to
connect to a physical console session on Windows Server 2003-based server from
Windows Vista SP1, you can use the mstsc.exe/admin command.

For more information about RDC, see "Terminal Services Core

Functionality" on the Microsoft TechNet Web site.
1-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Remote Desktop Connection Display

Key Points
Both RDC 6.0 and RDC 6.1 support higher-resolution desktops and provide for
spanning of multiple monitors horizontally to form a single large desktop.
You can also set a custom display resolution in a .rdp file using the RemoteApp
Microsoft Management Console (MMC) or at the command prompt.
To set a custom display resolution in a .rdp file by using a text editor, add or
change the following settings:

desktopwidth:i:<width>
desktopheight:i:<height>

To set a custom display resolution at the command prompt, use the mstsc.exe
command as follows:

mstsc.exe /w:<width> /h:<height>

 Configuring Terminal Services Core Functionality 1-13

MCT USE ONLY. STUDENT USE PROHIBITED

In the syntax, <width> and <height> are the resolution values—for example, 1680
and 1050.
Spanning of a session across multiple monitors requires:
• Same resolution on all the monitors—for example, all monitors having 1024 x
768 resolution
• Horizontal alignment of all monitors
• Total resolution of all monitors not to exceed 4096 x 2048

You can enable spanning of the same session across multiple monitors by
changing the settings in a .rdp file or at the command prompt.
To set spanning in a .rdp file using a text editor, add or modify the following
setting:

Span:i:<num>

If <num> = 0, then monitor spanning is disabled and if <num> = 1, then monitor

spanning is enabled.
To set spanning at the command prompt, type the following command:

mstsc.exe /span

Question: In which scenarios, would custom display resolution and spanning help
in an organization?

For more information about RDC display, see "Remote Desktop

Connection Display" on the Microsoft TechNet Web site.
1-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Remote Desktop Experience

Key Points
In Windows Server 2008 TS, you can further enhance the end-user’s experience of
connecting to a remote desktop with the Desktop Experience feature. This feature
provides the functionality of Windows Vista such as Windows Media® Player 11,
desktop themes, and photo management.
The TS client computers with Windows Vista include the Windows Aero™
interface that shows:
• Translucent glass windows
• Customized lightweight window colors
• Open windows in a three-dimensional stack on the desktop
• Subtle animations supporting the repositioning of windows
 Configuring Terminal Services Core Functionality 1-15

MCT USE ONLY. STUDENT USE PROHIBITED

Note: The desktop composition feature using Windows Aero works from a Vista client to
a Vista terminal server only.

Windows Server 2008 also provides the ClearType® feature that is now supported
over RDP. This feature works by smoothing the characters, thus making it easier to
read text on LCD screens. Because this feature was not supported over RDP prior
to Windows Server 2008, text over TS was displayed in low resolution.
The smoothing of fonts is also available on client computers having:
• Windows Vista
• Windows Server 2003 with SP1 and SP2 and RDC 6.0
• Windows XP with SP2 and RDC 6.0
1-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Device Redirection

Key Points
The new PnP Redirection Framework provided in Windows Server 2008 enhances
the PnP device redirection over RDP. The PnP device redirection, however, is not
available for nested terminal server connections. For example, a client computer
with a PnP device is redirected to a session with terminal server 1. The client then
connects to another session with terminal server 2 from within the terminal server
1 session. The PnP device will not be available for this session with terminal server
2. Windows Server 2008 also redirects devices that use POS for .NET1.11.

Note: POS redirection is not supported if the terminal server has x86-based version of
Windows Server 2008.
 Configuring Terminal Services Core Functionality 1-17

MCT USE ONLY. STUDENT USE PROHIBITED

You can enable POS for .NET device redirection by editing the .rdp file used to
connect to the terminal server as follows:

redirectposdevices:i <value>

In the above syntax, if <value> = 0, POS for .NET device redirection is disabled and
if the <value> =1, it is enabled.

For more information about device redirection, see "Plug and Play
Device Redirection for Media Players and Digital Cameras" and
"Microsoft Point of Service for .NET Device Redirection" on the Microsoft
TechNet Web site.
1-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to a Standalone Instance and a Farm

Key Points
The TS sever role service can be installed on a single server as a standalone
instance. Alternatively, you can implement a TS farm comprising multiple terminal
servers to facilitate load balancing in a large organization. Windows Server 2008
provides the TS Session Broker role service that allows administrators to load
balance sessions between terminal servers in a farm. TS Session Broker stores
information related to the state of a session. This information is used to distribute
the sessions evenly between the terminal servers.
Question: What problems do you anticipate if a standalone instance is used as a
terminal server in an organization having many branches?
 Configuring Terminal Services Core Functionality 1-19

MCT USE ONLY. STUDENT USE PROHIBITED

Standalone Instance vs. Farm

A standalone instance is used in small organizations that require minimum

administration. This environment usually includes one terminal server that is
accessed by a few client computers.
Large organizations require a farm installation that caters to many branches. This
type of environment requires multiple terminal servers that can be easily accessed
by many client computers.
1-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 2:
Configuring the TS Settings

After installing the TS server role service, you can start configuring the TS settings
according to your organization’s requirements. To take maximum advantage of TS,
you need to plan what type of applications you would require to run on the
terminal server. You can even configure a specific program to start when you start a
session on the terminal server. To enhance the performance of the terminal server,
you can restrict the number of simultaneous remote connection sessions on the
terminal server. You can configure these settings on TS by using the Terminal
Services Configuration snap-in.
 Configuring Terminal Services Core Functionality 1-21

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: Configuring ‘Start Program on Connection’

Question: Which program would you want to launch at the start of a TS session in
your organization?
1-22 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Restricting Remote Connection Sessions

Key Points
It is a best practice to configure the maximum number of sessions that can connect
to the server by using Group Policy. Any modifications in Group Policy should be
validated before applying them to users and computers. As an administrator, you
can invoke Group Policy by using the Active Directory Users and Computers snap-
in on the computer that has the domain controller.

Note: The recommended practice is to limit users to one remote session.

Question: What kind of problems do users encounter when there are too many
remote connections?
 Configuring Terminal Services Core Functionality 1-23

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring Other TS Settings

Key Points
The Terminal Services Configuration snap-in can be used to edit settings such as
security, session timeouts, and encryption levels based on the connection. To
configure RDP-Tcp Connections, you can use the following tabs in the RDP-Tcp
Properties dialog box:
• General
• Log On Settings
• Sessions
• Environment
• Security
1-24 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

• Remote control
• Client Settings
• Network Adapter

Some best practices for using terminal servers:

• Install only specific services required in a branch office environment to
minimize security risks.
• Configure the TS session broker role service that enables load balancing of
sessions between terminal servers in a farm.
• Configure the license server discovery mode to ensure that the terminal server
can obtain the required license from the license server.

For more information about configuring TS, see "Windows Server 2008
RC0 TS Session Broker Load Balancing Step-by-Step Guide" and
"Configuring License Settings on a Terminal Services" on the Microsoft
TechNet Web site.
 Configuring Terminal Services Core Functionality 1-25

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Configuring TS Core Functionality

Overarching Scenario
You are the Windows Application Platform Services technology specialist for
Woodgrove Bank, which has a presence in America, Europe, the Middle East, Africa
(EMEA), and Asia. Woodgrove Bank's information technology (IT) department is
responsible for maintaining the database, applications, user authentication, Group
Policy, and permissions. It is also responsible for the performance of the server and
enterprise infrastructure.
Currently, you are using simple RDP or any third party utility to control the remote
console. You install all programs on all client computers, which is time consuming.
It is also difficult to maintain and upgrade all the applications on every individual
machine. Therefore, the management has advised you to implement the Windows
Server 2008 TS environment. Installing TS would increase productivity and ensure
optimal utilization of the network bandwidth to access remote applications. As a
technology specialist in Woodgrove Bank’s IT department, you have been tasked
with installing and configuring the TS environment.
1-26 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Installing and Configuring the TS Server Role
Service
Scenario
You receive a service request based on an enterprise administrator’s design to
deploy a standalone instance of TS with core functions. You have to select an
authentication method that will ensure that users can securely access applications
over the network. You also want to optimize the administrative tasks that can be
done by configuring SSO and WSRM. The end users require that the local
machines display the Windows Vista desktop during the TS session. To enable this
functionality, you need to configure RDC 6.1. The enterprise administrator has also
requested you to provide enhanced program performance for users at the branch
offices who access centralized data stores.

Exercise Overview
In this exercise, you will install and configure the TS core functionality at the New
York head office.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log
on to these machines as Administrator.
2. Install the TS server role service.
3. Configure authentication on the terminal server.
4. Configure the default credentials to be used on the terminal server.
5. Create a .rdp file and configure custom display.
6. Enable ClearType and Font smoothing.
7. Enable support for PnP redirection.
8. Install and configure WSRM.
9. Install the Desktop Experience.
10. Remotely connect to TS by using RDC.
 Configuring Terminal Services Core Functionality 1-27

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual
machines and log on these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on with the default User ID
WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Verify the membership in the local administrators group in the Active
Directory User and Group.

Note: Wait for the domain controller virtual machine, 6428A-NYC-DC1-01, logon screen
to appear before starting 6428A-NYC-TS-01 VM.

3. Start 6428A-NYC-TS-01 and log on as WOODGROVEBANK\Administrator

with the password Pa$$w0rd.
4. Confirm that 6428A-NYC-TS-01 is a member of the Woodgrove.com domain
under Computers in the Active Directory User and Group.

f Task 2: Install the TS server role service

1. On 6428A-NYC-TS-01, start Server Manager from the Administrative Tools
menu.
2. Add the Terminal Services role in the Add Roles wizard.
3. On the Terminal Services page, configure the Terminal Server:
• Authentication Method: Network Level Authentication setting for a
terminal server
• Licensing Mode: Per-User
• Select User Groups Allowed Access to This Terminal Server: Add
NYC_MarketingGG nested in NYC under WoodgroveBank.com.
4. Confirm the installation of the TS role service in the Server Manager.
1-28 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Configure authentication on the terminal server
1. Start Terminal Services Configuration by using the tsconfig.msc command.
2. In the RDP-Tcp Properties dialog box, configure the authentication method to
be used as SSL (TLS 1.0).

f Task 4: Configure the default credentials to be used on the terminal

server
1. Open the Local Group Policy Editor by using the gpedit.msc command.
2. On the Credentials Delegation page, enable Allow Delegating Default
Credentials and add the 6428A-NYC-TS-01 server.

f Task 5: Create a .rdp file and configure custom display

1. Create a .rdp file by using the TS RemoteApp Manager snap-in.
2. In the RemoteApp Wizard, verify that the location of the .rdp file is
C:\Program files\Packaged Programs\mstsc.rdp.
3. Open the C:\Program files\Packaged Programs\mstsc.rdp file in a text
editor.
4. Specify the following custom display settings:
desktopwidth:i = 1680
desktopheight:i = 1050
5. Enable monitor spanning by using Span:i:1.

f Task 6: Enable ClearType and Font smoothing

1. In Control Panel, under Appearance and Personalization, enable ClearType.
2. Display the Remote Desktop Connection dialog box, and enable font
smoothing on the Experience tab.
 Configuring Terminal Services Core Functionality 1-29

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 7: Enable support for PnP redirection
1. Display the Remote Desktop Connection dialog box.
2. On the Options tab, under Local devices and resources, enable Devices that
I plug in later.

f Task 8: Install and configure WSRM

1. Start Server Manager, under Features Summary, select Windows System
Resource Manager.
2. Install Windows System Resource Manager by using the wizard.
3. Open the Windows System Resource Manager snap-in.
4. In the Connect to computer dialog box, enable WSRM to administer the local
computer.

f Task 9: Install the Desktop Experience

1. Start Server Manager. Under Features Summary, select Desktop Experience.
2. Install the Desktop Experience by using the wizard.
3. Confirm the installation of the Desktop Experience.

f Task 10: Remotely connect to TS by using RDC

1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box
by using the mstsc command.
2. Connect to NYC-TS by using the user ID WOODGROVEBANK\Baris and
password Pa$$w0rd.
You will be connected to the terminal server remotely.

Results: After this exercise, you should have configured the TS settings.
1-30 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring the TS Settings
Scenario
You have been tasked with configuring the TS settings to streamline the
infrastructure and secure the database and applications on the terminal server. For
this, you need to specify a program to start when a user logs on, limit users to a
single remote session, and set default permissions for built-in accounts. To further
ensure load-balancing in a TS farm environment, you need to configure the Session
Broker settings and create a policy for the retention of the temporary folder.

Exercise Overview
In this exercise, you will configure the TS settings and the session broker settings.
The main tasks for this exercise are as follows:
1. Specify the program to start when a user logs on to a remote session.
2. Configure the TS settings by using the Terminal Services Configuration snap-
in.
3. Modify the default permissions for built-in accounts.
4. Configure the Session Broker settings.
5. Shut down the virtual machines.

f Task 1: Specify the program to start when a user logs on to a remote

session
1. Start Terminal Services Configuration on 6428A-NYC-TS-01.
2. Under Connections, select RDP-Tcp and then display the Properties dialog
box.
3. On the Environment tab, configure the Initial starting program setting as
C:\Program Files\Packaged Programs\wordpad.
 Configuring Terminal Services Core Functionality 1-31

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Configure the TS settings by using the Terminal Services
Configuration snap-in
• In the Terminal Services Configuration snap-in, under the Edit Settings area,
verify the following are selected:
• Restrict each user to a single session
• Delete Temporary folder on exit
• Use Temporary folders per session

f Task 3: Modify the default permissions for built-in accounts

1. Start WMI Console by using the wmimgmt.msc command.
2. Display the WMI Control Properties dialog box.
3 On the Security tab, modify the Read Security permission for Baris Centinok
and change it to Allow.

f Task 4: Configure the Session Broker settings

1. Start Terminal Services Configuration.
2. In the Edit settings area, under TS Session Broker, select :
• Member of farm in TS Session Broker
• Join a farm in TS Session Broker
• Participate in Session Broker Load-Balancing
3. Provide the server name as NYC-TS, the farm name as WoodGroveBank, and
IP address as 10.10.0.23.
1-32 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 5: Shut down the virtual machines
• Turn off each virtual machine that is running and discard changes.

Note: After this exercise, you should have configured the TS settings.
 Configuring Terminal Services Core Functionality 1-33

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
MCT USE ONLY. STUDENT USE PROHIBITED
 Configuring and Managing Terminal Services Licensing 2-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 2
Configuring and Managing Terminal Services
Licensing
Contents:
Lesson 1: Configuring TS Licensing 2-3
Lesson 2: Managing TS Licenses 2-12
Lab Demonstration: Configuring and Managing TS Licensing 2-17
2-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

The TS licensing management system in Microsoft Windows Server 2008 includes

some significant enhancements as compared to TS licensing in Microsoft Windows
2003.
After the TS server role service is installed in Windows Server 2008, users and
devices require TS client access licenses (CALs) to connect to the terminal server.
The TS licensing role service on the terminal server obtains these TS CALs from a
TS license server.
This module introduces TS licensing and covers the steps to configure the license
and terminal servers for issuing and managing licenses. The module also includes
installing Per User and Per Device TS CALs on the license server as well as
managing the licensing lifecycle.
 Configuring and Managing Terminal Services Licensing 2-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Configuring TS Licensing

The TS licensing role service is a license management system that manages TS

CALs. You need to install the TS licensing role service on a server running
Windows Server 2008. After installation, you are required to activate the license
server. Only after activation, the license server can issue TS CALs to devices or
users that want to connect to the terminal server.
You can use the TS Licensing Manager snap-in to manage TS licensing.
2-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

TS Licensing Role

Key Points
In large organizations, the TS license server is different from the terminal server.
An organization needs to deploy at least one license server to issue licenses to
users and devices wanting to connect to the terminal server. A license server can
concurrently serve many terminal servers.

Note: A terminal server running Windows Server 2008 cannot communicate with a
license server running Windows Server 2003. A terminal server running Windows Server
2003 can, however, communicate with a license server running Windows Server 2008.

For more information about the TS Licensing role, see "TS Licensing" on
the Microsoft TechNet Web site.
 Configuring and Managing Terminal Services Licensing 2-5

MCT USE ONLY. STUDENT USE PROHIBITED

TS Licensing Manager Snap-In

Key Points
The TS Licensing Manager snap-in requires minimum 10 MB of CPU memory for
its transactions. The license database increases by 5 MB with the issuance of every
6,000 TS CALs. The license server is active only when it receives a request for a TS
CAL from the terminal server.

For more information about the TS Licensing Manager snap-in, see "TS
Licensing" on the Microsoft TechNet Web site.
2-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

TS Client Access Licenses

Key Points
The two types of TS CALs, Per Device and Per User, are obtained as follows:
1. When a user or device connects to the terminal server, the terminal server first
determines whether a TS CAL is required.
2. If a TS CAL is required, then the terminal server requests the CAL from the
license server.
3. After receiving the TS CAL, the terminal server:
• Delivers the TS CAL to the client device in case of a Per Device TS CAL.
• Stores the information as part of the user account in the Active Directory
Domain Services in case of a Per User TS CAL.
 Configuring and Managing Terminal Services Licensing 2-7

MCT USE ONLY. STUDENT USE PROHIBITED

The Per Device TS CALs are issued statically to client machines, and the Per User
TS CALs are issued to a user’s account and can be used from any device.
Tracking the TS Per User CAL issuances is supported only in domain-joined
scenarios. Active Directory Domain Services is used for tracking the Per User TS
CALs.

Note: Active Directory Domain Services can be based on either Windows Server 2008 or
Windows Server 2003, and no updates to its schema are required for generating tracking
reports of the Per User TS CALs.
2-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Installing the TS Licensing Role Service

Key Points
The TS Licensing database should be located on the same computer on which the
TS licensing role service is being installed.
The TS Licensing Manager snap-in is automatically installed when you install the
TS licensing role service. You can also manage your license servers from a remote
computer running Windows Server 2008 by installing the TS Licensing Manager
snap-in on that computer.
You need to activate a license server only once. While waiting for the activation
process to complete, the license server can issue temporary TS CALs that allow
clients to use the terminal server for 120 days.
 Configuring and Managing Terminal Services Licensing 2-9

MCT USE ONLY. STUDENT USE PROHIBITED

In addition, you need to configure the TS license server discovery scope to help the
terminal servers discover the license server. The three discovery scopes are:
• Workgroup
• Domain
• Forest

Note: To install the TS Licensing role service, you should be a member of the
Administrators group.

For more information about installing the TS Licensing role service, see
"Activating a Terminal Services License Server" and "Terminal Services
License Server Discovery" on the Microsoft TechNet Web site.
2-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring the Terminal Server for Licensing

Key Points
The TS licensing mode, Per Device or Per User, can be set:
• During the installation of the TS server role service.
• By using the Terminal Services Configuration snap-in.
• By using Group Policy.

The TS licensing discovery mode can be set:

• By using the Terminal Services Configuration snap-in.
• By using Group Policy.
 Configuring and Managing Terminal Services Licensing 2-11

MCT USE ONLY. STUDENT USE PROHIBITED

• By using the automatic license discovery process where the terminal server
contacts:
• First, the license servers configured by using the Terminal Services
Configuration snap-in.
• Then, the license servers published in Active Directory Domain Services.
• Finally, the license servers installed on the domain controller within the
same domain as the terminal server.

Note: The TS licensing mode on the terminal server should be the same as that on the
license server.

Note: A user connecting to a terminal server in a Per User licensing mode should have a
TS Per User CAL. If the user does not have TS Per User CAL for the terminal server, the
terminal server will contact the license server for the required Per User CAL.

Question: Can you change the TS Per Device CAL to a TS Per User CAL on your
license server?

For more information about configuring the terminal server for licensing,
see "Configuring License Settings on a Terminal Server" on the Microsoft
TechNet Web site.
2-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 2:
Managing TS Licenses

After installing and configuring the TS licensing role service, you need to manage
the licensing lifecycle. For this, you will be required to track the issuance of the TS
Per User CALs.
You might also need to judiciously revoke device licenses and reallocate them, as
required. While managing the license server, you can troubleshoot licensing issues
related to the license server by using the Review Configuration snap-in.
 Configuring and Managing Terminal Services Licensing 2-13

MCT USE ONLY. STUDENT USE PROHIBITED

Managing TS Client Access Licenses

To manage the TS licensing, you can perform the following tasks by using the TS
Licensing Manager snap-in:
• Change the properties such as the connection method used to communicate
with the Microsoft Clearing House and the mandatory and optional
information about your organization.
• Change the discovery scope: domain or forest.
• Review the configuration of the license server.
• Control the issuance of TS CALs.
• Track the issuance of TS CALs.
• Revoke the Per Device TS CALs.
2-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

• Deactivate and reactivate the license server.
• Locate the Microsoft ClearingHouse telephone number for your country or
region to activate the license server.

Note: You cannot revoke a Per User TS CAL. After you have revoked a Per Device TS CAL,
it will be immediately available for issuance to another device. You must not revoke
licenses only to ensure that there are enough licenses available to support the
requirement.

Other generic tasks that you can perform to manage TS licensing are:
• Back up a TS license server
• Move TS licensing to a new server
• Uninstall the TS licensing role service

For more information about managing TS CALs, see "Managing TS

Licensing" on the Microsoft TechNet Web site.
 Configuring and Managing Terminal Services Licensing 2-15

MCT USE ONLY. STUDENT USE PROHIBITED

Troubleshooting Licenses

Key Points
You can use the Review Configuration tool to identify problems on the license
server related to the:
• Discovery scope
• Issuance of the TS CALs to devices or users
• Tracking and reporting of the issuance of the TS CALs

You can use the Licensing Diagnosis tool to analyze the following information on
the terminal server:
• Configuration of the terminal server
• License servers that the terminal server discovered
• Configuration information of the license servers
• Licensing issues with possible solutions
2-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

For more information about troubleshooting licenses, see
"Troubleshooting TS Licensing Installation" and "Known Issues for TS
Licensing Installation" on the Microsoft TechNet Web site.
 Configuring and Managing Terminal Services Licensing 2-17

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Demonstration: Configuring and Managing
TS Licensing

Overarching Scenario
You have configured TS for Woodgrove Bank. To support the TS environment you
need to install the TS licensing role. The TS licensing role will enable you to
determine the TS client access licenses (CALs) that are required for each device or
user to connect to the terminal server. You need to use this role to install, issue,
and monitor the availability of TS CALs on a TS license server.
2-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: Configuring and Managing TS Licensing
The main tasks for configuring and managing TS licensing are as follows:
1. Install the TS Licensing role.
2. Add a new device to the HR group.
3. Activate the license server and install TS Per Device CALs by using telephone.
4. Specify the TS Per Device mode on the terminal server.
5. Specify the TS licensing server discovery mode on the terminal server.
6. Revoke a Per Device CALs and make it available for a new device.

f Task 1: Install the TS Licensing Role

1. On the terminal server, start Server Manager and install the TS Licensing role
service.
2. On the Configure Discovery Scope for TS Licensing page, specify the
discovery scope for TS Licensing as domain.
3. On the Configure Discovery Scope for TS Licensing page, specify the default
location of the TS Licensing database.

f Task 2: Add a new device to the HR group

1. On a client, add the computer you want to add to the domain
WoodgroveBank.com on the Properties page of the computer.
2. On the domain controller, add the computer to the HR group in the Active
Directory Users and Computers snap-in.

f Task 3: Activate the license server and install TS Per Device CALs by
using telephone
1. On the terminal server, activate the license server in the TS Licensing
Manager snap-in.
2. On the Connection Method page, select the connection method Telephone.
 Configuring and Managing Terminal Services Licensing 2-19

MCT USE ONLY. STUDENT USE PROHIBITED

3. On the Country or Region Selection page, select your country/region.
4. Call Microsoft by using the telephone number that is displayed on the License
Server Activation page, and then provide the Microsoft customer support
representative with the Product ID that is displayed on your screen. The
representative will also ask you to provide your name and the name of your
company. The representative processes your request to activate the license
server, and creates a unique ID for your license server.
5. Activate the license server with the ID and select the option to install the
licenses now.
6. On the Obtain client license key pack page, use the telephone number that is
displayed to call the Microsoft Clearinghouse, and give the representative your
Terminal Services license server ID and the required information for the
licensing program through which you purchased your TS CALs. The
representative then processes your request to install TS CALs, and gives you a
unique ID for the TS CALs. This unique ID is referred to as the license key
pack ID.
7. In the Install Licenses Wizard, on the Obtain client license key pack page,
enter the license key pack ID provided by the representative into the boxes
provided.
8. The Terminal Services license server can now issue TS CALs to clients that
connect to a terminal server.

f Task 4: Specify the TS Per Device mode on the terminal server

• On the terminal server, in the Terminal Services Configuration snap-in,
under Licensing, specify the licensing mode as Per Device.

f Task 5: Specify the TS licensing server discovery mode on the terminal

server
• On the terminal server, in the Terminal Services Configuration snap-in,
under Licensing, specify the license server to be used.
2-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 6: Revoke a Per Device CAL
1. On the license server, in the TS Licensing Manager snap-in, under NYC-TS,
select Windows Server 2008 - Installed TS Per Device CALs.
2. Select the TS Per Device CAL that you want to revoke.
3. Revoke the TS CAL by using the Action menu.

The Status column for the TS Per Device CAL will show a status of Revoked when
the TS Licensing Manager display is refreshed.

Results: After this demonstration, you should have seen how to install the license
server and add a device to the HR group. Then you saw how to activate the license
server, and install TS CALs by using the telephone. Then you should have seen how to
configure the Per Device mode and the licensing server discovery mode on the
terminal server. Finally, you saw how to revoke a Per Device CAL.
 Configuring and Managing Terminal Services Licensing 2-21

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
MCT USE ONLY. STUDENT USE PROHIBITED
 Configuring and Troubleshooting Terminal Services Connections 3-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 3
Configuring and Troubleshooting Terminal
Services Connections
Contents:
Lesson 1: Configuring the TS Connection Properties 3-3
Lesson 2: Configuring the TS Connection Properties by Using
Group Policy 3-16
Lesson 3: Troubleshooting TS Connections 3-22
Lab: Configuring and Troubleshooting the TS Connections 3-25
3-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

After configuring TS Licensing on the terminal server, you need to set the TS
connection properties on the terminal server as well as the clients. This module
introduces the connection properties that can be set by using either the Terminal
Services Configuration snap-in or Group Policy.
Besides setting these properties, it is also important to configure the authentication
and encryption levels for the TS connections between the terminal server and the
clients.
When configuring the client settings, you might also want to enhance the user
experience by enabling the Desktop Experience and Plug and Play (PnP) Device
Redirection Framework.
In addition, configuring Single Sign-On (SSO) for user profiles can be helpful in
reducing administrative effort.
As an administrator, you will also need to perform some checks to identify and
troubleshoot connectivity issues.
 Configuring and Troubleshooting Terminal Services Connections 3-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Configuring the TS Connection Properties

You can use the Terminal Services Configuration snap-in to configure and
administer TS connection properties such as the maximum number of
simultaneous connections and time-out and reconnection settings.
Using this snap-in, you can also configure authentication and encryption levels for
clients to minimize security risks over remote connections. Also, configuring the
Desktop Experience and enabling PnP device redirection help to enhance the user
experience on TS.
3-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to TS Properties

Key Points
In a TS environment, you can configure the TS properties such as the TS
connection properties, device and resource redirection, remote session
environments, session time limits, and user profiles. These TS properties can be
configured both by administrators and standard users. The User Account Control
(UAC) feature of Microsoft Windows Server 2008 displays a prompt for the
credentials of an administrator or equivalent account.
If you are logged on as an administrator, you will be provided with two access
tokens: an administrator token and a standard user access token. The
administrator token is used only when you attempt to perform administrative
tasks.
 Configuring and Troubleshooting Terminal Services Connections 3-5

MCT USE ONLY. STUDENT USE PROHIBITED

With the administrator token, you can change the system state, install software,
turn off the firewall, install a service or drive, and configure the security policy. As a
standard user, you are not allowed to perform the administrator tasks but you can
install software on a per-user basis.
The TS properties can apply to users or computers. For example, on a client, you
can enable or disable user profiles. You can also configure connection properties
for the computer, such as allowing a process to run over a slow network
connection.
On the server, you can configure settings for the computer, such as retain or delete
temporary folders on exit. For users, you can configure settings that restrict them
to a single remote session on the server.

Question: Configuring which TS settings helps enhance the performance of the

terminal server?
3-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to the TS Connection Properties

Key Points
You can use either Group Policy or the Terminal Services Configuration snap-in to
configure the TS connection properties on the terminal server and clients. The TS
connection properties set by using Group Policy always override the settings
configured by using the Terminal Services Configuration snap-in.
The TS connection properties can be set for a specific user and at the server level. If
both user and server settings are configured, the server settings take precedence.
By using the Terminal Services Configuration snap-in, you can configure:
• A new connection
• Automatic logon to the server by a user
• Authentication of the terminal server
 Configuring and Troubleshooting Terminal Services Connections 3-7

MCT USE ONLY. STUDENT USE PROHIBITED

With respect to connection permissions, for each connection, you can:
• Add users and groups to permission lists
• Change the permissions of a user or group
• Remove users or groups from the permission lists

For more information about configuring TS connection properties, see

"Configure Terminal Services Connections" on the Microsoft TechNet
Web site.
3-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring the Maximum Number of Simultaneous
Connections

Key Points
The default TS settings allow an unlimited number of sessions to connect to the
server. This affects the performance of the terminal server as multiple sessions
demand system resources. To improve performance, therefore, you can restrict the
number of sessions.
When using the Terminal Services Configuration snap-in to perform this
procedure, you need to be a member of the administrators group on the local
computer.

For more information about configuring maximum number of

simultaneous connections, see "Specify a maximum number of sessions
that can connect to the server" on the Microsoft TechNet Web site.
 Configuring and Troubleshooting Terminal Services Connections 3-9

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: Configuring the Time-Out and
Reconnection Settings

Question: Which connection setting can result in the loss of data at the client side?

For more information about configuring the time-out and reconnection

settings, see "Configure Time-out and Reconnection Settings" on the
Microsoft TechNet Web site.
3-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring Authentication and Encryption

Key Points
To configure the authentication and encryption levels for clients, you will require a
certificate from a certification authority (CA).
In Windows Server 2008, the terminal server uses native Remote Desktop Protocol
(RDP) for encryption. However, RDP does not authenticate the identity of the
terminal server. You, therefore, need to configure the terminal server and clients to
use Transport Layer Security (TLS) 1.0 for server authentication and encryption of
the terminal server communications.

Note: You can enable TLS only by using the Terminal Services Configuration snap-in. You
cannot use Group Policy to enable TLS authentication.
 Configuring and Troubleshooting Terminal Services Connections 3-11

MCT USE ONLY. STUDENT USE PROHIBITED

TLS authentication on a server requires:
• Microsoft Windows Server 2003 SP1
• A computer certificate by using the Web or Certificate Request wizard

TLS authentication on a client requires:

• Microsoft Windows 2000 or Microsoft Windows XP
• RDP 5.2, or later
• Certificate of the certification authority (CA) that issued the server certificate in
the client’s Trusted Root Certification Authorities store

You can configure four levels of encryption by using the Terminal Services
Configuration snap-in:
• Federal Information Processing Standard (FIPS)-compliant
• High
• Client Compatible
• Low

Question: Which encryption level is most commonly used in organizations?

For more information about configuring authentication and encryption, see

"Configure Authentication and Encryption" on the Microsoft TechNet Web
site.
3-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring the Desktop Experience

Key Points
To further enhance the user’s experience in TS, you can install and configure the
Desktop Experience. For features such as Windows Media® Player and Desktop
Themes, you will have to enable audio redirection. The audio redirection setting is
available on the Client Settings tab in the Properties page of the required
connection in the Terminal Services Configuration snap-in. You can also use Group
Policy to configure this setting.

Note: The Sound Recorder feature of Microsoft Windows Vista is not supported by RDP.
Desktop Experience does not enable any of the Windows Vista features automatically;
you need to enable them manually.
 Configuring and Troubleshooting Terminal Services Connections 3-13

MCT USE ONLY. STUDENT USE PROHIBITED

Question: Which scenarios require audio data to be shared between the terminal
server and client?

For more information about configuring the Desktop Experience, see

"Remote Desktop Connection Display" on the Microsoft TechNet Web
site.
3-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring the Plug and Play Device Redirection
Framework

Key Points
You can control the PnP device redirection framework on the Client Settings tab in
the Properties page of the required connection in the Terminal Services
Configuration snap-in.
To redirect devices that use Microsoft Point of Service (POS) for .NET 1.11:
1. Install POS for .NET 1.11.
2. Install the .NET service objects or XML configuration files required by the POS
for .NET device.
3. Stop and start the Terminal Services UserMode Port Redirector service in the
Terminal Services Configuration snap-in.
 Configuring and Troubleshooting Terminal Services Connections 3-15

MCT USE ONLY. STUDENT USE PROHIBITED

Note: POS for .NET 1.11 device redirection is only supported if the terminal server is
running an x86-based version of Windows Server 2008.

For more information about device redirection, see "Terminal Server

Plug and Play Device Redirection Framework in Vista and Longhorn" on
the Microsoft TechNet Web site.
3-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 2:
Configuring the TS Connection Properties by
Using Group Policy

As an administrator, you might prefer to configure some connection properties by

using Group Policy. The Group Policy settings override the settings configured by
using the Terminal Services Configuration snap-in.
In addition to configuring TS connection properties, you can use Group Policy to
configure the Single Sign-On (SSO) feature of Windows Server 2008. This feature
helps reduce the administrative load significantly as it enables users to log on to
multiple devices or services with a single set of credentials.
 Configuring and Troubleshooting Terminal Services Connections 3-17

MCT USE ONLY. STUDENT USE PROHIBITED

Using Group Policy to Configure the TS Connection
Properties

Key Points
Although most TS connection properties can be set by using the Terminal Services
Configuration snap-in, you might want to set these by using Group Policy. The
choice of method can depend on the complexity of your TS environment. Using
Group Policy is often considered to be a simpler approach to configuring TS,
especially in an environment with multiple terminal servers and users.
By using Group Policy, you can configure properties such as the maximum
number of sessions, encryption level, automatic start program, remote control,
time-out and reconnection, and some other client settings such as connection
drives and printers. In addition, you can also configure the following settings:
• Specifying the interval for the session to be kept alive and keeping it consistent
with the client state
• Removing the Disconnect item from the Shut Down dialog box
• Disabling smart card device redirection
3-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Question: What will happen if you disable a Remote Desktop connection by using
the Group Policy setting while a user is connected to the target computer?

For more information about configuring TS properties by using Group

Policy, see "Configure Group Policy Settings" on the Microsoft TechNet
Web site.
 Configuring and Troubleshooting Terminal Services Connections 3-19

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to Single Sign-On

The security benefit provided by SSO is that a user needs to log on to the domain
only once by using a password. Subsequently, the user will be authenticated on
any server in the domain. For administrators, this feature minimizes the
administrative effort required to maintain a user account.

For more information about SSO, see "Single Sign-On for Terminal
Services" on the Microsoft TechNet Web site.
3-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Considerations for Configuring Single Sign-On

Key Points
As an administrator, for configuring SSO, you need to ensure that the client
computers should be either Windows Vista-based or Windows Server 2008-based
computers, and the users have appropriate rights to log on to both the client and
server. SSO can also be used on the client computers and terminal server that are
part of a domain.
You also need to note that Windows Server 2008 provides Credential Security
Service Provider (CredSSP) that supports SSO. By using this feature, you can
securely save your credentials for later use.
 Configuring and Troubleshooting Terminal Services Connections 3-21

MCT USE ONLY. STUDENT USE PROHIBITED

Note: SSO will not work on a server that cannot be authenticated by using Kerberos or
Secure Sockets Layer (SSL) certificate. If the terminal server connection is using a TS
Gateway server, then in some cases the credentials of the TS Gateway will override the
SSO settings.

For more information about considerations for configuring SSO, see

"How to enable Single Sign-On for my Terminal Server connections" on
the Microsoft Terminal Services Team Blog Web site.
3-22 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 3:
Troubleshooting the TS Connections

A number of connectivity issues can arise in a TS environment. While specific

issues need to be handled by using specific methods, there are some
troubleshooting steps that can help you determine common problems and rectify
them.
 Configuring and Troubleshooting Terminal Services Connections 3-23

MCT USE ONLY. STUDENT USE PROHIBITED

Troubleshooting Connectivity Issues

Key Points
Depending on the connectivity problem, you can perform troubleshooting steps
such as checking the RDP settings, analyzing event and error logs, and verifying
licenses, policies, permissions, and encryption levels.
In addition, you can perform the following troubleshooting steps:
• Use the Terminal Services Manager to view users connected to the terminal
server.
• Identify and fix connectivity problems between the terminal server and
domain controller by using the ping command.
• Use the ping command to determine connectivity problems with other
computers.
• Start the Device Manager by using the devmgmt.msc command, and check the
status of the network adapter.
3-24 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

• Check the network indicator lights on the computer and the hub or router.
Also, check the network cabling.
• Check the firewall settings by using the Windows Firewall with the Advanced
Security snap-in.
• Check the IPsec settings by using the IP Security Policy Management snap-in.

For example, if a user logon request is denied, as an administrator you can check if
the Allow all connections option is selected on the General tab in the Terminal
Services Configuration snap-in.
Another common connectivity issue is the failure of authentication when a user
tries to reconnect to the terminal server. In this case, you can verify the user
accounts connected to the terminal server on the Users tab in the Terminal
Services Configuration snap-in.
 Configuring and Troubleshooting Terminal Services Connections 3-25

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Configuring and Troubleshooting the TS
Connections

Overarching Scenario
You receive a service request from the enterprise administrator to configure the
connection settings for TS. As an administrator, you need to configure connection
permissions, SSO, client settings, and time-out and reconnection settings, as
defined in the service request. These connection settings will enable you to
efficiently manage connections to remote applications. To avoid overloading of the
terminal server, you need to set permissions for all users and restrict the number of
sessions.
3-26 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Configuring the TS Connection Properties
Scenario
The enterprise administrator is receiving many complaints about unauthorized
users accessing the terminal server. Also some connections get disconnected
automatically and users have a problem working with the applications on the
terminal server. You receive a service request to modify the connection permissions
of Baris, Bernard, and Anton.

Exercise Overview
In this exercise, you will configure the TS connection properties by using the
Terminal Services Configuration snap-in.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and the 6428A-NYC-TS- 03 virtual machines and
log on to these machines as Administrator.
2. Configure the TS connection properties by using the Terminal Services
Configuration snap-in.

f Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS- 03 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on with the default login ID
WOODGROVEBANK\Administrator by using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-03 and log on as WOODGROVEBANK\Administrator
by using the password Pa$$w0rd.
3. Verify that TS is installed on the 6428A-NYC-TS-03 virtual machine.

Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear
before starting the 6428A-NYC-TS-03 virtual machine.
 Configuring and Troubleshooting Terminal Services Connections 3-27

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Configure the TS connection properties by using the Terminal
Services Configuration snap-in
1. On 6428A-NYC-TS-03, start the Terminal Services Configuration snap-in.
2. Verify that the remote control setting for default users is selected on the
Remote Control tab in the RDP-Tcp Properties dialog box.
3. Configure the connection permissions for users as follows:
• Baris Cetinok: Deny permission to disconnect a connection
• Bernard Duerr: Allow all connection permissions
• Anton Kirilov: Allow permission to disconnect a connection

Results: After this exercise, you should have configured the connection properties.
3-28 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring the TS Connection Properties by
Using Server Group Policy
Scenario
You have been tasked with restricting the maximum number of terminal sessions
to two and configuring the TS connection setting to automatically reconnect to the
server. In addition, you need to configure the RDP client connection security and
encryption levels on the server. You want to configure the connection settings by
using the Group Policy editor. These settings are critical to the performance of the
TS and they will override any other settings that users might have configured by
using the Terminal Services Configuration snap-in.

Exercise Overview
In this exercise, you will configure the TS connection properties by using Group
Policy.
The main tasks for this exercise are as follows:
1. Configure the TS connection properties.
2. Verify that a maximum of two clients can connect to the terminal server.

f Task 1: Configure the TS connection properties

1. On 6428-NYC-DC1-01, start Group Policy Management by using the
gpmc.msc command.
2. Create a new Group Policy Object (GPO) for the Marketing OU as GPO for
TS Connection.
3. Start the Group Policy Management Editor, and configure the following:
• TS Maximum Connections allowed: 2
• Automatic reconnection: Enabled
• Set client connection encryption level: Enabled
• Encryption level: Client Compatible
• Set time limit for disconnected sessions: Enabled
• End a disconnected session: 5 minutes
 Configuring and Troubleshooting Terminal Services Connections 3-29

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Verify that a maximum of two clients can connect to the
terminal server
1. On 6428A-NYC-DC1-01, display the Remote Desktop Connection dialog box
by using the mstsc command.
2. Connect to Nyc-ts, log on as Baris with the password Pa$$w0rd.
3. Log on as a second user, Bernard with the password Pa$$w0rd.
4. Log on as a third user, Anton with the password Pa$$w0rd.
5. Observe that Anton gets a failed logon message.

Results: After this exercise, you should have configured the TS connection properties
by using server Group Policy.
3-30 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring SSO by Using Client Group Policy
Scenario
As an administrator, you want to reduce your administrative tasks. Currently, you
are spending a lot of time maintaining the user accounts that are connecting to the
TS. You want to configure SSO to reduce the administrative effort.

Exercise Overview
The main task for this exercise is to configure SSO by using client Group Policy.

f Task 1: Configure the SSO setting by using client Group Policy

1. On 6428A-NYC-DC1-01, start the Terminal Services Configuration snap-in
by using the tsconfig.msc command.
2. In the RDP-Tcp Properties dialog box, select Security Layer as SSL (TLS
1.0).
3. Start the Local Group Policy Editor by using the gpedit.msc command.
4. Select the option Allow Delegating Default Credentials.
5. Add the server 6428A-NYC-TS- 03 to the list of servers in the Show Contents
dialog box.

Results: After this exercise, you should have configured SSO by using client Group
Policy.
 Configuring and Troubleshooting Terminal Services Connections 3-31

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 4: Troubleshooting Connectivity Issues
Scenario
Users in the organization are having problems connecting to the terminal server. A
user Monika Buschmann is unable to log on because her password has expired.
You need to reset her password. Another user Dana Birkby is unable to connect to
the Remote Desktop. Verify her user permissions. After updating the users account
settings, validate that the users can connect to the terminal server. Help Desk has
verified that this is not a network connectivity issue from the client and that the
firewall is also correctly configured.

Exercise Overview
In this exercise, you will troubleshoot connectivity issues.
The main tasks for this exercise are as follows:
1. Verify the RDP settings and check the event logs.
2. Verify the user and group permissions and policy settings.
3. Verify that the users are able to log on with the updated settings.
4. Shut down the virtual machines.

f Task 1: Verify the RDP settings and check the event logs
1. On 6428A-NYC-TS-03, start TS RemoteApp Manager.
2. Verify that the RDP Port for NYC-TS.WoodgroveBank.Com is 3389.
3. Start Event Viewer by using the eventvwr command.
4. Check the details under Application.

f Task 2: Verify the user and group permissions and policy settings
1. On 6428A-NYC-DC1-01, start the Active Directory Users and Computers
snap-in.
2. Under Marketing, reset the password for Monika Buschmann to
Pass@word1.
3-32 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

3. Start the Terminal Services Configuration snap-in, in the RDP-Tcp
Properties dialog box, verify permission settings for Dana Birkby and modify
the settings to enable her remote connection.
4. Check that the Encryption Level is Client Compatible.

f Task 3: Verify that users are able to log on with the updated settings
1. On 6428A-NYC-DC1-01, start Remote Desktop Connection by using the
mstsc command.
2. Connect to Nyc-ts and log on as Monika with the password as Pass@word1.
3. Log on as the second user, Dana with the password as Pa$$w0rd.

f Task 4: Shut down the virtual machines

1. Turn off 6428A-NYC-DC1-01, and discard changes.
2. Turn off 6428A-NYC-TS-03, and discard changes.

Results: After this exercise, you should have used troubleshooting techniques to
resolve connectivity issues.
 Configuring and Troubleshooting Terminal Services Connections 3-33

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
MCT USE ONLY. STUDENT USE PROHIBITED
 Configuring Terminal Services Core Functionality 4-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 4
Configuring Terminal Services RemoteApp and
Easy Print
Contents:
Lesson 1: Installing Applications 4-3
Lesson 2: Configuring RemoteApp Programs 4-7
Lesson 3: Configuring Printers 4-17
Lab: Configuring TS Resources 4-21
4-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

Before installing programs on the terminal server, it is important that you are
familiar with the types of applications that can be installed and considerations for
installing these applications. This module provides an overview of TS RemoteApp
programs that can be remotely accessed through TS, advantages of using these
programs, and the methods used to deploy them.
The module also introduces TS Easy Print, which facilitates printer redirection over
a TS session.
 Configuring Terminal Services Core Functionality 4-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Installing Applications

You can install any Windows-based application on a terminal server. However,

running some of these applications might affect the performance of the terminal
server. Therefore, it is important to bear in mind some key considerations for
installing these applications.
4-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Types of Applications

Key Points
Terminal servers support off-the-shelf, custom, and line of business (LOB)
applications. You can also install applications that use application virtualization
technologies.
Application virtualization isolates an application from the underlying operating
system. The application runs in a virtualized environment and does not need to be
installed on or interact with the underlying operating system.
Windows Server 2008 TS provides a functionality that facilitates central hosting of
client applications by using a virtualization technique called presentation
virtualization. Using this technique, the keyboard and mouse inputs are directed to
the server, and the video output is sent to the client over a network connection.
 Configuring Terminal Services Core Functionality 4-5

MCT USE ONLY. STUDENT USE PROHIBITED

Considerations for Installing Applications

Key Points
Although all Windows-based applications run on a terminal server, you need to
remember that some 16-bit applications require more RAM than others. These
applications may affect the performance of other applications.
Also note that all applications on the terminal server should be installed by using
the Windows installer.

Note: Most programs have been tested for compatibility, and scripts are available for
those that require some minor changes to the installation. These scripts are located in
the System root, in the following path: \Application Compatibility Scripts\Install. You
need to run these scripts after the installation of the program is completed.
4-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Note: It is recommended that you avoid installing Microsoft DOS-based applications in a
TS environment because these applications require frequent keyboard checks that use a
lot of CPU memory. Applications accessing INI files also cause problems in a TS
environment, owing to the frequent changes in the INI files.

For more information about considerations for installing applications,

see "Build Your Skills: How to Optimize Apps to Run in Terminal Services"
on TechRepublic.com Web site.
 Configuring Terminal Services Core Functionality 4-7

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 2:
Configuring RemoteApp Programs

TS RemoteApp programs are applications that can be accessed remotely through

TS. Using RemoteApp programs, organizations can provide access to Windows-
based applications from any location to any computer or user.
These RemoteApp programs can be deployed by using TS Web Access, Windows
installer package (.msi file), or Remote Desktop Protocol (.rdp file).
4-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to TS RemoteApp Programs

Key Points
In Windows Server 2008 TS, a RemoteApp program is integrated with the client's
desktop and runs in its own resizable window with its own entry on the taskbar. A
RemoteApp program that uses a notification area icon displays the icon in the
client's notification area.
Using RemoteApp programs, the popup windows can be redirected to the local
desktop and the local drives and printers can be redirected to appear in the
RemoteApp program.
 Configuring Terminal Services Core Functionality 4-9

MCT USE ONLY. STUDENT USE PROHIBITED

Question: You want to access multiple programs running on the terminal server at
the same time. How many terminal server sessions will be required to run multiple
RemoteApp programs?

For more information about TS RemoteApp programs, see “Windows

Server 2008 Terminal Services RemoteApp Step-by-Step Guide" on the
Microsoft TechNet Web site.
4-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Advantages of Using RemoteApp Programs

Key Points
Using TS RemoteApp programs minimizes the overall administrative effort,
enhances user experience, and facilitates running different programs on multiple
desktops.
You can use TS RemoteApp programs in the following scenarios:
• For users who need to access applications from remote locations
• In an organization having many branches with limited local IT support and
bandwidth
• In companies that have LOB applications, which need to be deployed on
computers with different configurations
 Configuring Terminal Services Core Functionality 4-11

MCT USE ONLY. STUDENT USE PROHIBITED

• For users who need to use different versions of a program
• For users who are mobile and need to work from different computers and/or
locations

Question: What is the scenario in your organization and how will the
implementation of RemoteApp programs assist you?
4-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Methods for Deploying RemoteApp Programs

Key Points
Depending on the deployment method used—TS Web Access, .msi file, or .rdp file—
you can access RemoteApp programs by:
• Clicking a link to the program on a Web site
• Double-clicking a .rdp file created by the administrator through a file share
• Double-clicking a program icon created by an administrator on the desktop or
in the Start menu of the client computer
• Double-clicking a file with a file name extension that is associated with the
RemoteApp program through a file share

Questions: Can you access a RemoteApp program by using Internet Explorer?

 Configuring Terminal Services Core Functionality 4-13

MCT USE ONLY. STUDENT USE PROHIBITED

Using TS Web Access to Deploy RemoteApp Programs

Key Points
TS Web Access provides access to RemoteApp programs through a Web page over
the Internet or an intranet.
When using TS Web Access to deploy RemoteApp programs, you first need to
install the required RemoteApp programs and verify the remote connection
settings on the terminal server. Then, you need to add the programs to the
RemoteApp Programs list in the TS RemoteApp Manager. The TS RemoteApp
Manager is then used to configure the following global settings that will apply to
all RemoteApp programs:
• Terminal server
• TS Gateway
• Common Remote Desktop Protocol (RDP)
4-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

• Custom RDP
• Digital signature

You can then install the TS Web Access role service by using the Server Manager
snap-in.
If the TS Web Access server is different from the terminal server that hosts the
RemoteApp programs, then you need to add the computer account of the TS Web
Access server to the TS Web Access Computers security group on the terminal
server. You can add the computer account by using the Computer Management
administrative tool on the terminal server.
Finally, you can specify the data source or the terminal server from which to
populate the RemoteApp programs list. For this you can connect to the TS Web
Access Web site. By using the Configuration tab on the site, you can enter the name
of the terminal server that you want to use as the data source.

Note: You can use a digital signature to sign .rdp files for connecting RemoteApp
programs to the terminal server. The client must be running RDC 6.1.

Note: Windows Installer packages or MSI packages are made available by using a file
share, Microsoft Systems Center Configuration Manager, or Active Directory software
distribution. These methods enable you to make RemoteApp programs available to users
without using TS Web Access.

For more information about using TS Web Access for deploying

RemoteApp programs, see “Windows Server 2008 Terminal Services
RemoteApp Step-by-Step Guide" on the Microsoft TechNet Web site.
 Configuring Terminal Services Core Functionality 4-15

MCT USE ONLY. STUDENT USE PROHIBITED

Considerations for Connecting to TS Web Access

Key Points
Clients connecting to TS Web Access must be running Windows Server 2008,
Windows Vista, or Windows XP and must have the TS ActiveX client control
approved by a standard user.
In case of any problems in connecting to TS Web Access from the client computer,
you can use the Manage Add-ons tool available on the Tools menu of Internet
Explorer. The add-on will be displayed as Microsoft Terminal Services Client
Control.
On Windows XP SP3, you might need to modify the registry to enable the ActiveX
control.

Note: RDC 6.1 is included in Vista SP1 and XP SP3.

4-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: Using an MSI File to Deploy RemoteApp
Programs

Question: Why is it important to view the associated file name extensions for
programs on the terminal server?
 Configuring Terminal Services Core Functionality 4-17

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 3
Configuring Printers

TS Easy Print is a new feature in Windows Server 2008 TS. This feature enables
users to print to the correct printer on the client computer from a RemoteApp
program or from a remote desktop connection to a terminal server. TS Easy Print
simplifies printer redirection as it requires only Group Policy to be configured.
4-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

TS Easy Print

Key Points
TS Easy Print redirects all print jobs from a TS session to the client computer
without the need to install any printer driver on the terminal server.
In addition, it provides enhanced enumeration performance by listing only the
printers that are available for a particular session instead of all the redirected
printers.

Note: The Group Policy setting applies to both TS Easy Print and legacy fallback. TS Easy
Print is the default behavior, however, it coexists with the legacy fallback behavior of
Windows Server 2003 RTM.

For more information about TS Easy Print, see "Terminal Services

Printing" on the Microsoft TechNet Web site.
 Configuring Terminal Services Core Functionality 4-19

MCT USE ONLY. STUDENT USE PROHIBITED

Considerations for Using TS Easy Print

Key Points
Client computers using TS Easy Print must be running either Windows Vista or
Windows XP. If, however, these computers do not support Easy Print, then the
local and network printer drivers will have to be installed on the terminal server. If
you are using a third-party printer driver, then that driver needs to be signed by
Windows Hardware Quality Labs (WHQL). The third-party printer driver should
be compatible with Windows Server 2008 to run without any connectivity
problems.

On client computers that do not support TS Easy Print, printing defaults to the behavior
in Windows 2003 and prior to Windows 2000.
4-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring Group Policy for Printer Redirection

Key Points
Windows Server 2008 has introduced a new Group Policy that is available in the
Group Policy Management snap-in. The policy is located under the Administrative
Templates\Windows Components\Terminal Services\Terminal Server\Printer
Redirection node. The policy is named Redirect only the default client printer.
The possible values for this Group Policy setting are:
• Enabled or Not Configured
• Disabled

By enabling this policy, you can ensure that only the TS client’s default printer is
redirected on the terminal server. This policy will function from any version of the
TS client.
 Configuring Terminal Services Core Functionality 4-21

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Configuring TS Resources

Overarching Scenario
Woodgrove Bank is launching a new investment scheme to benefit the
underprivileged. The management has prepared a presentation that needs to be
distributed to all the members of the Marketing group. The IT department is
responsible for deploying the presentation on the terminal server so that it is
accessible to all the members of the Marketing group.
As a technology specialist in Woodgrove Bank’s IT department, you have been
tasked with installing Microsoft PowerPoint Viewer on the terminal server and
making it available as a RemoteApp program. You also need to ensure that
members are able to print the presentation if required.
4-22 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Configuring and Deploying TS RemoteApp
Programs
Scenario
You receive a service request from the enterprise administrator to install
PowerPoint Viewer on the terminal server. You need to create a RemoteApp
program link to PowerPoint Viewer for the Marketing group because they need to
use the application to view the presentation of the new investment scheme.

Exercise Overview
In this exercise, you will install TS Web Access and create a link to PowerPoint
Viewer for the Marketing group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log
on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Add the computer account of the TS Web Access server to the security group.
4. Specify the data source.
5. Install PowerPoint Viewer.
6. Add the PowerPoint Viewer program in the RemoteApp Programs list.
7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.
8. Determine if the RemoteApp program is enabled for TS Web Access.
9. Configure the TS Web Access server to allow access from the Internet.

f Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 and log on as WoodgroveBank\Administrator
using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-03 and log on as WoodgroveBank\Administrator using
the password Pa$$w0rd.
 Configuring Terminal Services Core Functionality 4-23

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Install the TS Web Access role service
1. On 6428A-NYC-TS-03, start Server Manager and display the Add Role
Services link.
2. Add the TS Web Access role service by using the Select Role Services page.

f Task 3: Add the computer account of the TS Web Access server to the
security group
1. On 6428A-NYC-TS-03, start the Computer Management snap-in.
2. Under the Local Users and Groups node, select the group TS Web Access
Computers, and add the computer NYC-TS.

f Task 4: Specify the data source

1. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.
2. Log on to the site as WoodgroveBank\Administrator using the password
Pa$$w0rd.
3. Use the Configuration tab on the title bar to name the terminal server as NYC-
TS.

f Task 5: Install PowerPoint Viewer

1. Display the command prompt and enter change user /install.
2. Use Control Panel to install the application on the terminal server.
3. Install the PowerPointViewer.exe from E:\Tools.
4-24 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 6: Add the PowerPoint Viewer program in the RemoteApp
Programs list
1. Start TS RemoteApp Manager.
2. Use the RemoteApp wizard to add PowerPoint Viewer to the RemoteApp
Programs list page.
3. Verify that the RemoteApp program, Microsoft Office PowerPoint Viewer
2007, is available through TS Web Access.

f Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp

program
1. In the TS RemoteApp Manager, in the RemoteApp Programs list, select
Microsoft Office PowerPoint Viewer 2007.
2. Create a .rdp file for Microsoft Office PowerPoint Viewer 2007 by using the
RemoteApp Wizard and on the Specify Package Settings page, verify the
following settings:
• Location of the program: C:\Program Files\Packaged Programs
• Terminal server: NYC-TS.WoodgroveBank.com
• Server authentication: Yes
• Port: 3389

f Task 8: Determine if the RemoteApp program is enabled for TS Web

Access
1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that Microsoft
Office PowerPoint Viewer 2007 is available through TS Web Access.
2. Start Internet Explorer.
3. Access the URL http:// NYC-TS/TS.
4. Provide the user credentials as WoodGroveBank\Baris with the password
Pa$$w0rd.
 Configuring Terminal Services Core Functionality 4-25

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 9: Configure the TS Web Access server to allow access from the
Internet
1. On the 6428A-NYC-TS-03, start Internet Information Services (IIS) Manager.
2. Enable Windows Authentication.

Results: After this exercise, you should have installed the PowerPoint program and
created a link to C:\Program Files\Packaged Programs.
4-26 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring TS Easy Print
Scenario
The Marketing group wants to print documents remotely. They might also want to
print the investment scheme presentation. You receive a service request from the
server administrator to ensure that TS Easy Print on the terminal server is used as
the default printer driver on the client computers.

Exercise Overview
The main tasks for this exercise are as follows:
1. Configure the printer redirection settings.
2. Shut down the virtual machines.

f Task 1: Configure the printer redirection settings

1. On 6428A-NYC-DC1-01 start Group Policy Management.
2. Create a GPO, GPO for RDP link, for Marketing.
3. Under Printer Redirection, enable:
• Use Terminal Services Easy Print printer driver first.
• Redirect only the default client printer.

f Task 2: Shutdown the virtual machines

• Turn off each virtual machine that is running and discard changes.

Results: After this exercise, you should have configured TS Easy Print and the client
print driver should have been redirected to TS.
 Configuring Terminal Services Core Functionality 4-27

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
MCT USE ONLY. STUDENT USE PROHIBITED
 Configuring Terminal Services Web Access and Session Broker 5-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 5
Configuring Terminal Services Web Access and
Session Broker
Contents:
Lesson 1: Installing TS Web Access 5-3
Lesson 2: Configuring TS Session Broker 5-14
Lab: Configuring TS Web Access and Session Broker 5-19
5-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

TS Web Access is a role service that allows you to access TS RemoteApp™

programs on a Microsoft Windows Server 2008-based terminal server through a
Web browser. This role service allows you to remotely connect to the desktop of
any computer that provides Remote Desktop access.
This module introduces TS Web Access and covers the considerations for
installing this role service followed by the steps to install and configure
RemoteApp programs by using TS Web Access. The module also describes the
procedure to connect to the Remote Desktop Web by using TS Web Access.
The module finally covers another role service, TS Session Broker, which facilitates
reconnecting to an existing session in a load-balanced terminal server farm.
 Configuring Terminal Services Web Access and Session Broker 5-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Installing TS Web Access

With TS Web Access, you can easily access a list of RemoteApp programs from a
Web site on the Internet or intranet. When you start a RemoteApp program, a TS
session is started on the terminal server that hosts the application.
The TS Web Access page includes the TS Web Access Web part that displays the
list of RemoteApp programs. This Web part can be included on a customized Web
page of an organization or can be incorporated in a Microsoft Windows SharePoint
Services (WSS) Web site.
5-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to TS Web Access

Key Points
TS Web Access in Windows Server 2008:
• Allows users to run multiple RemoteApp programs on the same terminal
server in the same TS session
• Provides for centralized and easy remote administration and maintenance

TS Web Access in Windows Server 2008 also includes the Remote Desktop Web
Connection feature, which enables users to connect to the desktop of remote
computers.
This feature is available as a Remote Desktop tab on the TS Web Access Web page.
Remote Desktop Web Connection is installed as part of the TS Web Access role
service and is not an optional component of Microsoft Internet Information
Services (IIS) 7.0.
 Configuring Terminal Services Web Access and Session Broker 5-5

MCT USE ONLY. STUDENT USE PROHIBITED

Note: TS Web Access does not route Remote Desktop Protocol (RDP) over the Internet.
To connect to RemoteApp programs over the Internet, TS Gateway is used in conjunction
with TS Web Access.

For more information about TS Web Access, see “Terminal Services Web
Access (TS Web Access)" on the Microsoft TechNet Web site.
5-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

What's Different in Windows Server 2008 TS Web Access?

Key Points
TS Web Access in Windows Server 2008 replaces the TS Web Connection software
available with Microsoft Windows Server 2003. An important point to note is that
accessing TS Web Access does not require a separate ActiveX control to be
downloaded. The required Active X control is included in Remote Desktop
Connection (RDC) 6.1.
 Configuring Terminal Services Web Access and Session Broker 5-7

MCT USE ONLY. STUDENT USE PROHIBITED

Considerations for Installing TS Web Access

Key Points
Before installing TS Web Access in Windows Server 2008, you need to ensure that
the client computers are running either Windows Server 2008 or Microsoft
Windows Vista with SP1.
RDC 6.1, a necessary component for running TS Web Access, is included with
Windows Server 2008 and Windows Vista with SP1.
5-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Deploying the TS Web Access Web Part

Key Points
The list of RemoteApp programs that appears on the TS Web Access Web part is
taken from a single terminal server that is specified by an administrator. This list is
dynamically updated.
You can deploy the Web part as part of a customized Web page by using an
ActiveX control and Active Server Pages (ASP).
 Configuring Terminal Services Web Access and Session Broker 5-9

MCT USE ONLY. STUDENT USE PROHIBITED

To add the TS Web Access Web part to a WSS site, ensure that the server is running the
release to manufacturing (RTM) version of Windows Server 2008 Standard. This feature
does not work properly with Windows Server 2008 Release Candidate (RC)1.

For more information about the steps used to add the TS Web Access
Web part to a WSS Web site, see the document “Customizing TS Web
Access by Using Windows SharePoint Services" on the Microsoft Web
site.
5-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Installing and Configuring RemoteApp Programs by Using
TS Web Access

To configure RemoteApp programs on the terminal server:

1. Install the programs required on the terminal server.
2. Verify existing remote connections or change remote connection settings as
required.

To enable RemoteApp programs for TS web Access:

1. Add the programs that you want to display in the RemoteApp Programs list.
2. Configure the following:
• Terminal server deployment settings
• TS Gateway deployment settings
 Configuring Terminal Services Web Access and Session Broker 5-11

MCT USE ONLY. STUDENT USE PROHIBITED

• RDP settings for RemoteApp connections
• Custom RDP settings for RemoteApp connections
• Digital signature to sign the .rdp files

To install TS Web Access on the server:

1. Install the TS Web Access role service.
2. Populate the TS Web Access Computers security group.
3. Specify the terminal server with the RemoteApp programs list on the TS Web
Access Web part.

All remote programs on the terminal server or farm configured for TS Web Access
appear on the TS Web Access Web site.

Question: Which RemoteApp programs would you prefer to include on the TS

Web Access Web part in your organization?

For more information about installing and configuring RemoteApp

programs by using TS Web Access, see “Windows Server 2008 Terminal
Services RemoteApp Step-by-Step Guide” on the Microsoft TechNet
Web site.
5-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Connecting to Remote Desktop Web by Using TS Web
Access

Key Points
If you are an administrator, you can specify whether the Remote Desktop tab on
the TS Access Web page is available to users by using the IIS Manager. You can
also configure settings such as the TS Gateway server, authentication method, and
default device and resource redirection options.
By default, server authentication is enabled for the Remote Desktop Web
connection.
To connect to the remote computer:
• The computer must be configured to accept Remote Desktop connections.
• The user must be a member of the Remote Desktop Users group on the
remote computer.
 Configuring Terminal Services Web Access and Session Broker 5-13

MCT USE ONLY. STUDENT USE PROHIBITED

Note: You can also configure the settings for the Remote Desktop Web connection by
changing the %windir%\Web\ts\Web.config file in Notepad.

Question: What are the advantages of using the Remote Desktop Web connection
in a branch scenario?
5-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 2:
Configuring TS Session Broker

In a farm environment, you can use the TS Session Broker role service to balance
the load among the terminal servers. By using TS Session Broker, you can
distribute the sessions such that the more powerful terminal servers take more
load than the less powerful terminal servers.
 Configuring Terminal Services Web Access and Session Broker 5-15

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to TS Session Broker

Key Points
In Windows Server 2008, TS Session Broker provides session-based load balancing
as compared to connection-based Network Load Balancing (NLB) in Windows
Server 2003. However, Windows Server 2008 continues to support third party
NLB configurations of Windows 2003.
TS Session Broker works through the following two phases:
• In the first phase, the connections are distributed to the terminal servers by
using a load balancing mechanism such as Domain Name System (DNS)
round robin. The terminal server in turn then queries TS Session Broker for
redirection.
• In the second phase, the terminal server redirects the user connections to the
terminal server specified by TS Session Broker.
5-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Note: The TS Session Directory feature available in the previous versions is called
TS Session Broker in Windows Server 2008.

For more information about TS Session Broker, see "Windows Server

2008 TS Session Broker Load Balancing Step-by-Step Guide" on the
Microsoft TechNet Web site.
 Configuring Terminal Services Web Access and Session Broker 5-17

MCT USE ONLY. STUDENT USE PROHIBITED

Prerequisites for Configuring TS Session Broker

Key Points
Windows Server 2003 terminal servers cannot use the TS Session Broker load
balancing feature.
As a best practice, you should install the TS Session Broker role service on a back-
end infrastructure server, such as a file server. This ensures that the service will not
be affected when you need to perform maintenance on the terminal servers in the
farm.
To use the TS Session Broker role service, the terminal servers should be members
of the Session Directory Computers local group. This group is located on the TS
Session Broker server.
5-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: Configuring TS Session Broker

Question: You need to configure the IP addresses for reconnection. What

precaution do you need to take to include the terminal servers running Windows
Server 2003?
 Configuring Terminal Services Web Access and Session Broker 5-19

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Configuring TS Web Access and Session
Broker

Overarching Scenario
The Marketing group of Woodgrove bank has prepared a presentation about a new
product by using Microsoft PowerPoint. This presentation should be available on a
Web site to all users of this group. The Finance group has also prepared a
presentation on the current financial position of the organization. The
management wants users from the Finance group to access this presentation from
the WSS Web site.
To manage all the traffic on the Web servers in the farm, the enterprise
administrator wants to implement TS Session Broker.
5-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Configuring TS RemoteApp Programs for TS
Web Access
Scenario
You receive a service request from the enterprise administrator to create a link to
Microsoft Office PowerPoint Viewer 2007 on the terminal server. This link should
be available to all users of the Marketing Group through a Web browser. To enable
this, you need to create the link to PowerPoint Viewer that can be accessed through
the TS Web Access Web site.

Exercise Overview
In this exercise, you will install and configure the TS Web Access role service on
the terminal server and create a .msi file for PowerPoint Viewer. A link for this .msi
file needs to be created so that the marketing group can access it through a Web
browser.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05
virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Determine if the RemoteApp program is enabled for TS Web Access.
4. Create an MSI file.
5. Create a link to the TS RemoteApp program on the terminal server.
6. Verify that the link is functional and available through the Web browser.

f Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-

NYC-WEB-05 virtual machines and log on to these machines as
Administrator
1. Start 6428A-NYC-DC1-01, and log on as WoodgroveBank\Administrator by
using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-05, and log on as WoodgroveBank\Administrator by
using the password Pa$$w0rd.
3. Start 6428A-NYC-WEB-05, and log on as WoodgroveBank\Administrator by
using the password Pa$$w0rd.
 Configuring Terminal Services Web Access and Session Broker 5-21

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Install the TS Web Access role service
1. In the Server Manager snap-in on 6428A-NYC-TS-05, under Role Summary,
add the TS Web Access role service.
2. Start the Computer Management snap-in.
3. In the left pane on the Computer Management page, under the Local Users
and Groups node, select TS Web Access Computers, and add the NYC-TS
computer.
4. Connect to the TS Web Access Web site by using the URL http://NYC-TS/ts.
5. Log on to the site as Woodgrovebank\Administrator by using the password
Pa$$w0rd.
6. Add the site to trusted sites.
7. Use the Configuration tab on the title bar to name the terminal server as NYC-
TS.

f Task 3: Determine if the RemoteApp program is enabled for TS Web

Access
1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.
2. In the RemoteApp Programs list, verify that Microsoft Office PowerPoint
Viewer 2007 is available through TS Web Access.

f Task 4: Create an MSI file

1. On 6428A-NYC-TS-05, start the TS RemoteApp Manager.
2. In the RemoteApp Programs list, select the program Microsoft Office
PowerPoint Viewer 2007.
3. In the Actions pane, select the option to create the Windows Installer package
by using the RemoteApp Wizard.
5-22 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 5: Create a link to the TS RemoteApp program on the terminal
server
1. In the TS RemoteApp Manager, in the RemoteApp Programs list, verify that a
Yes value is displayed for TS Web Access next to Microsoft Office PowerPoint
Viewer.
2. Start Internet Explorer and type the URL as http:// NYC-TS/ts.
3. Display the Connect to nyc-ts dialog box, and provide the user credentials as
WoodGroveBank\Bernard with password Pa$$w0rd.
4. Add the URL to trusted sites.
5. On 6428A-NYC-TS-05, start the Internet Information Services (IIS) Manager
and specify the default Web site as TS.
6. To configure TS Web Access server to allow access from the Internet, verify
that Windows Authentication is enabled.

f Task 6: Verify that the link in functional and available through the
Web browser
1. On 6428A-NYC-WEB-05, verify that you are logged on as
WoodgroveBank\Administrator with the password Pa$$w0rd.
2. Start Internet Explorer and type the URL as http://NYC-TS/ts.
3. In the Connect to NYC-TS dialog box, provide the user name as
WoodgroveBank\Bernard and password as Pa$$w0rd.
4. Observe that Microsoft Office PowerPoint is listed in the remote application
programs list.

Results: After this exercise, you should have installed TS Web Access on the terminal
server, created an MSI file for the remote program, created a link to the remote program,
and verified that the link is functional through Internet Explorer.
 Configuring Terminal Services Web Access and Session Broker 5-23

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Customizing TS Web Access by Using WSS
Scenario
The enterprise administrator has tasked you with customizing the TS Web Access
Web part to provide a link to Microsoft PowerPoint Viewer and adding the Web
part to a WSS Web site. Users from the Finance group should be able to access this
link so that they can view the PowerPoint presentation put up by the group.

Exercise Overview
In this exercise, you will create a customized Web part and export it to a WSS Web
site.
The main tasks for this exercise are as follows:
• Add a Web Part to a WSS site.

f Task 1: Add a Web Part to a WSS site

1. On 6428A-NYC-WEB-05, visit the SharePoint 3.0 Central Administration
Web site.
2. Display the authentication dialog box, and connect to the WSS Site http://nyc-
web:44341/ as WoodgroveBank\Administrator by using the password
Pa$$w0rd.
3. On the Home page of the Central Administration site, click Site Actions, and
then select Edit Page from the drop-down list.
4. On the Edit page, under the Resources section, add the Web part as a new
link http:// NYC-TS/ts link.

Results: After this exercise, you should have added a customized Web part by using TS
Web Access, and exported it to a WSS site.
5-24 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring TS Session Broker
Scenario
You receive a service request from the enterprise administrator to configure the TS
Session Broker role service to manage all the TS Web Access servers in the farm.

Exercise Overview
In this exercise, you will install the TS Session Broker role service and configure
the Session Broker settings for servers in a TS farm.
The main tasks for this exercise are as follows:
1. Install the TS Session Broker role service.
2. Add each server in the farm to the Session Directory Computers local group.
3. Configure the TS Session Broker settings by using Group Policy.
4. Shut down the virtual machines.

f Task 1: Install the TS Session Broker role service

1. On 6428A-NYC-TS-05, start Server Manager.
2. On the Select Role Services page, install the TS Session Broker role service.

f Task 2: Add each server in the farm to the Session Directory

Computers local group
1. Start the Computer Management snap-in.
2. In the left pane, under Local Users and Groups, select the Session Directory
Computers group.
3. In the Select Users, Computers or Groups dialog box, in the Object Type
dialog box, add the computer accounts NYC-WEB and NYC –TS.
 Configuring Terminal Services Web Access and Session Broker 5-25

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Configure the TS Session Broker settings by using Group Policy
1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in.
2. In the left pane, under the NYC node, create a new GPO GPO for TS Web
Access.
3. In the right pane, on the Settings tab of GPO for TS Web Access, edit the
computer configuration.
4. Under the Computer Configuration node, click TS Session Broker, and
configure the following settings:
• Join TS Session Broker policy: Enabled
• Configure TS Session Broker farm name: Enabled
• TS Session Broker server name: NYC-TS
• Use TS session Broker load balancing: Enabled

f Task 4: Shut down the virtual machines

• Turn off all virtual machines and discard changes.

Results: After this exercise, you should have configured TS Session Broker load balancing
for a farm.
5-26 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
 Configuring and Troubleshooting Terminal Services Gateway 6-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 6
Configuring and Troubleshooting Terminal
Services Gateway
Contents:
Lesson 1: Configuring TS Gateway 6-3
Lesson 2: Monitoring and Troubleshooting TS Gateway Connections 6-16
Lab: Configuring and Troubleshooting TS Gateway 6-23
6-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

TS Gateway is a role service that provides access to the terminal servers, computers
running RemoteApp programs as well as the computers and servers that have
Remote Desktop enabled.
By using TS Gateway, remote users can access resources on an internal network
with minimum security risks.
This module covers configuring the TS Gateway role service as well as monitoring
and troubleshooting the TS Gateway connections.
 Configuring and Troubleshooting Terminal Services Gateway 6-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Configuring TS Gateway

The installation and configuration of TS Gateway has some requirements. For

example, you must obtain a trusted Secure Sockets Layer (SSL) certificate for the
TS Gateway server to function.
In addition, users can connect to internal resources by using TS Gateway only if
they meet the conditions specified in a TS Connection Authorization Policy (CAP)
or TS Resource Authorization Policy (RAP).
By using TS CAPs or RAPs, you can manage the connections made through TS
Gateway.
6-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to TS Gateway

Key Points
TS Gateway uses Remote Desktop Protocol (RDP) tunneled over Hypertext
Transfer Protocol over Secure Socket Layer (HTTPS). By using TS Gateway, you
can make secure and encrypted connections between users on the Web and the
remote production application computers. The connection is made by using port
443. This connection works even if the remote computers are located behind a
network address translation (NAT) traversal-based router in a network.
The TS Gateway secure remote connection can also be used by TS Web Access. By
integrating TS Web Access with TS Gateway, you can ensure transport-level SSL
security for all terminal server traffic. Remote users can also access RemoteApp
programs through TS Gateway securely.
 Configuring and Troubleshooting Terminal Services Gateway 6-5

MCT USE ONLY. STUDENT USE PROHIBITED

Note: TS Gateway does not require any additional configuration to provide access to
resources behind a firewall in private networks or across NATs.

For more information about the TS Gateway server, see "Terminal

Services Gateway (TS Gateway)" on the Microsoft TechNet Web site.
6-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Requirements for TS Gateway

Key Points
To install TS Gateway, you need to be a member of the administrator group on the
server.
You also need to obtain an SSL certificate from a trusted third party. Alternatively,
you can obtain a self-signed certificate.
It is recommended that you use HTTPS with a certificate for TS Web Access. You
can use the TS Web Access certificate if TS Gateway is installed on the same server
as TS Web Access. You can also use wildcard SSL certificates.
In addition, TS Gateway requires some role services and features to be installed
and functioning.
 Configuring and Troubleshooting Terminal Services Gateway 6-7

MCT USE ONLY. STUDENT USE PROHIBITED

You can configure the TS Gateway server to use the TS CAPs that are stored on
another server running the Network Policy Server (NPS) service. This NPS server
can then be used to centrally administer and manage TS CAPs, thus improving the
deployment of TS Gateway.

Note: TS Gateway does not require any change in code when routing connections to a
TS-based session with Microsoft Windows Server 2003, Microsoft Windows Vista, or
Microsoft Windows XP-based computers.
6-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring TS Gateway

Key Points
You can configure TS Gateway by using the Server Manager snap-in. You can use
an existing certificate for SSL encryption or create a self-signed certificate. You can
also select an option that will allow you to obtain the certificate later.

Note: If you select an existing certificate, only certificates that can be used to
authenticate the TS Gateway server with the appropriate Enhanced Key Usage (EKU) will
be displayed in the list of certificates.

You need not map a self-signed certificate if you have created it by using:
• The Add Remove Roles Wizard during the installation of the TS Gateway role
service
• The TS Gateway Manager after the installation of the TS Gateway role service
 Configuring and Troubleshooting Terminal Services Gateway 6-9

MCT USE ONLY. STUDENT USE PROHIBITED

Question: When is it recommended to use self-signed certificates?

For more information about configuring TS Gateway, see "Configuring

the TS Gateway Core Scenario" on the Microsoft TechNet Web site.
6-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Obtaining Certificates

Key Points
You can generate and submit a certificate request by using various methods
depending on the policies and configuration of your organization. It is
recommended that you use self-signed certificates for evaluation and testing
purposes only.
An organization can have the following certificates:
• A stand-alone or enterprise certificate authority (CA)-issued certificate that
must be cosigned by a trusted public CA. This CA must participate in the
Microsoft Root Certification Program Members program. You need to install
this certificate on the TS Gateway server and then map the certificate.
• A certificate from a trusted public CA that participates in the Microsoft Root
Certificate Program Members program. You need to install this certificate on
the TS Gateway server and then map the certificate.
 Configuring and Troubleshooting Terminal Services Gateway 6-11

MCT USE ONLY. STUDENT USE PROHIBITED

• A self-signed certificate for technical evaluation and testing purposes only. You
must install this certificate in the Trusted Root Certification Authorities store
on the client computer. You do not need to install this certificate or map it to
the TS Gateway server.

Note: The Windows Server 2003 Certificate Services Web enrollment feature depends on
an ActiveX control named Xenroll.

Question: Which certificate enables users to connect from home computers and
kiosks to a TS Gateway server?
6-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

TS Connection Authorization Policies

Key Points
TS CAPs enhance security by regulating access to TS Gateway and are stored on
the network policy server. Using these policies, you can specify user groups, and
optionally client computer groups, that can connect to the TS Gateway server. You
can also specify conditions that a user needs to meet to connect to the server—for
example, whether a user should use a password or a smart card to access the
server. TS CAPs can be created by using the TS Gateway Manager.
Tasks involved in managing TS CAPs include:
• Enabling or disabling TS CAPs
• Modifying or removing a local TS CAP
• Specifying a new central TS CAP
• Evaluating the permissions of the user and computer groups that connect to
TS Gateway
 Configuring and Troubleshooting Terminal Services Gateway 6-13

MCT USE ONLY. STUDENT USE PROHIBITED

You can also use TS CAPs to specify which client device redirection should be
enabled or disabled for specific groups. Devices can be disk drives or supported
Plug and Play (PnP) devices.
The suggested device redirection settings can only be enforced on client computers
running Remote Desktop Connection (RDC).

Note: The enforcing of device redirection feature on a client cannot provide guaranteed
security even for RDC clients.

For more information about TS CAPs, see "TS Gateway Overview" on the
Microsoft TechNet Web site.
6-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

TS Resource Authorization Policies

Key Points
TS RAPs allow you to regulate access by specifying the internal network resources
that users can connect to through TS Gateway. You can create a computer group
and associate it with a TS RAP. You can also create a group of computer accounts
in Active Directory and associate it with a TS RAP.
When you associate a TS Gateway-managed computer group with a TS RAP, you
can use both the fully qualified domain names (FQDNs) and NetBIOS names by
adding them separately to the computer group.
When you associate an Active Directory security group to a TS RAP, both FQDNs
and NetBIOS computer names are automatically supported, if the computer to
which you are connecting is in the same domain as the TS Gateway server. If the
client computer is in a different domain from the TS Gateway server, then the
FQDN of the client computer needs to be specified.
 Configuring and Troubleshooting Terminal Services Gateway 6-15

MCT USE ONLY. STUDENT USE PROHIBITED

If you want remote users to connect to a computer managed by TS Gateway by
using either the computer name or the IP address, then you need to add the
computer twice to the computer group—once by the computer name and then by
the IP address of the computer.
Tasks involved in managing TS RAPs include:
• Enabling or disabling TS RAPs
• Modifying or removing a local TS RAP
• Specifying the computers that users can connect to through TS Gateway
• Configuring the TS clients to access resources on the network

Note: Remote users should meet the conditions specified in at least one TS CAP and one
TS RAP to be able to connect to resources on the internal network through TS Gateway.
6-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 2:
Monitoring and Troubleshooting TS Gateway
Connections

TS Gateway has monitoring capabilities that allow you to view the information
about active connections from the TS clients to the internal network resources.
Furthermore, the TS Gateway server can be configured to use Network Access
Protection (NAP). NAP is a feature of Microsoft Windows Server 2008 that allows
administrators to maintain computer health.
Although TS Gateway provides these tools to monitor connections and enforce
compliance with health requirement policies for network access, you will still need
to resolve connectivity issues. You can use the TS Gateway Manager to
troubleshoot the TS Gateway connections.
 Configuring and Troubleshooting Terminal Services Gateway 6-17

MCT USE ONLY. STUDENT USE PROHIBITED

Monitoring Active Connections Through TS Gateway

Key Points
You can use the TS Gateway Manager to monitor the active connections from TS
clients to network resources.
You can specify the events to be logged, such as successful or unsuccessful
connection attempts to an internal network computer through the TS Gateway
server. When an event occurs, you can monitor the event by using the Windows
Event Viewer.

For more information about monitoring active connections by using the

TS Gateway server, see "Monitoring Active Connections Through a TS
Gateway Server" on the Microsoft TechNet Web site.
6-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Network Access Protection

Key Points
Configuring TS Gateway to use NAP allows administrators to enforce system
health requirements, security update requirements, required computer
configurations, and other settings.
NAP controls network resources based on the identity of a computer and
compliance with corporate governance policy.
NAP presents an application programming interface (API) that allows developers
to create solutions for validation of health status, limitation of network access or
communication, and ongoing compliance.
In addition, NAP allows administrators to define granular levels of network access
based on the identity of the client, the group the client belongs to, and the degree
of compliance with corporate governance policy.
 Configuring and Troubleshooting Terminal Services Gateway 6-19

MCT USE ONLY. STUDENT USE PROHIBITED

Note: NAP does not prevent authorized users on a compliant computer from uploading
malicious program to the network.

For more information about NAP, see "Network Access Protection" on

the Microsoft MSDN Web site.
6-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Demonstration: Configuring Network Access Protection on
TS Gateway

Question: Which operating systems are supported as NAP clients when TS

Gateway server enforces NAP?
 Configuring and Troubleshooting Terminal Services Gateway 6-21

MCT USE ONLY. STUDENT USE PROHIBITED

Troubleshooting TS Gateway

Key Points
To ensure that client computers successfully connect through TS Gateway, the TS
Gateway server must be configured correctly. You need to ensure that the server is
configured to use an appropriate SSL-compatible X.509 certificate, and the TS
CAPs and RAPs are correctly configured.
In addition, you need to:
• Check the authentication method used for the connection.
• Check the number of simultaneous connections being made.
• Check the traffic of ports used for TS on the firewall.
6-22 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Question: If you get an error message displaying that the authentication method
used by you is not supported, how will you change the authentication settings?

For more information about troubleshooting connections, see "TS

Gateway Server Connections" on the Microsoft TechNet Web site.
 Configuring and Troubleshooting Terminal Services Gateway 6-23

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Configuring and Troubleshooting TS
Gateway

Overarching Scenario
The enterprise administrator of Woodgrove Bank wants you to configure TS
Gateway so that remote users in the HR group can securely access the internal
network resources of the organization. You need to install the TS Gateway role on
the terminal server and create the connection and resource authorization policies
for the HR group.
6-24 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Configuring and Monitoring TS Gateway
Scenario
You need to install the TS Gateway role service on the terminal server and install a
self-signed certificate for the TS Gateway to function. You also need to create a CAP
and a RAP for the HR group so that the members of the HR group are able to
access the computers existing in the HR group.

Exercise Overview
In this exercise, you will install and configure the TS Gateway server role on the
terminal server and create a CAP and a RAP for the HR group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log
on to these machines as Administrator.
2. Install the TS Gateway role.
3. Install the certificate.
4. Create a CAP for the HR group.
5. Select the pre-configured Active Directory Security group HR.
6. Create a RAP for the HR group.

f Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by
using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-05 and log on as Administrator by using the password
Pa$$w0rd.
 Configuring and Troubleshooting Terminal Services Gateway 6-25

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Install the TS Gateway role
1. On 6428A-NYC-TS-05, start Server Manager and install the TS Gateway role
service.
2. On the Select Roles Services page, select the options to configure the server
authentication certificate for SSL encryption and the authorization policies for
TS Gateway, later.

f Task 3: Install the certificate

1. Start TS Gateway Manager, under NYC-TS, create a self-signed for SSL
encryption.
2. Specify the certificate name as NYC-TS.WOODGROVEBANK.COM.
3. Specify the certificate location as c:\certificate\NYS-TS.cer.
4. Start the Certificates snap-in by using the MMC command.
5. On the File menu, select Add/Remove Snap-in.
6. Import the certificate from c:\certificate\NYC-TS.cer by using the Certificate
Import Wizard.
7. Start the TS Gateway Manager, and on the properties page of NYC-TS, install
the certificate for NYC-TS.woodgrovebank.com.

f Task 4: Create a CAP for the HR group

1. On the TS Gateway Manager, under NYC-TS, create a new connection
authorization policy as TS CAP.
2. On the Requirements tab, under Supported Windows authentication
methods verify that Password is selected.
3. Add a group HR, and enable device redirection for all client devices for the
group.
6-26 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 5: Select the pre-configured Active Directory Security group HR
1. Start Active Directory Users and Computers and select the HR group for
WoodgroveBank.com.
2. Select NYC-TS as the Object Type for Computers.

f Task 6: Create a RAP for the HR group

1. On 6428A-NYC-TS-05 start the TS Gateway Manager, create Resource
Authorization Policy as TS RAP.
2. Add user group, HR and on the Computer Group tab, verify Select an
existing Active Directory security group is selected.
3. Select group HR, and on Allowed Ports tab, verify Allow connections only
through TCP port 3389 is selected.

Results: After this exercise, you should have installed the TS Gateway Server role
service and created a TS CAP and TS RAP for the HR group.
 Configuring and Troubleshooting Terminal Services Gateway 6-27

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Troubleshooting the TS Gateway Connections
Scenario
You receive a service request from the Help Desk that a user, Baris, is unable to
connect to the network using TS Gateway. You need to verify that the TS Gateway
Server certificate has not expired. You also need to verify that the TS Gateway
configuration is correct. In addition, you need to check that the user exists in the
HR group, which can access the TS Gateway Server. An additional service request
is to include Bernard to the HR group.

Exercise Overview
In this exercise, you need to verify that the TS Gateway server certificate has not
expired. You also need to check the TS CAP and RAP for the HR group. In
addition, you need to verify the existence of the user Baris in the HR group and
add a new user Bernard to the HR group.
The main tasks for this exercise are as follows:
1. Verify that the TS Gateway Server certificate has not expired.
2. Verify that the TS CAP is accurate.
3. Verify that the TS RAP is accurate.
4. Verify that the user Baris exists in the HR group.
5. Add Bernard to the HR group.
6. Verify that the TS RAP is functional.
7. Shut down the virtual machines.

f Task 1: Verify that the TS Gateway Server certificate has not expired
1. On 6428A-NYC-TS-05, in the TS Gateway Manager, in the properties page of
NYC-TS, on the SSL Certificate tab, verify that Select an existing certificate
for SSL encryption (recommended) is selected.
2. Install the certificate for NYC-TS.woodgrovebank.com.
3. Verify validity of certificate has not expired.
6-28 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Verify that the TS CAP is accurate
1. In the Server Manager, under NYC-TS, in Connection Authorization Policies
select TS CAP policy.
2. In the properties page of TS CAP, verify that the policy is enabled.
3. Verify that the authentication method for Windows is Password.
4. Verify that WOODGROVEBANK\HR group exists.
5. Verify that Device redirection for all client devices is selected.

f Task 3: Verify that the TS RAP is accurate

1. In the Server Manager, under NYC-TS in Resource Authorization Policies
select TS RAP policy.
2. In the TS RAP Policy Properties page, verify that the policy is enabled.
3. Verify that WOODGROVEBANK\HR group exists.
4. Under Select an existing Active Directory security group verify that
WOODGROVEBANK\HR exists.
5. On the Allowed Ports tab, verify that Allow connections only through TCP
port 3389 is selected.

f Task 4: Verify that the user Baris exists in the HR group

1. On 6428A-NYC-DC1-06, start Active Directory Users and Computers.
2. Under WoodgroveBank.com select HR Security group.
3. In the properties of HR security group, verify user Baris Cetinok exists.

f Task 5: Add Bernard to the HR group

1. In the Active Directory Users and Computers snap-in, under
WoodgroveBank.com, verify Users is selected.
2. In the properties of HR security group, add a user Bernard Duerr.
 Configuring and Troubleshooting Terminal Services Gateway 6-29

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 6: Verify that the TS RAP is functional
1. Install the certificate, NYC-TS.cer from \\NYC-TS\certificate using the
Certificate Import Wizard.
2. Open remote connection by using the MSTSC command.
3. In Remote Desktop Connection, configure these TS Gateway Server settings
as:
• Server name: NYC-TS.woodgrovebank.com
• Logon method: Ask for password (NTLM)
4. Connect to NYC-TS, as Woodgrovebank\Baris with password Pa$$w0rd.

f Task 7: Shut down the virtual machines

1. Turn off 6428A-NYC-DC1-06 virtual machine and discard undo disk.
2. Turn off 6428A-NYC-TS-05 virtual machine and discard changes.

Results: After this exercise, you should have verified that the configuration of TS
Gateway is correct and the user Baris exists in the HR group. In addition, you should
have added a new user Bernard to the HR group.
6-30 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
 Managing and Monitoring Terminal Services 7-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 7
Managing and Monitoring Terminal Services
Contents:
Lesson 1: Methods for Managing and Monitoring TS 7-3
Lesson 2: Configuring Windows System Resource Manager for TS 7-9
Lab: Managing and Monitoring TS 7-14
7-2 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Module Overview

As an administrator using Microsoft Windows Server® 2008 TS, you need to

manage and monitor TS connections to ensure smooth transactions between the
terminal server and the client computers. This module introduces the tasks
involved in managing TS connections. It also describes some of the tools used to
monitor TS connections.
Additionally, you can use Windows System Resource Manager (WSRM) to manage
server processor resources and memory usage. This module introduces the
features of WSRM and how to configure WSRM.
 Managing and Monitoring Terminal Services 7-3

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson 1:
Methods for Managing and Monitoring TS

To manage the TS connections, you need to perform tasks such as remotely

controlling user sessions and resetting connections. The TS connections can be
monitored by using tools such as the TS Gateway Manager and the Performance
and Reliability Monitor.
Besides managing and monitoring TS connections, you will also need to perform
troubleshooting steps to resolve client connectivity issues. These issues can be
resolved by reviewing the errors in the Event Viewer.
7-4 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Managing the TS Connections

Key Points
To remotely manage the TS connections, you need to be a member of the
administrators group. You can enable, disable, rename, or delete the TS
connections.

Note: It is a security best practice to manage TS connections by using the Run as

command through the user interface or at the command prompt, instead of logging on
with administrator credentials.
 Managing and Monitoring Terminal Services 7-5

MCT USE ONLY. STUDENT USE PROHIBITED

Question: When logged on as an administrator, which setting will you use to
remotely interact with a user’s session?

For more information about managing connections, see "Manage

Terminal Services Connections" on the Microsoft TechNet Web site.
7-6 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Monitoring the TS Connections

Key Points
You can use the TS Gateway Manager to audit specific events such as the
unsuccessful attempts to connect to the TS Gateway server by the client. These
events can then be monitored by using the Event Viewer.
You can monitor the TS Web Access outbound traffic by using the Microsoft®
Internet Security and Acceleration (ISA) Server Management tool, and check the
ISA Server log to determine which rule is denying the outbound traffic to the
Internet.
The Performance and Reliability Monitor provides the following new features in
Windows Server 2008:
• A data collector set that groups portable data collectors used with different
performance monitoring scenarios
 Managing and Monitoring Terminal Services 7-7

MCT USE ONLY. STUDENT USE PROHIBITED

• The Resource View that provides an enhanced view of the CPU, disk, network,
and memory usage
• The Reliability Monitor that helps you to diagnose potential causes of the
instability of the system

For more information about monitoring methods, see "Troubleshooting

Web Access for Internal Clients," "Windows Server "Longhorn"
Performance and Reliability Monitoring Step-by-Step Guide, " and
"Introducing Microsoft System Center Operations Manager 2007" on
Microsoft TechNet Web site.
7-8 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Discussion: Troubleshooting the Client Connectivity Issues

For more information about troubleshooting client connectivity issues,

see "TS Gateway Server Connections" on the Microsoft TechNet Web
site.
 Managing and Monitoring Terminal Services 7-9

MCT USE ONLY. STUDENT USE PROHIBITED

Lesson2
Configuring Windows System Resource
Manager for TS

With WSRM, you can manage your resources such that all resources are provided
evenly to all processes. Alternatively, you can make resources available to high-
priority services, applications, or users.
7-10 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Introduction to Windows System Resource Manager

Key Points
The condition for WSRM to function is that the combined processor load should
be greater than 70%. In case of a conflict among processor resources, resource
allocation policies are used to ensure minimum resource availability. This
availability is based on the management profile defined by the administrator.

Question: You want to troubleshoot a processor resource problem. Which tool in

WSRM can you use to view the usage of hardware resources and the activity of
system services on the computer?

For more information about WSRM, see "Terminal Services and Windows
System Resource Manager" on the Microsoft TechNet Web site.
 Managing and Monitoring Terminal Services 7-11

MCT USE ONLY. STUDENT USE PROHIBITED

Features of Windows System Resource Manager

Key Points
WSRM can be used to collect resource usage data from multiple servers and store
it on a single computer running WSRM.
The benefits of using WSRM are:
• Improved availability of services on a single server through dynamically
managed resources
• Improved accessibility of the system for high-priority users or administrators
during maximum resource load

For more information about the features of WSRM, see "Overview of

Windows System Resource Manager" on the Microsoft TechNet Web
site.
7-12 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Configuring Windows System Resource Manager

Key Points
Equal_Per_Session is the new and recommended resource allocation policy for
configuring WSRM in Windows Server 2008 TS.
While monitoring the performance of the terminal server, it is also recommended
that you collect data before and after implementing the Equal_Per_Session
resource allocation policy.
There are some applications and processes that dynamically change their own
memory limits. As a best practice, you should not specify the memory limits in
WSRM for such applications and processes.
You must also note that excessive limitation of memory for an application can slow
down the working of the application and increase disk usage.
 Managing and Monitoring Terminal Services 7-13

MCT USE ONLY. STUDENT USE PROHIBITED

Question: You want to set a limit on the memory used by the different processes
on a system. Which feature of WSRM will help you do this?

For more information about configuring WSRM using resource allocation

policies, see "Creating Resource Management Policies" and "Working
with Resource Allocation Policies" on Microsoft TechNet Web site.
7-14 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Lab: Managing and Monitoring TS

Overarching Scenario
You receive a service request from the Network Operations Center (NOC) claiming
that there is an overload of resource utilization. Therefore, you have been asked to
configure the NOC technicians’ client computers to connect to TS through TS
Gateway and manage these connections.
The enterprise administrator has also tasked you with installing WSRM on the TS.
You need to configure WSRM to monitor the performance of the terminal server.
You are also required to configure the resource allocation policies.
 Managing and Monitoring Terminal Services 7-15

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Managing the TS Connections
Scenario
You are required to configure the NOC technician’s client computer for a TS
Gateway connection. To manage the remote connections, you have been asked to
log off, disconnect, and reset all TS connections for your TS Gateway server. You
also need to verify that the NOC technician’s computer is properly configured by
remotely controlling the user session.

Exercise Overview
In this exercise, you will configure the TS Gateway settings on the client computer.
You will then disconnect the NOC technician’s computer and reset the connection.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS -07 virtual machines and
log on to these machines as Administrator.
2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.
3. Configure the TS Gateway settings on the client.
4. Manage the TS connections on the terminal server.

f Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 and log on as WoodgroveBank\Administrator by
using the password Pa$$w0rd.
2. Start 6428A-NYC-TS-07 and log on as WoodgroveBank\Administrator by
using the password Pa$$w0rd.

f Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as

Susan
• Start 6428A-NYC-WEB-05, switch the user and log on as Susan who belongs
to the NOC Department using the password pass@word1.
7-16 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Configure the TS Gateway settings on client
1. To configure TS Gateway on 6428A-NYC-WEB-05, start Remote Desktop
Connection.
2. Configure the following settings in Options:
• TS Gateway server name as NYC-TS.Woodgrovebank.com
• Logon method as Ask for password (NTLM)
• Logon settings as NYC-TS
3. Connect to the terminal server NYC-TS.
4. Log on as Woodgrovebank\Susan with the password pass@word1.

f Task 2: Manage the TS connections on the terminal server

1. Log off all TS Gateway connections on 6428A-NYC-TS -07 by using Terminal
Services Manager.
2. Disconnect all TS Gateway connections.
3. Reset all TS Gateway Connections.

Results: After this exercise, you should have configured the TS Gateway settings on the
client and managed the TS connections remotely.
 Managing and Monitoring Terminal Services 7-17

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Monitoring the TS Connections
Scenario
You receive a request from the enterprise administrator asking you to configure the
TS connections. As an administrator, you need to limit the number of TS
connections to 2. You also need to configure the refresh option of the connection.
These settings will help you monitor the TS connections. In addition, you also
need to specify the events to be logged for the TS Gateway connections.

Exercise Overview
In this exercise, you need to monitor TS connections by using the TS Gateway
Manager and specify the TS Gateway events to be logged.
The main tasks for this exercise are:
1. Connect to the remote computer.
2. Monitor TS Gateway.
3. Specify the TS Gateway events to be logged.

f Task 1: Connect to the remote computer

1. Connect to 6428A-NYC-TS -07 by using Remote Desktop Connection on
6428A-NYC-WEB-05.
2. Log on as Woodgrovebank\Susan using the password pass@word1.

f Task 2: Monitor TS Gateway

1. On 6428A-NYC-TS -07, start TS Gateway Manager.
2. On the NYC-TS node, monitor Susan’s session.
3. Edit the connection by using the NYC_TS Properties dialog box.
4. Limit the maximum number of simultaneous connections to 2.
5. On the Actions panel, set the Automatic Refresh Options to 0:30:20.
6. Disconnect Susan’s connection.
7-18 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Specify the TS Gateway events to be logged
1. On the TS Gateway Manager snap-in, in the NYC-TS Properties dialog box,
select the events to be audited for TS Gateway server.
2. View the events in the Event Viewer.

Results: After this exercise, you should have monitored the TS Gateway connections
and specified the events to be logged for TS Gateway.
 Managing and Monitoring Terminal Services 7-19

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring WSRM for TS
Scenario
You receive a service request from the enterprise administrator to install and
configure WSRM for Terminal Services. You are asked to monitor the
Equal_Per_Session resource allocation policy for TS. After observing the
performance and generating a report for the per session policy, you need to
implement the Equal_Per_User policy on TS.

Exercise Overview
The main tasks for this exercise are as follows:
1. Install WSRM on TS.
2. Configure the TS resource allocation policy for per session.
3. Monitor TS performance by using Resource Monitor.
4. Configure the TS resource allocation policy for per user.
5. Shut down the virtual machines.

f Task 1: Install WSRM on TS

1. Start Server Manager on 6428A-NYC-TS-07, under Features Summary, select
Windows System Resource Manager.
2. Install WSRM by using the wizard.
3. Open the Windows System Resource Manager snap-in.
4. In the Connect to computer dialog box, select This computer.

f Task 2: Configure the TS resource allocation policy for per session

• In the Windows System Resource Manager snap-in, under the Resource
Allocation Policies node, implement the per session resource-allocation
policy.
7-20 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Monitor TS performance using Resource Monitor
1. In the Windows System Resource Manager snap-in, display the Resource
Monitor.
2. Review the performance data.
3. Display the Properties dialog box, and change the Graph to Report.
4. In the Windows System Resource Manager Properties dialog box, configure
the e-mail notification options as [email protected].
5. Use the SMTP server NYC-TS.woodgrovebank.com.
6. Select two or more events under the Error, Warning, and Information nodes.

f Task 4: Configure the TS resource allocation policy for per user

• On the Windows System Resource Manager snap-in, under the Resource
Allocation Policies node, implement the per user resource-allocation policy.

f Task 5: Shut down the virtual machines

• Turn off each virtual machine that is running and discard changes.

Results: After this exercise, you should have configured WSRM, configured the
resource allocation policies, and monitored the TS performance by using the Resource
Monitor.
 Managing and Monitoring Terminal Services 7-21

MCT USE ONLY. STUDENT USE PROHIBITED

Lab Review
7-22 Configuring and Troubleshooting Microsoft Windows Server 2008 Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential, and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.
 Lab: Configuring TS Core Functionality L1-1

MCT USE ONLY. STUDENT USE PROHIBITED

Module 1: Configuring Terminal Services Core
Functionality
Lab: Configuring TS Core
Functionality
Exercise 1: Installing and Configuring the TS Server Role Service
Exercise 2: Configuring the TS Settings

Logon Information:
• Virtual Machine1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-01
• User Name: Administrator/Baris
• Password: Pa$$w0rd

Estimated time: 65 minutes

Exercise 1: Installing and Configuring the TS Server Role

Service
Exercise Overview
In this exercise, you will install and configure the TS core functionality at the New
York head office.

The main tasks for this exercise are as follows:

1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual machines and log
on to these machines as Administrator.
2. Install the TS server role service.
L1-2 Module 1: Configuring Terminal Services Core Functionality

MCT USE ONLY. STUDENT USE PROHIBITED

3. Configure authentication on the terminal server.
4. Configure the default credentials to be used on the terminal server.
5. Create a .rdp file and configure custom display.
6. Enable ClearType and Font smoothing.
7. Enable support for PnP redirection.
8. Install and configure WSRM.
9. Install the Desktop Experience.
10. Remotely connect to TS by using RDC.

f Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-01 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
Wait for the virtual machine to start. The Recent Events section will display the
messages of the events.
2. Log on with the default login ID WOODGROVEBANK\Administrator and
the password Pa$$w0rd, and then click Go. The Server Manager snap-in is
displayed.

Note: Wait for the domain controller, 6428A-NYC-DC1-01, logon screen to appear
before starting 6428A-NYC-TS-01 virtual machine. If the virtual machine is not properly
shut down, the Shutdown Event Tracker dialog box will be displayed. Select the
Security issue option from the drop-down list and click OK.

3. Start 6428A-NYC-TS-01 using the Lab Launcher tool.

4. Log on with the ID WOODGROVEBANK\administrator and password
Pa$$w0rd.The Server Manager snap-in is displayed.
5. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, click
Active Directory Users and Computers.
6. In the left pane, click the WoodgroveBank.com node, click Computers, and
verify that NYC-TS is displayed in the right pane.
 Lab: Configuring TS Core Functionality L1-3

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Install the TS server role service
1. On 6428A-NYC-TS-01, in Server Manager, in the left pane, right-click Roles,
and then click Add Roles.
2. In the Add Roles Wizard, on the Before You Begin page, click Next.
3. On the Select Server Roles page, under Roles list, select the Terminal
Services check box, and then click Next.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, select the Terminal Server check box, and
then click Next.
6. On the Uninstall and Reinstall Applications for Compatibility page, click
Next.
7. On the Specify Authentication Method for Terminal Server page, select
Require Network Level Authentication option, and then click Next.
8. On the Specify Licensing Mode, select Per User, and then click Next.
9. On the Select User Groups Allowed Access To This Terminal Server page,
click Add.
10. In the Select Users, Computers, or Groups dialog box, verify that From this
location box has WoddgroveBank.com.
11. In the Enter the object names to select{examples} box, type
NYC_MarketingGG, click Check Names, click OK, and then click Next.
12. On the Confirm Installation Selections page, click Install.
13. On the Installation Progress page, note the installation progress. On
completion of the installation, the Installation Results page is displayed.
14. On the Installation Results page, you are prompted to restart the server to
finish the installation process. Click Close.
15. On the Add Roles Wizard message box, click Yes to restart the server.
16. After the server restarts and you log on to the computer as
WOODGROVEBANK\Administrator and password Pa$$w0rd, the Resume
Configuration Wizard is displayed. On the Installation Progress page, note
the installation progress. On completion of the installation, the Installation
Results page is displayed.
17. Observe that the installation of the Terminal Services has succeeded. Click
Close.
L1-4 Module 1: Configuring Terminal Services Core Functionality

MCT USE ONLY. STUDENT USE PROHIBITED

18. On the Server Manager link, scroll down to the Roles Summary section, click
the Terminal Services link.
19. On the Terminal Services page, scroll down to System Services section, and
confirm that the Status for TS is Running.
20. In the Role Services section, confirm that the Status for TS is Installed.
21. Close the Server Manager.

f Task 3: Configure authentication on the terminal server

1. Start the Terminal Services Configuration snap-in on 6428A-NYC-TS-01.
Click Start, click Run, in the Open box type tsconfig.msc, and then click OK.
2. On the Terminal Services Configuration page, in the middle pane, in the
Connections section, under Connection Name, right-click RDP-Tcp, and then
click Properties.
3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security
Layer box, select SSL (TLS 1.0) from the drop-down list box, and then click
OK.

f Task 4: Configure the default credentials to be used on the terminal

server
1. Start the Local Group Policy Editor on 6428A-NYC-TS-01. Click Start, in the
Start Search box, type gpedit.msc, and then press ENTER.
2. In the left pane, under the Computer Configuration node, open the
Administrative Templates folder, then open the Systems folder, and then
open the Credentials Delegation folder.
3. In the right pane, under Setting, double-click Allow Delegating Default
Credentials.
4. In the Allow Delegating Default Credentials Properties dialog box, on the
Setting tab, click Enabled, and then click Show.
5. In the Show Contents dialog box, click Add to add servers to the list.
6. In the Add Item dialog box, in the Enter the item to be added box, type
6428A-NYC-TS-01, and then click OK.
 Lab: Configuring TS Core Functionality L1-5

MCT USE ONLY. STUDENT USE PROHIBITED

7. Click OK to close the Show Contents dialog box.
8. In the Allow Delegating Default Credentials Properties dialog box, click OK.
9. Close the Local Group Policy Editor.

f Task 5: Create .a rdp file and configure custom display

1. To create .rdp file, click Start, click Administrative tools, click Terminal
Services, and then click TS RemoteApp Manager.
2. On the TS RemoteApp Manager page, in the Actions pane, click Add
RemoteApp Programs, and then click Next.
3. In the RemoteApp Wizard page, select Remote Desktop Connection check
box, and click Next.
4. In the Review settings page, click Finish.
5. In TS RemoteApp Manager, scroll down to RemoteApp Programs, click
Remote Desktop Connection, and then right-click Create .rdp file to display
the RemoteApp Wizard page.
6. In the RemoteApp Wizard page, click Next.
7. Under the Specify Package Settings, verify the location of package is
C:\Program Files\Packaged Programs, click Next.
8. In the Review Settings page, click Finish.
9. To configure the custom display, click Start, click Computer, and browse to
C:\Program files\Packaged Programs\Mstsc.rdp.
10. Right-click the mstsc.rdp file, click Open With, double-click Other Programs,
and then select Notepad. Click OK.
11. At the bottom of the mstsc.rdp file, type desktopwidth:i:1680. Press ENTER.
12. Then type desktopheight:i:1050. Press ENTER.
13. Then type Span:i:1.
14. Click File, and then click Save. Close the mstsc.rdp file.
15. Close Packaged Programs.
L1-6 Module 1: Configuring Terminal Services Core Functionality

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 6: Enable ClearType and Font smoothing
1. Click Start, click Control Panel, and then in the left panel, click Control Panel
Home.
2. In Control Panel, click the Appearance and Personalization link.
3. Under Personalization, click Change the color scheme.
4. On the Appearance Settings page, on the Appearance tab, click Effects, and
then select the Use the following method to smooth edges of screen fonts
check box.
5. Verify that ClearType is selected by default, and then click OK twice.
6. Close the Control Panel\Appearance and Personalization screen.
7. Click Start, point to All Programs, click Accessories, and then click Remote
Desktop Connection.
8. In the Remote Desktop Connection dialog box, click Options.
9. In the Remote Desktop Connection dialog box, click the Experience tab, in
the Performance section, select the Font smoothing check box.

f Task 7: Enable support for PnP redirection

1. In the Remote Desktop Connection dialog box, on the Local Resources tab,
under Local devices and resources section, click More.
2. Under Local devices and resources, expand the Supported Plug and Play
devices node.
3. Select the Devices that I plug in later check box, and then click OK.
4. Close the Remote Desktop Connection dialog box.

f Task 8: Install and configure WSRM

1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to
Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click
the Add Features link. The Add Features Wizard page is displayed.
 Lab: Configuring TS Core Functionality L1-7

MCT USE ONLY. STUDENT USE PROHIBITED

3. In the wizard, on the Select Features page, scroll down and select the
Windows System Resource Manager check box. The Add Features Wizard
message box is displayed informing you that Windows Internal Database also
needs to be installed for Windows System Resource Manager (WSRM) to work
properly.
4. Click Add Required Features, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Progress page, note the installation progress. On
completion of the installation, the Installation Results page is displayed.
7. On the Installation Results page, confirm that the installation of Windows
Internal Database and WSRM succeeded, and then click Close.
8. To start the WSRM snap-in, click Start, point to Administrative Tools, and
then click Windows System Resource Manager. The WSRM snap-in is
displayed.
9. In the Connect to computer dialog box, under Administer, verify that This
Computer is selected, and then click Connect. This will enable the WRSM to
administer the local computer."
10. Close WSRM [Windows System Resource Manager (local)].

f Task 9: Install the Desktop Experience

1. To start the Server Manager snap-in on 6428A-NYC-TS-01, click Start, point to
Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click
the Add Features link. The Add Features Wizard page is displayed.
3. In the wizard, on the Select Features page, select the Desktop Experience
check box, and then click Next.
4. On the Confirm Installation Selections page, observe the message that the
server must be restarted after the installation of the Desktop Experience
completes, and then click Install.
5. On the Installation Progress page, note the installation progress. On
completion of the installation, the Installation Results page is displayed.
6. On the Installation Results page, you are prompted to restart the server to
finish the installation process. Click Close.
7. On the Add Features Wizard message box, click Yes to restart the server.
L1-8 Module 1: Configuring Terminal Services Core Functionality

MCT USE ONLY. STUDENT USE PROHIBITED

8. After the server restarts and you log on to the computer as
WOODGROVEBANK\Administrator with password Pa$$w0rd, the Resume
Configuration Wizard is displayed. On the Installation Progress page, note
the installation progress. On completion of the installation, the Installation
Results page is displayed.
9. Observe that the installation of the Desktop Experience has succeeded.
10. Click Close.
11. Close the Server Manager.

f Task 10: Remotely connect to TS by using RDC

1. On 6428A-NYC-DC1-01, open the Remote Desktop Connection. Click Start,
and then type mstsc in the Start Search box, and then press ENTER.
2. In the Remote Desktop Connection dialog box, in the Computer box, verify
that NYC-TS is displayed by default, and then click Connect. The Windows
Security dialog box is displayed.
3. In the Windows Security dialog box, click Use another account.
4. In the User name box, type WOODGROVEBANK\Baris.
5. In the Password box, type Pa$$w0rd, and then click OK. The Remote Control
screen is displayed.
6. Close the remote connection. The Disconnect Terminal Services Session
confirmation message box is displayed. Click OK.

Result: After this exercise, you should have installed and configured the TS server role
service.
 Lab: Configuring TS Core Functionality L1-9

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring the TS Settings
In this exercise, you will configure TS settings and the session broker settings.

Exercise Overview
The main tasks for this exercise are as follows:
1. Specify the program to start when user logs on to a remote session.
2. Configure the TS settings by using the Terminal Services Configuration snap-
in.
3. Modify the default permissions for built-in accounts.
4. Configure the Session Broker settings.
5. Shut down the virtual machines.

f Task 1: Specify the program to start when user logs on to a remote

session
1. Log on to 6428A-NYC-TS-01. Start Terminal Services Configuration on
6428A-NYC-TS-01. Click Start, point to Administrative tools, point to
Terminal Services, and then click Terminal Services Configuration.
2. In the Terminal Services Configuration snap-in, in the middle pane, in the
Connections section, under Connection Name, right-click RDP-Tcp, and then
click Properties.
3. In the RDP-Tcp Properties dialog box, click the Environment tab, under
Initial program area, click Start the following program when the user logs
on option.
4. In Program path and file name box, type C:\Program Files\Packaged
Programs\wordpad, and then click OK.
L1-10 Module 1: Configuring Terminal Services Core Functionality

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Configure the TS settings by using the Terminal Services
Configuration snap-in
1. In Terminal Services Configuration NYC-TS, in the middle panel, under the
Edit Settings area, under the General section, double-click the Delete
Temporary folders on exit option. The Properties dialog box is displayed.
2. On the General tab, verify that the following check boxes are selected:
• Restrict each user to a single session
• Delete Temporary folders on exit
• Use Temporary folders per session
Then click OK.
3. Close Terminal Services Configuration.

f Task 3: Modify the default permissions for built-in accounts

1. Start WMI Console. Click Start, click Run and type wmimgmt.msc, and press
ENTER.
2. In the Root tree, right-click WMI Control(Local), and then click Properties.
3. In the WMI Control (Local) Properties dialog box, click the Security tab,
click Security.
4. In the Security for Root dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, in the Enter the
object names to select (Examples) box, type Baris, and then click Check
Names. Click OK.
6. Under Permissions for Baris Centinok, select the Allow check box for the
Read Security permission, and then click OK.
7. Click OK to close WMI Control.
 Lab: Configuring TS Core Functionality L1-11

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 4: Configure the Session Broker Settings
1. Click Start, point to Administrative tools, point to Terminal Services, and
then click Terminal Services Configuration.
2. In the middle pane, in the Edit settings area, scroll down to the TS Session
Broker section, double-click Member of farm in TS Session Broker.
3. In the Properties page, on the TS Session Broker tab, select the Join a farm in
TS Session Broker check box.
4. In the TS Session Broker server name or IP address box, type NYC-TS.
5. In the Farm name in TS Session Broker box, type WoodgroveBank.
6. Select the Participate in Session Broker Load-Balancing check box.
7. Verify that the Use IP address redirection (recommended) check box is
enabled.
8. Select the IP address 10.10.0.23 check box, and then click OK.
9. The Terminal Services Configuration dialog box is displayed. Click Yes.
Close Terminal Services Configuration.

f Task 5: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.
MCT USE ONLY. STUDENT USE PROHIBITED
 Lab: Configuring and Troubleshooting TS Connections L3-13

MCT USE ONLY. STUDENT USE PROHIBITED

Module 3: Configuring and Troubleshooting
Terminal Services Connections
Lab: Configuring and
Troubleshooting TS Connections
Exercise 1: Configuring the TS Connection Properties
Exercise 2: Configuring the TS Connection Properties by Using Server Group
Policy
Exercise 3: Configuring SSO by Using Client Group Policy
Exercise 4: Troubleshooting Connectivity Issues

Logon Information:
• Virtual Machine1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-03
• User Names: Administrator/Bernard/Baris/Anton/Monika/Dana
• Password 1: Pa$$w0rd
• Password 2: Pass@word1

Estimated time: 70 minutes

L3-14 Module 3: Configuring and Troubleshooting Terminal Services Connections

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Configuring the TS Connection Properties
Exercise Overview
In this exercise, you will configure the TS connection properties by using the
Terminal Services Configuration snap-in.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS- 03 virtual machines and log
on to these machines as Administrator.
2. Configure the TS connection properties by using the Terminal Services
Configuration snap-in.

f Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS- 03 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.

2. The login ID is displayed as WOODGROVEBANK\Administrator. Log on by

using the password Pa$$w0rd, and then press ENTER.

Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before
starting the 6428A-NYC-TS-03 virtual machine.

3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd,

and then press ENTER. The Server Manager page is displayed by default.
 Lab: Configuring and Troubleshooting TS Connections L3-15

MCT USE ONLY. STUDENT USE PROHIBITED

5. On 6428A-NYC-TS-03, verify that TS is installed on this virtual machine by
performing the following steps:
• In the Server Manager, scroll down to the Roles Summary section, click
the Terminal Services link.
• On the Terminal Services page, under System Services section, verify
that the Status of Terminal Services is shown as Running.
• Under the Role Services section, verify that the Status of Terminal Server
is shown as Installed.
• Close the Server Manager console.

f Task 2: Configure the TS connection properties by using the Terminal

Services Configuration snap-in
1. To start the Terminal Services Configuration snap-in on 6428A-NYC-TS-03,
click Start, point to Administrative Tools, point to Terminal Services, and
then click Terminal Services Configuration.
2. Verify the remote control setting as follows:
a. In the middle pane, in the Connections section, under Connection Name,
right-click RDP-Tcp, and then click Properties.
b. In the RDP-Tcp Properties dialog box, click the Remote Control tab and
verify that the Use remote control with default user settings option is
selected.
3. To configure connection permissions:
a In the RDP-Tcp Properties dialog box, click the Security tab.
b. The Terminal Services Configuration message box is displayed. Click
OK.
c. Click the Advanced button below the Permissions for SYSTEM section.
The Advanced Security Settings for RDP-Tcp dialog box is displayed.
d. On the Permissions tab, in the Permission entries list, select the record
for Baris Cetinok, and then click the Edit button. The Permission Entry
for RDP-Tcp dialog box is displayed.
L3-16 Module 3: Configuring and Troubleshooting Terminal Services Connections

MCT USE ONLY. STUDENT USE PROHIBITED

e. On the Object tab, in the Permissions list, select the Deny check box for
the Disconnect permission, and then click OK.
f. In the Advanced Security Settings for RDP-Tcp dialog box, on the
Permissions tab, in the Permission entries list, select the record for
Bernard Duerr, and then click Edit. The Permission Entry for RDP-Tcp
dialog box is displayed.
g. On the Object tab, in the Permissions list, verify that the Allow check
boxes for all permissions are selected, and then click OK.
h. In the Advanced Security Settings for RDP-Tcp dialog box, on the
Permissions tab, in the Permissions entries list, select the record for
Anton Kirilov, and then click Edit.
i. On the Object tab, in the Permissions list, select the Allow check box for
the Disconnect permission and Deny check box for login permission. A
Windows Security Warning dialog box appears. Click Yes.
j. Click Yes to close the RDP-Tcp Properties dialog box.
4. Close the Terminal Services Configuration snap-in.

Results: After this exercise, you should have configured the connection properties.
 Lab: Configuring and Troubleshooting TS Connections L3-17

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Configuring the TS Connection Properties by
Using Server Group Policy
Exercise Overview
In this exercise, you will configure the TS connection properties by using Group
Policy.
The main tasks for this exercise are as follows:
1. Configure the TS connection properties.
2. Verify that a maximum of two clients can connect to the terminal server.

f Task 1: Configure the TS connection properties

1. To open the Group Policy Management snap-in on 6428-NYC-DC1-01, click
Start, click Run and in the Open box type gpmc.msc, and then click OK.
2. In the Group Policy Management snap-in, expand Forest:
WoodgroveBank.com, expand Domains, WoodgroveBank.com, NYC nodes,
then right-click Marketing, and then click Create a GPO in this domain, and
Link it here.
3. In the New GPO dialog box that is displayed, type the name of the policy as
GPO for TS Connection, and then click OK.
4. On the Marketing node, right-click the GPO for TS Connection link, and then
click Edit.
5. In the Group Policy Management Editor page, under the Computer
Configuration node, expand Policies, expand Administrative Templates,
expand Windows Components, click Terminal Services, and under the
Terminal Server node, click Connections.
6. In the right pane, under Setting, double-click Limit number of connections.
7. In the Limit number of connections properties dialog box, on the Setting
tab, select Enabled, in the TS Maximum Connections allowed box, select 2,
and then click OK.
8. In the right pane of the Group Policy Management Editor snap-in, under
Setting, double-click Automatic reconnection.
L3-18 Module 3: Configuring and Troubleshooting Terminal Services Connections

MCT USE ONLY. STUDENT USE PROHIBITED

9. In the Automatic reconnection Properties dialog box, select Enabled, and
then click OK.
10. In the left pane of the Group Policy Management Editor snap-in, under
Terminal Services node, expand the Terminal Server node, and then click
Security.
11. In the right pane of the Group Policy Management Editor snap-in, under
Setting, double-click Set client connection encryption level.
12. In the Set client connection encryption level Properties dialog box, select
Enabled.
13. From the Encryption level drop-down list, verify that Client Compatible is
selected, and then click OK.
14. In the left pane, under Terminal Services node, click Terminal Server, and
then click Session Time Limits.
15. In the right pane, double-click Set time limit for disconnected sessions.
16. In the Set time limit for disconnected sessions Properties dialog box, select
Enabled.
17. In the End a disconnected session box, select 5 minutes from the drop-down
list, and then click OK.
18. Close the Group Policy Management Editor page.
19. Close the Group Policy Management snap-in.
 Lab: Configuring and Troubleshooting TS Connections L3-19

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Verify that a maximum of two clients can connect to the
terminal server
1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc,
and then click OK.
2. In the Remote Desktop Connection dialog box, verify that the Computer box
displays Nyc-ts, and then click Connect.

Note: If the Remote Desktop Connection is disconnected perform the following steps to
create the remote connection:

a. Open Control Panel.

b. Click the Network and Sharing Center icon. Verify whether NYC-DC is
connected to Unidentified network.
c. Check the status of the Local Area Connection.
d. In the Network and Sharing Center window, under Tasks, click Manage
network connections.
e. In the Network Connections window, right-click Local Area Connection,
and then click Disable.
f. Then right-click Local area Connection, and click Enable.
g. Close the Network Connections window. In the Network and Sharing
Center window, check whether NYC-DC is connected to
WoodgroveBank.com.
3. In the Windows Security dialog box, click Use another account. Log on with
the login ID WOODGROVEBANK\Baris using the password Pa$$w0rd, and
then press ENTER.
4. Minimize the Nyc-ts Remote Desktop connection.
5. To log on as the second user, click Start, click Run, in the Open box type
mstsc, and then click OK.
6. In the Remote Desktop Connection dialog box, verify that the Computer is
Nyc-ts, and then click Connect.
L3-20 Module 3: Configuring and Troubleshooting Terminal Services Connections

MCT USE ONLY. STUDENT USE PROHIBITED

7. In the Windows Security dialog box, click Use another account.
8. Log on as WOODGROVEBANK\Bernard with the password as Pa$$w0rd
and then press ENTER.
9. Minimize the Nyc-ts Remote Desktop connection.
10. To log on as the third user, click Start, click Run, in the Open box type mstsc,
and then click OK.
11. In the Remote Desktop Connection dialog box, verify that the Computer is
Nyc-ts, and then click Connect.
12. In the Windows Security dialog box, click Use another account, log on with
the login ID WOODGROVEBANK\Anton using the password Pa$$w0rd, and
then click OK.
13. Observe that a message displaying “The requested session access is denied”
appears on the screen. Click OK.
14. Close all the remote connections.
15. The Disconnect Terminal Services Session dialog box is displayed. Click OK.

Results: After this exercise, you should have configured the TS connection properties
by using Server Group Policy.
 Lab: Configuring and Troubleshooting TS Connections L3-21

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring SSO by Using Client Group Policy
Exercise Overview
The main task for this exercise is to configure SSO by using client Group Policy.

f Task 1: Configure the SSO setting by using client Group Policy

1. To open the Terminal Services Configuration snap-in on 6428A-NYC-DC1-
01, click Start, click Run, in the Open box type tsconfig.msc, and then click
OK.
2. In the middle pane, under Connections section, under Connection Name,
right-click RDP-Tcp, and then click Properties.
3. In the RDP-Tcp Properties dialog box, on the General tab, in the Security
layer box, select SSL (TLS 1.0) from the drop-down list, and then click OK.
4. Close the Terminal Services Configuration snap-in.
5. To open the Local Group Policy Editor, click Start and in the Start Search
box, type gpedit.msc, and then press ENTER.
6. In the left pane, under the Computer Configuration node, expand the
Administrative Templates node, expand System node, and then click
Credentials Delegation.
7. In the right pane, under Setting, double-click Allow Delegating Default
Credentials.
8. In the Allow Delegating Default Credentials Properties dialog box, on the
Setting tab, click Enabled, and then click Show to add servers to the list.
9. In the Show Contents dialog box, click Add to add servers to the list.
10. In the Add Item dialog box, in the Enter the item to be added box, type
6428A-NYC-TS- 03, and then click OK.
11. Click OK to close the Show Contents dialog box.
12. In the Allow Delegating Default Credentials Properties dialog box, click OK.
13. Close the Local Group Policy Editor.

Results: After this exercise, you should have configured SSO by using client Group
Policy.
L3-22 Module 3: Configuring and Troubleshooting Terminal Services Connections

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 4: Troubleshooting Connectivity Issues
Exercise Overview
In this exercise, you will troubleshoot connectivity issues.
The main tasks for this exercise are as follows:
1. Verify the RDP settings, and check the event logs.
2. Verify the user and group permissions and policy settings.
3. Verify that the users are able to log on with the updated settings.
4. Shut down the virtual machines.

f Task 1: Verify the RDP settings and check the event Logs
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, point to
Terminal Services, and then click TS RemoteApp Manager.
2. In the TS RemoteApp Manager page, under the Overview section for RDP
Settings, click the Change link.
3. In the RemoteApp Deployment Settings dialog box, click the Terminal
Server tab.
4. On the Terminal Server tab, ensure that the Server name box has NYC-
TS.WoodgroveBank.Com.
5. Ensure that the port number in RDP Port is 3389, and then click OK to close
the RemoteApp Deployment Settings dialog box.
6. Close the TS RemoteApp Manager.
7. To display the Event Viewer dialog box, click Start, click Run, in the Open
box type eventvwr, press ENTER.
8. In the Event Viewer dialog box, expand the Windows Logs node.
9. Click Application, and check the details of any error in the events.
10. Close Event Viewer.
 Lab: Configuring and Troubleshooting TS Connections L3-23

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Verify the user and group permissions and policy settings
1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the left pane, under the WoodgroveBank.com node, expand the NYC node,
and then click Marketing.
3. In the right pane, right-click Monika Buschmann and then click Reset
Password.
4. In the Reset Password dialog box, in the New password box type
Pass@word1.
5. In the Confirm password box type Pass@word1, and then click OK.
6. In the Active Directory Domain Services confirmation box, click OK.
7. Close Active Directory Users and Computers snap-in.
8. To start the Terminal Services Configuration snap-in on 6428A NYC-TS-03,
click Start, point to Administrative Tools, point to Terminal Services, and
then click Terminal Services Configuration.
9. In the Connections section, under Connection Name, right-click RDP-Tcp,
and then click Properties.
10. In the RDP-Tcp Properties dialog box, click the Security tab. The Terminal
Services Configuration message box is displayed. Click OK to close the
message box.
11. On the Security tab, under Group or user names section, select Dana Birkby.
12. Click Advanced, select the record for Dana Birkby, click Edit and verify that
the check box under Deny for Remote Control is not selected. If selected,
clear the check box, and then click OK twice.
13. In the RDP-Tcp Properties dialog box, click the General tab.
14. In the Encryption level box, verify that the value is Client Compatible, and
then click OK.
15. Close the Terminal Services Configuration snap-in.
L3-24 Module 3: Configuring and Troubleshooting Terminal Services Connections

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Verify that the users are able to log on with the updated
settings
1. On 6428A-NYC-DC1-01, click Start, click Run, in the Open box type mstsc,
and then click OK.
2. In the Remote Desktop Connection dialog box, verify that the computer is
Nyc-ts, and then click Connect.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to
create the remote connection:

a. Open Control Panel.

b. Click the Network and Sharing Center icon. Verify that NYC-DC is
connected to Unidentified network.
c. Check the status of the Local Area Connection.
d. In the Network and Sharing Center window, under Tasks, click Manage
network connections.
e. In the Network Connections window, right-click Local Area Connection,
and then click Disable.
f. Then, right-click Local area Connection and click Enable.
g. Close the Network Connections window. In the Network and Sharing
Center window, verify that NYC-DC is connected to
WoodgroveBank.com.
3. In the Windows Security dialog box, click Use another account, log on as
WOODGROVEBANK\Monika with the password as Pass@word1 and then
click OK.
4. To log off Monika, click Start, point to the arrow key next to the lock
computer button, and then click Log off.
5. To log on as the second user, click Start, click Run, type mstsc, and then click
OK.
6. In the Remote Desktop Connection dialog box, click Connect.
 Lab: Configuring and Troubleshooting TS Connections L3-25

MCT USE ONLY. STUDENT USE PROHIBITED

7. In the Windows Security dialog box, click Use another account.
8. Log on as WOODGROVEBANK\Dana with the password as Pa$$w0rd and
then click OK.
9. Close the remote connection.
10. The Disconnect Terminal Services Session dialog box is displayed. Click OK.

f Task4: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have used troubleshooting techniques to
resolve connectivity issues.
MCT USE ONLY. STUDENT USE PROHIBITED
 Lab: Configuring TS RemoteApp and Easy Print L4-27

MCT USE ONLY. STUDENT USE PROHIBITED

Module 4: Configuring Terminal Services
RemoteApp and Easy Print
Lab: Configuring TS RemoteApp
and Easy Print
Exercise 1: Configuring and Deploying TS RemoteApp Programs
Exercise 2: Configuring TS Easy Print

Logon Information:
• Virtual Machine1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-03
• User Names: Administrator/Baris
• Password: Pa$$w0rd

Estimated time: 45 minutes

Exercise 1: Configuring and Deploying TS RemoteApp

Programs
Exercise Overview
In this exercise, you will install TS Web Access and create a link to Microsoft®
PowerPoint Viewer for the Marketing group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual machines and log
on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Add the computer account of the TS Web Access server to the security group.
L4-28 Module 4: Configuring Terminal Services RemoteApp and Easy Print

MCT USE ONLY. STUDENT USE PROHIBITED

4. Specify the data source.
5. Install PowerPoint Viewer.
6. Add the PowerPoint Viewer program in the RemoteApp Programs list.
7. Configure an RDP file from the PowerPoint Viewer RemoteApp program.
8. Determine if the RemoteApp program is enabled for TS Web Access.
9. Configure the TS Web Access server to allow access from the Internet.

f Task 1: Start the 6428A-NYC-DC1-01 and 6428A-NYC-TS-03 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-01 using the Lab Launcher tool.
2. Log on using the default ID as WOODGROVEBANK\Administrator and
password Pa$$w0rd. The Server Manager page is displayed by default.

Note: Wait for the domain controller 6428A-NYC-DC1-01 logon screen to appear before
starting the 6428A-NYC-TS-03 virtual machine.

3. Start 6428A-NYC-TS-03 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
The Server Manager page is displayed by default.

f Task 2: Install the TS Web Access role service

1. On 6428A-NYC-TS-03, in Server Manager, scroll down to the Roles Summary
section, click the Terminal Services link. On Terminal Services, scroll down
to Roles Services.
2. In the Role Services section, click the Add Role Services link.
3. On the Select Role Services page, select the TS Web Access check box. The
Add Role Services dialog box is displayed.
4. Review the information about the required role services for Web Server (IIS)
and click Add Required Role Services, and then click Next.
5. Review the Web Server (IIS) page, and then click Next.
 Lab: Configuring TS RemoteApp and Easy Print L4-29

MCT USE ONLY. STUDENT USE PROHIBITED

6. On the Select Role Services page, you are prompted to select the role services
that you want to install for IIS. Then, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation progress page, note the installation progress. On
completion of the installation, the Installation Results page is displayed.
9. On the Installation Results page, confirm that the installation of TS Web
Access succeeded, and then click Close.
10. On the Server Manager page under Roles Services, confirm that TS Web
Access is Installed.
11. Close the Server Manager.

f Task 3: Add the computer account of the TS Web Access server to the
security group
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then
click Computer Management.
2. In the left pane, click the Local Users and Groups node, and then click the
Groups node.
3. In the middle pane, double-click the group name TS Web Access Computers.
4. In the TS Web Access Computers Properties dialog box, to add members in
the group, click the Add button.
5. In the Select Users, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then
click OK.
7. In the Enter the object names to select {examples} box, type NYC-TS as the
computer account of the TS Web Access server, click Check Names, and then
click OK.
8. Click OK to close the TS Web Access Computers Properties dialog box.
L4-30 Module 4: Configuring Terminal Services RemoteApp and Easy Print

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 4: Specify the data source
1. To start Internet Explorer, click Start, click All Programs, and then click
Internet Explorer.
2. To connect to the TS Web Access Web site, in the URL box, type http://NYC-
TS/ts. Click the go button.
3. In the Connect to nyc-ts dialog box, log on to the site as
WoodgroveBank\Administrator with the password Pa$$w0rd.
4. A message box regarding the blocked content is displayed. To add the site as a
trusted site, click the Add button.
5. The Trusted sites message box is displayed. Click Add.
6. Close the Trusted sites message box.

Note: If you are already logged on to the computer, you are not prompted for the
credentials. You need to add the Web site as a trusted Web site only the first time you
access the site.

7. On the title bar, click the Configuration tab.

8. On the right side of the page, in the Editor Zone area, in the TS Web Access
Properties section, in the Terminal server name box, type NYC-TS.
9. Click Apply to apply the changes.

f Task 5: Install PowerPoint Viewer

1. Click Start, and then click Command Prompt.
2. At the command prompt, type change user /install, press ENTER, and then
close the window.
3. Click Start, click Control Panel, and then double-click the Install Application
on Terminal Server icon.
4. In the Install Program From Floppy Disk or CD-ROM wizard, click Next.
5. Click Browse. In the left pane, click Computer, and then browse to E:\Tools.
6. At the bottom of the page, in the Setup programs box, select All Files from the
drop-down list.
 Lab: Configuring TS RemoteApp and Easy Print L4-31

MCT USE ONLY. STUDENT USE PROHIBITED

7. Double-click PowerPointViewer.exe.
8. In the Run Installation Program page, click Next.
9. In the Microsoft Office PowerPoint Viewer 2007 license agreement page,
select the check box to accept the license terms, and click Continue.
10. The Microsoft Office PowerPoint Viewer 2007 message box informing about
the completion of the installation is displayed. Click OK.
11. On the Finish Admin Install page, click Finish.

f Task 6: Add the PowerPoint Viewer program in the RemoteApp

Programs list
1. Start TS RemoteApp Manager on 6428A-NYC-TS-03. Click Start, point to
Administrative Tools, point to Terminal Services, and then click TS
RemoteApp Manager.
2. In the Actions pane on the right, click Add RemoteApp Programs.
3. On the Welcome to the RemoteApp Wizard page, click Next.
4. On the Choose programs to add to the RemoteApp Programs list page,
select the check box next to Microsoft Office PowerPoint Viewer 2007
program.
5. Click Microsoft Office PowerPoint Viewer 2007 program, and then click
Properties.
6. In the RemoteApp Properties dialog box, verify that the RemoteApp program
is available through TS Web Access check box is selected, click OK, and then
click Next.
7. On the Review Settings page, review the settings and then click Finish.

f Task 7: Configure an RDP file from the PowerPoint Viewer RemoteApp

program
1. Scroll down to the RemoteApp Programs list and click Microsoft Office
PowerPoint Viewer 2007.
2. On the Actions pane under Microsoft PowerPoint Viewer 2007, click Create
.rdp File.
3. On the Welcome to the Remote App Wizard page, click Next.
L4-32 Module 4: Configuring Terminal Services RemoteApp and Easy Print

MCT USE ONLY. STUDENT USE PROHIBITED

4. On the Specify Package Settings page:
• Keep the default location to save the program as C:\Program
Files\Packaged Programs.
• Verify that the terminal server setting is NYC-TS.WoodgroveBank.com.
• Verify that the required server authentication is set to Yes.
• Verify that the port is 3389.
5. Click Next.
6. On the Review Settings page, click Finish.

f Task 8: Determine if the RemoteApp program is enabled for TS Web

Access
1. On 6428A-NYC-TS-03, in the RemoteApp Programs list, verify that a Yes
value appears for TS Web Access next to Microsoft Office PowerPoint
Viewer 2007 that you want to make available through TS Web Access.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In URL box type http:// NYC-TS/TS.
4. In the Connect to nyc-ts dialog box, provide user credentials from the
Marketing Group. In User name type WoodGroveBank\Baris and provide
password Pa$$w0rd, and then click OK.

f Task 9: Configure the TS Web Access Server to allow access from the
Internet
1. On 6428A-NYC-TS-03, click Start, point to Administrative Tools, and then
click Internet Information Services (IIS) Manager.
2. In the left pane of Internet Information Services (IIS) Manager, click the
NYC-TS(WOODGROVEBANK\Administrator) node, click the Sites node,
click the Default Web Site node, and then click TS.
 Lab: Configuring TS RemoteApp and Easy Print L4-33

MCT USE ONLY. STUDENT USE PROHIBITED

3. In the middle pane, scroll down to IIS, double-click the Authentication icon.
4. Verify Windows Authentication is set to Enabled. If it is not, right-click
Windows Authentication, and then click Enable.

Results: After this exercise, you should have installed the PowerPoint program and
created a link to C:\Program Files\Packaged Programs.

Exercise 2: Configuring TS Easy Print

Exercise Overview
The main tasks for this exercise are as follows:
1. Configure the printer redirection settings.
2. Shut down the virtual machines.

f Task 1: Configure the printer redirection settings

1. On 6428A-NYC-DC1-01, start the Group Policy Management snap-in. Click
Start, point to Administrative Tools, and then click Group Policy
Management.
2. In the left panel, under Group Policy Management, click Forest:
WoodgroveBank.com, followed by Domains, WoodgroveBank.com, NYC
nodes, and right click the Marketing node.
3. Click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, under the Name box, type GPO for RDP Link,
and then click OK.
5. In the left panel, click the Marketing node, right click GPO for RDP link, and
then click Edit.
6. In the left panel on the Group Policy Management Editor page, under
Computer Configuration, click Policies and Administrative Templates
nodes, and then click the Windows Components node.
7. Under Windows Component, click the Terminal Services node, and then
click the Terminal Server node.
8. In the left panel, double-click Printer Redirection.
L4-34 Module 4: Configuring Terminal Services RemoteApp and Easy Print

MCT USE ONLY. STUDENT USE PROHIBITED

9. In the right panel, double-click Use Terminal Services Easy Print printer
driver first.
10. In the Use Terminal Services Easy Print printer driver first Properties
dialog box, on the Setting tab, select Enabled, and then click OK.
11. In the right panel, double-click Redirect only the default client printer.
12. In the Redirect only the default client printer Properties dialog box, on the
Setting tab, select Enabled, and then click OK.

f Task 2: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have configured TS Easy Print and the client
print driver should have been redirected to TS.
 Lab: Configuring TS Web Access and Session Broker L5-35

MCT USE ONLY. STUDENT USE PROHIBITED

Module 5: Configuring Terminal Services Web
Access and Session Broker
Lab: Configuring TS Web Access
and Session Broker
Exercise 1: Configuring TS RemoteApp Programs for TS Web Access.
Exercise 2: Customizing TS Web Access by Using WSS.
Exercise 3: Configuring TS Session Broker.

Logon Information:
• Virtual Machine1: 6428A-NYC-DC1-01
• Virtual Machine 2: 6428A-NYC-TS-05
• Virtual Machine 3: 6428A-NYC-WEB-05
• User Name: Administrator\Bernard
• Password: Pa$$w0rd

Estimated time: 60 minutes

L5-36 Module 5: Configuring Terminal Services Web Access and Session Broker

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 1: Configuring TS RemoteApp Programs for TS
Web Access
Exercise Overview
In this exercise, you will install and configure the TS Web Access role service on
the terminal server and create a .msi file for Microsoft® Office PowerPoint Viewer. A
link for this .msi file needs to be created so that the Marketing group can access it
through a Web browser.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-NYC-WEB-05
virtual machines and log on to these machines as Administrator.
2. Install the TS Web Access role service.
3. Determine if the RemoteApp program is enabled for TS Web Access.
4. Create an MSI file.
5. Create a link to the TS RemoteApp program on the terminal server.
6. Verify that the link is functional and available through the Web browser.

f Task 1: Start the 6428A-NYC-DC1-01, 6428A-NYC-TS-05, and 6428A-

NYC-WEB-05 virtual machines and log on to these machines as
Administrator
1. Start 6428A-NYC-DC1-01using the Lab Launcher tool.
2. Log on using the default WOODGROVEBANK\Administrator user ID and
password Pa$$w0rd.
3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.
4. Log on as WoodgroveBank\Administrator by using the password Pa$$w0rd.
5. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.
6. Log on as WOODGROVEBANK\Administrator by using the password
Pa$$w0rd.
 Lab: Configuring TS Web Access and Session Broker L5-37

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Install the TS Web Access role service
1. Start the Server Manager snap-in on 6428A-NYC-TS-05. In the snap-in, scroll
down to Roles Summary, and click the Terminal Services link.
2. Scroll down to Role Services, and click the Add Role Services link.
3. On the Select Role Services page, select the TS Web Access check box.
4. In the Add Role Services message box, click Add Required Role Services.
5. On the Select Role Services page, click Next.
6. On the Web Server (IIS) page, click Next.
7. On the Select Role Services page, click Next.
8. On the Confirm Installation Selections page, click Install.
9. The Installation Progress page is displayed. Observe the progress indicator.
10. On the Installation Results page, observe that the installation of TS Web
Access succeeded, and then click Close.
11. On the Server Manager page, under Role Services, verify that TS Web Access
is installed.
12. Close the Server Manager.
13. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, and then
click Computer Management.
14. In the left pane of the Computer Management window, click the Local Users
and Groups node, and then click Groups.
15. In the right pane, double-click TS Web Access Computers.
16. In the TS Web Access Computers Properties dialog box, click Add to add
members in the group.
17. In the Select Users, Computers, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select the Computers check box, and then
click OK.
19. In the Enter the object names to select (examples) box, type NYC-TS as the
computer account of the TS Web Access server. Click Check Names, and then
click OK.
20. Click OK to close the TS Web Access Computers Properties dialog box.
21. Click Start, click All Programs, and then click Internet Explorer.
L5-38 Module 5: Configuring Terminal Services Web Access and Session Broker

MCT USE ONLY. STUDENT USE PROHIBITED

22. In the URL box, type http://NYC-TS/ts, and then press ENTER.
23. In the Connect to nyc-ts dialog box, log on to the site by using
WoodgroveBank\Administrator as the login ID and Pa$$w0rd as the
password, and then click OK.
24. A message box regarding blocked content is displayed. To add the site as a
trusted site, click the Add button.
25. The Trusted sites message box is displayed. Click Add.
26. Close the Trusted sites message box.

Note: If you are already logged on to the computer, you are not prompted for the
credentials. You need to add the Web site as a trusted Web site only the first time you
access the site.

27. On the title bar, click the Configuration tab.

28. On the right side of the page, in the Editor Zone section, in the TS Web
Access Properties section, in the Terminal Server name box, type NYC-TS.
29. Click Apply to apply the changes.

f Task 3: Determine if the RemoteApp program is enabled for TS Web

Access
1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to
Terminal Services, and then click TS RemoteApp Manager.
2. Scroll down to the RemoteApp Programs list and verify that a Yes value
appears for TS Web Access next to Microsoft Office PowerPoint
Viewer 2007.
3. Click Microsoft Office Power Point Viewer 2007.
4. To enable a RemoteApp program for TS Web Access, on the Actions pane for
Microsoft Office PowerPoint Viewer 2007, click Show in TS Web Access.
5. Close the TS RemoteApp Manager.
 Lab: Configuring TS Web Access and Session Broker L5-39

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 4: Create an MSI file
1. On 6428A-NYC-TS-05, click Start, point to Administrative Tools, point to
Terminal Services, and then click TS RemoteApp Manager.
2. Scroll down to the RemoteApp Programs list, and click Microsoft Office
PowerPoint Viewer 2007.
3. In the Actions pane for Microsoft Office PowerPoint Viewer 2007, click
Create Windows Installer package.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, click Next.
6. On the Configure Distribution Package page, click Next.
7. On the Review Settings page, click Finish.
8. Close the Packaged Programs folder.

f Task 5: Create a link to the TS RemoteApp program on the terminal

server
1. On the TS RemoteApp Manager page, in the RemoteApp Programs list, verify
that a Yes value is displayed for TS Web Access next to Microsoft Office
PowerPoint Viewer 2007.
2. Click Start, click All Programs, and then click Internet Explorer.
3. In the URL box, type http:// NYC-TS/ts, and then click Go.
4. In the Connect to nyc-ts dialog box, provide a user credential from the
Marketing Group. In User name, type WoodGroveBank\Bernard and type
the password as Pa$$w0rd, and then click OK.
5. A message box regarding blocked content is displayed. To add the site as a
trusted site, click the Add button, and then click Close.
6. Configure the TS Web Access server to allow access from the Internet. On
6428A-NYC-TS-05, click Start, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
7. In the left pane of Internet Information Services (IIS) Manager, expand the
NYC-TS (WOODGROVEBANK\Administrator) node, expand the Sites
node, expand the Default Web Site node, and then click TS.
L5-40 Module 5: Configuring Terminal Services Web Access and Session Broker

MCT USE ONLY. STUDENT USE PROHIBITED

8. In the middle pane, scroll down to IIS, and double-click the Authentication
icon.
9. Select Status from the Group by drop-down list. Select Enabled for Windows
Authentication.

f Task 6: Verify that the link is functional and available through the Web
browser
1. On 6428A-NYC-WEB-05, verify that you are logged on as
Woodgrovebank\Administrator with the password Pa$$w0rd.
2. Click Start, click All Programs, and then click Internet Explorer. In the URL
box, type http://NYC-TS/ts, and then click Go.
3. In the Connect to nyc-ts dialog box, type the user name as
WoodgroveBank\Bernard and the password as Pa$$w0rd. Then click OK.
4. The Trusted Sites message box is displayed. Click Add. Close the Trusted Sites
message box.
5. Observe that Microsoft Office PowerPoint is listed in the remote application
program list.

Results: After this exercise, you should have installed TS Web Access on the terminal
server, created an MSI file for the remote program, created a link to the remote
program, and verified that the link is functional through Internet Explorer.
 Lab: Configuring TS Web Access and Session Broker L5-41

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Customizing TS Web Access by Using WSS
Exercise Overview
In this exercise, you will create a customized Web part and export it to a WSS Web
site.
The main task for this exercise is as follows:
• Add a Web part to a WSS site.

f Task 1: Add a Web part to a WSS site

1. On 6428A-NYC-WEB-05, click Start, point to Administrative Tools, and then
click SharePoint 3.0 Central Administration.
2. To connect to the WSS site http://nyc-web:44341/, in the authentication
dialog box, type the user name as WoodgroveBank\Administrator and
password as Pa$$w0rd. Then click OK.
3. On the Home page of the Central Administration site, click Site Actions, and
then select Edit Page from the drop-down list.
4. On the Edit Page, in the center panel, click Add a Web Part.
5. On the Add Web Parts – Webpage Dialog page, in the Add Web Parts to Left
section, under the List and Libraries section, select the Resources check box,
and then click Add.
6. On the Central Administration page, under the Resources section, click the
Add new link link.
7. On the Resources: New Item page, in the URL box, type http:// NYC-TS/ts.
L5-42 Module 5: Configuring Terminal Services Web Access and Session Broker

MCT USE ONLY. STUDENT USE PROHIBITED

8. In the Description box, type Link for TS Web Access Web Part, and then
click OK.
9. Connect to NYC-ts and click Link for TS Web Access Web Part. The Connect
to nyc-ts dialog box is displayed.
10. Log on to the site as WOODGROVEBANK\Administrator with the password
Pa$$w0rd. Then click OK.
The TS Web Access Web site with the remote applications list will be
displayed.

Results: After this exercise, you should have added a customized Web part by using TS
Web Access, and exported it to a WSS site.
 Lab: Configuring TS Web Access and Session Broker L5-43

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring TS Session Broker
Exercise Overview
In this exercise, you will install the Session Broker role service and configure the
TS Session Broker settings for servers in a TS farm.
The main tasks for this exercise are as follows:
1. Install the TS Session Broker role service.
2. Add each server in the farm to the Session Directory Computers local group.
3. Configure the TS Session Broker settings by using Group Policy.
4. Shut down the virtual machines.

f Task 1: Install the TS Session Broker role service

1. On 6428A-NYC-TS-05, start Server Manager. Click Start, point to
Administrative Tools, and then click Server Manager.
2. Scroll down to the Roles Summary section, click the Terminal Services link.
3. On the Terminal Services page, scroll down to Role Services, and then click
the Add Role Services link.
4. On the Select Role Services page, select the TS Session Broker check box,
and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. The Installation Progress page is displayed. Observe the progress indicator.
7. On the Installation Results page, confirm that the installation succeeded, and
then click Close.
L5-44 Module 5: Configuring Terminal Services Web Access and Session Broker

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Add each server in the farm to the Session Directory
Computers local group
1. Click Start, point to Administrative Tools, and then click Computer
Management.
2. In the left pane, click the Local Users and Groups node, and then click
Groups.
3. In the middle pane, right-click the Session Directory Computers group, and
then click Properties.
4. In the Session Directory Computer Properties dialog box, click Add.
5. In the Select Users, Computers or Groups dialog box, click Object Types.
6. In the Object Type dialog box, select the Computers check box, and then
click OK.
7. In the Enter the object names to select {examples} box, type NYC-WEB; NYC
–TS, and then click Check Names. Click OK twice.
8. Close Computer Management.

f Task 3: Configure the TS Session Broker settings by using Group Policy

1. On 6428A-NYC-DC1-01, click Start, point to Administrative Tools, and then
click Group Policy Management.
2. In the Group Policy Management snap-in, in the left pane, expand the Forest:
WoodgroveBank.com node, followed by Domains and
WoodgroveBank.com. Then, right-click the NYC node, and click Create a
GPO in this domain, and Link it here.
3. In the New GPO dialog box, in the Name box, type GPO for TS Web Access,
and then click OK.
4. In the left pane, expand the Group Policy Objects node, and expand GPO for
TS Web Access.
5. In the right pane, click the Settings tab.
6. Right-click Computer Configuration, and then click Edit.
 Lab: Configuring TS Web Access and Session Broker L5-45

MCT USE ONLY. STUDENT USE PROHIBITED

7. In the left pane, expand the Computer Configuration node, expand the
Policies node, expand Administrative Templates followed by the Windows
Components, Terminal Services, Terminal Server nodes, and then click
TS Session Broker.
8. In the right pane, double-click the Join TS Session Broker policy setting.
9. In the Join TS Session Broker Properties dialog box, click Enabled, and then
click OK.
10. Double-click the Configure TS Session Broker farm name policy setting.
11. In the Configure TS Session Broker farm name Properties dialog box, click
Enabled.
12. In the TS Session Broker farm name box, type NYC-TS, and then click OK.
13. Double-click the Use TS Session Broker load balancing policy setting.
14. In the Use TS Session Broker load balancing Properties dialog box, click
Enabled, and then click OK.
15. Close the Group Policy Management editor.

f Task 4: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have configured TS Session Broker load
balancing for a farm.
MCT USE ONLY. STUDENT USE PROHIBITED
 Lab: Configuring and Troubleshooting TS Gateway L6-47

MCT USE ONLY. STUDENT USE PROHIBITED

Module 6: Configuring and Troubleshooting
Terminal Services Gateway
Lab: Configuring and
Troubleshooting TS Gateway
Exercise 1: Configuring and Monitoring TS Gateway
Exercise 2: Troubleshooting the TS Gateway Connections

Logon Information:
• Virtual Machine1: 6428A-NYC-DC1-06
• Virtual Machine 2: 6428A-NYC-TS-05
• User Name: Administrator
• Password: Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Configuring and Monitoring TS Gateway

Exercise Overview
In this exercise, you will install and configure the TS Gateway server role on the
terminal server and create a CAP and a RAP for the HR group.
The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual machines and log
on to these machines as Administrator.
2. Install the TS Gateway role.
3. Install the certificate.
4. Create a CAP for the HR group.
L6-48 Module 6: Configuring and Troubleshooting Terminal Services Gateway

MCT USE ONLY. STUDENT USE PROHIBITED

5. Select the pre-configured Active Directory Security group HR.
6. Create a RAP for the HR group.

f Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-05 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.
2. Log on as WOODGROVEBANK\Administrator by using the password
Pa$$w0rd. The Server Manager snap-in is displayed.
3. Start 6428A-NYC-TS-05 using the Lab Launcher tool.
4. Log on as Administrator by using the password Pa$$w0rd. The Server
Manager snap-in is displayed.

f Task 2: Install the TS Gateway role

1. On 6428A-NYC-TS-05, in the Server Manager snap-in, scroll down to Roles
Summary, click the Terminal Services link.
2. Scroll down to Role Services, click Add Role Services.
3. On the Select Role Services page, select the TS Gateway check box.
4. On the Select Role Services page, click Next.
5. On the Choose a Server Authentication Certificate for SSL Encryption page,
select Choose a certificate for SSL encryption later, and then click Next.
6. On the Create Authorization Policies for TS Gateway page, select Later, and
then click Next.
7. On the Confirm Installation Selections page, click Install. The Installation
Progress page is displayed.
8. On the Installation Results page, observe that the installation for TS Gateway
roles, role services, and features is successful, and then click Close.
9. Close the Server Manager snap-in.
 Lab: Configuring and Troubleshooting TS Gateway L6-49

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Install the certificate
1. Click Start, point to Administrative Tools, point to Terminal Services, and
then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click NYC-TS (Local), and
then click Properties.
3. On the NYC-TS Properties page, click the SSL Certificate tab, verify that the
Create a self-signed certificate for SSL encryption option is selected, and
then click Create Certificate.
4. In the Create Self-Signed Certificate dialog box, under Certificate name
verify that NYC-TS.WoodgroveBank.com appears by default.
5. Under Certificate location, delete the default location, type
c:\certificate\NYC-TS.cer, and then click OK.
6. A message box stating that TS Gateway has successfully created a self-signed
certificate is displayed. Click OK twice.
7. Close the TS Gateway Manager.
8. To open the Certificates snap-in, click Start, click Run, type MMC, and then
click OK. The Console1-[Console Root] window is displayed.
9. On the File menu, click Add/Remove Snap-in.
10. In the Add or Remove Snap-ins dialog box, under the Available snap-ins list,
click Certificates, and then click Add.
11. In the Certificates snap-in dialog box, select Computer account, and then
click Next.
12. In the Select Computer dialog box, verify that Local computer: (the
computer this console is running on) is selected, and then click Finish.
13. In the Add or Remove snap-ins dialog box, click OK.
14. In the console dialog box, in the console tree, double-click the Certificates
(Local Computer) node.
15. Right-click the Trusted Root Certification Authorities folder, point to All
Tasks, and then click Import.
16. On the Certificate Import Wizard page, click Next.
17. On the File to Import page, in the File name box type c:\certificate\NYC-
TS.cer, and then click Next.
L6-50 Module 6: Configuring and Troubleshooting Terminal Services Gateway

MCT USE ONLY. STUDENT USE PROHIBITED

18. On the Certificate Store page, click Next.
19. On the Completing the Certificate Import Wizard page, click Finish.
20. A message stating that the import was successful is displayed. Click OK.
21. In the Console1-[Console Root] window, click File, and then click Exit.
22. A message prompting you to save the console settings to Console1 is
displayed. Click No.
23. To open the TS Gateway Manager, click Start, point to Administrative Tools,
point to Terminal Services, and then click TS Gateway Manager.
24. In the TS Gateway Manager console tree, right-click NYC-TS(Local), and
then click Properties.
25. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify
Select an existing certificate for SSL encryption (recommended) is selected,
and then click Browse Certificates.
26. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com,
click Install, and then click OK.

f Task 4: Create a CAP for the HR group

1. In the TS Gateway Manager console tree, expand the NYC-TS(Local) node,
and then expand the Policies node.
2. Under Policies, right-click the Connection Authorization Policies folder,
point to Create New Policy, and then click Custom.
3. In the New TS CAP dialog box, on the General tab, in Policy name, type TS
CAP.
4. Click the Requirements tab, under Supported Windows authentication
methods, verify that Password is selected.
5. Under User group membership (required), click Add Group.
6. In the Select Groups dialog box, click Advanced, and then click Find Now.
7. Under the Search Results section, scroll down and select the group name HR,
click OK twice.
8. In the New TS CAP dialog box, click the Device Redirection tab, verify that
Enable device redirection for all client devices is selected, and then click OK.
9. Close the TS Gateway Manager.
 Lab: Configuring and Troubleshooting TS Gateway L6-51

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 5: Select the pre-configured Active Directory Security group HR
1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, under the
WoodgroveBank.com node, click Users.
3. In the right pane, click HR Security Group.
4. Right-click HR Security Group, click Properties.
5. In the HR Properties dialog box, click the Members tab, and then click Add.
6. In the Select Users, Contacts, Computers or Groups dialog box, click Object
Types.
7. Select the Computers check box, and then click OK.
8. Click Advanced, and then click Find Now.
9. Under the Search Results section, scroll down to select the computer name as
NYC-TS, click OK. Then click OK twice.
10. Close Active Directory Users and Computers.

f Task 6: Create a RAP for the HR group

1. Start the TS Gateway Manager on 6428A-NYC-TS-05. Click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the console tree, open the NYC-TS (Local) folder.
3. Open the Policies folder, and then right-click the Resource Authorization
Policies folder, point to Create New Policy, and then click Custom.
4. In the New TS RAP dialog box, on the General tab, in Policy name, type TS
RAP.
5. On the User Groups tab, click Add.
L6-52 Module 6: Configuring and Troubleshooting Terminal Services Gateway

MCT USE ONLY. STUDENT USE PROHIBITED

6. In the Select Groups dialog box, click Advanced, click Find Now.
7. Under the Search Results section, scroll down to select the group name HR,
and then click OK twice.
8. Click the Computer Group tab, verify Select an existing Active Directory
security group is selected, and then click Browse.
9. In the Select Groups dialog box, click Advanced, and then click Find Now.
10. Under the Search Results section, scroll down to select group HR, and then
click OK twice.
11. Click Allowed Ports tab, verify Allow connections only through TCP port
3389 is selected, and then click OK.

Results: After this exercise, you should have installed the TS Gateway Server role
service and created a TS CAP and TS RAP for the HR group.
 Lab: Configuring and Troubleshooting TS Gateway L6-53

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Troubleshooting the TS Gateway Connections
Exercise Overview
In this exercise, you need to verify that the TS Gateway server certificate has not
expired. You also need to check the TS CAP and RAP for the HR group. In
addition, you need to verify the existence of the user Baris in the HR group and
add a new user Bernard to the HR group.
The main tasks for this exercise are as follows:
1. Verify that the TS Gateway Server certificate has not expired.
2. Verify that the TS CAP is accurate.
3. Verify that the TS RAP is accurate.
4. Verify that the user Baris exists in the HR group.
5. Add Bernard to the HR group.
6. Verify that the TS RAP is functional.
7. Shut down the virtual machines.

f Task 1: Verify that the TS Gateway Server certificate has not expired
1. In the TS Gateway Manager, in the console tree, right-click NYC-TS (Local),
and then click Properties.
2. In the NYC-TS Properties dialog box, click the SSL Certificate tab, verify
Select an existing certificate for SSL encryption (recommended) is selected,
and then click Browse Certificates.
3. In the Install Certificate dialog box, click NYC-TS.WoodgroveBank.com.
4. Click View Certificate and verify that the validity of certificate has not expired
in the valid from field.
5. Click OK, click Cancel, and then click OK.
L6-54 Module 6: Configuring and Troubleshooting Terminal Services Gateway

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Verify that the TS CAP is accurate
1. In the console tree, under the NYC-TS (Local) node, under the Policies node,
click Connection Authorization Policies.
2. In the right pane, right-click TS CAP policy, and then click Properties.
3. In the TS CAP Properties dialog box, on the General tab, verify that Enable
this policy is selected.
4. Click the Requirements tab. Under Supported Windows authentication
methods, verify that Password is selected.
5. Under User group membership (required), verify that
WOODGROVEBANK\HR group exists.
6. Click Device Redirection tab, verify Enable device redirection for all client
devices is selected, and then click OK.

f Task 3: Verify that the TS RAP is accurate

1. In TS Gateway Manager, under the Policies node, click Resource
Authorization Policies.
2. In the right-pane, right-click TS RAP policy, and then click Properties.
3. In the TS RAP Properties dialog box, on the General tab, verify Enable this
policy is selected.
4. Click the User Groups tab and verify that the WOODGROVEBANK\HR
group exists.
5. Click the Computer Group tab, under Select an existing Active Directory
security group, verify that WOODGROVEBANK\HR exists.
6. Click Allowed Ports tab, verify Allow connections only through TCP port
3389 is selected, and then click OK.
7. Close the TS Gateway Manager.
 Lab: Configuring and Troubleshooting TS Gateway L6-55

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 4: Verify that the user Baris exists in the HR group
1. On 6428A-NYC-DC1-06, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, under
WoodgroveBank.com, click Users.
3. In the right pane, click HR Security Group.
4. Right-click HR Security Group, click Properties.
5. In the HR Properties dialog box, click the Members tab, verify user Baris
Cetinok exists, and then click OK.

f Task 5: Add Bernard to the HR group

1. In Active Directory Users and Computers, under WoodgroveBank.com,
click Users.
2. In the right pane, right-click HR Security group, and then click Properties.
3. In the HR Properties dialog box, click the Members tab, and then click Add.
4. In the Select Users, Contacts, Computers or Groups dialog box, click
Advanced, and then click Find Now.
5. Scroll down to select user name Bernard Duerr, click OK,
6. In the Active Directory Domain Services dialog box, click OK twice.
7. Close Active Directory Users and Computers.

f Task 6: Verify that the TS RAP is functional

1. On 6428A-NYC-TS-05, click Start, click Run, type \\NYC-TS\certificate, and
then click OK.
2. In the Certificate (\\NYC-TS) Explorer, select NYC-TS.cer.
3. Right-click NYC-TS.cer, click Install Certificate.
4. The Open file – Security Warning dialog box is displayed, click Open.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the Certificate Store page, select Place all certificates in the following
store, and then click Browse.
L6-56 Module 6: Configuring and Troubleshooting Terminal Services Gateway

MCT USE ONLY. STUDENT USE PROHIBITED

7. In the Select Certificate Store dialog box, select Trusted Root Certification
Authorities, click OK, and then click Next.
8. On the Completing the Certificate Import Wizard page, click Finish.
9. A message box that the import was successful is displayed, click OK.
10. Close Certificate Explorer.
11. On 6428A-NYC-DC1-06, click Start, click Run, type mstsc, and then click OK.
12. In the Remote Desktop Connection dialog box, click Options, click the
Advanced tab, and then click Settings.
13. On the TS Gateway Server Settings page, select Use these TS Gateway Server
settings.
14. In the Server name box, type NYC-TS.woodgrovebank.com, in the Logon
method box select Ask for password (NTLM) from the drop-down list, and
then click OK.
15. Click the General tab, in the Computer box, type NYC-TS, and then click
Connect.
16. In the Windows Security dialog box, type user name as
Woodgrovebank\Baris and password as Pa$$w0rd, and then click OK.
17. Close Remote Desktop Connection.

f Task 7: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have verified that the configuration of TS
Gateway is correct and the user Baris exists in the HR group. In addition, you should
have added a new user Bernard to the HR group.
 Lab: Managing and Monitoring TS L7-57

MCT USE ONLY. STUDENT USE PROHIBITED

Module 7: Managing and Monitoring Terminal
Services
Lab: Managing and Monitoring TS
Exercise 1: Managing the TS Connections
Exercise 2: Monitoring the TS Connections
Exercise 3: Configuring WSRM for TS

Logon Information:
• Virtual Machine1: 6428A-NYC-DC1-06
• Virtual Machine 2: 6428A-NYC-TS-07
• Virtual Machine 3: 6428A-NYC-WEB-05
• User Names: Administrator/Susan
• Password : Pa$$w0rd

Estimated time: 60 minutes

Exercise 1: Managing the TS Connections

Exercise Overview
In this exercise, you will configure the TS Gateway settings on the client computer.
You will then disconnect the NOC technician’s computer and reset the connection.
L7-58 Module 7: Managing and Monitoring Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

The main tasks for this exercise are as follows:
1. Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS -07 virtual machines and log
on to these machines as Administrator.
2. Start the 6428A-NYC-WEB-05 virtual machine and log on as Susan.
3. Configure the TS Gateway settings on the client.
4. Manage the TS connections on the terminal server.

f Task 1: Start the 6428A-NYC-DC1-06 and 6428A-NYC-TS-07 virtual

machines and log on to these machines as Administrator
1. Start 6428A-NYC-DC1-06 using the Lab Launcher tool.
2. The default login ID WOODGROVEBANK\Administrator is displayed. Log
on with the password Pa$$w0rd.

Note: Wait for the domain controller, 6428A-NYC-DC1-06, logon screen to appear
before starting 6428A-NYC-TS-07 virtual machine.

3. Start 6428A-NYC-TS-07 using the Lab Launcher tool.

4. Log on as WoodgroveBank\Administrator with the password Pa$$w0rd.
5. On 6428A-NYC-DC1-06, to verify the membership of the NYC-TS, click Start,
point to Administrative Tools, and then click Active Directory users and
Computers.
6. In the left pane, click Computers node.
7. In the right pane, verify that the computer name NYC-TS exists.

f Task 2: Start the 6428A-NYC-WEB-05 virtual machine and log on as

Susan
1. Start 6428A-NYC-WEB-05 using the Lab Launcher tool.
2. Log on as WoodgroveBank\Susan who belongs to the NOC Department by
using the password Pa$$w0rd.
 Lab: Managing and Monitoring TS L7-59

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 3: Configure the TS Gateway settings on the client
1. To configure TS Gateway on 6428A-NYC-WEB-05, click Start, click All
Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options, and then click
the Advanced tab.
3. On the Advanced tab, under Connect from anywhere area, click Settings.
4. Under Connection settings, select Use these TS Gateway server settings.
5. In the Server name box, verify that the FQDN of TS Gateway Server is NYC-
TS.Woodgrovebank.com.
6. Under Logon method, verify that Ask for password (NTLM) from the drop-
down list is selected
7. Verify that the Bypass TS Gateway server for local address check box is not
selected. If selected, then clear the check box and then click OK.
8. Click the General tab. Under Logon settings, in the Computer box, type
NYC-TS.
9. Click Save, and then click Connect.
10. In the Windows Security dialog box, enter the login ID as
Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click
OK.

Note: If the Remote Desktop Connection is disconnected, perform the following steps to
create the remote connection:

a. Log off WoodgroveBank\Susan on 6428A-NYC-WEB-05.

b. Log on to 6428A-NYC-WEB-05 as Administrator with the password
Pa$$w0rd.
c. Open Control Panel.
d. Click the Network and Sharing Center icon. Verify that NYC-WEB is
connected to Unidentified network.
e. Check the status of the Local Area Connection.
f. In the Network and Sharing Center window, under Tasks, click Manage
network connections.
L7-60 Module 7: Managing and Monitoring Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

g. In the Network Connections window, right-click Local Area Connection,
and then click Disable.
h. Then, right-click Local area Connection and click Enable.
i. Close the Network Connections window. In the Network and Sharing
Center window, check whether NYC-WEB is connected to
WoodgroveBank.com.
11. Log off as administrator and log on as WoodgroveBank\Susan using the
password Pa$$w0rd.

f Task 4: Manage the TS connections on the terminal server

1. To log off all TS Gateway connections on 6428A-NYC-TS-07, click Start, point
to Administrative Tools, point to Terminal Services, and then click Terminal
Services Manager.
a. In Terminal Services Manager, the Terminal Services Manager dialog
box is displayed, click OK. In the left panel, select NYC-TS.
b. In the middle panel, on the Users tab, observe that the RDP-Tcp#0
Session for Susan has the state as Active.
c. In the middle panel, select the user Susan. In the right panel, under
Actions, click Logoff.
d. The Terminal Services Manager message box about the selected user
getting logged off is displayed. Click OK.
e. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected.
Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC
connection before moving on to the next steps.
2. Disconnect all TS Gateway connections.
a. In the middle panel, select the user Susan. In the right panel, under
Actions, click Disconnect.
b. The Terminal Services Manager message box about the selected user
getting disconnected is displayed. Click OK.
c. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected.
Perform steps 2 to 9 in Task 3 of this exercise to set up the RDC
connection before moving on to the next steps.
 Lab: Managing and Monitoring TS L7-61

MCT USE ONLY. STUDENT USE PROHIBITED

3. Reset all TS Gateway Connections.
a. In the middle panel, select the user Susan. In the right panel, under
Actions, click Reset.
b. The Terminal Services Manager message box about the selected user
getting reset is displayed. Click OK.
c. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected.
Log off from 6428A-NYC-WEB-05 and then log on again using
WOODGROVEBANK\Administrator with the password Pa$$w0rd.
4. Close the Terminal Services Manager.

Results: After this exercise, you should have configured the TS Gateway settings on the
client and managed TS connections remotely.
L7-62 Module 7: Managing and Monitoring Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 2: Monitoring the TS Connections
Exercise Overview
In this exercise, you need to monitor the TS connections by using the TS Gateway
Manager and specify the TS Gateway events to be logged.
The main tasks for this exercise are:
1. Connect to the remote computer.
2. Monitor TS Gateway.
3. Specify the TS Gateway events to be logged.

f Task 1: Connect to the remote computer

1. To connect using TS Gateway on 6428A-NYC-WEB-05, click Start, click All
Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Connect.
3. In the Windows Security dialog box, the login ID is displayed as
Woodgrovebank\Susan. Log on with the password Pa$$w0rd, and then click
OK.

f Task 2: Monitor TS Gateway

1. On 6428A-NYC-TS-07, click Start, point to Administrative tools, point to
Terminal Services, and then click TS Gateway Manager.
2. In TS Gateway Manager, expand the NYC-TS node, and then expand
Monitoring.
3. Select Susan’s session in the middle panel.
4. In the Actions panel, under Monitoring, click Edit Connection. The NYC-TS
Properties dialog box is displayed.
5. Click Limit maximum allowed simultaneous connections to and select 2 in
the spin box, and then click OK.
6. In the Actions panel, under Monitoring, click Set Automatic Refresh
Options.
 Lab: Managing and Monitoring TS L7-63

MCT USE ONLY. STUDENT USE PROHIBITED

7. In the Set Automatic Refresh Options dialog box, verify Refresh
automatically is selected, in the spin box verify 0:30:0 seconds is selected,
and then click OK.
8. In the middle panel, right-click Susan, click Disconnect This Connection. The
TS Gateway message box about disconnecting from Susan Burk to the
computer NYC-TS is displayed. Click Yes.
9. The RDC connection in 6428A-NYC-WEB-05 will also get disconnected.
Perform steps 2 to 9 in Task 3 of Exercise 1 to set up the RDC connection
before moving on to the next steps.

f Task 3: Specify the TS Gateway events to be logged

1. In the TS Gateway Manager, right click NYC-TS (Local), and then click
Properties.
2. In the NYC-TS Properties dialog box, on the Auditing tab, select all the
checkboxes that you want to monitor for TS Gateway, and then click OK.
3. Close the TS Gateway Manager.
4. To check the event log, click Start, click Administrative Tools, and click
Event Viewer.
5. On the Event Viewer page, in the middle panel, check the Overview and
Summary page.
6. Under Summary of Administrative Events, scroll down and click the Audit
Success node.
7. In the Actions panel, under Audit Success, click View All Instances of This
Event.
8. In the middle panel, under Summary page events, view the event logs.
9. Close the Event Viewer.

Results: After this exercise, you should have monitored TS Gateway and specified the
events to be logged for TS Gateway.
L7-64 Module 7: Managing and Monitoring Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

Exercise 3: Configuring WSRM for TS
Exercise Overview
The main tasks for this exercise are as follows:
1. Install WSRM on TS.
2. Configure the TS resource allocation policy for per session.
3. Monitor TS performance by using Resource Monitor.
4. Configure the TS resource allocation policy for per user.
5. Shut down the virtual machines.

f Task 1: Install WSRM on TS

1. To start the Server Manager snap-in on 6428A-NYC-TS-07, click Start, point to
Administrative Tools, and then click Server Manager.
2. In the Server Manager, scroll down to the Features Summary section, click
the Add Features link. The Add Features Wizard page is displayed.
3. In the Add Features Wizard, on the Select Features page, scroll down to
select the Windows System Resource Manager check box. If the Add Features
Wizard message box displays, informing you that Windows Internal Database
also needs to be installed for WSRM to work properly click Add Required
Features, and then click Next.
4. On the Confirm Installation Selections page, click Install.
5. On the Installation Progress page, note the installation progress. On
completion of the installation, the Installation Results page is displayed.
6. On the Installation Results page, confirm that the installation of Windows
Internal Database and WSRM succeeded, and then click Close.
7. Close the Server Manager.
8. To start the WSRM snap-in, click Start, point to Administrative Tools, and
then click Windows System Resource Manager.
9. In the Connect to computer dialog box, under Administer, verify This
computer is selected, and then click Connect to enable the WSRM to
administer the local computer.
 Lab: Managing and Monitoring TS L7-65

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 2: Configure the TS resource allocation policy for per session
1. To implement the Equal_Per_Session resource-allocation policy, on the
Windows System Resource Manager snap-in, in the left pane, click the
Resource Allocation Policies node.
2. Right-click Equal_Per_Session and then click Set as Managing Policy.
3. If the End Snap-In dialog box appears stating that snap-in is not responding,
click Cancel.
4. If a Warning dialog box is displayed informing you that the calendar will be
disabled, click OK.

f Task 3: Monitor TS performance by using Resource Monitor

1. On the Windows System Resource Manager snap-in, in the navigation tree,
click Resource Monitor.
2. Review the performance data.
3. In the middle pane, on the toolbar, click Properties.
4. In the Properties dialog box, click the Graph tab.
5. On the Graph tab, in the View box, select Report from the drop-down list, and
then click OK.
6. Observe the report for Equal_Per_Session.
7. To configure the notification options, in the left pane, right-click Windows
System Resource Manager (Local), and then click Properties. The Windows
System Resource Manager Properties dialog box is displayed.
8. Click the Notification tab, select Enable e-mail notification.
9. In Notify these e-mail aliases, type [email protected].
10. In Use this SMTP server, type NYC-TS.woodgrovebank.com.
11. In Select the event log messages, select two or more events. To view the list of
events for each category, click the Error node, followed by the Warning and
Information nodes.
12. Click each category, and then select two or more events in each category.
13. When you have finished selecting the events, click OK.
L7-66 Module 7: Managing and Monitoring Terminal Services

MCT USE ONLY. STUDENT USE PROHIBITED

f Task 4: Configure the TS resource allocation policy for per user
1. To implement the Equal_Per_User resource-allocation policy, in the Windows
System Resource Manager snap-in, in the console tree, click the Resource
Allocation Policies node.
2. Right-click Equal_Per_User and then click Set as Managing Policy.
3. If a dialog box appears informing you that the calendar will be disabled, click
OK.

f Task 5: Shut down the virtual machines

1. Exit the Lab Launcher tool by clicking the close button.
2. In the Close window, click Turn off machine and discard changes.
3. Click OK.

Results: After this exercise, you should have configured WSRM, configured resource
allocation policies, and monitored the TS performance by using the Resource Monitor.