Tuesday 12 January 2010

Installing Terminal Services Server, the main things you need to know.

Hi,

Recently I have come across a lot of questions about implementing Terminal Services in organizations. In most cases people know the main steps and procedures, but at the same time lots of small things are missed, which leads to wrong configuration and various problems.

I want to summarize all the steps and create a basic guide to Terminal Services for beginners. Let us call it “My First Terminal Services Server”. I will not go through each setting in detail; instead I will provide the main steps and the articles which will help you to understand them. As an example I will use the Microsoft Windows 2008 operating system and its Terminal Services role (the main steps are pretty much the same for operating systems from Windows Server 2003 to Windows Server 2008 R2). Let us assume you have already planned everything and have a clear idea of what you want. So, let us start with the installation.

1. Installing TS role. First of all you have to install the Terminal Services role on your Windows Server 2008 machine. It is not a complex task and there are a lot of different guides on the internet. Here is an example of such a guide; it is part of a bigger article, but the first part covers installing the Terminal Services role.

2. Licensing. The second thing you will want to do is deal with licensing. The article mentioned above covers installing the Licensing Server and adding the Terminal Services licenses. I just want to remind you that by default Windows 2008 allows 2 concurrent RDP connections; if you want more, you have to buy licenses and activate them on your Terminal Services Licensing Server. Here is a good article about TS licensing by Microsoft.

3. Applying Group Policy Settings. You will probably want to apply specific Group Policy settings to the users who log in to the Terminal Services server, different from the other Group Policy settings applied in your organization. Let us go through this step by step, as this part usually confuses a lot of beginning administrators. Here is what you have to do:

- Create an OU (Organizational Unit) called Terminal OU (the name can be different)

- Move your Terminal Services server Computer Object to the Terminal OU.

- Create a GPO (Group Policy Object) called Terminal GPO (the name can be different) and link this GPO to the Terminal OU.

- Open Terminal GPO, navigate to: Computer Configuration > Policies > Admin Templates > System > Group Policy and change the following setting: User Group Policy loopback processing mode. If you are not familiar with this setting, please refer to this article. In addition you can have a look at this article by Microsoft.
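The four actions of step 3 can also be scripted. The following is an added example, not part of the original post: it assumes Windows Server 2008 R2 or later with the ActiveDirectory and GroupPolicy PowerShell modules, and the server name `TS01` is hypothetical. It sets loopback to Replace mode, because the post later relies on loopback to replace the User Configuration.

```powershell
# Added example. Run as a domain administrator on a machine with the
# ActiveDirectory and GroupPolicy modules (Server 2008 R2 or later / RSAT).
Import-Module ActiveDirectory, GroupPolicy

# Constructed values: replace with your own names.
$ServerName = 'TS01'          # hypothetical terminal server computer name
$OuName     = 'Terminal OU'   # OU name used in the post
$GpoName    = 'Terminal GPO'  # GPO name used in the post

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$OuName,$domainDn"

# Create the OU at the domain root only if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
          -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $domainDn }

# Move the terminal server's computer object into the OU.
Get-ADComputer -Identity $ServerName | Move-ADObject -TargetPath $ouDn

# Create the GPO if it is missing, then link it to the OU once.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
              Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $ouDn | Out-Null }

# "User Group Policy loopback processing mode" is stored as UserPolicyMode:
# 1 = Merge, 2 = Replace.
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Read the value back from the GPO to confirm what was written.
Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
```

The script can be re-run safely: the OU, the GPO and the link are only created when they are missing.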

4. Filter GPO from applying. As an administrator you probably do not want to be limited just like a standard user, so you have to filter the GPO from applying to your account. Please have a look at this article to learn how to perform this step.

5. Allow logon through Terminal Services. Now you have to allow your users to log on to your Terminal Services server. To do this, perform the following steps:

- Open the Terminal GPO which we have just created.

- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and find the setting called “Allow logon through Terminal Services”.

- Enable this setting and choose the group which will be given this right. For example you can create a group and call it Terminal Services User.

- Add the users who will be logging on to the Terminal Services server to the Terminal Services User group.

Please keep in mind that after we have made changes to the GPO, it has to be applied to the Terminal Services server. You can do this by restarting the server or by issuing the gpupdate /force command on the server.
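Once the policy has been refreshed, it is worth confirming on the server itself that loopback is active and that only the intended accounts hold the right to log on through Terminal Services. The check below is an added example, not part of the original post; it assumes PowerShell 2.0 or later in an elevated session, and the allowed list (including BUILTIN\Administrators) is an assumption to adjust to your own policy.

```powershell
# Added example: run elevated on the terminal server after 'gpupdate /force'.
# Assumption: these are the only principals that should hold the RDP logon right.
$Allowed = @('BUILTIN\Administrators', 'Terminal Services User')

function Get-LoopbackMode {
    # Registry value written by "User Group Policy loopback processing mode".
    $key  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UserPolicyMode
    if ($mode -eq 1) { 'Merge' } elseif ($mode -eq 2) { 'Replace' } else { 'Not configured' }
}

function Get-RdpLogonRightHolder {
    # Export the effective user rights and read SeRemoteInteractiveLogonRight,
    # the privilege behind "Allow logon through Terminal Services".
    $cfg = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg |
                    Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }   # already a name
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }   # SID no longer resolves (deleted account): report it raw
    }
}

"Loopback mode: $(Get-LoopbackMode)"
foreach ($holder in (Get-RdpLogonRightHolder)) {
    $name = ($holder -split '\\')[-1]   # compare with and without the domain prefix
    $ok   = ($Allowed -contains $holder) -or ($Allowed -contains $name)
    $note = if ($ok) { 'expected' } else { 'REVIEW: not in allowed list' }
    '{0,-45} {1}' -f $holder, $note
}
```

A user right defined in a GPO replaces the server's local list for that right, so any entry marked REVIEW, and any account you expected but do not see, points back to the “Allow logon through Terminal Services” setting in the Terminal GPO.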

6. Configuring User Settings. The next step is configuring your users for the Terminal Services environment. There are a few main things that you will have to consider, so let us speak about them separately:

a) User Profiles. You can specify a profile path for the Terminal Session, i.e. the profile which will be loaded only when the user is logged on to the Terminal Services server over a Remote Desktop Connection. Please do not confuse this profile with the Roaming Profile: the Terminal Services Profile is loaded only during the terminal session, whereas the Roaming Profile is loaded everywhere. For example, if you have both the Roaming Profile and the Terminal Services Profile enabled, every time you log on to the Terminal server the Terminal Services Profile will be loaded, but if you log on to a PC interactively (i.e. not through RDP), the Roaming Profile will be loaded.

We can specify the Terminal Service Profile in two ways:

- You can specify profile path in the properties of the User Account, in the tab called “Terminal Services Profile”, “Profile Path” field.

- You can specify this path using a group policy: open the Group Policy which you created for your Terminal Services server and navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Profiles. Here you can specify the Mandatory or Roaming profile which will be used during the Terminal Session.

Just for your information, you do not necessarily have to specify the Terminal Services profile; it is optional. You can just leave the default profile path (which is C:\Users) and create a specific folder redirection. In this case, the profile will reside in the default location, but the main folders (you choose which) are redirected wherever you want.

You can find more explanation about setting the Terminal Services Profile path here.

b) Folder Redirection. In the Terminal GPO you can specify Folder Redirection which will take place only during the Terminal Session. For example you want all users to have a predefined set of Programs in their Start Menu during the Terminal Session; this can be achieved by redirecting the Start Menu folder. You can find details about the Folder Redirection in this article.

As we are configuring folder redirection under the User Configuration, some of you may think that it is not going to work because the Terminal Services GPO is linked to the OU containing the Computer Object. Do not forget, however, that we have enabled Loopback Processing of Group Policy, which allows us to replace the User Configuration for the users logged in to the Terminal Services server.

That is it. You have done the main things and your Terminal Services server should be up and running. Now you may want to implement Remote Apps or TS Web Access; I will try to speak about this in the future.

Thanks for reading, I hope it helped you. And please let me know if you think that I missed something :-)


4 comments:

  1. Can we force all the RDP users to use a profile with this method? I want my users to log in to the server through RDP with their own user name and pass, but get access to the Internet Explorer that has been configured.

  2. Hi,

    Yes you can force all users to use a specific profile when they logon to the terminal server.

    Have a look at this article:

    http://technet.microsoft.com/en-us/library/cc783578%28WS.10%29.aspx#BKMK_gpolicy

    Point number 2 explains how to set Terminal Services Profile Path through Group Policy.
    In your case you will need to make setting in the group policy which you applied to the Terminal OU.

    If you will have more questions, please feel free to post your question here:

    http://social.technet.microsoft.com/Forums/ru-RU/winserverTS/threads

    Me and other IT professionals will be happy to help.

    Thanks,

    Kudrat

  3. buy terminal server license

    I think your blog is very important of the traffic increasing of the site.

  4. Hi,
    Not sure what exactly you mean, but thanks anyway :-)
