Remote Desktop Services - GBV


Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit
Christa Anderson and Kristin L. Griffin with the Remote Desktop Virtualization Team

ContentsAcknowledgmentsxvIntroductionChapter 1IntroducingxviiRemoteDesktopServices1Where Did RDS Come From?2Citrix MultiWin2Windows NT, Terminal Server Edition2Windows 2000 Server3Windows Server 20033Windows Server 20084Windows Server 2008 R2 and RDS4The Evolving Remote Client Access Experience6What Can You Do with RDS?7Improved Security forProvisioningRemote UsersNew UsersEnablingRemote WorkBringingWindows to8Rapidly99PC-Unfriendly EnvironmentsBusinessContinuity and Disaster RecoverySupporting Green ComputingImproved Command-Line Support111112RDS for Windows Server 2008 R2: New FeaturesTheChanging CharacterNew RDSTechnologyof RD Session Host12Usagein Windows Server 2008 R2RDS Roles in Windows Server 2008 R2How Other ServicesSupport3234Authenticating ServersUpdatingFunctionality33VMsEnablingwith CertificatesWAN Access andUser andfor RDS131924RDSThe Client ConnectionHosting10DisplayingRemote ResourcesComputer itional Resources36What do you think of this book? We want to hear fromyou!Microsoft is interested in hearing your feedback so we cancontinually improve ourbooks and learning resources foryou. To participate in a brief online survey, please visit:microsoft.com/learning/booksurveyvii

Chapter 2Key Architectural Concepts for Remote Desktop39ServicesKnow Your40Application Delivery SystemRD Session Host Servers40RD Virtualization Host Servers40Relevant Windows Server 2008 R2 InternalsWindows Server 2008 R2 Is 64-BitHow Does4141OnlyRD Session Host Server Dole Out Processoran43Cycles?How Do RD Session Host Servers Use Memory MoreEfficiently?45How Does Disk AffectApplication Delivery?How Does Virtualization Affect ResourceDetermining System RequirementsDesigning70RD Load Simulation ToolSizing77Testing: Extrapolation9195QuestionsClient Use ProfilesSupportingClient Hardware: PC99Thin Client?or99What's the Best License Model?WhatCan I Run onApplicationsWhat Version of Remote100an3RD Session Host Server?Connection Do I Need?DesktopWhat Role Services Do I Need toChapterSupport MyBusiness?114114Additional Resources115DeployingaSingleRemoteDesktopSession Host Server117117Services Supporting RD Session Host117Creating and Supporting119Installinga Sessionan RD Session Host ServerInstallingan RD Session Host Server134Using the AdministrativeTools InterfaceInstallingan134RD Session Host Server from the Command LineEssential RD Session HostAllocatingandServerInstalling ApplicationsWhichPlayon anwith RemoteDesktop ExperienceDesktop ConfigurationRD Session Host ServerApplications WillWork?150150164165Data168User Profile Data170Storing Application-SpecificAvoiding Overwriting145Redirection with theSettings142144ConfigurationProcessor TimeEnabling PlugAdjustingPopulating the Shadow KeyContents101109SummaryHow RD Session Host Servers Workviii596669TestsAn Alternative to FullOtherfor RD Session Host Serversa Live TestExecuting theUsing the56Usage?171

Chapter4Summary174Additional Resources174DeployingSingle Remote Desktop VisualizationaHostServer175WhatlsVDI?175How Microsoft VDI Works178The Central Role of the RD Connection Broker179Discoveringa VM181BrokeringConnection182aOrchestrating a VMConnecting to a VM PoolConnecting to a DisconnectedRolling Back185186Session186a VMto a PersonalConnecting184187DesktopInstalling Supporting Roles for VDIInstalling the RD Visualization Host188190InstallingRD Virilization Host Role Service via Windows PowerShell192InstallingRD Connection Broker193ConfiguringRD Web Access195Configuringthe RD Connection Broker Server197Setting UpVMs203PoolsCreating209Assigning Personal DesktopsforUsing RemoteAppHyper-VConfiguring RemoteAppCan You UseChapter5212Personal and Pooled VMConfiguringforPropertiesApplication CompatibilityHyper-VRemoteApp for Hyper-V Without216218220onRDS?222Summary224Additional Resources224Managing User Data in aRemote Desktop Services Deployment226How Profiles WorkTypes227of Profiles228How Profiles Are CreatedProfile Contents External to theStoringRegistrya241Consistent Environment242Design Guidelines for User ProfilesBalanceFlexibility and243Lockdown244Use Folder Redirection244Compartmentalize When NecessaryPrevent Users from233239ProfilesProviding225Losing FilesUpload Profile Registry Settingson thein theDesktop245Background246Contentsix

246Speed Up LogonsDeploying Roaming Profiles with Remote Desktop ServicesCreating a New Roaming ProfileConvertinganCustomizingExisting Local Profile to248Roaming ProfileDefault Profilea255257Speeding Up Logons268Data with Folder RedirectionSharing Folders BetweenR2 Roaming ProfilesSettingStandards with279MandatoryProfilesProfiles toProfileCreatingaSingle es with Local286MandatoryProfiles286287Troubleshooting TipsSummary288Additional Resources289Customizing the User ExperienceHow291Remoting Works291What Defines the Remote Client Experience?293The Foundation of RDP: Virtual Channels and PDUs296BasicGraphics Remoting299Advanced Graphics Remoting305Movingthe Clientto the Remote SessionExperience307Which Client Devices Can You Add to the Remote Session?307Pros and Cons of313Device and g Audio326How the RDC Version Affects the UserPrintingDoesn't330334DirectlyConnected Printerto aPrintingvia Redirected PrintersRemoteDesktop Services335337344When You Cannot Use RD Easy Print350Controlling Printer Redirection354Troubleshooting Printing358IssuesSummary359Additional Resources360Molding and Securing theLockingContentsExperience—orwith RDPPrintingPrinting from7283284Read-Only DesktopProfile and Folder Redirection278Windows Server 2003 and Windows Server 2008Converting Existing RoamingDecrease267275Personal Folders Between Local and Remote EnvironmentsSharingChapter254Using Group Policy to Manage Roaming ProfilesUsing Group Policy to Define the Roaming Profile ShareCentralizing PersonalCHAPTER 6a248Down the ServerUser Environment363364

Restricting Device andResource RedirectionPreventingUsers fromPreventingAccess to theClosing Back DoorsReconfiguring365the Server367368Registryon RD Session Host Servers369Controlling Libraries375Preventing Users from Running Unwanted ApplicationsUsing Software Restriction Policies376378Using AppLockerCreatingaRead-Only381Start Menu391Keeping the RD Session Host Server AvailableAllowingDenyingorLimiting theSettingTakingChapter 8Number of RD Session Host Server ConnectionsSession Time Limits393394Summary398Additional Resources398CoreRemoteProtocol ConnectionsDesktopSecurity TechnologiesUsing401402Transport Layer Security402Credential405RDPSecurity Service ProviderEncryption409Understanding Encryption Settings409Choosing Encryption gAuthenticatingaIdentity (Server Authentication)Kerberos FarmTest Certificates forClientwithaon411Authentication (NLA)ConnectionRD Session HostSecurity Using Group Policy415416.the RD Session Host ServerConfiguring Connection Security UsingConfiguring411Server FarmSingle Sign-onConfiguring the Security Settings410IdentityIdentity with Network LevelSpeeding LogonsChapter 9393394Remote Control of User SessionsSecuring'393Access to the RD Session Host ServerConfiguration417417419Summary420Additional Resources421Multi-Server Deployments423Key Concepts for Multi-Server DeploymentsRD Session Host Internals424Components426ComponentsRemoteApp Programs and xi

Distributing Initial Farm ConnectionsConnection Brokering in a Farm ScenarioRDS Farm Connection Brokering in ActionDeploying432433434RD Session Host FarmsPermit RD Session Host ServersJoin RD Session Host Servers439to Join RDConnection Brokerto a Farm447Publishing and Assigning Applications Using RemoteApp ManagerAdding Applications to the Allow ListConfiguring Global RemoteApp Deployment SettingsEditing RemoteApp PropertiesMaintaining Allow List Consistency Across the FarmConfiguring Timeouts for RemoteApp SessionsSigning Already-Created RDP FilesSetting SignaturePoliciesRDP FilesDistributingMSI FilesThroughRD Web l ResourcesRemote506Desktop507Services Available from the InternetHow RD Gateway WorksUnderstandingRD507Gateway AuthorizationPolicies509Gateway RequirementsRDRD512Gateway Using Windows PowerShellMaintaining RD Gateway AuthorizationCreatingandCreatingan RDCAPCreatingan RDRAPModifyingConfiguringan515Policies519Existing Authorization Policy521521RDRDBypassingGateway PropertiesGateway Computer GroupsRDGatewayUsing Group PolicyMonitoring522toEnable Access toaServer Farmfor Internal ConnectionsControl RD Gateway AuthenticationSettingsand Managing Active RDGateway Connectionsto515516RD Gateway 78SummaryInstalling469481the RD Web Access WebsiteUsing RemoteApp And DesktopRD464476and VMsInstalling the RD Web Access Role ServiceConfiguring RD Web AccessCustomizing RD Web AccessTroubleshooting RD Web Access PermissionsMaking457475RD Web Access SourcesChapter 10455475Delivering RemoteApp ProgramsUsing454474Distributing RemoteApp ProgramsDistributing440530533533534

CreatingRedundant RD Gateway ConfigurationNLB to Load-Balance RD Gateway Serversa537UsingPreventing SplitMaintainingUsingSSL ConnectionsIdenticalNAP with RDTroubleshootingPlacingChapter 11onRD537542GatewaySettings Across anRDGatewayFarmGatewayDeclined ConnectionsRD Web Access and RD543554573Gateway576RD Web Access for External Access576RD Gateway Inside the Private Network578RDGatewayin the Perimeter NetworkRDGatewayin the Internal Network and579Bridged581Summary586Additional Resources586ManagingIntroducingRemoteDesktop Sessions589RD Session HostThe RemoteManagement ToolsDesktop Services Manager590591Command-Line Tools595Connecting Remotely toManagingOrganizingServers for AdministrativePurposesSession Host Servers from Windows 7RDServers and VMs in the RemoteDesktopServices598599Manager600Monitoring and Terminating ProcessesMonitoring Application Use602Terminating Applications604603Monitoring and Ending User SessionsSwitching Between SessionsClosing Orphaned Sessions606Providing Help with610EnablingEnabling612Group PolicyRemote Control via RD Session HostConfigurationUser SessionTroubleshootingSessionNewShutting DownRDStoand619UsersRestarting617619LogonsSending Messages614615Shadowingfor Server MaintenanceDisablingApplying608Remote ControlRemote Control viaShadowing aPreparing605621RD Session Host ServersToolsManagementDifferentiating RemoteApp Sessions from Full Desktop SessionsAuditing Application UsageAuditing User LogonsClosing Unresponsive Applications624631631633639640Summary641Additional Resources642Contentsxiii

Chapter 12LicensingRemoteDesktop643ServicesThe RDS Licensing Model644RDSLicensing644VDILicensing646License Tracking and Enforcement648How RD License Servers Assign RDS CALs648Setting Up the RDS Licensing Infrastructure651Installing652RD License Server653RD License Server Connection MethodsActivatingBackground:How RDS CALs Are Tied toAdding License Servers toInstalling653the License ServeranRD License Server660RDS CALsConfiguringRD Session Host Servers to Use RD License ServersConfiguringRD License Servers to Allow Communication FromRDS CALs from One License Server to Another663665the RD License Server DatabaseRebuildingBacking Upan RDLicense Server and CreatingManaging and S CALs671Restricting Access to RDS CALsPreventingUsingtheLicense673UpgradesLicensing Diagnosis673ToolSummary675Additional Resources675Index677 662663RD Session Host ServersMigrating657660AD DS

Restricting Device and Resource Redirection 365
Preventing Users from Reconfiguring the Server 367
Preventing Access to the Registry 368
Closing Back Doors on RD Session Host Servers 369
Controlling Libraries 375
Preventing Users from Running Unwanted Applications 376
Using Software Restriction Policies 378
Using AppLocker 381
Creating a Read-Only Start Menu 391
Keeping the RD Session Host Server Available 393