Microsoft Windows Server 2003 Deployment Kit [Electronic resources]: Planning Server Deployments - Text version

Microsoft Corporation

Designing Domain and User Configuration


Developing your design also involves planning the location of Terminal Server within your proposed Windows Server 2003 domain infrastructure, as shown in Figure 4.4. After you have determined how Terminal Server integrates into your domain model, you can plan the user and security settings that can be managed through Active Directory and Group Policy.


Figure 4.4: Planning Domain and Security Configuration



Integrating Terminal Server into Your Domain Model


Terminal Server need not be in an Active Directory domain to function, but without a domain architecture, users must have separate accounts on every computer running Terminal Server. This limits manageability and makes it more difficult to administer groups of users.

Integrating with Existing Windows NT 4.0 Domain Structure


If your organization does not currently use Active Directory, you can use an existing Windows NT 4.0 domain, which allows you to take advantage of the new features available in Windows Server 2003 Terminal Server without affecting the production environment. However, limitations apply, such as the existing Security Accounts Manager (SAM) 40,000-objects-per-domain limitation of the Windows NT 4.0 domain model. Administrators have the option of adding Terminal Server-specific attributes to users' accounts. This adds a small amount of information, typically 1 kilobyte (KB) or less, to a user's entry in the domain SAM database.

Integrating with the Windows Server 2003 and Windows 2000 Active Directory Infrastructure


This option takes full advantage of Active Directory, giving you the option of applying Group Policy settings to control the Terminal Server environment. Just as you are likely to manage your portable computers or domain controllers in a manner different from your desktop computers, you also manage your terminal servers and Terminal Server users differently. When you define your Active Directory structure, it is recommended that you place your terminal servers in a separate Terminal Services OU. Reserve this OU for Terminal Services computers. Do not include other users or non-Terminal Services computer objects. In addition, if you are deploying load-balanced server farms for Terminal Services, place each farm in a separate OU within the Terminal Services OU. It is also recommended that you place your Terminal Server users in a separate Terminal Server users OU.

In an Active Directory environment, avoid configuring Terminal Server as a domain controller for the following reasons:



Any user rights policies you apply to such a server apply to all domain controllers in the domain. For example, to use Terminal Services, users must be authorized to log on locally to the server. If the server running Terminal Services is a domain controller, users can log on locally to all domain controllers in the Terminal Services domain, presenting a serious security risk.



Domain controller functions place a heavy load on system resources and would thus have an effect on the user's Terminal Server experience.



By default, enabling Terminal Services sets the server process-scheduling priority to favor interactive applications. The system does not assign top priority to critical domain-level processes such as user account replication, logon requests, logon script replication, and authentication requests.





Planning Per-User Requirements


Because of the multiuser nature of Terminal Server, it is important to plan per-user settings and data storage carefully for ease of management and an optimal user experience. How you plan to use Terminal Server in your organization affects your choice of user profile types, and your plan for using these profiles.


Using User Profiles


A profile describes the Windows Server 2003 configuration for a specific user, including the user's environment and preference settings. Profiles typically contain such user-specific information as installed applications, desktop icons, and color options. To plan for user profiles in a Terminal Server environment, choose the solution that is best for your environment, and then plan for the storage of the profiles. For more information about user profiles, see "User profiles overview" in Help and Support Center for Windows Server 2003. For information about general planning for user profiles, see "Designing Managed Desktops" in Designing a Managed Environment of this kit.

Unless you plan carefully for the use of user profiles, they tend to grow in size. This is a problem in a Terminal Server environment because user profiles are stored on the terminal server by default. If you have many users accessing the terminal server, the user profile files soon consume a large amount of space on the server hard drive. You should store user data and profiles on a separate drive from the system installation hard drive.

There are three different types of profiles you can use with Terminal Server:

    Terminal Server-specific profile
    Windows Server 2003 mandatory roaming profile
    Windows Server 2003 local profile

When a user logs on to a server running Terminal Server, the server first searches for the Terminal Server-specific profile. If Terminal Server cannot locate this profile, it attempts to load the user's Windows Server 2003 roaming profile or Windows Server 2003 local profile.

It is recommended that you plan to use either Terminal Server-specific or roaming user profiles for your Terminal Server users, rather than local profiles, in order to better manage the size of the profiles and optimize the user experience. Terminal Server-specific profiles are recommended in most cases. Consider the following situations when choosing which type of user profile to use with Terminal Server:



If you are planning to keep the environment for your Terminal Server users standardized and under tight control, you can use mandatory roaming user profiles to restrict access to certain applications. You can also use mandatory roaming user profiles to assign users profiles that cannot be changed.




If you assign roaming user profiles to users who tend to access the terminal server from different computers (for example IT administrators, users who access the application from a kiosk, or users who work in certain task-worker environments), those users can retain their settings regardless of where they log on.



If you are using Terminal Server to deliver a consistent desktop to client computers of varying platforms or configurations, you cannot use roaming user profiles unless you can group the different configurations and platforms into different OUs.



If you are using Terminal Server in a load-balanced farm, you should plan to use roaming user profiles.



Using Terminal Server-Specific Profiles


Use Terminal Server-specific profiles to present a session to the user that is different from the user's desktop or to create user profiles optimized to the Terminal Services environment. The following are some of the situations where using Terminal Server-specific profiles might be advantageous:



To provide users who are accessing Terminal Server with an environment that is different from the environment on their local computers.



To provide a different look and feel for different users on the same terminal server, for example, if you have task workers and a manager on the same server.



To better manage the size of user profiles for Terminal Services users who do not have controlled user environments that have been set through assigned or mandatory user profiles. You can use Group Policy to manage the profiles on the server that stores your Terminal Server profiles.



You can configure Terminal Services-specific profile settings for each user by using the following procedure.



To configure Terminal Services-specific profile settings

    1. Open Active Directory Users and Computers.
    2. Right-click the user for which you want to set profile settings, and then click Properties.
    3. Click the Terminal Services profile tab.






You can configure the following Terminal Services-specific profile settings:



Terminal Services User Profile path. You can choose a place to store users' Terminal Services profiles other than the default location.





Note

You can also set this through Group Policy under Computer Configuration\Administrative Templates\Windows Components\Terminal Services. For more information, see "Designing Terminal Server Installation and Configuration" later in this chapter.




Terminal Services home folder. You can specify a path to a home folder for use with Terminal Server sessions. This directory can be either a local folder or a network share.



For information about setting Terminal Server profiles, see "Terminal Services Profile" in Help and Support Center for Windows Server 2003.

Using Roaming Mandatory User Profiles


Roaming user profiles allow users to move between different computers and maintain the same environment and preference settings. A roaming mandatory user profile is a preconfigured user profile that you assign to users. Because users cannot change a roaming mandatory profile, using this type of profile ensures that these user profiles remain at a manageable size. Additionally, you can assign one mandatory profile to all users who require identical desktop configurations. This allows you to change the desktop environments for all those users by changing only one profile.

Take the following issues into consideration when planning to use roaming mandatory user profiles with Terminal Server:



When planning for the use of profiles for a large number of Terminal Server users, consider using Terminal Server profiles rather than roaming user profiles.



If you are combining Folder Redirection and roaming user profiles, it is recommended you not use quotas on the profile.



If your users roam between computers that are running Windows XP Professional, Windows XP 64-Bit Edition, Windows Server 2003, and Windows 2000, you can use the Prevent Roaming Profile changes from being propagated to the server Group Policy setting to be sure that each client computer receives only the profile that applies to the particular platform that the user is logged on to. For more information, see "Group Policy in multiplatform networks" in Help and Support Center for Windows Server 2003. To find this topic, click Index in Help and Support Center, type the keywords "Group Policy," and then select the topic "multiplatform networks."




The roaming profile information is stored on the local hard drive of the terminal server. It is recommended that this information be deleted after the user logs off. You can do this by enabling the Delete cached copies of roaming profiles Group Policy setting (in System/User Profiles under User Configuration in the Group Policy Object Editor) and applying the setting to your Terminal Server OU.





Important

In order to use roaming profiles on a group of Terminal Services computers, the Terminal Services computers must be identical in application and operating system configuration, such as the location of the system root folder and the installation location of all applications. Otherwise, group different configurations into different OUs and administer the roaming profiles separately.


For information about how to set or change a user's roaming profile path, see "Change a user's Terminal Services profile path" in Help and Support Center for Windows Server 2003.

Planning for User Profile Storage and Management


Unless you manage user profiles correctly, they can become very large and can cause problems for your Terminal Server users. In order to keep the size of your user profiles for Terminal Server under control, use the Limit profile size Group Policy setting or use mandatory profiles. You can find the Limit profile size Group Policy setting under User Configuration\Administrative Templates\System\User Profiles.

The profile path copies all user profiles to drive C of the terminal server by default. Depending on the number of users accessing your terminal server, this could greatly deplete the free space on this disk. Choose a location on a file or print server that has enough space to store the profiles and that is readily available to Terminal Server users, and then create a Windows Server 2003 share that users can access with read/write permissions. Do not store Terminal Server profiles and users' primary desktop profiles in the same location. You should store profiles in a different location from user home directories. For information, see "Change a user's Terminal Services profile path" in Help and Support Center for Windows Server 2003.

Increasing Time-out Values for Profiles with Terminal Server






Caution

Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference on the Windows Server 2003 Deployment Kit companion CD, or at http://www.microsoft.com/reskit.



In a Terminal Server environment, because many users tend to access the terminal server and the profile server at the same time, the server can develop bottlenecks or the network itself can become saturated. This can cause problems with user profiles primarily because a time-out can occur during profile unloading or write back. As a result, changes to the profile are not saved. By increasing the time-out values when you set up Terminal Server, you can reduce the incidence of profile-related issues. You can increase profile time-out values by using the following procedure.



To increase profile time-out values

    1. In the Group Policy Object Editor, navigate to the Maximum retries to unload and update user profile policy, which is located in Computer Configuration/Administrative Templates/System/User Profiles.
    2. Enable this setting and set it to 120.
    3. In the Run dialog box, type regedit, and then click OK.
    4. Locate the following subkey in the registry and select it:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
    5. On the Edit menu, click Add, and then click DWORD Value.
    6. Add a registry entry named LogoffTimeout with the following settings:
       Base: Decimal
       Value: 120 (4 minutes, time-out expressed in 2-second units)

    Note

    Do not set this value lower than 3 minutes or higher than 15 minutes.








For more information, see article 299386, "Logoff Process May Not Be Completed Because Time-Out Is Too Slow" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
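The registry half of the procedure above as a cmd script, added here as an example and not taken from the Deployment Kit: it backs up the key first (the Caution above), converts a time-out given in minutes into the 2-second units that LogoffTimeout expects, rejects anything outside the 3 to 15 minute window from the Note, writes the value with reg.exe and reads it back. The minutes argument and the backup file path are the author's assumptions.

```batch
@echo off
setlocal
rem Added example, not from the Deployment Kit. Usage: set-logofftimeout.cmd <minutes>
rem LogoffTimeout is stored in 2-second units, so 4 minutes = 240 s = 120.

set "TSKEY=HKLM\System\CurrentControlSet\Control\Terminal Server"
set "BACKUP=%SystemRoot%\Temp\TerminalServer-key-backup.reg"

if "%~1"=="" (
    echo Usage: %~nx0 ^<minutes^> - allowed range 3 to 15
    exit /b 2
)

rem Reject anything that is not a plain whole number before doing arithmetic on it.
echo %~1| findstr /r "^[0-9][0-9]*$" >nul || (
    echo Error: "%~1" is not a whole number of minutes.
    exit /b 2
)

set /a MINUTES=%~1
if %MINUTES% LSS 3 (
    echo Error: time-out must not be lower than 3 minutes.
    exit /b 2
)
if %MINUTES% GTR 15 (
    echo Error: time-out must not be higher than 15 minutes.
    exit /b 2
)

rem minutes * 60 seconds, divided by the 2-second unit size
set /a UNITS=MINUTES*30

rem Back up the key before touching it; an older backup is replaced.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%TSKEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Error: could not back up %TSKEY% to %BACKUP%; nothing changed.
    exit /b 1
)

rem Write the decimal DWORD; /f overwrites an existing value without prompting.
reg add "%TSKEY%" /v LogoffTimeout /t REG_DWORD /d %UNITS% /f >nul
if errorlevel 1 (
    echo Error: reg add failed; restore with: reg import "%BACKUP%"
    exit /b 1
)

rem Read the value back so the change can be recorded with the change request.
echo LogoffTimeout set to %UNITS% (= %MINUTES% minutes). Backup: %BACKUP%
reg query "%TSKEY%" /v LogoffTimeout
endlocal
```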


Using Home Directories with Terminal Server


It is important that you plan for use of home directories in a Terminal Server environment because most applications must install user-specific information or copy configuration files for each user. By default, Windows Server 2003 defines a home directory for each user. For Terminal Server users, the default user's home directory is his or her user profile directory on the terminal server, for example \Wtsrv\Profiles\Username. This directory contains user settings. Terminal Services writes user-specific application files, such as .ini files, and by default refers any application seeking the Windows system directory to the user's home directory.


Users typically save their personal files to their home directory, in the My Documents folder. This can be a problem if roaming profiles are used and the home directory is located within the user's profile directory. Windows Server 2003 copies everything in the user's profile directory to the profile cache on the local computer each time the user logs on. This can take considerable time and resources, particularly if the roaming profile is stored across the network or over a slow link. You can use Group Policy to redirect the My Documents folder to a central non-Terminal Server computer. For more information, see "Change a user's Terminal Services profile path" in Help and Support Center for Windows Server 2003.

It is recommended that you use Terminal Services-specific home directories. Choose a location on a file or print server for the home directories. Share the folder and give Change permissions to Everyone, then change the home directory path for Terminal Server users. By default, users have full access to their individual home directory. Administrators can copy files into the directory, but not read or delete files there.

You can specify a location for redirecting the home directory for Terminal Services users with the TS User Home Directory Group Policy setting. With this setting you can specify the location of the home directory on the network or on the local computer, the root path, and the network drive letter if the root path is located on the network.





Note

To facilitate the use of application compatibility scripts, use the same virtual drive letter for all user home directory redirection points. The first time you run an application compatibility script on a server, the server prompts you to set the drive letter that references the root of the user home directory. This drive letter is used for all subsequent application compatibility scripts. For terminal server farms, it is essential that the same drive letter be used on all the servers within the farm.


Using Folder Redirection with Terminal Server


Folder Redirection allows users and administrators to redirect the path of a folder to a new location. The new location can be a folder on the local computer or a directory on a network share. It is recommended that you redirect users' My Documents folder to a private server share by using Folder Redirection. Users can then access their My Documents folders from either a Windows XP Professional client computer or Terminal Server session as if they were accessing their local drives. This is especially useful for roaming users who access the terminal server from different computers at different times.

For general information about Folder Redirection, see "Folder Redirection" in Help and Support Center for Windows Server 2003. To find this topic, click Index in Help and Support Center, type the keywords "Folder Redirection," and then select the topic "overview."

When setting Folder Redirection, make sure that the user has write access to the folder in which you create the new folder for that user. If the user does not have sufficient access to the shared folder, the folder redirection fails and defaults to a dedicated folder created on the server or desktop to which the user logs on.



Configuring User Group Policy Settings


Under User Configuration in the Group Policy Object Editor, you can set several Group Policy settings that are particularly useful for Terminal Server. Use these settings to control the user experience and prevent access to areas of the terminal server. For more information about each of the settings listed here, see the Group Policy Explain text associated with each setting. For a job aid to assist you in recording your Terminal Server Group Policy configuration decisions, see "Group Policy Configuration Worksheet" (SDCTS_2.xls) on the Windows Server 2003 Deployment Kit companion CD (or see "Group Policy Configuration Worksheet" on the Web at http://www.microsoft.com/reskit).

See the following resources for more specific information about using Group Policy:



For general information about Group Policy, see the Management Services link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.



For more information about designing a Group Policy infrastructure, see "Designing a Group Policy Infrastructure" in Designing a Managed Environment of this kit.



For information about using Group Policy to lock down a Terminal Server session, see article 278295, "How to Lock Down a Windows 2000 Terminal Server Session" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.



For more information about applying Group Policy to Terminal Server, see article 260370, "How to Apply Group Policy Objects to Terminal Services Servers." To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.







Note

Because these settings apply to the user, and not the computer, they affect the user environment regardless of which computer the user accesses. When applying settings that you want to apply only when users have a session on the terminal server (as opposed to their own desktop computer), use computer settings that apply to the terminal server. For more information, see "Designing Terminal Server Installation and Configuration" later in this chapter.


Configuring the User Display


A graphic-intensive display can affect performance for users of Terminal Server. To ensure the best possible performance, you can control what users can put on their desktops by configuring the Group Policy settings located under User Configuration/Administrative Templates/Control Panel/Display.


Configuring desktop items

Many organizations permit users to choose their own desktop wallpaper or screen savers. However, in a Terminal Server environment, these graphics can have an effect on performance. Use the following Group Policy settings to control users' ability to change wallpaper and screen savers.

Screen savers. You can use several Group Policy settings to affect the user's screen saver. You can disable screen savers altogether by disabling the Screen Saver policy. You can also specify the screen saver by enabling this policy and also by enabling and specifying the screen saver executable name in the Screen Saver executable name policy. For more information about these Group Policy settings, see the Explain tab located on the property sheet for each policy.

Wallpaper. By enabling the Prevent changing wallpaper setting you can disable all the options in the Desktop tab of Display in Control Panel. This includes changing the wallpaper and changing the appearance of the desktop icons. By not allowing these changes, you can ensure that users do not choose desktop display items that might affect the performance of the server.

Configuring the desktop theme

If you are hosting the full desktop with Terminal Server, by default the desktop environment resembles a Windows Classic desktop. By default Windows Server 2003 does not have themes enabled. You can enable themes by starting the Themes service and configuring it to start automatically. For more information about starting the Themes service, see "Configure how a service is started" in Help and Support Center for Windows Server 2003.

After you have configured the Themes service to start automatically, you can enforce a specific desktop theme or the Windows XP theme for your Terminal Server users by using the following procedure. For more information about choosing to use desktop themes with Terminal Server, see "Hosting Full Desktops with Terminal Server" earlier in this chapter.



To load a specific theme for the desktop

    1. In the Group Policy Object Editor, navigate to User Configuration/Administrative Templates/Control Panel/Display/Desktop Themes.
    2. Open the Load a specific visual style file or force Windows Classic setting.
    3. Take one of the following actions, depending on what you are trying to achieve:
       To force Windows Classic, enable this setting.
       To load the Windows XP theme, enable the setting and type %windir%\resources\Themes\Luna\Luna.msstyles in the Path to Visual Style dialog box. For information about using the Windows XP theme with Terminal Server, see "Choosing Applications to Host" earlier in this chapter.
       To load another theme or a custom theme, type the path to that theme in the dialog box.








Restricting Access to Drives on a Terminal Server


You can use Group Policy settings to hide and restrict access to drives on the terminal server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage program or other critical system files on the C drive. The following settings are located in the Group Policy Object Editor under User Configuration/Administrative Templates/Windows Components/Windows Explorer:



Hide these specified drives in My Computer. You can remove the icons for specified drives from a user's My Computer folder by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this setting does not restrict access to these drives.



Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination of drives. Use this setting to lock down the terminal server for users accessing it for their primary desktop.



Configuring Start Menu and Taskbar Items


You can use Group Policy settings to remove and to restrict access to items from the Start menu for Terminal Server users. The following settings are located in User Configuration/Administrative Templates/Start Menu and Taskbar:



Enabling the Remove Run menu from Start Menu setting removes this menu from the Start menu. It also removes the New Task command from Task Manager and blocks the user from accessing Universal Naming Convention (UNC) paths, local drives, and local folders from the Internet Explorer address bar. While these are not the only methods for running applications, enabling this setting makes it difficult for users to access resources on the server or network.



Enabling the Remove Logoff on the Start Menu setting prevents users from logging off the server from the Start menu. Enabling this setting does not prevent users from logging off using CTRL+ALT+DEL.



Enabling the Remove and Prevent access to the Shut Down command setting prevents administrators from accidentally shutting down the terminal server.



Enabling the Remove links and access to Windows Update setting prevents users from attempting to download updates to Windows onto the server.



Enabling the Remove Favorites menu from Start Menu setting reduces confusion for users who do not have access to the Internet.




Planning Terminal Server User Rights and Logon


You can use the Remote Desktop Users group to manage user rights on a terminal server. There are also special logon configurations and Internet Explorer security configurations you can set for Terminal Server.


The Remote Desktop Users Group


Before users can create a remote connection with Remote Desktop, they must have the appropriate permissions. By default, members of the Administrators group can connect remotely to the server. Members of the Remote Desktop Users built-in local group also have remote logon permissions. This built-in group gives administrators control over the resources that Terminal Server users can access. Access to Terminal Server is distributed with a default set of user rights that you can change for extra security. To provide users or groups with the appropriate rights, use the Terminal Services Configuration snap-in Permissions tab to add these groups or users and to modify permissions. For more information about managing permissions, see "Managing permissions on connections" in Help and Support Center for Windows Server 2003.





Important

By default, the Remote Desktop Users local group for Windows Server 2003 Terminal Server is empty.


Populate the Remote Desktop Users group with your Terminal Services users group by using the Computer Management tool. For more information about populating the Remote Desktop Users group, see "Add users to the Remote Desktop Users group" in Help and Support Center for Windows Server 2003.

To control who can add members to the Remote Desktop Users group, add this group to Restricted Groups by using the following procedure:



To add the Remote Desktop Users group to Restricted Groups

    1. In the Security Templates Microsoft Management Console (MMC) snap-in, create a new template, or use an existing one.
    2. In the navigation pane, right-click Restricted Groups in the template, click Add Group, and then type Remote Desktop Users.
    3. In the details pane, double-click Remote Desktop Users, click Add Members, and select the users who you want to add to this group.
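The same Restricted Groups control written as a security template and applied with secedit, added here as an example that is not the Deployment Kit's own: the script writes a template whose [Group Membership] section pins the membership of Remote Desktop Users (well-known SID S-1-5-32-555) to a single domain group, applies only that area, and lists the resulting members. The domain group CONTOSO\TS Users, the file paths and the template key spelling are the author's assumptions.

```batch
@echo off
setlocal
rem Added example, not from the Deployment Kit. Run as an administrator on the
rem terminal server. Assumed: domain group "CONTOSO\TS Users" and the paths below.

set "TSGROUP=CONTOSO\TS Users"
set "TEMPLATE=%SystemRoot%\security\templates\ts-rdu.inf"
set "DB=%SystemRoot%\security\Database\ts-rdu.sdb"
set "LOG=%SystemRoot%\security\logs\ts-rdu.log"

rem Restricted Groups live in the [Group Membership] section of a template
rem (key spelling assumed). S-1-5-32-555 is the built-in Remote Desktop Users
rem group; an empty __Memberof keeps it out of other groups, __Members pins its
rem membership, so anything added by hand later is removed on the next apply.
(
    echo [Version]
    echo signature="$CHICAGO$"
    echo Revision=1
    echo [Group Membership]
    echo *S-1-5-32-555__Memberof =
    echo *S-1-5-32-555__Members = %TSGROUP%
) > "%TEMPLATE%"

rem Apply only the group-membership area so no other policy area is touched.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /areas GROUP_MGMT /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported an error; see "%LOG%"
    exit /b 1
)

rem Verify: the only member listed should now be the assumed domain group.
net localgroup "Remote Desktop Users"
endlocal
```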





Planning for Automatic Logon


With Terminal Server, you can allow users to connect without entering a user name and password. You can do this on a per-user basis through the Remote Desktop Connection tool or on a per-server basis through TSCC or through Group Policy.

When you enable this, anyone with a Remote Desktop client can log on to the server. Use this connection method only in conjunction with starting users directly into a line-of-business application, especially if the application itself requires a password for access. You can enable this setting on a per-user basis through the Remote Desktop Connection tool or Group Policy or on a per-server basis through TSCC or through Group Policy. A per-server automatic logon policy is appropriate when a server is dedicated to a particular task-based application. If a server hosts more than one application, assign automatic logon on a per-user basis.


Editing User-Specific Logon Information


When users log on to the system, Terminal Services executes a batch file called UsrLogon.cmd in the system32 directory to make any modifications to the end-user environment and to ensure that users can run their applications correctly. If Terminal Server modifications are necessary to the user environment, you can make them by editing this file. Be aware that editing this file can affect the logon compatibility scripts that were written for applications. For more information about compatibility scripts, see "Identifying Ideal Candidates for Hosting" earlier in this chapter.

In your logon scripts, consider checking for the presence of the environment variables clientname or sessionname. These environment variables are Terminal Server-specific, and they only appear in a user environment when the user is logged on to a terminal server. You might choose to make changes to the user environment, for example omitting the execution of antivirus software, if the script determines that the environment is running on Terminal Server.
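A fragment for such a logon script, added here as an example and not code from the Deployment Kit: it uses the Terminal Server-specific variables to tell a session on the terminal server from a console or desktop logon, maps the users' home share to one fixed drive letter, as the earlier note about application compatibility scripts asks for, and keeps desktop-only work out of the session branch. The share \\FILESRV01\TSHome, the drive letter H: and the log file location are assumptions.

```batch
@echo off
rem Added example, not from the Deployment Kit: logon-script fragment that
rem branches on the Terminal Server-specific variables CLIENTNAME / SESSIONNAME.
rem Assumed: home share \\FILESRV01\TSHome\<user>, drive letter H:, log in %TEMP%.

set "TSHOME_SHARE=\\FILESRV01\TSHome"
set "TSHOME_DRIVE=H:"
set "LOGFILE=%TEMP%\logon-%USERNAME%.log"

rem CLIENTNAME and SESSIONNAME are set only inside a Terminal Server session;
rem a logon at the server's own console reports SESSIONNAME=Console, so it is
rem treated like a desktop logon here.
set "IN_TS_SESSION=0"
if defined CLIENTNAME (
    if /i not "%SESSIONNAME%"=="Console" set "IN_TS_SESSION=1"
)

if "%IN_TS_SESSION%"=="1" goto :ts_session
goto :desktop

:ts_session
echo %DATE% %TIME% TS session %SESSIONNAME% from client %CLIENTNAME% >> "%LOGFILE%"

rem Use the same letter on every server in the farm: application compatibility
rem scripts record the letter once and reuse it afterwards. If the letter is
rem already taken, net use fails and the failure is logged rather than hidden.
net use %TSHOME_DRIVE% "%TSHOME_SHARE%\%USERNAME%" /persistent:no >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% WARNING: could not map %TSHOME_DRIVE% to %TSHOME_SHARE%\%USERNAME% >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% mapped %TSHOME_DRIVE% to %TSHOME_SHARE%\%USERNAME% >> "%LOGFILE%"
)
rem Nothing from the desktop branch runs here, so per-machine tasks are not
rem repeated once per concurrent user on the terminal server.
goto :end

:desktop
echo %DATE% %TIME% desktop logon on %COMPUTERNAME% >> "%LOGFILE%"
rem Desktop-only tasks (local shortcut refresh, per-machine checks) belong here.
goto :end

:end
exit /b 0
```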

Internet Explorer Enhanced Security Configuration


Windows Server 2003 is installed with the Internet Explorer Enhanced Security Configuration enabled. This configuration decreases the exposure of your server to attacks that can occur through Web content and application scripts. As a result, some Web sites might not display or perform as expected. For a better user experience with Terminal Server, remove the enhanced security configuration from members of the Users group. Because these users have fewer privileges on the server, they present a lower level of risk if they are victims of an attack. This configuration allows users to browse Internet and intranet sites much as if they were using a stand-alone desktop computer.

For more information about Internet Explorer Enhanced Security Configuration settings, see "Enabling Terminal Server Using an Automated Installation Method" later in this chapter.
