MCITP Windows Server 2008 Server Administrator Study Guide, part 8

Chapter 6
Monitoring and Maintaining Print and File Servers
16. You manage two Windows Server 2008 servers in a medium-sized domain. The domain
functional level is Windows Server 2003. You want to configure a replication group so
that data folders on one member server are identical to the data folders on another member
server. What service will accomplish this?
A. DFS
B. FRS
C. WDS
D. DNS
17. You are an administrator in a domain running several Windows Server 2008 file servers.
You want to stand up a DFS server to organize the shares on all the servers onto a single
DFS namespace. Further, you want to place this DFS server into a cluster for fault tolerance.
What type of DFS should you configure?
A. Stand-alone
B. Domain-based
C. FRS-based
D. Windows Server 2008 mode–based
18. You are an administrator in a domain running several Windows Server 2008 file servers. You
have two DFS servers in your organization, and you want to create a single DFS namespace
that is stored on each of the DFS servers. What type of DFS should you configure?
A. Stand-alone
B. Domain-based
C. FRS-based
D. Multiple root–based
19. You administer a Windows Server 2008 file server that hosts multiple shares. You have
learned that some users are storing copyrighted files (such as pirated MP3s) on some of
the shares. You want to prevent the storage of these types of files and also have access to

and do other administrative tasks on the domain controller without granting him administrative rights to the domain. Neither the Power Users group nor the Local Administrators group exists on a domain controller. Adding Joe to the Domain Administrators group would grant him significant privileges and violate a basic security tenet of least privilege.
2. C. The Co-owner role is granted Full Control permissions and Modify permissions. There
isn’t such a thing as a Full Control role, but Full Control permissions can be granted. You
can’t add someone to the Owner role. Instead, someone is an owner if she created an object
or she took ownership of an object. The Contributor role would not grant the ability to
modify permissions.
3. D. The Contributor role is granted permissions necessary to create files within a share. The
Reader role would allow users to only read files, not make any changes. The Creator-Owner
isn’t a role, but a Windows group used to identify the user who created an object. Owners can
modify permissions. There is no such role as Modifier.
4. C. The Reader role is granted permissions necessary to read files within a share. There is
no such role as a DL_Reader or Read permissions. The Contributor role would allow users
to make modifications to the files, but only read permissions should be granted.
5. A. With offline files, Sally’s data will be synchronized to her laptop when she logs on and
logs off. This will give her access to her data files no matter where she is located. For Sally to
access the data on the server, it must already be shared. Posting a CEO’s data on a web server
(Internet Information Services) wouldn’t be very safe and wouldn’t necessarily give her access
to her data from anywhere. A virtual private network connection is a possibility but would be
much more complex and expensive to implement. Using offline files is a simpler solution.
6. D. By selecting Optimized for Performance, you ensure that data changes are synchronized down to the client but not synchronized back up to the server. The Offline Settings page does not have a One-Way Caching selection, but Optimized for Performance works as one-way caching. If you selected Deny Write for either NTFS or share permissions, users wouldn’t be able to create files or make changes to files on the share. Although that may or may not be desirable, the question only wanted to stop synchronization.
7. D. The File Server Resource Manager (FSRM) allows you to implement quotas on a volume or folder basis. Since a share is created from a folder, you could implement a quota restric-

to raise the domain functional level to Windows Server 2008 and migrate FRS to DFS. The
forest functional level does not matter. There is no DFS role.
12. D. The File Services role needs to be installed in order to add the DFS service. The Windows System Resource Manager (WSRM) is used to limit the amount of CPU and memory resources that an application is using. Windows Software Update Services (WSUS) is used to deploy updates to computers, and Windows Deployment Services (WDS) is used to automate deployments of operating systems.
13. A. The Windows search service is a File Services role service that can be added to increase
performance of searches on a file server. Indexing is an older Windows Server 2003 search
service that could be added, but the Windows search service performs better. It would not
make sense to copy the centralized data to 100 different systems. Asking users to limit
searches isn’t a reasonable request when there’s a technical method to improve searches.
14. B. File Replication Service (FRS) is being used for replication of the sysvol folder (Group
Policy files and scripts). Distributed File System (DFS) replication of sysvol is supported only
when the domain functional level is Windows Server 2008. Since some domain controllers
are running Windows Server 2003, the domain functional level cannot be Windows Server
2008. Windows Deployment Services (WDS) is used to automate deployments of operating
systems. Windows Software Update Services (WSUS) is used to deploy updates to computers.
15. A. You should configure Distributed File System (DFS) replication. Specifically, you’d create a replication group including both servers as member servers with replicated folders. A DFS namespace doesn’t necessarily replicate data but instead provides a method of organizing content in a single namespace to make it easier for the user. File Replication Service (FRS) was the file replication service used for data prior to Windows Server 2003 R2. As a side note, FRS is still used for replication of the Active Directory sysvol folder on domain control-

it wouldn’t work. A full mesh topology would require each branch office to be connected
to every other branch office so network traffic would not be minimized.
Chapter 7
Planning Terminal Services Servers
MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Planning for Server Deployment
Plan Infrastructure Services Server Roles. May include but is not limited to: address assignment, name resolution, network access control, directory services, application services, certificate services.
Planning Application and Data Provisioning
Provision Applications. May include but is not limited to: presentation virtualization, terminal server infrastructure, resource allocation, application virtualization alternatives, application deployment, System Center Configuration Manager.
Provision Data. May include but is not limited to: shared resources, offline data access.
Terminal Services (TS) is a key application server role you
should understand. It includes several TS services that allow
you to host full desktops or single applications.
Although Terminal Services is most often hosted on a server within your network specifi-

FIGURE 7.1 Running Terminal Services on a server
(Figure: Client1, Client2 and Client3 each connect to TS1; TS1 server memory holds the Server OS alongside a Client1 Session, a Client2 Session and a Client3 Session.)
In the figure, you can see that each client is running a session on the server. This session
could be an individual application or a complete desktop session.
Why would you want to do such a thing?
Imagine a large insurance company. I envision dozens of operators (maybe more) in a
huge room just sitting and waiting for you to call for an insurance quote. Once you call and
ask your questions, they begin typing information into a computer program so they can
give you an accurate quote.
This computer program is highly specialized for that insurance company only, otherwise known as a line-of-business application. You could deploy the application to the computers for each person answering phones. However, if you needed to make a change, you’d need to change each system.
On the other hand, if you deployed the application to a terminal server, you would need
to make the change in only one location.
Terminal Services can be used by administrators to remotely administer
servers and also by end users. Except for TS Web Access, the Terminal
Services role does not need to be installed to remotely administer a server.
For a review of how this is done, take a look at Chapter 3.

reconnect to the same server. Disconnected users will be able to reconnect to the same session without any loss of data.
TS Web Access TS Web Access is a role service within the Terminal Services role. With
TS Web Access configured, users can connect from a web browser to the remote desktop
of a server or a client computer. Programs that can run in the browser via TS Web Access
are known as TS RemoteApp applications. TS RemoteApp programs are accessible over the
Internet or over an intranet using Internet technologies.
TS Licensing Terminal Services client access licenses (TS CALs) are required for devices and clients that will access a TS server. TS Licensing is a management system used to manage TS CALs. TS Licensing can be used to install, issue, and monitor the availability of TS CALs on a TS server. When Terminal Services is first installed, you are granted a 120-day grace period for licensing. During that grace period you can determine how many licenses you’ll need and purchase them. After the grace period expires, users will no longer be able to access the terminal server.
Users are able to access a Terminal Services server from within a network or over the
Internet.
Terminal Services Role
The first step in configuring a terminal server is to add the Terminal Services role. You can
add all the supporting services at the same time or install Terminal Services first and then add
the supporting services later.
If you want to install Terminal Services specifically to allow users to run specific applications from within your network, you should take the following steps:
1. Add the Terminal Services role. (No additional role services are required.)
2. Change the installation mode to install applications.
3. Install an application.
4. Change the installation mode to execute applications.


The client computer must be using at least Remote Desktop Connection 6.0 (RDC 6.0).

The client computer must be able to support the Credential Security Support Provider (CredSSP) protocol.
Windows Vista and Windows Server 2008 clients use RDC 6.0 and support the CredSSP protocol by default. If you’re supporting down-level clients (such as Windows XP and Windows Server 2003), you need to do some checks:
Windows XP needs to have at least SP2 installed.
Windows Server 2003 needs to have at least SP1 installed.
With the proper service packs, Windows XP and Windows Server 2003 can support NLA.
For more information on the Remote Desktop Client 6.0 and how it can run on down-level clients, check out Knowledge Base article 925876 on Microsoft’s website. The easiest way to get there is to enter KB 925876 in your favorite search engine.
You can tell whether your version of Remote Desktop Connection supports NLA by
clicking the icon at the top left of the window and selecting About. Your display will look
similar to Figure 7.2. If NLA is supported, the About box will include the phrase “Network
Level Authentication Supported.”
FIGURE 7.2 Verifying NLA support in RDC
When installing the Terminal Services role, you will be able to choose from the following

EXERCISE 7.1
(continued)
7. You can add other role services to provide more Terminal Services functionality. For
this exercise, only the Terminal Server service is added. Click Next.
8. Review the information on application compatibility issues. Click Next.
9. On the Specify Authentication Method for Terminal Server page, select Require Network Level Authentication, and click Next.
10. On the Specify Licensing Mode page, select Configure Later, and click Next.
11. On the Select User Groups Allowed Access to This Terminal Server page, verify that the
Administrators group is added, and click Next. For a production server, you would also
add the group that contains users to whom you want to grant access. As an example,
you may have a global group named G_TelephoneOperators that includes all the users
answering the phones. You could add the G_TelephoneOperators group on this page to
grant these users access to the terminal server.
12. On the Confirm Installation Selections page, review the information, and click Install.
13. When the installation completes, the Installation Results page will appear letting you
know you must restart the server. Click Close.
14. On the Add Roles Wizard page prompting you to restart, click Yes to restart your server.
15. After you reboot and log back on, the Installation Results page will appear. It should
look similar to the following image. Click Close.
At this point, the terminal server will accept remote sessions by users. However, since

3. From the command line, enter Change user /execute.
Vista Desktop Experience
When users connect to a terminal server on Windows Server 2008, the look and feel is that of a Windows Server 2008 server. For users who connect with Windows Vista, it is possible for the Windows Server 2008 Terminal Services session to emulate a Windows Vista desktop experience.
To support this, you must add the Desktop Experience feature to the terminal server via
the Add Features link in Server Manager. Once the Desktop Experience feature is installed,
Windows Vista applications (such as Windows Media Player and Windows Calendar) will
appear on the All Programs menu.
Terminal Services and the Firewall
When Terminal Services is installed, the Windows Firewall settings on the server are automatically configured with the following exceptions:
Remote Desktop
Terminal Services
If you need to provide access to Terminal Services through a firewall external to your
terminal server, you need to ensure that port 3389 is open. In other words, if users are
accessing your terminal server through the Internet, you’d open port 3389 at the company
firewall between the network and the Internet.
The exception to opening port 3389 is to stand up a TS Gateway and provide access via
port 443 (using RDP over SSL) as discussed later in this chapter.
Terminal Services and WSRM
The Windows System Resource Manager (WSRM) was explained in more depth in
Chapter 3. You can use WSRM to control how much CPU and memory resources are
allocated to individual users or individual sessions within Terminal Services.
WSRM is a new feature available in Windows Server 2008. Its ability to
throttle the CPU and memory resource usage on a per-user or per-session
basis can be very valuable on a high-capacity terminal server.


program.
Click a link on a website by using TS Web Access.

Exercise 7.2 shows you the steps to follow to add a RemoteApp program to your Terminal
Services server and how to make it accessible from another system.
This exercise assumes you can find a Windows Installer file (*.msi) to use. If this is not possible, you can skip the steps of installing an application and instead make an installed application available as a RemoteApp program. Not all applications will work if they weren’t installed when the terminal server was in install mode. However, the Server Manager application will work for this exercise.
EXERCISE 7.2
Installing a RemoteApp Program
1. Launch a command prompt by clicking Start and entering CMD in the Search line.
2. On the command line, enter change user /install.
The command should respond with the text “User Session is Ready to Install
Applications.”
3. Launch an application’s Windows Installer file (.msi file). The program you install isn’t as important as the process of installing an application from the Windows Installer file. For example, you could download the Windows Automated Installation Kit (WAIK), burn it to a CD, and launch the WAIK installation program by clicking StartCD and then clicking the Windows AIK Setup link.
11. On the Review Settings page, review the information, and click Finish.
12. Back in Server Manager, ensure the TS RemoteApp Manager is still selected. Select
the application you installed in the RemoteApp Programs pane at the bottom. Right-
click your application to reveal the context menu, as shown in the following image.
13. Select Create .rdp File.
14. On the Wizard Welcome page, click Next.
15. On the Specify Package Settings page, review the settings. Notice that the default location is the C:\Program Files\Packaged Programs folder. Click Next.
16. On the Review Settings page, click Finish. Windows Explorer is opened to the folder you specified, and the .rdp file is available there.
17. Return to Server Manager, right-click your application in the RemoteApp Programs
pane, and select Create Windows Installer Package.
18. On the Wizard Welcome page, click Next.
19. On the Specify Package Settings page, review the settings. Notice that the default location is the C:\Program Files\Packaged Programs folder. Click Next.
20. Review the information on the Configure Distribution Package page, as shown in the
following image. Notice that you can select the shortcut to appear on the desktop or
in a folder that you specify. The default folder is Remote Programs, but you could just
as easily change the folder to the name of the application, so there is no real indication
that it is a remote application. Click Next.
TS RemoteApp programs The application will run on the server but appear in its own
window on the client’s desktop. For example, you may want users to have access to only a
single application instead of a full desktop.
Remote Desktop–enabled servers and clients Any server or client that has Remote Desktop enabled can be accessible via TS Gateway. Administrators can use this to remotely administer servers. Clients can use this to remotely access their desktops.
For a big picture overview of TS Gateway, take a look at Figure 7.4.
FIGURE 7.4 Using TS Gateway to access Terminal Services resources
(Figure: a client running RDC on the Internet reaches the TS Gateway through port 443, which is open at the perimeter; behind the gateway, port 3389 is open to the terminal server hosting a TS RemoteApp program and to Remote Desktop–enabled clients.)
In the figure, you can see that an external client running Remote Desktop Connection
is able to access internal resources from the Internet via TS Gateway. Although Terminal
Services traditionally uses port 3389 at the firewall, opening port 3389 is often frowned
upon by security-conscious firewall administrators.
TS Gateway instead uses the HTTPS port (port 443) that is typically open anyway. TS
Gateway uses the Remote Desktop Protocol over Secure Sockets Layer (SSL) for encryption

what the security-conscious firewall admin hears when you ask him to open a port on the
firewall. Expect to spend a lot of time and energy justifying the action.
On the other hand, if an application uses a port that’s already open, you don’t have to ask
for any changes. Since port 80 and port 443 are often already open for HTTP and HTTPS,
respectively, using these ports for other purposes (such as RDP over SSL) makes sense.
One of the benefits of using TS Gateway is that access can be granted without needing to
create a virtual private network (VPN) using a remote access server. A VPN grants access
to an entire network, while TS Gateway can be used to provide access to a specific server or
a specific application.
In addition to the Terminal Services role, the following role services should also be
installed on the server hosting the TS Gateway server:
Web Server (IIS) The Web Server (IIS) service includes the Web Server services and the
Management Tools services. The web server accepts the HTTPS requests from the Internet
and allows predefined connections through to internal resources.
Network Policy and Access Services This service includes the Network Policy Server
(NPS) service. The NPS service can be used to inspect clients for specific health issues (such
as the existence of up-to-date antivirus tools) before access is granted.
Network Access Protection (NAP) can be used to protect the internal network. For example,
you can use NAP to ensure that TS clients have antivirus software installed, or the Windows
Firewall is enabled. NAP was covered in more detail in Chapter 4.
RPC over HTTP Proxy The Remote Procedure Call (RPC) over HTTP Proxy service
performs the intermediary role for RPC clients to connect across the Internet to RPC
server programs.
Windows Process Activation Service This includes the Process Model service. The Windows Process Activation Service is used to generalize the IIS process model and eliminate the dependency on HTTP. This allows non-HTTP applications to be hosted on IIS.

When you create a TS RAP, you specify that users can connect to any computer on the network or that users can connect only to computers within a group. For example, you may want users to connect to only three servers, named TS1, TS2, and TS3. You can create a group named TSServers; add TS1, TS2, and TS3 to the group; and then add the TSServers group to the Terminal Services resource authorization policy.
The difference between the TS CAP and the TS RAP is that the TS CAP is used to define who can connect (by restricting users) and the TS RAP identifies the servers they can connect with (by restricting servers).
You can also use TS Network Access Protection (TS NAP) to restrict access to a terminal server. Network Access Protection was explained in more detail in Chapter 4, “Monitoring and Maintaining Network Infrastructure Servers,” but in short you can use TS NAP to restrict clients based on their health or configuration.
For example, a NAP policy can inspect a client to ensure anti-malware software is
installed and up-to-date or the Windows Firewall is enabled. If the client doesn’t meet the
requirements, a health certificate will not be issued and the client will be prevented from
accessing the network.
Terminal Services Session Broker
TS Session Broker is needed only when you are running multiple TS servers. TS Session
Broker provides two primary functions:
Load balancing With load balancing, you can distribute the load between multiple servers in a load-balanced terminal server farm. Once installed and configured, the TS Session Broker will automatically send new sessions to the server with the fewest sessions.
Session state management Session state is information about a user’s session when connected to a TS server. If a user disconnects and reconnects, you would want them to be recon-

(Figure: a terminal server farm of TS1, TS2, TS3 and TS4, with TS3 running TS Session Broker; clients first reach a farm member through round-robin DNS.)
1. In step 1, the user queries DNS for the IP address of a terminal server. Round-robin DNS could be used. With round-robin, DNS gives the IP address of TS1 first. For the next request, DNS gives the IP address of TS2, and so on, until all terminal servers have been included. DNS then starts back on TS1.
2. In step 2, the user authenticates with the terminal server identified by DNS. In the
figure, the user has been referred to TS2 by DNS and authenticates with TS2.
3. In step 3, the authenticating terminal server queries the terminal server running TS
Session Broker (TS3). The TS Session Broker identifies the TS server that has the fewest
connections (TS4 in the figure). The authenticating terminal server redirects the client
to TS4.
4. The client connects to TS4 in step 4.
Of course, all of this is transparent to the user. The user starts the session, authenticates,
and then connects to the session.
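The four-step flow above, as an added Python simulation that is not code from the study guide: round-robin DNS hands out farm members in turn, the broker sends a new user to the member with the fewest sessions, and a user who disconnects is sent back to the session they already own (session state management). Server names TS1 to TS4 follow the text; the farm host name, the addresses and the pre-existing session counts are constructed sample data.

```python
"""Simulation of the TS Session Broker connection flow (added example)."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class TerminalServer:
    name: str
    ip: str                                   # constructed sample address
    sessions: dict = field(default_factory=dict)  # user -> "active" | "disconnected"


class RoundRobinDns:
    """Step 1: answers each query with the next farm member, wrapping to TS1."""

    def __init__(self, servers):
        self._cycle = cycle(servers)

    def resolve(self, hostname):
        return next(self._cycle)


class SessionBroker:
    """Runs on one farm member (TS3 in the text) and tracks every session in the farm."""

    def __init__(self, farm):
        self.farm = {s.name: s for s in farm}

    def pick_server(self, user):
        # Session state management: an existing (possibly disconnected)
        # session wins, so the user lands back on the same server.
        for server in self.farm.values():
            if user in server.sessions:
                return server
        # Load balancing: a brand-new session goes to the member with the
        # fewest sessions; ties resolve to the first member in farm order.
        return min(self.farm.values(), key=lambda s: len(s.sessions))


def connect(user, dns, broker, farm_name="tsfarm.example.local"):
    """Steps 1-4: resolve, authenticate at that server, ask the broker, redirect.

    Returns (server the user authenticated with, server the session runs on).
    Authentication is assumed to succeed; the simulation models only routing.
    """
    first_hop = dns.resolve(farm_name)          # step 1: DNS answer (round-robin)
    authenticated_at = first_hop.name           # step 2: user authenticates there
    target = broker.pick_server(user)           # step 3: that server queries the broker
    target.sessions[user] = "active"            # step 4: client is redirected to target
    return authenticated_at, target.name


def disconnect(user, broker):
    """Marks the user's session disconnected (it stays in memory) and returns its server."""
    for server in broker.farm.values():
        if user in server.sessions:
            server.sessions[user] = "disconnected"
            return server.name
    return None


def build_farm():
    """Constructed farm state: TS1 is busiest, TS4 is quietest."""
    return [
        TerminalServer("TS1", "10.0.0.1", dict.fromkeys(["u1", "u2", "u3"], "active")),
        TerminalServer("TS2", "10.0.0.2", dict.fromkeys(["u4", "u5"], "active")),
        TerminalServer("TS3", "10.0.0.3", dict.fromkeys(["u6", "u7"], "active")),
        TerminalServer("TS4", "10.0.0.4", dict.fromkeys(["u8"], "active")),
    ]


if __name__ == "__main__":
    farm = build_farm()
    dns, broker = RoundRobinDns(farm), SessionBroker(farm)
    print("alice:", connect("alice", dns, broker))       # ('TS1', 'TS4')
    print("alice disconnected from", disconnect("alice", broker))
    print("alice again:", connect("alice", dns, broker))  # ('TS2', 'TS4')
```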
Terminal Services Web Access
TS Web Access is used to provide access to Terminal Services RemoteApp programs via a web browser. Additionally, users can connect to computers where they have Remote Desktop access.
Although TS Web Access and TS Gateway may sound similar, the difference
is in how they connect. Users connect via TS Gateway using Remote Desk-
top Connection, while users connect via TS Web Access via a web browser.
can be an Internet-facing server to accept connections but have access to an internal terminal server hosting TS RemoteApp programs.
As mentioned earlier in this chapter, you can access a test-drive of the TS Web Access at the following link:
Terminal Services Licensing
When using Terminal Services (TS) to allow users to remotely create desktops or run TS RemoteApp applications, you often need a TS Client Access License (TS CAL) for the connection. Creating, tracking, and maintaining these licenses can be quite challenging.
TS Licensing is an additional role service you can add after installing the Terminal Services
role for the management of TS licenses. You must have at least one license.
When you first install the Terminal Services role, you are granted a grace period of 120 days on Windows Server 2008 servers. During the grace period, a terminal server can accept connections without licenses. The grace period begins the first time a terminal server accepts a client connection. When a permanent TS CAL is issued by a license server to a client connecting to a terminal server, the grace period ends even if the 120-day grace period hasn’t been reached.