PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2010 by Christa Anderson
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2010934986

Printed and bound in the United States of America.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author's views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Valerie Woolley and Megan Smith-Creed
Editorial Production: Custom Editorial Productions, Inc.
Technical Reviewer: Alex Juschin; Technical Review services provided by Content Master, a member of CM Group, Ltd.
Cover: Cover Design: Tom Draper Design; Illustration: Todd Daman
Body Part No. X17-21601

I dedicate this book to my family, who has always been supportive, always pushes me to do the very best I can do, and always has a "Go team!" waiting when I really need one.
—Christa

I dedicate this book to Elizabeth Nelson Lyda and Michael B. Smith for taking me under your
wing back in the day, and for always believing in me. You were great mentors and are great
friends.
—Kristin

Contents at a Glance

Acknowledgments xv
Introduction xvii

CHAPTER 1 Introducing Remote Desktop Services 1
CHAPTER 2 Key Architectural Concepts for Remote Desktop Services 39
CHAPTER 3 Deploying a Single Remote Desktop Session Host Server 117
CHAPTER 4 Deploying a Single Remote Desktop Virtualization Host Server 175
CHAPTER 5 Managing User Data in a Remote Desktop Services Deployment 225
CHAPTER 6 Customizing the User Experience 291
CHAPTER 7 Molding and Securing the User Environment 363
CHAPTER 8 Securing Remote Desktop Protocol Connections 401
CHAPTER 9 Multi-Server Deployments 423
CHAPTER 10 Making Remote Desktop Services Available from the Internet 507
CHAPTER 11 Managing Remote Desktop Sessions 589
CHAPTER 12 Licensing Remote Desktop Services 643

Index 677

Contents
Acknowledgments xv
Introduction xvii

Chapter 1 Introducing Remote Desktop Services 1

Where Did RDS Come From? 2
    Citrix MultiWin 2
    Windows NT, Terminal Server Edition 2
    Windows 2000 Server 3
    Windows Server 2003 3
    Windows Server 2008 4
    Windows Server 2008 R2 and RDS 4
    The Evolving Remote Client Access Experience 6
What Can You Do with RDS? 7
    Improved Security for Remote Users 8
    Provisioning New Users Rapidly 9
    Enabling Remote Work 9
    Bringing Windows to PC-Unfriendly Environments 10
    Business Continuity and Disaster Recovery 11
    Supporting Green Computing 11
    Improved Command-Line Support 12
RDS for Windows Server 2008 R2: New Features 12
    The Changing Character of RD Session Host Usage 13
    New RDS Technology in Windows Server 2008 R2 19
    RDS Roles in Windows Server 2008 R2 24
How Other Services Support RDS 32
    The Client Connection 33
    Hosting VMs 34
    Authenticating Servers with Certificates 34
    Enabling WAN Access and Displaying Remote Resources 34
    Updating User and Computer Settings 35
Functionality for RDS Scripters and Developers 35
Summary 35
Additional Resources 36

What do you think of this book? We want to hear from you!

Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:

microsoft.com/learning/booksurvey

Chapter 2 Key Architectural Concepts for Remote Desktop Services 39

Know Your Application Delivery System 40
    RD Session Host Servers 40
    RD Virtualization Host Servers 40
Relevant Windows Server 2008 R2 Internals 41
    Windows Server 2008 R2 Is 64-Bit Only 41
    How Does an RD Session Host Server Dole Out Processor Cycles? 43
    How Do RD Session Host Servers Use Memory More Efficiently? 45
    How Does Disk Affect Application Delivery? 56
    How Does Virtualization Affect Resource Usage? 59
Determining System Requirements for RD Session Host Servers 66
    Designing a Live Test 69
    Executing the Tests 70
    Using the RD Load Simulation Tool 77
    An Alternative to Full Testing: Extrapolation 91
    Other Sizing Questions 95
Supporting Client Use Profiles 99
    Client Hardware: PC or Thin Client? 99
    What Is the Best License Model? 100
    What Applications Can Run on an RD Session Host Server? 101
    What Version of Remote Desktop Connection Do I Need? 109
    What Role Services Do I Need to Support My Business? 114
Summary 114
Additional Resources 115

Chapter 3 Deploying a Single Remote Desktop Session Host Server 117

How RD Session Host Servers Work 117
    Services Supporting RD Session Host 117
    Creating and Supporting a Session 119
Installing an RD Session Host Server 134
    Installing an RD Session Host Server Using the Administrative Tools Interface 134
    Installing an RD Session Host Server from the Command Line 142
Essential RD Session Host Configuration 144
    Allocating Processor Time 145
    Enabling Plug and Play Redirection with the Desktop Experience 150
    Adjusting Server Settings with Remote Desktop Configuration 150
Installing Applications on an RD Session Host Server 164
    Which Applications Will Work? 165
    Storing Application-Specific Data 168
    Avoiding Overwriting User Profile Data 170
    Populating the Shadow Key 171
Summary 174
Additional Resources 174

Chapter 4 Deploying a Single Remote Desktop Virtualization Host Server 175

What Is VDI? 175
How Microsoft VDI Works 178
    The Central Role of the RD Connection Broker 179
    Discovering a VM 181
    Brokering a Connection 182
    Orchestrating a VM 184
    Connecting to a VM Pool 185
    Connecting to a Disconnected Session 186
    Rolling Back a VM 186
    Connecting to a Personal Desktop 187
Installing Supporting Roles for VDI 188
    Installing the RD Virtualization Host 190
    Installing RD Virtualization Host Role Service via Windows PowerShell 192
    Installing RD Connection Broker 193
    Configuring RD Web Access 195
    Configuring the RD Connection Broker Server 197
    Setting Up VMs 203
    Creating Pools 209
    Assigning Personal Desktops 212
    Configuring Personal and Pooled VM Properties 216
Using RemoteApp for Hyper-V for Application Compatibility 218
    Configuring RemoteApp on Hyper-V 220
    Can You Use RemoteApp for Hyper-V Without RDS? 222
Summary 224
Additional Resources 224

Chapter 5 Managing User Data in a Remote Desktop Services Deployment 225

How Profiles Work 226
    Types of Profiles 227
    How Profiles Are Created 228
    Profile Contents External to the Registry 233
    Storing Profiles 239
    Providing a Consistent Environment 241
Design Guidelines for User Profiles 242
    Balance Flexibility and Lockdown 243
    Use Folder Redirection 244
    Compartmentalize When Necessary 244
    Prevent Users from Losing Files on the Desktop 245
    Upload Profile Registry Settings in the Background 246
    Speed Up Logons 246
Deploying Roaming Profiles with Remote Desktop Services 248
    Creating a New Roaming Profile 248
    Converting an Existing Local Profile to a Roaming Profile 254
    Customizing a Default Profile 255
    Using Group Policy to Manage Roaming Profiles 257
    Using Group Policy to Define the Roaming Profile Share 267
    Speeding Up Logons 268
    Centralizing Personal Data with Folder Redirection 275
    Sharing Personal Folders Between Local and Remote Environments 278
    Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles 279
    Setting Standards with Mandatory Profiles 281
    Converting Existing Roaming Profiles to Mandatory Profiles 283
    Creating a Single Mandatory Profile 284
    Creating a Safe Read-Only Desktop 286
    Decrease Logon Times with Local Mandatory Profiles 286
Profile and Folder Redirection Troubleshooting Tips 287
Summary 288
Additional Resources 289

Chapter 6 Customizing the User Experience 291

How Remoting Works 291
    What Defines the Remote Client Experience? 293
    The Foundation of RDP: Virtual Channels and PDUs 296
    Basic Graphics Remoting 299
    Advanced Graphics Remoting 305
Moving the Client Experience to the Remote Session 307
    Which Client Devices Can You Add to the Remote Session? 307
    Pros and Cons of Redirecting Resources 313
    Device and File System Redirection 314
    Playing Audio 326
    How the RDC Version Affects the User Experience, or Doesn't 330
Printing with RDP 334
    Printing to a Directly Connected Printer 335
    Printing via Redirected Printers 337
    Printing from Remote Desktop Services 344
    When You Cannot Use RD Easy Print 350
    Controlling Printer Redirection 354
    Troubleshooting Printing Issues 358
Summary 359
Additional Resources 360

Chapter 7 Molding and Securing the User Environment 363

Locking Down the Server 364
    Restricting Device and Resource Redirection 365
    Preventing Users from Reconfiguring the Server 367
    Preventing Access to the Registry 368
    Closing Back Doors on RD Session Host Servers 369
    Controlling Libraries 375
Preventing Users from Running Unwanted Applications 376
    Using Software Restriction Policies 378
    Using AppLocker 381
Creating a Read-Only Start Menu 391
Keeping the RD Session Host Server Available 393
    Allowing or Denying Access to the RD Session Host Server 393
    Limiting the Number of RD Session Host Server Connections 393
    Setting Session Time Limits 394
Taking Remote Control of User Sessions 394
Summary 398
Additional Resources 398

Chapter 8 Securing Remote Desktop Protocol Connections 401

Core Security Technologies 402
    Transport Layer Security 402
    Credential Security Service Provider 405
Using RDP Encryption 409
    Understanding Encryption Settings 409
    Choosing Encryption Settings 410
Authenticating Server Identity (Server Authentication) 410
    Establishing a Kerberos Farm Identity 411
    Creating Test Certificates for a Server Farm 411
Authenticating Client Identity with Network Level Authentication (NLA) 415
Speeding Logons with Single Sign-on 416
Configuring the Security Settings on the RD Session Host Server 417
    Configuring Connection Security Using RD Session Host Configuration 417
    Configuring Connection Security Using Group Policy 419
Summary 420
Additional Resources 421

Chapter 9 Multi-Server Deployments 423

Key Concepts for Multi-Server Deployments 423
    RD Session Host Farms 424
    RemoteApp Internals 424
    Server-Side Components 426
    Client-Side Components 427
    RemoteApp Programs and Multiple Monitors 428
Creating and Deploying a Farm 431
    Distributing Initial Farm Connections 432
    Connection Brokering in a Farm Scenario 433
    RDS Farm Connection Brokering in Action 434
    Deploying RD Session Host Farms 439
    Permit RD Session Host Servers to Join RD Connection Broker 440
    Join RD Session Host Servers to a Farm 447
Publishing and Assigning Applications Using RemoteApp Manager 454
    Adding Applications to the Allow List 455
    Configuring Global RemoteApp Deployment Settings 457
    Editing RemoteApp Properties 464
    Maintaining Allow List Consistency Across the Farm 469
    Configuring Timeouts for RemoteApp Sessions 471
    Signing Already-Created RDP Files 472
    Setting Signature Policies 474
Distributing RemoteApp Programs 475
    Distributing RDP Files 475
    Distributing MSI Files 476
Delivering RemoteApp Programs and VMs Through RD Web Access 478
    RD Web Access Sources 478
    Installing the RD Web Access Role Service 481
    Configuring RD Web Access 482
    Customizing RD Web Access 488
    Troubleshooting RD Web Access Permissions 496
    Using the RD Web Access Website 497
    Using RemoteApp And Desktop Connections 502
Summary 505
Additional Resources 506

Chapter 10 Making Remote Desktop Services Available from the Internet 507

How RD Gateway Works 507
    Understanding RD Gateway Authorization Policies 509
    RD Gateway Requirements 510
Installing RD Gateway 512
    Installing RD Gateway Using Windows PowerShell 515
    Creating and Maintaining RD Gateway Authorization Policies 515
    Creating an RD CAP 516
    Creating an RD RAP 519
    Modifying an Existing Authorization Policy 521
Configuring RD Gateway Options 521
    Tuning RD Gateway Properties 522
    Using RD Gateway Computer Groups to Enable Access to a Server Farm 530
    Bypassing RD Gateway for Internal Connections 533
    Using Group Policy to Control RD Gateway Authentication Settings 533
    Monitoring and Managing Active RD Gateway Connections 534
Creating a Redundant RD Gateway Configuration 537
    Using NLB to Load Balance RD Gateway Servers 537
    Preventing Split SSL Connections on RD Gateway 542
    Maintaining Identical Settings Across an RD Gateway Farm 543
    Using NAP with RD Gateway 554
    Troubleshooting Declined Connections 573
Placing RD Web Access and RD Gateway 576
    RD Web Access for External Access 576
    RD Gateway Inside the Private Network 578
    RD Gateway in the Perimeter Network 579
    RD Gateway in the Internal Network and Bridged 581
Summary 586
Additional Resources 586

Chapter 11 Managing Remote Desktop Sessions 589

Introducing RD Session Host Management Tools 590
    The Remote Desktop Services Manager 591
    Command-Line Tools 595
    Connecting Remotely to Servers for Administrative Purposes 598
    Managing RD Session Host Servers from Windows 7 599
Organizing Servers and VMs in the Remote Desktop Services Manager 600
Monitoring and Terminating Processes 602
    Monitoring Application Use 603
    Terminating Applications 604
Monitoring and Ending User Sessions 605
    Switching Between Sessions 606
    Closing Orphaned Sessions 608
Providing Help with Remote Control 610
    Enabling Remote Control via Group Policy 612
    Enabling Remote Control via RD Session Host Configuration 614
    Shadowing a User Session 615
    Troubleshooting Session Shadowing 617
Preparing for Server Maintenance 619
    Disabling New Logons 619
    Sending Messages to Users 621
    Shutting Down and Restarting RD Session Host Servers 624
Applying RDS Management Tools 631
    Differentiating RemoteApp Sessions from Full Desktop Sessions 631
    Auditing Application Usage 633
    Auditing User Logons 639
    Closing Unresponsive Applications 640
Summary 641
Additional Resources 642

Chapter 12 Licensing Remote Desktop Services 643

The RDS Licensing Model 644
RDS Licensing 644
VDI Licensing 646
License Tracking and Enforcement 648
How RD License Servers Assign RDS CALs 648
Setting Up the RDS Licensing Infrastructure 651
    Installing RD License Server 652
    RD License Server Connection Methods 653
    Activating the License Server 653
    Background: How RDS CALs Are Tied to an RD License Server 657
    Adding License Servers to AD DS 660
    Installing RDS CALs 660
    Configuring RD Session Host Servers to Use RD License Servers 662
    Configuring RD License Servers to Allow Communication From RD Session Host Servers 663
Migrating RDS CALs from One License Server to Another 663
Rebuilding the RD License Server Database 665
Backing Up an RD License Server and Creating Redundancy 665
Managing and Reporting License Usage 667
    Revoking RDS CALs 670
    Restricting Access to RDS CALs 671
Preventing License Upgrades 673
Using the Licensing Diagnosis Tool 673
Summary 675
Additional Resources 675

Index 677

Acknowledgments

This book isn't the work of just two people. We owe many thanks to the combined efforts of a lot of people at Microsoft, our terrific set of editors, and the greater community. (All this said, any errors in this book are the sole responsibility of the authors.)

One of the best things about working at Microsoft is that a lot of very smart (and very helpful) people work there, and we are grateful for the insights of these people. Throughout this book, you'll find Direct from the Source sidebars contributed by members of the product team. We also extend our heartfelt thanks to the members of the product team who sat down with us to explain the finer details of how something worked. From the Remote Desktop Virtualization (RDV) team, we'd like to thank Niraj Agarwala, James Baker, Ara Bernardi, Tad Brockway, Vikash Bucha, Yuvraj Budhraja, Hammad Butt, Rommy Channe, Munindra Das, Silvia Doomra, Samim Erdogan, Rajesh Ganta, Costin Hagiu, Al Henriquez, Travis Howe, Olga Ivanova, Gopikrishna Kannan, Sergey Kuzin, Rob Leitman, Raghu Lingampally, Meher Malakapalli, Benjamin Meister, Ranjana Rathinam, Rajesh Ravindranath, Ray Reskusich, Sriram Sampath, Bhaskar Swarna, and Janan Venkateswaran. Even people from other teams got involved. Many thanks to Kyle Beck, Jeff Heatton, Michael Kleef, Timothy Newton, Mark Russinovich, Tom Shinder, Makarand Patwardhan, Bohdan Velushchak, Paul Volosen, and Jon Wojan for your invaluable assistance. We'd also like to thank Christa's manager, Ashwin Palekar, for his support during this project.

RDS expertise isn't limited to people at Microsoft, either. Remote Desktop Services MVPs as well as MVPs and experts from other disciplines also pitched in to contribute Direct from the Field sidebars and explain the intricacies of related technologies. Many thanks go to Janique Carbone, Brian Ehlert, Ross Harvey, Helge Klein, Russ Kaufmann, Shay Levy, Brian Madden, Patrick Rouse, Greg Shields, Michael Smith, and Mitch Tulloch.

The great team at Microsoft Press had a huge hand in turning this project from an idea into the book you hold in your hands. We'd like to thank Martin DelRe at Microsoft Press for asking us to write the first edition of the book in the first place, Megan Smith-Creed at Custom Editorial Productions, Inc., for great editing and project management on this edition, and Alex Juschin for tech editing the book. The rest of the editorial team at Custom Editorial Productions, Inc., did a terrific job of copyediting and proofing this text. Thank you all!

Finally, we'd like to thank our friends and families for their support during this big project. We couldn't have done it without you. We promise to talk about something else now.
Introduction

Welcome to the Windows Server 2008 R2 Remote Desktop Services Resource Kit! This is a detailed technical resource for planning, deploying, and running Microsoft Remote Desktop Services (RDS). Because some features of RDS are brand new, this book is valuable both for those completely new to RDS and those who have used Terminal Services (its former name) in previous versions of Microsoft Windows.

Within this resource kit, you'll find in-depth information about the improvements in RDS introduced in Windows Server 2008 R2. This book combines underlying architectural concepts with practical hands-on instructions that allow you to set up a working RDS ecosystem, understand why it's working, and give you some guidance about how to fix it when it's not. You'll also find detailed information and task-based guidance on managing all aspects of RDS, including deploying RD Session Host servers, integrating RDS role services with other key parts of the Windows Server 2008 R2 operating system, and extending the reach of RDS to outside the corporate network. Finally, the companion media includes additional tools and documentation that you can use to manage and troubleshoot RDS role services. Although we mention some third-party tools in the course of this book, this book is fundamentally about running RDS using only the tools found in the operating system. You can do what we've done here using only Windows Server 2008 R2. We also don't get into extensive discussion of any of the third-party tools that many people use with native Remote Desktop Services. For example, many people with high-complexity RDS deployments use management software from Citrix or Quest or other RDS partners, but we don't discuss it here because it's not included with the operating system.

ON THE COMPANION MEDIA  See the team partner page at http://www.microsoft.com/windowsserver2008/en/us/rds-partners.aspx for a list of companies that make products complementing or expanding on Remote Desktop Services in Windows Server 2008 R2.

What's New in Remote Desktop Services in Windows Server 2008 R2?

Remote Desktop Services in Windows Server 2008 R2 took a lot of the improvements added in Windows Server 2008 and added the features people had asked for. Want native support for VDI? It's added to RD Connection Broker. Want fewer logons, security filtering, and simplified discovery of available applications and virtual machines (VMs)? It's in the new version of RD Web Access. Want to address problems discovered via Network Access Protection (NAP), not just shut people out of the network? It's in the new edition of RD Gateway. Want improved application compatibility? See RD Session Host for IP address virtualization and dynamic fair share scheduling that proactively prevents one session from taking all the processor cycles. Want to stop installing printer drivers on both sessions and VMs? Easy Print now works for both virtualization options.
For those who went straight to Windows Server 2008 R2 from Windows Server 2003, let's take a look at what the new features add to the former model of a terminal server and a license server.

Simplified Application Delivery and Display

Terminal Services in Windows Server 2003 presented all remote applications from a desktop, completely separating the display of local and remote applications. RemoteApp programs (introduced in Windows Server 2008) launch from a server, but integrate with the local desktop so they look like they're running locally.

Not only do the applications integrate better with the local desktop, they're easier to find and distribute, thus making it easier to support a larger and more complex deployment. One of the issues in enabling remote access is how to get the most complete and up-to-date set of remote resources to your user base. This is especially true when you're providing access to individual applications, not to a full desktop. Using RD Web Access, you can present links to individual applications or to entire desktops and know that these links will always be up to date. In Windows Server 2008 R2, RD Web Access can present RemoteApp programs from more than one farm as well as VMs. It also supports security filtering, so that you can manage an aggregated source for all remote resources but display to people only the ones they should use.

Improved Farm Support

The Session Directory service in Windows Server 2003 offered the beginning of farm support, but was only available for Enterprise SKUs and didn't include any load balancing; it just kept track of where connections had gone. In Windows Server 2008 R2, RD Connection Broker is available on the Standard SKU, supports load balancing, and can broker connections to both sessions and VMs.

Secure Internet Access

One of the key benefits of Remote Desktop Services is its ability to support mobile workers. We had a great (and extremely itinerant) tech editor, RDS MVP Alex Juschin, for this edition of the book. He's got a great description of how he used Remote Desktop Services while completing his part:

In your book you can mention that I have been reviewing your book all over the world using the RDP protocol to connect to my home in Dublin via 3G or WiFi. I've worked while on a smelly Kebap Bus in Poland, in a freezing hotel in Latvia, while being driven in a high-end coach in Estonia, on the ferry to England, in a pub in Ireland, on a train going down the coast from Belfast, while tasting wine in France, sitting in a nice Brasserie on the island of Jersey, eating Belgian chocolate in Brussels, on a plane to Germany, on a bench with a beautiful view in Zurich, in a café near the Berlin Wall, in a prison in Finland (ok, hotel, but it used to be a prison), and on the highest point of Germany (Zugspitze).

In Windows Server 2003, Terminal Services didn't support secure Internet access except across virtual private networks. In Windows Server 2008 R2, Remote Desktop Services supports connectivity over Secure Sockets Layer (SSL) via RD Gateway. RD Gateway allows you to set up different rules for local and remote access and does not require any client-side setup. RD Gateway was introduced in Windows Server 2008; in R2 it now enforces device and resource redirection decisions made at the gateway and supports NAP remediation.

Simpler and Broader Device Redirection

RDS assumes that a lot of people will be working from computers with local resources, and that those people won’t want to be cut off from their resources when they’re working in their session or VM. It also assumes that the server administrators don’t want to spend more time than necessary making these resources available.

Although printer redirection, as it’s been known in earlier versions of Terminal Services, still works as it did, Easy Print, introduced in Windows Server 2008, helps simplify printer redirection. Rather than requiring administrators to install printer drivers on the server, Easy Print allows redirected printers to use the drivers already installed on the client computer. In Windows 2008 R2, RD Easy Print works with even more printer types and works from both sessions and VMs.

Part of the rich remote work experience is using local devices. Support for local devices has been expanded through the Plug and Play Device Redirection Framework, introduced in Windows Server 2008.

Simplified License Management

Per-user licensing was introduced in Windows Server 2003 but didn’t include any tracking, so you couldn’t easily tell if you were in compliance. Windows Server 2008 R2 allows you to track Per-User RDS CAL usage. Additionally, the Licensing Diagnostics feature can help you resolve licensing issues. Windows 2008 R2 RD License servers can now migrate licenses from one server to another without the help of the Microsoft Clearinghouse. This can be done even if a license server is out of commission.

This is only a partial list of new features—Chapter 1, “Introducing Remote Desktop Services,” describes the Remote Desktop Services features in Windows Server 2008 R2, and the rest of the book explains how to use them. But these are some of the highlights that show how the role has expanded in management and user experience.

ON THE COMPANION MEDIA  The authors will post data that is relevant to the Windows Server 2008 R2 Remote Desktop Services Resource Kit on the book’s blog, located at http://blog.kristinlgriffin.com/. You can find this link on the companion media.

How This Book Is Structured

Our goal in writing this book is to help you set up a working Remote Desktop Services farm, as well as VDI pooled and personal VMs using all the pieces in the operating system, while understanding the greater context of the circumstances under which Remote Desktop Services is useful, how it works, and how Windows Server 2008 R2 compares to previous versions. This book has twelve chapters.
■ Chapter 1, “Introducing Remote Desktop Services,” explains where RDS came from and how it has evolved as a platform, what new features are available in this latest iteration, and what you can accomplish with this new version of the product. It also explains how other services support RDS.
■ Chapter 2, “Key Architectural Concepts for Remote Desktop Services,” dives into RDS internals and relevant Windows Server 2008 R2 internals. It also shows you how to determine the hardware and software you will need to support this product in your environment.
■ Chapter 3, “Deploying a Single Remote Desktop Session Host Server,” shows you how RD Session Host servers work, and how to install and configure this role service.
■ Chapter 4, “Deploying a Single Remote Desktop Virtualization Host Server,” explains what VDI is, how Microsoft VDI works, and how to install and configure a RD Virtualization Host and the supporting roles.
■ Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” discusses the different types of profiles that work with RDS and how to deploy and troubleshoot user profile solutions and folder redirection.
■ Chapter 6, “Customizing the User Experience,” discusses how remoting works, promoting good client experience in the remote session, and how to print from RDS sessions.
■ Chapter 7, “Molding and Securing the User Environment,” explains why you should lock down the RDS environment and how you should do it, and describes how to provide remote assistance to users from within the user session.
■ Chapter 8, “Securing Remote Desktop Protocol Connections,” discusses RDP encryption, server and client authentication, and how to configure security settings on the RD Session Host server.
■ Chapter 9, “Multi-Server Deployments,” introduces key concepts for multi-server deployments, shows how to create RD Session Host farms, and explains how to publish applications and display resources through RD Web Access.
■ Chapter 10, “Making Remote Desktop Services Available from the Internet,” shows you how to install and configure RD Gateway to provide access to RemoteApps, desktop sessions, and pooled and personal VMs to users located outside the corporate network.
■ Chapter 11, “Managing Remote Desktop Sessions,” shows you how to monitor and terminate processes and users’ sessions running on an RD Session Host server, how to provide help with remote control, and how to drain RD Session Host servers for maintenance.
■ Chapter 12, “Licensing Remote Desktop Services,” discusses the new RDS licensing paradigm, including both RDS and VDI licensing. This chapter explains how licenses are tracked and enforced; how RD License servers assign RDS CALs; how to install, configure, and maintain RDS License servers; how to diagnose licensing issues with the Licensing Diagnosis tool; and how to migrate licenses from one server to another.

Document Conventions

The following conventions are used in this book to highlight special features or usage.

Reader Aids

The following reader aids are used throughout this book to point out useful details.

READER AID              MEANING
Caution                 Warns you that failure to take or avoid a specified action can cause serious problems for users, systems, data integrity, and so on.
Note                    Underscores the importance of a specific concept or highlights a special case that might not apply to every situation.
On the Companion Media  Calls attention to a related script, tool, template, job aid, or URL on the companion CD that helps you perform a task described in the text.

Sidebars

The following sidebars are used throughout this book to provide added insight, tips, and advice concerning different Remote Desktop Services features.

NOTE  Sidebars are provided by individuals in the industry as examples for informational purposes only and may not represent the views of their employers. No warranties, express, implied, or statutory, are made as to the information provided in sidebars.

SIDEBAR                 MEANING
Direct from the Source  Contributed by experts from the product group who provide “from-the-source” insight into how Remote Desktop Services works, best practices, and troubleshooting tips.
Direct from the Field   Contributed by experts external to the product group who have real-world experience working with Remote Desktop Services. Some experts are Microsoft field engineers; others are Microsoft MVPs or other experts.
How It Works            Provides unique glimpses of Remote Desktop Services features and how they work.

Command-Line Examples

The following style conventions are used in documenting command-line examples throughout this book.

STYLE           MEANING
Bold font       Used to indicate user input (characters that you type exactly as shown).
Italic font     Used to indicate variables for which you need to supply a specific value (for example, file name can refer to any valid file name).
Monospace font  Used for code samples and command-line output.
%VariableName%  Used for environment variables.

Companion Media

In addition to the book itself, you also get a CD that contains some great tools and other resources. System requirements for running the CD are at the back of this book. The CD includes the following resources.

Links

The companion media includes many links to URLs that lead to more information about Remote Desktop Services-related topics, Remote Desktop Services resources, partner websites, and more. Some of the URLs are referenced throughout the book and some are not.

Management Scripts

On the companion media, you will find a collection of scripts illustrating ways to work with Remote Desktop Services using Windows PowerShell and VBScript. We’ve also included listings in relevant locations in the book so that you can better understand how these scripts support the functionality you’re looking for. Although these scripts are intended as samples instead of finished products, they do useful work such as allowing you to easily determine the shadowing permissions on a server or providing application-usage metering not provided in the GUI.

Find Additional Content Online  As new or updated material becomes available that complements your book, it will be posted online. The type of material you might find includes updates to book content, articles, links to companion content, errata, sample chapters, and more. This website is available at http://go.microsoft.com/fwlink/?LinkId=203980 and is updated periodically.
Support for This Book

Every effort has been made to ensure the accuracy of this book. As corrections or changes are collected, they will be added to the O’Reilly Media website. To find Microsoft Press book and media corrections:
1. Go to http://microsoftpress.oreilly.com
2. In the Search box, type the ISBN for the book, and click Search.
3. Select the book from the search results, which will take you to the book’s catalog page.
4. On the book’s catalog page, under the picture of the book cover, click View/Submit Errata.

If you have questions regarding the book or the companion content that are not answered by visiting the book’s catalog page, please send them to Microsoft Press by sending an email message to mspinput@microsoft.com.

We Want to Hear from You

We welcome your feedback about this book. Please share your comments and ideas via the following short survey:

http://www.microsoft.com/learning/booksurvey

Your participation will help Microsoft Press create books that better meet your needs and your standards.

NOTE  We hope that you will give us detailed feedback via our survey. If
you have questions about our publishing program, upcoming titles, or
Microsoft Press in general, we encourage you to interact with us via Twitter
at http://twitter.com/MicrosoftPress. For support issues, use only the email
address shown above.

CHAPTER 1

Introducing Remote Desktop Services

■ Where Did RDS Come From?  2
■ What Can You Do with RDS?  7
■ RDS for Windows Server 2008 R2: New Features  12
■ How Other Services Support RDS  32
■ Functionality for RDS Scripters and Developers  35

You might be reading this book for any of a number of reasons. Perhaps you’re an old hand at Microsoft Terminal Server and are interested in seeing what Remote Desktop Services (RDS) in Microsoft Windows Server 2008 R2 can do for you. You might have installed Windows Server 2008 R2 and are now interested in what all these web accesses, gateways, and Remote Desktop Session Host servers do. Maybe you have heard about RDS and are interested in how you might benefit by incorporating it into your environment. For that matter, you might be wondering how RDS compares to other remote access technologies in Windows Server 2008 R2.

Whichever reason you have to be interested in RDS, this book is for you.

This chapter sets the stage for the rest of the book. To understand the evolution of Microsoft Terminal Services (now called Remote Desktop Services), you have to understand where it came from and the ecosystem in which it operates. To understand what you can do with the roles and role services, you have to understand the essential goals of RDS in Windows Server 2008 R2 and the scenarios that it’s designed for. And, because RDS isn’t an end in itself but a piece of the broader Windows infrastructure, you’ll see how RDS roles interact with other technologies, like Windows Server 2008 Hyper-V and IIS.

After reading this chapter, you’ll understand the following:
■ Why Terminal Services is now known as Remote Desktop Services
■ What Windows Server 2008 R2 includes for supporting a RDS environment
■ What scenarios the RDS role services are intended to support
■ What kinds of new technology enable those new scenarios
■ How RDS role services interact with each other
■ How RDS role services depend on other Windows Server roles
■ What application programming interfaces (APIs) exist for developers to use, and what are some examples of the kinds of features that developers can add to RDS

Where Did RDS Come From?

If you’re looking at RDS for the first time with Windows Server 2008 R2, you’d hardly recognize its earliest incarnations. Like Windows Server itself, RDS has changed a lot over the years and has become much more comprehensive. It’s not important to go through an exhaustive feature list for each edition, but it’s useful to see how multi-user Windows has developed since its inception in the mid-1990s.

Citrix MultiWin

The original MultiWin architecture was designed not by Microsoft but by Citrix, who licensed the Microsoft Windows NT 3.51 source code from Microsoft to create multi-user Windows. [MultiWin was originally going to be based on IBM Operating System/2 (OS/2) when Microsoft was part of the OS/2 project, but Windows won.] Citrix created its own product called WinFrame, which was a multi-user version of Windows NT 3.51 and totally separate from the operating system that Microsoft produced.

A First Experience with Multi-User Windows

Christa first experienced multi-user Windows through WinFrame 1.7 in 1997 at an IBM training center in New York’s Hudson River Valley. Training lasted multiple days, so there were hotel rooms in the training center. Originally, the training center provided a PC in each guest room, and staff had to deal with the maintenance headaches of that setup. But by that training session in 1997, they’d moved to setting up thin clients (connected to the WinFrame servers) in all guest rooms so that guests could check email and work from their rooms. When attendees checked in, a script automatically created a user account for that person. This is all common now, of course, but at the time, it was heady stuff and a big change from the desktop-centric model of Windows.

Windows NT, Terminal Server Edition

WinFrame was built on Windows NT 3.51. Microsoft licensed MultiWin back from Citrix in 1995 and plugged this multi-user core into the Windows NT 4.0 base operating system to make a new product: Windows Server with multi-user capabilities. The result was Windows NT 4.0 Terminal Server Edition. Citrix no longer provided a stand-alone product but released MetaFrame, which ran on top of Terminal Server Edition (in much the same way that Citrix XenApp runs on Windows Server now) and added some new features and management tools.

Terminal Server Edition was very much a starting point. The operating system was pretty basic, to put it mildly. Almost every installation of Terminal Server Edition ran MetaFrame on top of it, because the base product did little more than provide a multi-user operating system. Even basic functionality such as clipboard mapping was not included. The fact that Terminal Server Edition and the core operating system were different products wasn’t great for either Microsoft or its customers. Microsoft had to deal with two sets of operating system service packs, and customers had to purchase a separate product to test server-based computing and juggle two different service packs that were not released at the same time. On the plus side, when there was a problem with Service Pack 6 (SP6) for Windows NT 4.0, it was solved by the time SP6 for Terminal Server Edition was released.

Windows 2000 Server

The first real breakthrough in Terminal Services was in Microsoft Windows 2000 Server. For the first time, Terminal Services was a server role in the base server operating system, not a separate product. Why did this matter? There are several reasons. First, the game of juggling incompatible service packs for single-user and multi-user operating systems was over. Second, there was a fundamental change in the way that server-based computing and remote access were perceived. Before Windows 2000, if you wanted to manage a Windows server from the graphical user interface (GUI), you generally sat down in front of it—there was no capability for remote management using Microsoft Remote Desktop Protocol (RDP). The problem was that there is a limit to the number of servers that you can sit in front of during the day, especially when those servers are in different buildings—or even in different cities. Windows 2000 Server introduced Remote Administration as an optional component, allowing server administrators to manage servers even when they weren’t sitting in front of them. Not only did this make server administration a lot easier, it also came to the aid of Terminal Services, because it gave people a good use case for remote usage and multi-user computing.

Having Terminal Services in Application Server mode available in the core operating system also meant that trying Terminal Server for users required comparatively little effort—setting up a basic pilot could be done with as little effort as installing the role in Application Server mode and letting people use Notepad. In addition, because RDP in Windows 2000 Server added some basic functionality such as client printer redirection and a shared clipboard between local and remote sessions, trying Terminal Server and getting a feel for how users could benefit from shared computing was possible even with only the tools in the core operating system.

Windows Server 2003

The next big step was Microsoft Windows Server 2003, which took some of the decisions made in the Windows 2000 Server timeframe to their next logical conclusions. If Remote Administration is a good thing, why should it be an optional component? Instead, enable it for all Windows server roles and make it an option for the client. And although the basic functionality in Windows 2000 Terminal Server is useful, it doesn’t provide a sufficiently rich
client experience. Let’s enable drive mapping, full color, sound, and other features that were previously possible only with third-party products, so that the remote experience can be a lot more like the local desktop experience.

Another big change to Windows Server 2003 was in management. Windows 2000 terminal servers could be managed only singly. You could configure them remotely, but not collectively. Windows Server 2003 introduced some Group Policy settings for configuring and managing terminal servers, and Terminal Server Manager supported management of remote servers.

Windows Server 2008

Microsoft Windows Server 2008 represented a big breakthrough in Terminal Services functionality. Previous versions of Terminal Services had included only two roles: the terminal server and a license server.

NOTE  Although Windows Server 2003 included the Session Directory Server for basic
farm support, this role was available only in the Enterprise Edition and was not widely
deployed.

If your needs extended beyond remote access to a full desktop on the local area network (LAN), then you needed third-party additions to the role to help you fulfill them. With Windows Server 2008, Terminal Services gained the following advantages:
■ Visual integration between locally and remotely running applications
■ A web interface for presenting applications on the terminal servers individually
■ A secure gateway to enable support for secure access via the Internet
■ A session broker to route incoming connections to the most appropriate terminal server
■ A printing subsystem that did not require print drivers to be installed on the terminal servers
■ Redirection of new types of devices

Windows Server 2008 R2 and RDS

Windows Server 2008 R2 is technically a “minor release” like other R2 releases, but it introduces a lot of changes for RDS. The role service has expanded again to add virtual desktop support (often called VDI, for Virtual Desktop Infrastructure). It has also gained some new features, some of the most important being the following:
■ Support for connection to Hyper-V based virtual machine (VM) pools of shared VMs and personal VMs assigned to an individual
■ Changes to Remote Desktop (RD) Web Access that allow the portal to display resources from multiple RD Session Host servers (formerly known as terminal servers) or farms, and that enable security filtering for RemoteApp programs and VMs
■ Improved application compatibility and resource management on RD Session Host
■ Support for Aero Glass remoting and other user experience improvements to RDP 7
■ Support for forms-based single sign-on through RD Web Access so that users need authenticate only once in the website to get to all the RemoteApp programs assigned to them
■ Improvements to Remote Desktop Gateway to enforce drive redirection policies and enable client remediation when clients do not conform to software rules
■ Improved discoverability for license servers for a more reliable connection

DIRECT FROM THE SOURCE

Why VDI?
Michael Kleef, Senior Product Manager
Windows Server Marketing

Microsoft added VDI support to Windows Server 2008 R2 to allow customers further desktop delivery choice in thin client computing. Although Remote Desktop Session Host is a mature product and still provides relevant customer value at the right TCO (total cost of ownership) point, there are times when the level of personalization and isolation that VDI with Windows 7 delivers are important for specific use cases. Applications that require elevated permissions are hard to support on an RD Session Host because one elevated-privilege mistake could affect all users of the server. The isolation of VMs makes it possible to support this type of application using VDI. Another example is native application compatibility; this was largely solved by Microsoft App-V, but it can’t solve all application issues in which the application requires a Windows client installation. It’s for reasons like this that Microsoft invested in delivering a VDI platform in Windows Server 2008 R2 and extended it further in Service Pack 1 with Dynamic Memory and RemoteFX, to increase VM density and improve the rich user experience.

Most obviously, Terminal Services is now called Remote Desktop Services, and all subroles are renamed to go along with the change. The service was renamed to reflect the much broader scope of the server role, including sessions and the role services needed to get people connected to them, but also hosting of VMs and secure wide area network (WAN) access.

NOTE  Because this book is about Windows Server 2008 R2, it uses the current names
for the server role and its role services. See Table 1-1 for a list of some of the names you’ll
come across most often. For a complete mapping of the old and new name for RDS, see
http://technet.microsoft.com/en-us/library/dd560658(WS.10).aspx.

TABLE 1-1  Mapping TS Names to RDS Names

FORMER NAME                                        WINDOWS SERVER 2008 R2 NAME
Terminal Services                                  Remote Desktop Services
Terminal server                                    Remote Desktop Session Host server
Terminal Services Licensing (TS Licensing)         Remote Desktop Licensing (RD Licensing)
Terminal Services Web Access (TS Web Access)       Remote Desktop Web Access (RD Web Access)
Terminal Services Gateway (TS Gateway)             Remote Desktop Gateway (RD Gateway)
Terminal Services Client Access License (TSCAL)    Remote Desktop Services Client Access License (RDSCAL)
Terminal Services Manager                          Remote Desktop Services Manager
Terminal Services Configuration                    Remote Desktop Services Configuration

The pattern is pretty obvious; if any names you see don’t make sense, look at the list provided at the link.

The Evolving Remote Client Access Experience

Although this book focuses on the server shared-computer experience, not the client, it is important to know that RDS also changed on the client side as the server-side capabilities evolved. Microsoft Windows 2000 Professional did not support incoming remote access connections (nor did Microsoft Windows 9.x), but Microsoft Windows XP, Windows Vista, and Windows 7 all do. Supporting incoming remote connections enabled several new ways to use Windows clients, including:
■ Remote access to a physical computer from home or another area of the building
■ Remote Assistance
■ Virtual desktop hosting
■ Hosting RemoteApp programs to be displayed in another client operating system (for application compatibility)

Remote access from another computer reflects the reality that many people use more than one computer, and that a home might have more than one computer. Remote Assistance uses the remote control feature of RDS—the ability to permit a second person to see or even take over a remote session—for enabling help desk support, even on desktops. Virtual desktop hosting was one of the chief competitors to session hosting for a long time (and is now part of the service). Features like RemoteApp on Hyper-V allow people to run applications on an older operating system while seeing them on a newer one, even if the application won’t run on Windows 7 for some reason.

NOTE  Generally speaking, most 32-bit applications can run on a 64-bit platform as long as these applications don’t include drivers and don’t have a 16-bit installation routine. Web applications designed to run in Microsoft Internet Explorer 6 are one exception to this rule. Internet Explorer 6 is included with Windows Server 2003, but can’t be installed on Windows Server 2008 R2. Therefore, if you have Internet Explorer 6–dependent applications and want to display them as RemoteApp programs, you can host them in VMs using RemoteApp for Hyper-V.

RDS shows up in the client versions of Windows even when you don’t expect it. It’s the technology that enables Fast User Switching and Remote Assistance (to name just two), and a version of the RDP protocol is the basis of Live Mesh.

In short, the story of Remote Desktop Services is the story of how multi-user computing has become less of a niche technology and more of a Microsoft strategy for enabling various scenarios that blur the line between the PC and the data center. Even when they’re not called RDS, multi-user computing and the Remote Desktop Protocol have become crucial parts of the core Windows platform.

What Can You Do with RDS?

The preceding section provides a (very fast) look at where RDS came from and how it became part of the core Windows platform for both client and server. You will learn about the technology in depth in later chapters. But what do you do with it?

Fundamentally, RDS breaks the hard links between location, client operating system, and capability.

In many ways, this is a natural extension of networking. If you’re using a single computer unconnected to any networks, you’re limited to the applications and data stored on that computer. If you attach that computer to a network and enable file sharing, you can use data that is not stored on your laptop, and a systems administrator can both back up that data (impossible for someone else to do on an isolated desktop) and secure it. With RDS, you can use not only data stored somewhere else but also applications stored somewhere else. They don’t even have to be capable of running on the client computer as long as they’ll run on the host. Presentation remoting improves file sharing because the files you use don’t have to be accessible to the client computer as long as they’re available to the back-end application. With an isolated PC, you are absolutely tied to what that computer can do. With presentation remoting, the capabilities are more flexible, because what you see isn’t necessarily running on the computer where you’re working, or even in the same country. This has benefits for security, location, and device independence.

Improved Security for Remote Users

Totally PC-based computing has problems with data security. More and more people work on laptops, and laptops are meant to be taken places. But laptops with data stored on them are a security risk, even if you password-protect the laptop. Unless you take the laptop with you everywhere, including lugging it along to dinner instead of leaving it in the hotel room when you’re on the road, the data on your laptop is vulnerable to theft. And if someone really wants the laptop, it doesn’t matter if you take it with you. This doesn’t even address the dilemma of leaving the laptop in a taxi or on a train by accident. It happens. BitLocker technology on Windows 7 and Windows Vista protects against theft but does not protect against loss from a misplaced or broken laptop that wasn’t backed up.

If the data is on the laptop and you lose the laptop, the data’s gone. The obvious solution is not to keep the data on the laptop—store it in the data center instead. But if you’re accessing the data center from a remote location via a virtual private network (VPN) and working with large files (in this day of heavy-duty formatting, what file isn’t large?), it’s tempting to keep the file on the local drive while working on it remotely and then copy it back to the network when you’re done with it. However, if you work this way, you’re back where you started with the data on the local drive.

Information Insecurity

It’s not practical to make sensitive information accessible only to people within the four walls of the office, but it’s been shown again and again what happens when that information leaves the data center. In November 2009, the Army Corps of Engineers lost a hard drive containing the names and social security numbers of as many as 60,000 current and former Army service members and some civilians. As of this writing, the drive has not yet been recovered. This isn’t the first time that sensitive data has been lost to a misplaced laptop or other portable media.

It’s not always feasible to store sensitive information only in the data center, accessible solely via secure connection to a Remote Desktop Session Host server behind the perimeter network. Sometimes, the information must be available even when a network connection isn’t. But when it is feasible, it’s much more secure to keep information where it’s least likely to be compromised, stolen, or lost: in the data center.

One solution to the dilemma of how to secure data while keeping it accessible to the people who need it is to keep everything in the data center, including the applications required to edit the data. If both the applications and the confidential data are on the network, then it’s either impossible to edit the data locally (because no application for doing the editing is installed locally) or not as desirable to do so because there’s no reason to download the remote file to the local computer for a more responsive experience. No sensitive data ends up on the client computer; it all stays within the boundaries of the data center.

NOTE  Given a sufficiently long distance or sufficiently slow Internet connection, the
remote connection will also be slow; and if the network connection isn’t totally reliable, it
can be frustrating as the session disconnects. As you know all too well, even high-speed
networks experience some latency when you’re working on one continent and the data
center is on another one. But these problems apply to any remote-access scenario and
have less chance of accidentally corrupting the original document by attempting to write
to it over a slow connection. A disconnected session doesn’t lead to data loss—it’s just
there waiting for its user to reconnect to it.

What if you want people to be able to edit confidential documents when they are in a secure location but not when they’re accessing the corporate network from the local coffee shop? Using RDS in Windows Server 2008 R2, you can set up rules that determine which applications a remote user has access to, whether the user has any local drives mapped, and even whether it’s possible to cut and paste text between local and remote applications. Security needs can determine the restrictions placed on remote access while still keeping the data easily available when it should be.

Provisioning New Users Rapidly


This is especially useful for temporary workers. If you are providing computer services for someone who will only be around temporarily (for example, a consultant needing a temporary desktop or a temporary worker), then it’s good not to need to spend much time on setting up a computer for her, but also good to give her a clean work environment that doesn’t require her to work around the detritus left by the previous user of the computer. Through RDS, you can get a new user set up and working almost as quickly as you’re able to get her a domain account. In addition, the pooled VM or remote desktop session the person uses will be brand new, with no old settings left from a previous user, which should simplify troubleshooting and training.

Enabling Remote Work


Related to security for mobile workers is remote work. Telecommuting is becoming more common in the workplace. Some help desk suppliers and U.S. government agencies don’t even have desks for all their workers, since their workplaces are designed for most people to be working from home most of the time. According to the Status of Telework Report to the Congress (see http://www.telework.gov/Reports and Studies/Annual Reports/2009teleworkreport.pdf), over 100,000 people working for the U.S. government teleworked during 2008, with 64 percent of these teleworking at least 1 to 3 days per week. This represents an increase of just under 9 percent since 2007.
Nor is telework a solely North American phenomenon. In 39 percent of western European companies, some people work at home at least part of the time, according to “IT and the Environment,” a 2007 paper by the Economist Intelligence Unit.

What Can You Do with RDS? Chapter 1 9

But working from home has its own set of challenges, not least being the question of how the company can support the desktop environment. Home-based computers can’t be easily managed by Group Policy; they can break down with no IT staff immediately available to provide assistance, and people working from home can’t always readily talk through a computer-based problem with help desk staff. And how do you update an application when it’s time to move from, say, Microsoft Office 2007 to Office 2010? If you’ve worked remotely for even a brief span of time, you probably have experienced the advantages of mobility and the disadvantages of lack of local support. It’s great being able to work from the coffee shop, hotel, or airport lobby; it’s not so great acting as your own help desk.
Server-based computing helps enable remote scenarios in several ways. You don’t have to worry about home users installing applications that they shouldn’t run on the Remote Desktop Session Host servers if you follow basic security procedures (more later on this topic). Since the applications are stored on the RD Session Host servers, they’re installed and updated there, not on the clients. And, as discussed in the previous section, “Provisioning New Users Rapidly,” using RDS allows the administrator to determine the kind of resource sharing that the local and remote computers should do and which applications are available, depending on the location from which a user is connecting.

Bringing Windows to PC-Unfriendly Environments


Not all the people who need a PC work in an environment that allows them to have one. One example is electronics firms. If you’re making circuit boards, you make them within what’s called a clean room, a room with no dust and which requires a time-consuming process to enter. If you need to use Windows applications in a clean room, you can’t use PCs. The fans inside the case kick up dust inside the computer and spread it into the room. In addition, it’s not practical to have PCs that might need servicing in any room that takes extensive preparation to enter as a clean room does. Therefore, you need RDS to provide Windows applications to the terminals.
Thin clients are also good for environments where you want access to Windows applications but the circumstances are not PC-friendly, if they’ve got too much dust or vibration to be good for the PC. Small terminals that can be wall-mounted or carried work better in these circumstances than PCs do. But since these small terminals have very limited memory and CPU power and no disks, you can’t run Windows 7 on them. To get access to the latest operating system and applications, you need an RD Session Host server for the terminals to connect to.
PC-less Windows environments include places such as upscale health clubs or city apartment lobbies. Management wants to attract customers by offering the convenience of a personal computer in the lobby or cafe but doesn’t want to support computers in these locations. (Bulk can also be an issue when you’re trying to squeeze five user work areas into a small counter space.) Windows terminals can connect to an RD Session Host server and present the applications. They’re also smaller, cooler, and more reliable than PCs, which can get misconfigured.

It has been said that there’s no point to getting thin clients because if you buy PCs, you get more power for the same money. With thin clients, you’re not paying for the computing power; you’re using very little, comparatively speaking. You’re paying for the reduced administration and smaller physical footprint and energy use. This solution is not for everyone, but sometimes thin clients are a better choice than PCs.

Business Continuity and Disaster Recovery


One advantage of RDS is that it enables you to set up user work environments quickly. As long as the servers are available in the data center, they can be made available to users almost as quickly as the user’s computer is plugged in and turned on. Using a combination of centralized application installs and Internet access, it’s possible to set up a new branch office quickly even if the RD Session Host servers are located offsite. For maximum flexibility and ease of setup, this model assumes that the RD Session Host servers are user-agnostic (that is, all user information, including profiles, is stored elsewhere) and identically configured.

Supporting Green Computing


One of the hot topics (no pun intended) these days is how to make companies and governments greener—how to help them use less energy. IDC, a market-research firm, says that power consumption is now one of systems managers’ top five concerns. Companies now spend as much as 10 percent of their technology budgets on energy, says Rakesh Kumar of Gartner, a consultancy. (Only about half of this amount is used to run computers; much of it goes toward cooling them, since for every dollar used to power a server, you spend a dollar to cool it.) Dropping power usage is a win-win situation, really—because companies have to pay for their power, using less energy means that they spend less money on power.

NOTE  A December 2007 paper from McKinsey & Company, “Reducing U.S. Greenhouse
Gas Emissions: How Much at What Cost?” (http://www.mckinsey.com/clientservice/ccsi/pdf
/US ghg final report.pdf ), shows the marginal costs of reducing carbon dioxide emissions.
The cost of reducing the carbon emissions for combined heat and power in commercial
buildings is negative. That is, it pays companies to go green.

There’s a lot of waste in desktop-centric computing. According to IDC, average server utilization levels range from 15 to 30 percent. Average resource utilization rates for PCs have been estimated at less than 5 percent. Because you have to power the processor and memory whether you’re using them or not, this represents a lot of waste. Therefore, depending on the needs of the client, there might be quite a bit of room for people accessing their desktops—or at least their applications—from an RD Session Host server. For companies that can reasonably exchange desktop computers for Windows-based terminals, this can represent a huge savings, both in terms of the power drawn by the full desktops and in terms of the air conditioning required to cool the building heated by hundreds of powerful PCs.

Improved Command-Line Support
Windows Server 2008 had a wide array of programmable interfaces that duplicated—and even extended—the capabilities of the GUI. What it didn’t have was the best way to get at them. Windows PowerShell supported Windows Management Instrumentation (WMI) but had no remote access capabilities (and finding the right WMI object isn’t trivial unless you already know what you’re looking for), so you couldn’t use Windows PowerShell to manage settings on a server farm. VBScript did support remote access and WMI, but it required knowing how to script. (You also need to learn to use Windows PowerShell to use it, but it’s simpler and a lot of basic tasks have cmdlets already prepared.)
Command-line management is simpler in Windows Server 2008 R2 for two reasons. First, the Windows PowerShell team introduced remote access support in Windows PowerShell 2.0. Second, the RDS team created Windows PowerShell objects to map to its WMI structure. It’s now possible to easily find the capability that you want according to server role, and the objects are fully supported by standard Windows PowerShell cmdlets. You’ll be reviewing throughout this book how to use Windows PowerShell to manage the RDS farms.

RDS for Windows Server 2008 R2: New Features


So far, you’ve seen an overview of some of the ways you might apply server-based computing to meet your company’s needs for supporting remote workers or PC-unfriendly environments. Many new features in Windows Server 2008 help you support these scenarios specifically. This book is devoted to letting you know what’s new in RDS and how to use it. This section discusses some of the features and how this version of RDS differs from previous versions in ways larger than individual features.

For example, did you know that its Dynamic Fair Share Scheduling ensures that
each user on the same server gets an equal amount of processor attention? With it,
a lightweight user running Microsoft Word can collocate with a heavyweight user
performing a software build, or crunching a database query, or any other CPU-
intensive activity. Neither session is impacted by the actions of the other.

Remote Desktop IP Virtualization is also new for those finicky applications that
require unique IP addresses to function. Without it, all applications running from
the same RD Session Host will appear to have the same IP address. With it, an RDS
server can virtualize a set of IP addresses so that those applications execute without
problems.

Even Windows Installer gets improved with Windows Server 2008 R2. In previous
operating system versions, Windows Installer wasn’t fully Terminal Services–aware.
This limitation made the installation of some applications very difficult as concur-
rent installs would block each other. That awareness is finally present in R2, improv-
ing the success rate of installing applications to RDS. Installing MSI packages on an
RD Session Host server is the same as installing them on a client computer—they
serialize and don’t block.

With R2, your options for connecting users to applications become as important as
the application delivery itself. This “feature” isn’t so much a feature as a completely
new way of thinking about application delivery. The incorporation of RemoteApp
and Desktop Connection in Windows 7 with the RD Web Access in Windows Server
2008 R2 gives you more options for how you connect users to their applications.
Depending on your needs, you can deliver RemoteApp programs and VMs via a web
page in Internet Explorer, through an .RDP file delivered to the user, or, for those
using Windows 7, you can simply populate your users’ Start menu.

The Changing Character of RD Session Host Usage


One RDS change in Windows Server 2008 R2 is in the usage assumptions. Windows Server 2003, for example, assumed that administrators will generally run individual servers from the corporate LAN (and probably only one or two of them) since the session brokering piece is available only in the Enterprise edition of the software. Windows Server 2008 assumed that terminal servers would be hosted in farms, that people would run both locally installed applications and RemoteApp programs, and that at least some people would be accessing the RD Session Host servers from the Internet.
RDS in Windows Server 2008 R2 expands on the assumptions in Windows Server 2008 to assume the following, among other things:
■ Many users access the corporate LAN from the Internet at least some of the time.
■ Users don’t always log on from domain-joined computers.
■ Users are more likely to use a PC (with some locally installed applications) than a terminal device.
■ Users might work from a branch office but still are connected to the domain.
■ Some users will run very demanding applications from the data center.
■ Applications will be served from a farm of identical servers more often than a single server.
■ Some users will be allowed to install applications even in a hosted workspace.
■ Some applications should be isolated for best compatibility.
You will learn about some RDS role services here, but a technical walkthrough of these features is less important right now than understanding the business problems that they’re designed to solve. The rest of this book will provide design, deployment, and operations guidance.

Supporting VM Users
Sessions are a good way to let a lot of people use the same physical hardware. However, sessions don’t work for everyone, especially not if desktop replacement is the goal. A session can’t permit its users full administrative access to tweak settings through the Control Panel, isn’t always friendly to resource-hungry applications (at least, the resource-hungry applications are not always friendly to the other sessions), and doesn’t permit users to install applications to use later in exactly the same environment. Nor can you hibernate a session to easily save not just data, but also the work that you were in the middle of completing when you dropped everything and ran to catch the bus. Using a VM, it is literally possible to save your work state.
One new feature in Windows Server 2008 R2 is native support for Virtual Desktop Infrastructure (VDI), which is a short name for “managed virtual machines.” Microsoft VDI supports two kinds of VMs. Personal desktops are assigned to an individual and can be customized according to whatever rules are in place in the organization. Pooled desktops are generally available to anyone with access to the pool. Although it is possible in some cases to make changes to them, there is no guarantee that a user changing a pooled desktop will get the same one the next time they log in—rolling back changes is often normal, to avoid people contaminating the desktop pool with applications and settings they will never reuse.
Each kind of desktop is designed for a different purpose. Personal desktops are for full desktop replacement. Although accessible only via RDP, a personal desktop is controlled by the user it is assigned to, and if a person has a personal desktop, the RD Connection Broker will always attempt to connect them to it first. A personal desktop can replace a physical computer and even has the advantage of making the machine state easy to back up, so moving to a new physical platform doesn’t mean losing all settings.
Pooled desktops are more for supporting people who need to run applications that aren’t well hosted on an RD Session Host server, even with the new support for fair share processing that prevents a single session from using all the processor power. They can be preinstalled with any applications that the people who need the pool will need.
Pooled desktops can also support an application-compatibility feature released after Windows Server 2008 R2 shipped: RemoteApp on Hyper-V. This feature allows you to run RemoteApp programs from a VM rather than from an RD Session Host server. It’s designed to allow computers running Windows 7 that need to run an application that can’t run on Windows 7 (for example, a web application based on Internet Explorer 6) to run it from a computer running Windows XP located in the data center. Although each VM can still only support one incoming connection at a time, RemoteApp for Hyper-V makes it possible to support these older applications while retaining the features of Windows 7 on the desktop.

How to Get RemoteApp Technology from a Client

Remoting technology is great for displaying applications that can’t run on the client. For example, you can run really demanding applications from a session or a VM to integrate with an older operating system or on hardware that won’t support them.

Supporting older applications that won’t run on an operating system later than
Windows Server 2003 and Windows XP is a bit more problematic. Windows
Server 2003 didn’t include support for RemoteApp technology, so to run the
older applications there would mean publishing only from a full desktop. And up
until now, Windows XP didn’t support RemoteApp connections (although some
companies had solutions that did something functionally similar).

Microsoft has several different technologies that support RemoteApp from client
operating systems such as Windows XP. They’re all intended for different user
scenarios.

XP Mode uses Virtual PC technology to run a Windows XP VM on a computer running Windows 7. People with their own computers would run this to enable themselves to run applications locally that will not run on Windows 7. To get XP Mode, go to http://www.microsoft.com/windows/virtual-pc/download.aspx.

MED-V is essentially managed XP Mode (see http://blogs.technet.com/medv/archive/2009/04/30/windows-xp-mode-in-windows-7-how-it-relates-to-future-versions-of-med-v.aspx). You’d use this to deploy XP Mode in an organization so that you don’t rely on individuals to update their own RemoteApp guest machines.

The catch to XP Mode is that it requires the RemoteApp VM to run locally. Not all computers have the hardware to run two full machines at the same time (required with Type 2 hypervisors like Virtual PC). To make it possible to support RemoteApp from Windows XP, there’s RemoteApp for Hyper-V. This model runs the Windows XP guest VMs hosting the RemoteApp programs in a data center and uses RDP to display them on a computer running Windows 7. To get the updates required to use RemoteApp for Hyper-V, go to http://support.microsoft.com/kb/961742.

MED-V and XP Mode are outside the scope of this book because they do not use
the RDS infrastructure, but RemoteApp for Hyper-V is discussed in more detail in
Chapter 3, “Deploying a Single Remote Desktop Session Host Server.”

Supporting Telecommuters and Mobile Workers Securely


The way that people work in information fields has changed a great deal over the years. At one time, most information workers (the best way to describe people who need regular access to a shared pool of data to do their jobs) went to where the information was: namely, to the office. When they left the office, they stopped working on anything that depended on that central pool of information. Similarly, when they were in the office, they could easily add to this central pool of information—after all, all this information is created by people—and when they left, they could not continue adding to the central pool of information.
Laptops changed this by giving telecommuters a computer that they could easily take with them, but laptops still didn’t have access to the central pool of information that people could access at the office. Widespread Internet access combined with the increasing use of email as a personal information store gave additional access, but email doesn’t include everything your company knows—just that information included within emails you’ve sent or received.
The next stage was securely connecting to the corporate network, retrieving the information required, and then downloading it to the laptop. This, of course, required both broad access to high-speed networks for downloading the documents to the local computer and also for the application to be installed locally. It also meant that people needed some way for the laptop to access the data center without creating a security breach or spreading a virus on the corporate network.
Much of the industrialized world today has access to the necessary components: laptops and high-speed networks that are available both at home and in public places such as airports and hotels. The tricky problems that arise include how to regulate which computers are allowed access to the network and how to keep sensitive data off computers vulnerable to theft or loss. There’s also the problem of gaining access to the data that mobile workers create while on the road. Data stored on a laptop won’t make it back to the corporate network until the road warriors get back from the trip, or at least get some free time to upload all their new data to the central data pool.
RDS long held promise in supporting telecommuters and mobile workers, but the solution included with the operating system didn’t have all the tools needed to make this work until Windows Server 2008. Windows Server 2008 Terminal Services changed this, introducing Terminal Services Gateway (TS Gateway). TS Gateway enabled authorized users to access authorized corporate resources securely via RDP tunneled through the Internet. Windows Server 2008 R2 added some enhancements for increased security in the new version of TS Gateway, called Remote Desktop Gateway (RD Gateway).
RD Gateway enables users to access the corporate network—and the centralized data pool—securely via SSL from the hotel or airport or even the beach (if you can keep sand out of your laptop). When combined with RDP file signing and server authentication, RD Gateway provides secure Internet access, giving users some assurance that the RDP file that they launch is a legitimate resource and not a spoofed server set up to capture their logon credentials. RD Gateway can also set policy to protect the data center, controlling which people and computers are allowed to access the data center via this path and letting administrators control what resources they have access to once they get there.

NOTE  RD Gateway and SSL aren’t the only ways to create a secure connection to the data
center from a remote location—VPNs and Direct Access are other access options. But RD
Gateway has some advantages, including controlled access to specific resources, which is
discussed in detail in Chapter 10, “Making Remote Desktop Services Available from the
Internet.”

Using Public Computers Without Storing Connection Data


The previous section discussed personal laptops, and that’s what most people use to access the data center while on the road. However, it’s not reasonable to expect that people will never log on except from a computer that they own. For example, you could be connecting to the corporate RD Session Host servers from a computer at your family’s home in Tucson, or from a kiosk at an Internet cafe in Darmstadt. In both cases, you need a way to access work resources without leaving any personal data cached on those computers, including an RDP file used to point to the data center.
Remote Desktop Web Access (RD Web Access) has features that enable you to do this. Rather than storing connection settings in an RDP file that you can get in email or save to a desktop, RD Web Access is a secured website that displays icons representing shared desktops and RemoteApp programs. When a user clicks a link, RD Web Access generates the RDP settings for the resource to which the user is attempting to connect. With the advent of forms-based authentication in Windows Server 2008 R2, users can log onto the website once, then use the same credentials to access all RemoteApp programs displayed in the browser.
RD Web Access and RD Gateway are independent role services, but they can be combined to provide secured Internet access without depending on saved RDP files.

Integrating Locally Installed Applications and RemoteApp Programs


RDS in Windows Server 2008 R2 doesn’t require a specific client operating system to work; you can connect to a VM or to an RD Session Host server using clients as old as RDP 5.2. (Previous versions of RDP aren’t supported because of security improvements in RDP 5.x.) However, you’ll definitely get the best experience using RDP 7. This version of the client enables some new visual remoting not possible with previous versions. Like Terminal Services in Windows Server 2008, RDS continues to blur the line between client and server.
One feature of RDS depends on a capability in the client operating system and is available only to clients running Windows 7: RemoteApp and Desktop Connections. (For those using Windows Server 2008 R2 as a client, it’s also possible to set up this feature from this operating system.) You will learn about this feature in detail in Chapter 9, “Multi-Server Deployments,” but in short, it allows users to add icons automatically from applications running in the data center to their Start menu.

NOTE  For the best user experience, you should use the latest version of RDP (7, as of
this writing) but many features are available even to older versions of the RDP client. See
Chapter 6, “Customizing the User Experience,” for more details.

Supporting High-Fidelity User Experience over RDP


Early versions of Terminal Services made it very obvious that you were connecting to a remote computer. The color quality was low, you couldn’t redirect devices, you couldn’t use more than one monitor, the quality of audio redirection wasn’t the best, and so forth. Windows Server 2008 R2 makes it easier to work remotely by supporting the following features:
■ True multi-monitor support, including varying layouts and both landscape and portrait orientations
■ Aero remoting for single-monitor sessions on Windows 7
■ Client-side rendering of multimedia and audio Windows Media Player files
■ Improved display of video from Silverlight and Windows Media Foundation
■ Bi-directional audio remoting, including sound recording to a remote session

Working from Branch Offices


Working remotely isn’t a label just for those working from home or while on the road. “Remote” workers might operate in a separate office, but one with resources similar to the corporate office. In this scenario, the network is reliable and the computers are domain-joined, but the data center is not in the same physical location as the branch office workers, and onsite IT staffing might be minimal.

Supporting Larger Server Farms


RDS deployments don’t consist of just one or two servers anymore, but the tools available in Windows Server 2003 didn’t really support farms. (Session Directory Server was available only on the enterprise edition of Windows Server 2003.) Windows Server 2008 R2 RDS is more suited to managing access to multiple servers because it adds additional group policies for server management and the RD Connection Broker enables users to connect to farms instead of single servers.

Other Business Cases for RDS

Administrators benefit from RDS, too.

Regulatory Compliance Requirements


For the IT department, data security and the ability to meet regulatory require-
ments both remain top priorities. RDS helps secure an application and its data in a
central location, reducing the risk of accidental data loss caused by, for example,
the loss of a laptop. Key features of RDS, such as RD Gateway and RemoteApp com-
bined with RD Web Access, help ensure that partners, or users, who do not need full
access to a company network or computers can be limited to a single application, if
needed.

Complex Applications
In an environment with complex applications such as line-of-business (LOB) or
customized older software, or in situations in which large and complex applications
are frequently updated but are difficult to automate, RDS can help simplify the
process by reducing the burden of managing multiple applications across the entire
environment. The client machines can access the applications they require from a
central source, rather than requiring applications to be installed locally.

Merger Integration or Outsourcing


In the case of a merger, the affected organizations will typically need to use the
same LOB applications, although they might be in a variety of configurations and
versions. In addition, organizations might also find that they are working with
outsourced or partner organizations requiring access to specific LOB applications
but not to the full corporate network. Rather than performing a costly deployment
of the entire set of LOB applications across the extended infrastructure, these ap-
plications can be installed on an RD Session Host server and made available to the
employees and business partners who require access, when they need it.

New RDS Technology in Windows Server 2008 R2


New technology in RDS in Windows Server 2008 R2 does a lot to improve the user experience. Part of the goal of this release was to make the remoting unobtrusive so that an application executing remotely should appear to be executing locally. In this section, you will learn about some of the technology in this release that enables this. The rest of this book will go into more detail.

Integration of RemoteApp Programs and Desktops into the Start Menu
Technically, it was possible to integrate RemoteApp icons with the Start menu in Windows Server 2008. To do so, you had to:
1. Package the RemoteApp from the RD Session Host server as a Microsoft Windows Installer (MSI) file.
2. Publish this MSI file through Group Policy.
3. Repackage and republish manually as required when the RemoteApp settings changed.
It’s not a bad system, and MSI publishing is still the only way that you can support file associations with RemoteApp programs. (It’s also the only way you can integrate RemoteApp programs with the Start menu on Windows XP and Windows Vista.) However, it doesn’t update automatically, and you can’t add more RemoteApp programs to the Start menu without editing Group Policy. Finally, since it requires Group Policy, you can’t use this method to publish applications to computers outside the domain.
A new feature called RemoteApp and Desktop Connections avoids these drawbacks. A new application Control Panel item in Windows 7 (and Windows Server 2008 R2) called RemoteApp and Desktop Connections can accept a Uniform Resource Locator (URL) for the publishing feed created from the farm. This feed aggregates all the RemoteApp programs, VM pools, and personal desktops available. When a user connects to the URL for the feed and presents their credentials, RD Web Access filters the display so that they get links only to resources that they are permitted to use. These links then populate the client’s Start menu.
Using RemoteApp and Desktop Connections has the following advantages:
■ It allows users to start locally installed applications and RemoteApp programs in the same way through the Start menu.
■ It does not require the computer running Windows 7 to be connected to the domain.
■ It updates automatically whenever RemoteApp programs or VMs are added to or removed from the feed, or when permissions change.
■ Users have to log on only once to create the connection.
■ Finally, this feed is written in XML, an industry standard, and is available to developers to consume in other ways.

Aero Glass Remoting


One of the visual limitations of Windows Server 2008 was that Windows Vista had this great Aero Glass interface but this wasn't available from terminal server sessions. Today, Aero remoting is available when connecting to Windows 7 VMs and Windows Server 2008 R2 sessions from a client running Windows 7—even if the endpoint can't display Aero itself (for example, if connecting to a headless computer).

Aero Glass remoting from Windows 7 is enabled by default; to enable it from Windows Server 2008 R2 requires turning on desktop composition. The details are discussed in Chapter 6.

20 Chapter 1 Introducing Remote Desktop Services

NOTE  Although you can get Aero remoting from Windows Vista to Windows Vista, Aero remoting from Windows 7 or Windows Server 2008 R2 requires the Windows 7 client operating system.

Aero Glass remoting is available for single-monitor sessions only.

Improved Application Compatibility


One of the interesting questions about applications, especially those that are a little fussy, is whether they will work on an RD Session Host server. Three new technologies in Windows Server 2008 R2 RDS seek to address application compatibility problems:

■ Changes to the process of installing MSI packages make the installation process work more as it does on client operating systems. Chapter 3 goes into the details, but the impact is to prevent simultaneous first-time uses of applications based on MSI installs from blocking each other.
■ Windows Server 2008 has Windows System Resource Manager (WSRM) for preventing single sessions or processes from using up all the processor time. Windows Server 2008 R2 still supports WSRM, but it also introduces a new feature for preventing this problem in a more proactive manner. Whereas WSRM identifies badly behaving applications and scales back their processor time, Dynamic Fair Share Scheduling (DFSS) works with the scheduler to ensure that a single session never starves other sessions for processor cycles. You'll learn about this in more detail in Chapter 3.
■ Finally, IP virtualization makes it possible for a session—or only certain applications running in a session—to have a unique IP address. In previous versions of Terminal Services, all applications on a server would have the same IP address: the server's IP. Although this worked much of the time, it prevented applications or security scenarios that required a discrete IP address. Again, you'll find out more about this feature in Chapter 3.

Support for True Multi-monitor Remoting


Version 6 of the Remote Desktop Connection client introduced monitor spanning, so you could use two or more monitors (up to a resolution of 4096 × 2048) to display a remote session. To get this, you connected to the terminal server using the /span switch. Span was an improvement over being limited to a single monitor but had some drawbacks:

■ The monitors had to be arranged in a row.
■ The remote session was still a single-monitor session—just one with a really big monitor. Because of this, if you had only two monitors, error messages displayed in the middle of your screen sometimes got bisected or obscured. In addition, maximized applications would take up all the monitor space.

Again, the total supported resolution had to be below 4096 × 2048 (for example, 1600 × 1200 + 1600 × 1200 = 3200 × 1200).

RDS replaces monitor spanning with true multi-monitor support. With multi-monitor support, each monitor on the client machine is redirected individually, so that each monitor (up to 16) is seen as a separate monitor to the remote session. (Group Policy limits it to 10, but it's technically possible up to 16 if you set this value programmatically.) Therefore:

■ The monitors can be arranged in any configuration that makes sense to the user: a row, a box, an L, and so forth.
■ Individual applications will maximize to the size of the monitor they're currently displayed in, not the entire row of monitors.
■ Each monitor can have a maximum resolution of up to 4096 × 2048.

True multi-monitor is not supported with Aero Glass remoting. If multi-monitor and Aero Glass remoting are both configured, multi-monitor will take precedence.

Remoting huge and high-resolution displays can take a toll on server performance, so you might want to tweak the maximum supported resolution and maximum supported monitors. For more details, see Chapter 6.

Client-Side Multimedia Rendering


Many modern personal computers, even modest ones, have a lot of power—more than a server does to render all multimedia in a session on the server and then stream it to the client, at any rate.

In Windows Server 2008 R2, the RDS team has improved the media playback experience by efficiently transporting audio/video-based multimedia in a compressed format within the RDP protocol. Rather than being rendered on the server, it's sent to the client to be played back through Windows Media Player. The content will appear to be displaying locally because it is—even though it was originally generated in a remote session. However, it will also be fully integrated with the remote session.

This approach has several advantages:

■ It reduces bandwidth usage since data over the wire will be compressed video instead of a succession of bitmaps; the experience is roughly equivalent to running from a file share or video server. Resizing the window won't affect the playback, either.
■ It reduces the processing on the server because the server no longer needs to use processor time decoding the video and packaging it on RDP.

To support this, the client must support multimedia redirection and the server must be configured for audio and video playback. This feature is covered in more detail in Chapter 6.

Single Sign-On for Farms


Single sign-on, or having to present a password only once to use resources from your computer, is obviously good for users. Imagine coming to work in the morning and logging on to your computer. Then you click an icon and need to present credentials again. Then you click another icon and need to present credentials again. By 10 A.M., you're probably ready to just go for coffee and forget about working, since productivity clearly isn't happening if you have to log on every time you start an application.

Single sign-on was introduced in Windows Server 2008, but it was improved in Windows Server 2008 R2 with forms-based authentication. Whereas the previous version allowed you to continue to work without re-presenting your credentials when logging into the same server, the current iteration caches your credentials in a secure web form to present any time you attempt to connect to a RemoteApp program.

Extending Easy Print to Client Platforms and Eliminating .NET Dependency

Printer drivers have long been the bane of the terminal services administrator's life. At first, supporting printer drivers was a gamble in which, if the driver didn't crash the terminal server, you'd won. Supporting client-side printers increased the exposure to error-prone drivers by lessening the administrator's control over the drivers installed. When supporting Windows NT drivers on the terminal servers and non–Windows NT drivers on the client (for example, when using Windows 98 as a client to a Windows 2000 Server terminal server), the drivers might not have the same name. This would require the administrator to create driver mapping files that basically say, "When the system refers to this driver from within the client session, that driver on the terminal server should be used." Otherwise, the print job would not print.

Over time, the drivers got more reliable as the problem became better understood. When both the client and terminal server were based on Windows NT technology, the driver name mismatch problem ceased to be an issue. Then Windows Server 2003 introduced a new Group Policy that permitted only user-mode drivers by default. This removed the chance of installing a poorly written kernel-mode driver that could crash the server, but it still meant that terminal server administrators had to test, maintain, and support a variety of drivers for both corporate printers and mapped client printers (although some companies stopped supporting mapped client printers just to avoid the driver problems).

Another problem with previous iterations of printing was deciding which printers should be mapped to the remote session. If printer mapping was enabled, then all the client printers would map to the terminal server, regardless of whether this was appropriate. Mapping all these printers could also be time-consuming, not to mention increasing the number of drivers that needed to be installed on a terminal server.

Terminal Services in Windows Server 2008 addressed these problems in several ways. First, and simplest, Group Policy allows administrators to map only the client's default printer to a terminal session. Second, Easy Print technology avoids the driver problem for clients running Windows Vista and Remote Desktop Connection 6.1. Basically, Easy Print allows users to print from a remote session without having to install any drivers on the terminal session at all. The remote session gets printer settings from the client and even makes calls to the client-side GUI to show the driver configuration panes for the drivers.

Easy Print had two catches, though. It didn't work when connecting to client operating systems (which eliminated most common VDI scenarios) and it required .NET on the client operating system to work. In Windows Server 2008 R2, both those limitations are addressed. Whereas .NET was required to convert the XPS of the data stream to the GDI commands required to print, in Windows Server 2008 R2 and Windows 7, the operating system does this.

To learn more about Easy Print, see Chapter 6.

RDS Roles in Windows Server 2008 R2


Users of Terminal Services in Windows Server 2008 will find most of the roles in Windows Server 2008 R2 RDS familiar. RDS is supported by six role services:

■ RD Session Host
■ RD Virtualization Host
■ RD Connection Broker
■ RD Web Access
■ RD Gateway
■ RD Licensing

RD Session Host
The RD Session Host (known as the terminal server in Windows Server 2008) remains the core piece of the Remote Desktop Services architecture for delivering individual applications and for getting the highest user density for full desktops. An RD Session Host server is different from other types of Windows servers in several ways. Fundamentally, a server with this role installed works a lot more like a workstation than a server.

For example, other server roles are designed to serve one general purpose, such as handling email or database queries. Their priorities are clear. Whatever is at the foreground of that server's purpose gets the lion's share of the processor. A shared server is different. Many people are using it at the same time, so it can't just assume that whichever application is in the foreground is the one that should get all the processing time—which foreground of the 40 or so sessions should it pick? Therefore, all user processes on a Remote Desktop Session Host server have the same priority so that they share the processor more or less evenly among all remote users.

NOTE  In Windows Server 2008 R2, a new feature called Dynamic Fair Share Scheduling
(DFSS) proactively ensures that the scheduler doesn’t allocate too much processor time to
any single session. This feature is on by default.

Users connect to an RD Session Host server via the RDP. They make this connection by starting an RDP file that details all the settings for the connection. Users can get to this file from a network share or in email, and it can be automatically generated from a browser or (for clients running Windows 7) the Start menu through RemoteApp and Desktop Connections. When a user starts a remote session, it's protected from other remote sessions running on that computer. Users can't see each other's sessions, and the applications running in those sessions don't share read/write memory. They can have an impact on each other inadvertently (for example, by using demanding applications that take memory away from other users) but there's minimal security risk in having multiple people running sessions on the same RD Session Host server. To say "no security risk" is, of course, not possible, because there are some exceptional cases that could be exploited by an expert with the right tools, but this is generally true.

BEST PRACTICE  RD Session Host servers have a heavy workload supporting all the re-
mote client sessions, so it’s generally best to reserve them only for that use.

Chapter 2, "Key Architectural Concepts for Remote Desktop Services," talks about how to size an RD Session Host server; information about how to install and set up the role is included in Chapter 3; and how to set up server farms with the RD Connection Broker is covered in Chapter 9.

RD Virtualization Host
Windows Server 2008 R2 introduces a new kind of supported resource: VMs. (VMs, of course, are not new with Windows Server 2008 R2, but support for them within the RDS infrastructure is.) This role service uses Hyper-V to host VMs. VMs can be pooled (generally available to anyone with access to the VM pool) or personal (assigned to a particular user in AD DS).

Why support VMs as well as sessions? The answer is simple: both are valid means of virtualizing the desktop. For higher density, you want sessions. Many more people can run sessions on a single computer than can run VMs, because sessions share a lot of basic infrastructure in the operating system (even though they can't see each other). VMs are a virtual manifestation of a physical machine and thus completely separate from each other. This takes many more resources to support. You can run a dozen sessions on a server with 4 GB of RAM and a modern processor, but this same server would have a hard time supporting more than a couple of VMs running at the same time.

NOTE  True story: At one virtualization event, some people said they had heard about
virtualized desktops through VMs first. They’d never heard of sessions and were excited by
the possibilities of “lightweight VDI.”

The reason why VMs are valuable is related to why they're so resource-intensive: they're a completely isolated environment. A VM is configured with a certain amount of memory and a certain number of processors, reserved for it and not available to other VMs. The operating system is entirely reserved for the use of the VM. That means that whatever happens within the VM does not affect other VMs running on the same physical server. Users can install applications and they will be installed only on that VM. Users can run the most processor-intensive CAD (computer-aided design) software around and they won't drain resources from other VMs. Users can completely misconfigure a VM and cause it to crash, and this will affect only the person currently using it.

In RDS, VMs are often assigned to power users. Those with personal desktops are those who need a complete desktop replacement (albeit one that can be backed up and has all the protection of the data center): those who need to be able to install applications and configure their computers. Personal desktops are also good candidates for applications that require a persistent local data source (that is, they can't store all their data on a network share). Those using pooled desktops are often those who need to run applications that aren't good candidates for virtualization on an RD Session Host for one reason or another—they require a previous version of the browser, are 16-bit (Windows Server 2008 R2 is 64-bit only, and 16-bit applications won't run on that platform), or otherwise just don't fit but will work on a pooled VM.

Chapter 2 covers how to size an RD Virtualization Host server; Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," discusses how to set up the role for a single-server installation; Chapter 9 teaches you how to deploy the role in a farm; and Chapter 10 details how to manage larger deployments.

RD Web Access
Remote Desktop Web Access (RD Web Access) integrates with Microsoft Internet Information Services (IIS) to display the icons of authorized RemoteApp programs and VMs in a portal displayed in Internet Explorer and launch the connections. A user authorizes against the portal and can see the icons for all the remote resources allocated to them by the administrator. When he or she clicks an icon, it creates and starts a RemoteApp program in much the same way it would if the RDP file were stored on the user's computer. Using the new forms-based authentication in RDS, after a user authenticates to a portal once, his or her credentials can be used for any resource the user is authorized to access.

When a user starts a RemoteApp program, a session is started on the RD Session Host server that hosts the RemoteApp program, or the VM backing the VM icon. The RD Web Access server does not start the application. As shown in Figure 1-1, it just displays the application icon, creates the RDP file for that application when the user double-clicks that icon (1), and then passes the RDP file to the user to start the application from the RD Session Host (2). RemoteApp programs and desktops started via RD Web Access do not display in the browser but in their own windows (3) and are independent of the browser window. Closing the browser won't disconnect or terminate the connections to the RD Session Host or VM.

FIGURE 1-1 RD Web Access displays application icons in a browser for the convenience of users. (Figure elements: Mobile User, RD Web Access in the Perimeter Network, RD Session Host, RemoteApp; steps 1 and 2.)
RD Web Access has many benefits, including the following:

■ Users can access RemoteApp programs from a website over the Internet or from an intranet. To start a RemoteApp program, they just double-click the program icon.
■ With the new Web SSO feature, after the user authenticates to the website, those credentials are stored and provided for any other connections they initiate—even connections on other servers or other farms.
■ RD Web Access can display resources from more than one farm and aggregate them into a single window.
■ RD Web Access will display only the resources assigned to a particular person.
■ By using RD Web Access, there is much less administrative overhead than that required to maintain and distribute RDP files for connecting to an RD Session Host farm. You can easily deploy programs from a central location and don't have to worry about ensuring that RDP files containing connection information are up to date.
■ RD Web Access includes Remote Desktop Web Connection, which enables users to connect remotely to the desktop of any computer where they have Remote Desktop access from the RD Web Access portal.
■ RD Web Access works with minimal configuration, but the RD Web Access web page includes a customizable Web Part, which can be incorporated into a customized web page or a Microsoft SharePoint site.

That's how RD Web Access benefits people using a browser, but in Windows Server 2008 R2, this role service supports even people connecting without a browser. RemoteApp and Desktop Connections is a new feature in Windows 7 (it's part of the operating system, not the RDP client, so it is not available in previous versions of Windows) that allows RemoteApp and VM icons to be added to a client's Start menu and started from there. The trick is that RD Web Access gets its information about which RemoteApp programs and desktops are available to which users from the publishing service on the RD Connection Broker and makes those resources available through a URL. One URL supports the website you see with a browser, and another supports connections delivered to RemoteApp and Desktop Connections.

Chapter 9 explains how to configure and use RD Web Access and RemoteApp and Desktop Connections.

RD Connection Broker
For the sake of redundancy, it's good practice to have more than one RD Session Host server hosting your remote application set and to load-balance your servers. And it's essentially a given that there will be more than one VM in any deployment using VDI—there might even quite possibly be more than one RD Virtualization Host to run those VMs.

Having multiple endpoints and servers supporting those endpoints allows you to spread out the user load and eliminates the possibility that one server could go down and take out your ability to serve centralized applications. The trouble is that connections are fundamentally made to individual RD Session Host servers, not to groups of them. That is, the final connection is made to the RD Session Host server named RDSH01 (or whatever other name you've given it).

But if your RDP files include the names of individual RD Session Host servers, the connections won't be load-balanced. Nor will they be flexible enough to determine that a user really should be connecting to another RD Session Host server when starting a new application, because he or she already has an application open there. If you've deployed VMs, it's possible to point an RDP file to a particular VM without making any assignments in Active Directory Domain Services—it's essentially the same thing as using RDP to connect to a physical machine identified by name. But assigning VMs by name doesn't allow you to use pooled VMs. Nor can RDP files automatically wake up a VM that's hibernating and prepare it for the connection. If you attempt to make a direct connection to a hibernating VM, the connection will fail.

HOW IT WORKS

An Introduction to Connection Brokering

The RD Connection Broker role service handles the problem of how to connect user requests for sessions or VMs intelligently to the right endpoint, as shown in Figure 1-2. For RemoteApp connections, RD Connection Broker makes this decision according to several criteria, including:

■ Which farm was the incoming request attempting to connect to?
■ Does the person making the connection request already have an existing (active or disconnected) session on that farm?
■ If no connection exists, which RD Session Host server has the lowest number of sessions?

FIGURE 1-2  The RD Connection Broker routes incoming connections to the appropriate RD Session Host server. (Figure elements: RD Connection Broker, RDSH Farm 1, RDSH Farm 2.)
For VM connections (see Figure 1-3), the RD Connection Broker makes its decision based on similar criteria:

■ Is the VM request for a personal VM?
■ If for a pooled VM, does the person requesting already have a disconnected session on a VM?

If no connection exists, the connection is sent to the RD Virtualization Host server that has the lowest number of currently active VMs, and the RD Virtualization Host server prepares a VM for the connection.

FIGURE 1-3  The RD Connection Broker also brokers connections to VMs on RD Virtualization Host servers. (Figure elements: RD Connection Broker, RDVH1 with Pooled VMs, RDVH2 with Personal VMs.)

The RD Connection Broker includes only one form of load balancing—keeping track of how many sessions RD Session Host servers have or how many VMs each RD Virtualization Host is running—but it can be integrated with third-party load balancers that support other criteria such as processor or memory load, time of day, or application.

Chapter 9 explains how to use RD Connection Broker to support RD Session Host farms and pooled and personal VMs.
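The brokering criteria from the sidebar, carried through as a small simulation. This is an added example, not Microsoft's code or anything shipped with RDS; the data model (farm membership, a per-host session table, pooled and personal VM tables) and the inventory of hosts, VMs and users are constructed assumptions used only to exercise each decision path.

```python
"""Simulation of the RD Connection Broker decisions described in the sidebar.

Added example, not Microsoft's code. The classes and the inventory in
build_inventory() are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class SessionHost:
    """An RD Session Host server and the sessions it currently holds."""
    name: str
    farm: str
    sessions: dict = field(default_factory=dict)  # user -> "active" | "disconnected"


@dataclass
class VirtualizationHost:
    """An RD Virtualization Host and the VMs it runs."""
    name: str
    active_vms: int
    pooled: list = field(default_factory=list)        # free pooled VM names
    personal: dict = field(default_factory=dict)      # vm name -> owner from AD DS
    disconnected: dict = field(default_factory=dict)  # user -> pooled VM left disconnected


def route_session(user: str, farm: str, hosts: list) -> tuple:
    """Apply the three RemoteApp criteria in order; returns (host, reason)."""
    # Criterion 1: only members of the requested farm are candidates.
    members = [h for h in hosts if h.farm == farm]
    if not members:
        raise LookupError(f"no RD Session Host is a member of farm {farm!r}")
    # Criterion 2: an existing session, active or disconnected, wins outright
    # so the user lands back where their applications are already open.
    for host in members:
        if user in host.sessions:
            return host.name, "reconnect"
    # Criterion 3: otherwise the member with the fewest sessions; the host
    # name is a tie-breaker so the result is deterministic.
    target = min(members, key=lambda h: (len(h.sessions), h.name))
    target.sessions[user] = "active"
    return target.name, "new"


def route_vm(user: str, personal: bool, rdvhs: list) -> tuple:
    """Apply the VM criteria; returns (RDVH, VM name, reason)."""
    if personal:
        # A personal VM is assigned to one user in AD DS; the broker does not
        # load-balance it, it only has to find where that VM lives.
        for host in rdvhs:
            for vm, owner in host.personal.items():
                if owner == user:
                    return host.name, vm, "personal"
        raise LookupError(f"no personal VM assigned to {user!r}")
    # Pooled request: a disconnected session on a pooled VM is resumed first.
    for host in rdvhs:
        if user in host.disconnected:
            return host.name, host.disconnected[user], "reconnect"
    # Otherwise the RDVH with the fewest active VMs that still has a free
    # pooled VM prepares one for the connection.
    candidates = [h for h in rdvhs if h.pooled]
    if not candidates:
        raise LookupError("pool exhausted: no free pooled VM on any RDVH")
    target = min(candidates, key=lambda h: (h.active_vms, h.name))
    vm = target.pooled.pop(0)
    target.active_vms += 1
    return target.name, vm, "new"


def build_inventory():
    """Constructed sample inventory; not taken from any real deployment."""
    hosts = [
        SessionHost("RDSH01", "Farm1", {"alice": "disconnected", "bob": "active"}),
        SessionHost("RDSH02", "Farm1", {"carol": "active"}),
        SessionHost("RDSH03", "Farm2"),
    ]
    rdvhs = [
        VirtualizationHost("RDVH1", active_vms=3, pooled=["POOL-VM-04"],
                           disconnected={"dave": "POOL-VM-02"}),
        VirtualizationHost("RDVH2", active_vms=1, pooled=["POOL-VM-07", "POOL-VM-08"],
                           personal={"PERS-VM-ERIN": "erin"}),
    ]
    return hosts, rdvhs


def broker_demo() -> dict:
    """Run each decision path once and return the outcomes."""
    hosts, rdvhs = build_inventory()
    return {
        "alice_farm1": route_session("alice", "Farm1", hosts),  # reconnect, RDSH01
        "frank_farm1": route_session("frank", "Farm1", hosts),  # new, RDSH02 (1 session < 2)
        "erin_personal": route_vm("erin", True, rdvhs),         # RDVH2, PERS-VM-ERIN
        "dave_pooled": route_vm("dave", False, rdvhs),          # reconnect, RDVH1, POOL-VM-02
        "grace_pooled": route_vm("grace", False, rdvhs),        # new, RDVH2 (1 active < 3)
    }


if __name__ == "__main__":
    for request, outcome in broker_demo().items():
        print(f"{request:14} -> {outcome}")
```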

RD Gateway
In the dark days before Windows Server 2008, if you wanted to connect to a terminal server from the outside world using only the tools in the box, you might have considered opening port 3389 (the port that RDP listens on by default) so that the terminal server could accept incoming connections. Most people didn't do this, however, because of the security hole it opened.

One of the role services of RDS in Windows Server 2008 R2 is Remote Desktop Gateway (RD Gateway). RD Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device, whether originally part of the domain or a public computer or kiosk. As shown in Figure 1-4, the network resources can be RD Session Host servers supporting full desktops or RemoteApp programs, VMs, or computers with Remote Desktop enabled. In other words, people accessing the corporate network from the Internet can use RDP to connect to full desktops, individual applications, or even their own desktop computers—it all depends on what the administrator has set up.

FIGURE 1-4  RD Gateway provides secure access to the corporate network from other networks such as the Internet. (Figure elements: Mobile Users connecting over RPC Over HTTPS to RD Gateway in the Perimeter Network, which brokers to a PC, Pooled VMs and Personal VMs on RDVH1, RemoteApp, and a Full Desktop Session on RDSH Farm 1.)

RD Gateway uses RDP over HTTPS to establish a secure encrypted connection between remote users on the Internet and the internal network on which their applications run; this requires only port 443 to be open (which it probably is already for secure Internet connectivity). By doing this, RD Gateway does the following:

■ Enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without needing to configure VPN connections.
■ Provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
■ Provides a point-to-point RDP connection that can be limited, rather than allowing remote users access to all internal network resources.
■ Enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across Network Address Translators (NATs). With RD Gateway, you do not need to perform additional configuration for the RD Gateway server or clients for this scenario (aside from opening port 443 in the firewall).
The RD Gateway Manager console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:

■ Who can connect to RD Gateway (in other words, the users and computers who can connect)
■ Which network resources (computers or computer groups) users can connect to
■ Whether device and disk redirection is allowed
■ Whether clients must use smart card authentication or password authentication, or either one

To enhance security further, you can configure RD Gateway servers and RDC clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology included in Windows XP Service Pack 3 (Windows XP SP3), Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Using NAP, system administrators can enforce client computer health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings to connect to RD Gateway.

You can also use RD Gateway server with Microsoft Internet Security and Acceleration (ISA) Server or Forefront Threat Management Gateway (TMG) to enhance security. In this scenario, you can host RD Gateway servers in a private network rather than a perimeter network and host ISA or TMG in the perimeter network. The SSL connection between the RDC client and ISA or TMG Server can be terminated at the Internet-facing server.

The RD Gateway Manager console provides tools to help you monitor RD Gateway connection status, health, and events. With RD Gateway Manager, you can specify events (such as unsuccessful connection attempts to the RD Gateway server) that you want to monitor.

RD Gateway can be used with RDP files stored on clients, with RD Web Access, or with RemoteApp and Desktop Connections. Combined with RD Web Access or RemoteApp and Desktop Connections, you can set up a remote workspace that presents a website with the appropriate application icons and then makes sure that the person connecting or the computer he's connecting from meets the RD Gateway rules.

RD Gateway uses few resources and if sized properly can support hundreds of incoming users, so it can safely be combined with other roles that might be in the perimeter network.

RDS Licensing
The RDS Licensing role service is responsible for keeping track of who has a license to use the RD Session Host servers. Not who's authorized to use the RD Session Host server—AD DS user rights or RD Gateway makes that call, depending on what level the administrator is authorizing this connection. RDS Licensing is the license management system that enables RD Session Host servers to obtain and manage RDS client access licenses (RDS CALs) for devices and users that are connecting to an RD Session Host server.

NOTE  RDS Licensing supports previous versions of terminal servers as far back as
Windows 2000 Server. Also, the operating system supports two concurrent connections to
administer a computer remotely, so you do not need a license server for these connections.

RD Session Host servers can be configured to require either per-user or per-device RDS CALs. You'll learn more about the details of RDS Licensing in Chapter 12, "Licensing Remote Desktop Services," but the basic story is this: Each RD Session Host server determines if the user or the computer connecting to it has a valid license. If it does (and the user has permission to log on), then the RD Session Host server grants the connection. If it does not, then the RD Session Host server attempts to contact a license server to see if a license for that device or user is available. The license server then either allocates a license to the device (per-device RDS CAL) or edits the properties of the user's account in AD DS to show that a license has been used (per-user RDS CAL). If the RD Session Host server cannot connect to an RDS Licensing server, it will issue a temporary license if the RD Session Host server is within its grace period. Access will be granted for up to 120 days.

Servers supporting the RDS Licensing role maintain a database that tracks how RDS CALs have been issued. For per-device RDS CALs, the license is assigned to a computer. For per-user RDS CALs, the license is not actually assigned but its usage is registered in AD DS and can be tracked.

RD Licensing is a low-impact service, requiring very little processor time or memory for regular operations. Memory usage is less than 10 MB. Its hard disk requirements are small, even for a significant number of clients. The license database grows in increments of 5 MB for every 6,000 RDS CALs issued. The license server is active only when an RD Session Host server is requesting an RDS CAL, and its impact on server performance is very low, even in high-load scenarios. Therefore, in smaller deployments, the RDS Licensing role service can be installed on the same computer as the RD Session Host role service. In larger deployments, the RD Licensing role will often be on a separate computer.

Although only accessing the RD Session Host role will trigger the consumption of an RDS CAL, using any part of the RDS infrastructure requires an RDS CAL (or, for VDI-only deployments, a VDI CAL).
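The CAL check described above, carried through as an added example rather than Microsoft's code. The stand-in license server, the date the RD Session Host first accepted a client (used as the start of its grace period), and the sample users and devices are assumptions; the per-user branch records the account in a set where the real service edits an AD DS attribute.

```python
"""Simulation of the RDS CAL check an RD Session Host performs.

Added example, not Microsoft's code. LicenseServer is a stand-in for the
RDS Licensing database plus the AD DS per-user flag; the grace-period start
date and the scenarios in licensing_demo() are constructed assumptions.
"""
from datetime import date, timedelta

GRACE_DAYS = 120  # the text: access is granted for up to 120 days without a license server


class LicenseServer:
    """Tracks issued per-device CALs and per-user CAL usage (assumed model)."""

    def __init__(self, per_device_pool: int, per_user_pool: int):
        self.free = {"per-device": per_device_pool, "per-user": per_user_pool}
        self.device_cals = set()  # computers that hold a per-device RDS CAL
        self.user_flags = set()   # accounts marked in AD DS as having used a CAL

    def allocate(self, mode: str, principal: str) -> bool:
        """Issue a CAL to the device or flag the user; False when the pool is empty."""
        issued = self.device_cals if mode == "per-device" else self.user_flags
        if principal in issued:
            return True  # already licensed; nothing further to consume
        if self.free[mode] == 0:
            return False
        self.free[mode] -= 1
        issued.add(principal)
        return True


def check_connection(mode: str, user: str, device: str, may_log_on: bool,
                     presented_cal: bool, server, first_connection: date,
                     today: date) -> tuple:
    """Return (granted, reason), following the steps in the text.

    server is a LicenseServer, or None when the RD Session Host cannot reach
    any RDS Licensing server.
    """
    if mode not in ("per-device", "per-user"):
        raise ValueError(f"unknown licensing mode {mode!r}")
    if not may_log_on:
        # Authorization is decided by AD DS rights or RD Gateway, not licensing.
        return False, "user lacks permission to log on"
    if presented_cal:
        return True, "client presented a valid RDS CAL"
    principal = device if mode == "per-device" else user
    if server is not None:
        if server.allocate(mode, principal):
            return True, f"{mode} RDS CAL issued for {principal}"
        return False, f"license server reachable but no {mode} RDS CAL available"
    # No license server reachable: a temporary license only inside the grace period.
    if today - first_connection <= timedelta(days=GRACE_DAYS):
        return True, "temporary license issued within grace period"
    return False, "license server unreachable and grace period expired"


def licensing_demo() -> dict:
    """Constructed scenarios covering each branch of the check."""
    server = LicenseServer(per_device_pool=1, per_user_pool=0)
    start = date(2010, 1, 1)  # assumed first client connection to this RD Session Host
    args = (start, start)
    return {
        "device_ok": check_connection("per-device", "alice", "PC01", True, False, server, *args),
        "device_pool_empty": check_connection("per-device", "bob", "PC02", True, False, server, *args),
        "device_repeat": check_connection("per-device", "alice", "PC01", True, False, server, *args),
        "user_pool_empty": check_connection("per-user", "carol", "PC03", True, False, server, *args),
        "grace_day_120": check_connection("per-user", "carol", "PC03", True, False, None,
                                          start, start + timedelta(days=120)),
        "grace_day_121": check_connection("per-user", "carol", "PC03", True, False, None,
                                          start, start + timedelta(days=121)),
        "not_authorized": check_connection("per-user", "dave", "PC04", False, True, server, *args),
    }


if __name__ == "__main__":
    for scenario, (granted, reason) in licensing_demo().items():
        print(f"{scenario:18} {'GRANT' if granted else 'DENY ':5} {reason}")
```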

How Other Services Support RDS


The RDS role doesn't exist in a vacuum. Several roles help to support the various role services of RDS, and without them, the solution doesn't work. In addition to the core RDS role services and their relationship with each other, it's important to understand their relationship with other Windows Server roles. This section covers these roles and how they support RDS functionality.

What are the roles and how do they fit together? How do they fit with the other non-RDS parts of the Windows infrastructure (Hyper-V, IIS, certificates, and AD DS, among others)?

The Client Connection
Yes, it might be obvious, but it's still worth looking at. The way the client interacts with the role services of RDS defines what the user experience to a particular endpoint will be. Whether the endpoint is a session on an RD Session Host server, a VM hosted on RD Virtualization Host, or even a physical machine, the fundamental relationship between client and endpoint has three parts: the RDC client, the RDP connection, and the endpoint.

■ The RDC client component initiates the connection to the endpoint and receives the data that the server sends to it.
■ The server component on the endpoint interacts with the core operating system and takes the information received (for example, sounds being produced, bitmaps being displayed), converts it to RDP commands, and serializes it to be passed to the client.
■ The protocol enables the connection between the client and the endpoint; it defines the kind of information that is passed between them via virtual channels.

NOTE  Why the distinction between RDP and RDC? RDP is the Remote Desktop Protocol,
the protocol that passes user input and application output between client and server. RDC
is the Remote Desktop Connection, the client component that initiates and manages the
RDP connection.

In short, the client requests the connection, the endpoint formats the calls to the applications and operating system in a way that the client (or server, depending on which way the information flow is going for a particular transaction) can understand, and RDP passes the right information that lets the user communicate with the applications on the server as though they were running locally.
This communication relies on virtual channels, bi-directional connection streams provided through RDP. They establish a data pipe between the RDC client and the endpoint to pass specific kinds of information, such as device redirection or sound, between client and server. Virtual channels are a way to extend the functionality of RDP that's been available since Windows 2000 Server, and they are also used by some features of RDS, such as device and sound redirection.
But a lot has changed since Windows 2000 Server, and one of the components that's changed is that the 32 static virtual channels originally made available with RDP 5.1 aren't enough anymore. More kinds of data are now available, and it's clear that there might be more not yet considered. In addition, static virtual channels had a problem: They were created at the beginning of the connection and torn down at the end. If you added a device during the session, it couldn't use virtual channels unless you terminated the connection and then reconnected.

IMPORTANT  Terminating a connection ends it completely on the server. A disconnected session still exists on the server and a user can reconnect to it.

Therefore, RDS supports dynamic virtual channels, virtual channels that the client creates on demand and then shuts down when it's done with them. If you're curious about the interfaces to make dynamic virtual channels work for you (or how they work at all), see the PDF titled "Functionality for RDS Scripters and Developers" on the companion CD.

Hosting VMs
For some time, it has been possible to virtualize Terminal Services roles, but Hyper-V was not a required component of a Terminal Services deployment. In RDS, Hyper-V is required to use the VM hosting feature.
Hyper-V is installed automatically if you choose to install the RD Virtualization Host role service. Because RD Virtualization Host requires Hyper-V, it is the only RDS role service that cannot be virtualized.

Authenticating Servers with Certificates

Although you don't need a Certificate Authority (CA) server to use RDS, you will definitely need certificates from somewhere.
One of the curious things about RDS is the trust required between client and server. Obviously, the server has to trust the client, since the server is a partial porthole to the corporate network. But the client has to trust the server as well. The client is providing the user name and password for the corporate network, so it's important that the server the client is connecting to is a legitimate endpoint and not a rogue server set up to steal logon credentials.
To ensure that an endpoint's identity can be trusted, you install a certificate on the server, and the client must trust the CA that issued it. To do this, you'll need to get certificates from your own in-house PKI solution (in which case the CA's root certificate must be in the client's Trusted Root Certification Authorities store), or you'll need to purchase certificates from a public CA that clients already trust.

IMPORTANT  All RD Session Host servers in the same farm must use the same certificate
for certificate-based authentication.

Certificates are also used to:
■ Authenticate the identity of an RD Gateway server and allow it to set up a secure channel with the client
■ Sign RDP files
■ Provide HTTPS access to the RD Web Access website
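Putting the first of those uses into practice on an RD Session Host means binding a server-authentication certificate to the RDP-Tcp listener and then refusing to fall back to legacy RDP security, so the client never hands over credentials to an endpoint it could not verify. The script below is an added example, not code from the book. It assumes a certificate whose subject CN matches the name clients connect to is already in the computer's Personal store with its private key, issued by a CA the clients trust, and it uses the Win32_TSGeneralSetting WMI class (SSLCertificateSHA1Hash, SetSecurityLayer, SetUserAuthenticationRequired) as documented for Windows Server 2008 R2.

```powershell
# Added example (not from the book): bind a server-authentication certificate to the
# RDP-Tcp listener, require TLS, and require Network Level Authentication.
# Run elevated on the RD Session Host. ASSUMPTIONS: the certificate is already in
# Cert:\LocalMachine\My with its private key, its subject CN is the FQDN clients use,
# and the issuing CA is trusted by the clients.

$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-ServerAuthCert ($cert, $name) {
    # Usable only if we hold the private key, it is unexpired, the CN matches the
    # name clients type in, and it carries the Server Authentication EKU.
    if (-not $cert.HasPrivateKey -or $cert.NotAfter -lt (Get-Date)) { return $false }
    if ($cert.Subject -notmatch ('(?i)CN=' + [regex]::Escape($name) + '(,|$)')) { return $false }
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    return $false
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-ServerAuthCert $_ $fqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server-authentication certificate for $fqdn in LocalMachine\My" }

$ns = 'root\cimv2\terminalservices'
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# The listener identifies its certificate by SHA-1 thumbprint.
$listener.SSLCertificateSHA1Hash = $cert.Thumbprint
$listener.Put() | Out-Null

# SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = SSL/TLS required.
# Requiring TLS removes the downgrade path in which a client that cannot verify
# the server still connects over the legacy RDP security layer.
$listener.SetSecurityLayer(2) | Out-Null
# Network Level Authentication: the user authenticates before a session is created.
$listener.SetUserAuthenticationRequired(1) | Out-Null

# Read the settings back and confirm the bound thumbprint is the one we chose.
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($listener.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'Certificate binding did not take effect' }
$listener | Format-List TerminalName, SSLCertificateSHA1Hash, SecurityLayer, UserAuthenticationRequired, MinEncryptionLevel
```

Because every RD Session Host in a farm must present the same certificate, run this on each farm member with the same certificate (exported with its private key, or enrolled for the farm name) rather than letting each host pick a different one; a client that sees the thumbprint change between farm members has no way to distinguish a rebalance from a rogue server.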

Enabling WAN Access and Displaying Remote Resources

Two components of RDS require IIS: RD Web Access and RD Gateway. RD Web Access's need for IIS is pretty apparent. It provides information about the RemoteApp programs and desktops available to a user through two URLs. One URL supports display for RD Web Access and one supports RemoteApp and Desktop Connections.
IIS is also required for RD Gateway. RD Gateway encapsulates RDP traffic over HTTPS, so it requires certain components of IIS.
IIS is installed automatically when you install an RDS role service that requires it.

Updating User and Computer Settings

It's such an obvious choice to use AD DS for a support role that you might not have thought of it, but it's crucial to a functioning centralized computing infrastructure in several ways—not all of which you might have expected. AD DS manages:
■ The group policies that configure RD Session Host servers and the user sessions running on them
■ Whether or not a user has the right to connect to an RD Session Host server
■ The process of showing that a user has consumed a per-user RDS CAL

Functionality for RDS Scripters and Developers

It's crucial to understand that RDS is not just a product—although it's definitely that—but it's also a development platform for both independent software vendors (ISVs) and consultants creating custom solutions. Windows Server 2008 added a lot of new APIs for partners, and Windows Server 2008 R2 adds even more. Although a description of how to use all of these APIs is beyond the scope of this book, information available on the companion media highlights some of the platform extensions available to RDS partners through public interfaces.

ON THE COMPANION MEDIA  For a detailed description of the RDS API, please see "Functionality for RDS Scripters and Developers" on the companion media. Detailed instructions for using this API are on MSDN.

NOTE  Public interfaces (also known as APIs) are interfaces that are, well, publicly available
and documented on MSDN so that developers can use them. Private interfaces are not
documented. The main difference is supportability. A private interface might change at
any time if required by the people who developed it (in this case, Microsoft). An API won’t
change without notice. Even if you had the option to build solutions based on private
interfaces, it would be better to build on the public APIs than on private ones.

Summary
This chapter introduced you to RDS in Windows Server 2008 R2. At this point, you should understand:
■ How this role has developed since it became part of Windows 10 years ago
■ What RDS is used for
■ The new business cases that Windows Server 2008 R2 RDS now supports
■ The RDS roles that support these new business cases and how they interact
■ How other Windows roles (and the client) support RDS functionality
■ How RDS is a development platform and some of the functionality that scripters and developers can add to it
In Chapter 2, you'll find out how Windows architecture supports RDS.

Additional Resources
These resources contain additional information and tools related to this chapter.
■ To learn more about some fundamental concepts of the operating system that affect RD Session Host and RD Virtualization Host functionality (and sizing), see Chapter 2, "Key Architectural Concepts for Remote Desktop Services."
■ To learn how to set up an RD Session Host server, see Chapter 3, "Deploying a Single Remote Desktop Session Host Server."
■ To learn how to set up an RD Virtualization Host server to support pooled VMs and personal desktops, see Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server."
■ To learn how to set up user profiles with RDS, see Chapter 5, "Managing User Data in a Remote Desktop Services Deployment."
■ To understand how RDP integrates the client and server operating systems for display, printing, and audio and device redirection, see Chapter 6, "Customizing the User Experience."
■ To learn how to lock down the user environment with Group Policy, see Chapter 7, "Molding and Securing the User Environment."
■ To learn how RDP connections are secured for LAN connections, see Chapter 8, "Securing Remote Desktop Protocol Connections."
■ To learn how to use RD Connection Broker to deploy a farm of RD Session Host servers or a pool of RD Virtualization Host VMs, see Chapter 9, "Multi-Server Deployments."
■ To learn how to publish resources to RD Web Access and RemoteApp and Desktop Connections, see Chapter 10, "Making Remote Desktop Services Available from the Internet."
■ To learn how to use RDS on the Internet, see Chapter 10, "Making Remote Desktop Services Available from the Internet."
■ To learn how to manage sessions on an RD Session Host server, see Chapter 11, "Managing Remote Desktop Session Host Sessions."
■ To learn how RDS licensing works and how to use an RD License server, see Chapter 12, "Licensing Remote Desktop Services."
■ To learn about RDS life-cycle management, see Chapter 13, "Life-Cycle Management for Remote Desktop Services."
■ For more details on the APIs available to developers, see the RDS Reference at http://msdn.microsoft.com/en-us/library/aa383494(VS.85).aspx or, for longer documents and source code, see the RDS Code Gallery site at http://code.msdn.microsoft.com/rdsdev
■ For in-depth developer resources (including code samples and detailed documents), see the RDS team Code Gallery site at http://code.msdn.microsoft.com/rdsdev

CHAPTER 2

Key Architectural Concepts for Remote Desktop Services

■ Know Your Application Delivery System  40
■ Relevant Windows Server 2008 R2 Internals  41
■ Determining System Requirements for RD Session Host Servers  66
■ Supporting Client Use Profiles  99

Before you start installing Remote Desktop Services (RDS) role services, you must understand the business and technical decisions you'll need to make. This chapter addresses those questions, including both the details of the system architecture that are essential to supporting the two models of application delivery that RDS supports and some of the business decisions that you'll need to make before implementing the technology. Both will help you better plan for the resources required to support what you want to do. The chapter covers such topics as:
■ Windows Server 2008 R2 internals particularly relevant to sizing RDS roles
■ How to size Remote Desktop (RD) Session Host and RD Virtualization Host servers
■ The client requirements for using some new features of RDS
■ Characteristics of an application that will run properly on an RD Session Host server
■ Technology decisions rooted in business needs, such as the licensing model or the kinds of client hardware that make the best business sense for your company

NOTE  In parts of this chapter, you'll learn about how to do performance scaling on an existing RD Session Host server. When determining how to order the chapters in this book, the decision was made to put planning before installing. For details of the installation process, see Chapter 3, "Deploying a Single Remote Desktop Session Host Server," or Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server."

Know Your Application Delivery System
Before getting too deeply into the question of the internals of memory architecture or tips for server sizing, you need to know what an RD Session Host server and an RD Virtualization Host server do. Understanding how each application delivery platform works is essential to understanding sizing guidelines.
RDS supports two application delivery platforms: sessions on an RD Session Host and VMs on an RD Virtualization Host.

RD Session Host Servers

An RD Session Host server is a shared workstation for multiple concurrent users. When in use, the server starts applications and loads files into memory. It saves users' files. When users log on to an RD Session Host server, it loads their user profile so that they get the customized work environment that they've come to know and love. This server does everything a workstation does, but it does it for many users simultaneously.
In practical terms, this means that an RD Session Host server must:
■ Try to spread the use of processor time across all sessions so that one session isn't consuming all of it and starving the other sessions
■ Support new users as they log on while still maintaining current users
■ Run many instances of the same applications as efficiently as possible
■ Keep track of how much physical memory is available and use it as efficiently as possible for the greater good of the entire server
■ Isolate the sessions so that the users running applications on the same computer can't see each other's data

RD Virtualization Host Servers

The RD Virtualization Host application delivery model is a bit different. An RD Virtualization Host server isn't a shared workstation; it's a platform for a collection of individual workstations running in virtual machines (VMs), each with an isolated operating environment. The VMs on an RD Virtualization Host server are completely isolated from each other. They can run different operating systems, use incompatible device drivers, run demanding applications, and even crash without disturbing the other VMs on the same host. As long as the RD Virtualization Host itself is not compromised, the VMs will not be affected by each other.
When you're setting up VMs (more details about this can be found in Chapter 4), you will need to configure how much memory each VM has and the number of processors it's got. Memory you assign to a VM is dedicated to it and isn't shared with the other VMs on the same host server. Therefore, you should have a pretty good idea of what the needs of each VM will be and what hardware you'll require to support them.

Each model for application delivery works a bit differently, but they're fundamentally doing the same thing: letting a large number of people use the same hardware at the same time. Both models require a bit of juggling on the part of the operating system. Your job is to give each type of server enough resources to juggle as efficiently as possible. To do your job, it's helpful to know how the RD Session Host does all these things.

Relevant Windows Server 2008 R2 Internals

This section covers the internal workings of some system components that are most helpful to understanding how an RD Session Host or RD Virtualization Host server allocates system resources to the users it is hosting, including:
■ What it means to the RD Session Host that Windows Server 2008 R2 comes only in 64-bit
■ How VMs work
■ How application delivery servers allocate processor cycles to all the users on them
■ How application delivery servers perform memory management for sessions and VMs
The following sections will deal mainly with the RD Session Host servers because they're the most different. Although VM hosts are juggling resources among VMs, the VMs themselves are in many ways like single-user operating systems. These sections discuss virtualization and how processor scheduling, memory management, and disk and network access work in that context.

Windows Server 2008 R2 Is 64-Bit Only

One of the most basic things to understand about RDS is that in Windows Server 2008 R2, all server platforms are 64-bit. Windows 7 comes in both 32-bit and 64-bit editions, but server SKUs no longer have this option. Windows Server 2008 was the last 32-bit server platform from Microsoft.

NOTE  The Windows Server 2008 edition of this book discussed Physical Address Extension (PAE) and Address Windowing Extensions (AWE). Neither is needed on a 64-bit operating system, so neither has been included in this edition.

For RD Session Host servers, the move to 64-bit is almost entirely good news. (You'll learn why it's an "almost" in just a moment.) On 32-bit operating systems, the biggest bottleneck for terminal servers has generally been memory, with disk reads and writes coming a close second. A 32-bit operating system can't address more than 4 GB of virtual memory, no matter how much physical memory you install on the server. Windows Server Standard Edition didn't even support the installation of more than 4 GB of physical memory, so it could not take advantage of such workarounds as PAE and AWE that let the operating system store and refer to data in more than 4 GB of physical memory even if it couldn't "see" it all at one time. Now, 64-bit Windows can "see" 16 terabytes (2^44 bytes) of virtual memory addresses, so it can use all the memory it could ever need without the memory tricks that the 32-bit version of the operating system would have to use.
The reason why 64-bit Windows is almost entirely good news involves the support for older device drivers and older applications. You'll find that 32-bit applications will generally run on a 64-bit operating system without issues. In most cases, an application that can run successfully on a 32-bit terminal server should run on a 64-bit RD Session Host. However, a 64-bit operating system requires 64-bit drivers. Older client printers that you're still attempting to support, for example, might not have 64-bit drivers.
However, even recalcitrant printer drivers don't have to crush your plans to virtualize application delivery. First, if you can use Easy Print (discussed in Chapter 6, "Customizing the User Experience") for your printers, then you won't need printer drivers on the RD Session Host servers and can just use the drivers installed on the client. Second, if Easy Print isn't an option, you can use RD Virtualization Host to support the users who need the old print devices.
For RD Virtualization Host, having the host run a 64-bit operating system is an unmitigated win—the reason why Hyper-V has always been 64-bit. The guest VMs on the host don't have to run a 64-bit operating system, so they really don't have any application or driver issues as long as the user environment will work in Windows XP SP2 or later. Having a 64-bit operating system just means that you can install as much memory as you need to support all your VMs.

DIRECT FROM THE FIELD

How Does 64-Bit Windows Perform as an RD Session Host Server?
Jeff Heatton
Operations Engineer, Microsoft

We have recently moved to 64-bit on many of our servers. We see that the same physical server that could support, say, 55 users in 32-bit mode with 4 GB of RAM, can support 150 users with little stress on 64-bit with 8 GB of RAM. The 64-bit solution seems to work extremely well, and I suspect that in our environment, we could scale up further just by adding more RAM. Some servers have seen more than 300 sessions with no performance issues.

We find that with our application the workload is variable by region for the same application, because users have different work patterns in the different regions. The European folks are heavy hitters, whereas the folks in the United States and Asia give the RDS farms an easier time.

How Does an RD Session Host Server Dole Out Processor Cycles?
Nothing happens on a computer without a processor. When a computer serves dozens of users, there's a lot of competition for any available processor cycles. Here, you'll learn about how the RD Session Host server decides who's going to get processor time.
Users run applications, but operating systems don't know anything about applications. The operating system deals with processes and threads that support the application executable. A process defines the working environment for an application, including its priority when it comes to being allocated processor time, the image name of the application associated with the process (for example, Winword.exe), the process identifier (process ID, or PID) that the operating system uses to uniquely identify the process, the memory regions allocated to this process by the memory manager, links to parent processes that spawned this new process, and anything else the application would have to know to run and cooperate with other running applications.

HOW IT WORKS

Why Processes Need Both Names and PIDs

Why does a process need both an image name (this is the same as the executable name) and a PID? The reason is that image names are not necessarily unique on a server. On an RD Session Host in particular, it's highly likely that more than one instance of the same application will be running, and it is guaranteed that more than one instance of required system processes will be running (see Chapter 3 for more information about the processes common to all sessions).

Since more than one instance could be running in the same session, you can't identify the processes by session. To give Windows and the administrator more control over individual processes, the process manager creates new processes with a PID. You'll often work with PIDs when using the Remote Desktop Manager and query process command-line tools, both discussed in Chapter 11, "Managing Remote Desktop Sessions."

Processes don't do anything themselves. Rather, they define the execution environment and relationships that the executable part of a process, the thread, must know about. Threads know details such as the process they're associated with, and their security information, such as their access token (the record of the rights the thread has, given the identity of the account who started it) and impersonation information (the security credentials being used). They also keep track of their pending input/output (I/O) requests. Like processes, threads have a priority. They inherit their priority range from their process but can adjust their own priority within that range.

One key property of a process or thread is its priority, since that determines how often a thread gets some processor cycles. As you might guess, the higher the priority, the more often a thread gets processor time. Since nothing happens on a computer without processor time to execute instructions, this is critical.

NOTE  If you’re curious to see how a processor thread priority compares to that of other
types of processes, use the Process: Priority Current or Thread: Priority Current perfor-
mance counters in the Performance Monitor. For example, the Win32 Subsystem process
(which has the image name Csrss.exe) has a higher base priority than user applications, so
it will get more processor time. This is intentional, as it doesn’t matter if an application is
responsive if Windows isn’t.

One way in which RD Session Host servers differ from other types of servers is in their use of process priority. Other types of servers are generally designed to do one thing really well. They search databases, or manage email, or support websites. Their priorities are clear: The application in the foreground is the one to support. Therefore, the processes and threads belonging to the application in the foreground have a higher priority than those in the background.

NOTE  Just because the application in the foreground is the main one supported doesn’t
mean that the foreground application processes have the highest priority. See Microsoft
Windows Internals, Fifth Edition, by Mark E. Russinovich and David A. Solomon, with Alex
Ionescu (Microsoft Press, 2009), for more background on the relative priority of various
types of processes.

Unlike other servers, RD Session Host servers don't have one clear priority (in contrast to a server running Microsoft Exchange Server, for example, which focuses on one task: "I must get the mail through!"). They have dozens of users to support, all of whom are doing different things and all of whom are expecting a responsive work environment. Because of its conflicting priorities, the only way for a server with the RD Session Host role installed to cope is to prioritize all user application processes and threads equally. Because the processes backing user applications have the same priority, you can approximate the load a server can take by determining how much of the total processor time a user session will require. You'll find out more about how to do this with the Performance Monitor later in this chapter in the section called "Using Performance Monitor." But a key point to remember is that the action of installing the RD Session Host role optimizes the operating system for playing this role in your network. An RD Session Host server does not prioritize processes in the same way as a database server or mail server, because the needs of this server are different.
If one session were running a large number of demanding applications, it could potentially affect the performance of other sessions, even though the user applications all have the same priority. Windows Server 2008 addressed this with the Windows System Resource Manager (WSRM), which would reduce a thread's priority if other user threads in other sessions were being starved for processor cycles. WSRM made sure that processor time was divided evenly among sessions, but it engaged only if a session was being affected. Windows Server 2008 R2 adds a new feature called Dynamic Fair Share Scheduling (DFSS), which changes the way that the scheduler works in the kernel. With DFSS engaged—as it is by default—the scheduler will make sure that the processor time is scheduled evenly among sessions from the beginning. You'll learn more about how DFSS works in Chapter 3.
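Because user processes all share one priority, the per-session split of processor time is what tells you whether one session is crowding out the others, and it is the same number you will later feed into sizing. The following script is an added example, not code from the book: it groups the processes on an RD Session Host by session, sums cumulative processor seconds and working set per session, and then lists the processes with the highest base priorities so you can see which system processes sit above the user applications. It uses only Get-Process and the Win32_Process WMI class and assumes it is run elevated so every session's processes are visible.

```powershell
# Added example (not from the book): approximate how processor time and memory are
# spread across the sessions on an RD Session Host, then show which processes carry
# elevated base priorities. Run elevated; session 0 (services) is excluded.

# Map each interactive session to its user via the owner of that session's Explorer.exe.
$owners = @{}
Get-WmiObject -Class Win32_Process -Filter "Name='explorer.exe'" | ForEach-Object {
    $o = $_.GetOwner()
    if ($o.ReturnValue -eq 0) { $owners[[int]$_.SessionId] = "$($o.Domain)\$($o.User)" }
}

# CPU is cumulative processor seconds since the process started; it is $null for
# processes we cannot open, so those are skipped rather than counted as zero.
$procs = Get-Process | Where-Object { $_.SessionId -ne 0 -and $_.CPU -ne $null }
$totalCpu = ($procs | Measure-Object -Property CPU -Sum).Sum

$perSession = $procs | Group-Object -Property SessionId | ForEach-Object {
    $cpu = ($_.Group | Measure-Object -Property CPU -Sum).Sum
    $ws  = ($_.Group | Measure-Object -Property WorkingSet64 -Sum).Sum
    $share = 0
    if ($totalCpu -gt 0) { $share = $cpu / $totalCpu }
    New-Object PSObject -Property @{
        Session      = [int]$_.Name
        User         = $owners[[int]$_.Name]
        Processes    = $_.Count
        CpuSeconds   = [math]::Round($cpu, 1)
        CpuShare     = '{0:P1}' -f $share
        WorkingSetMB = [math]::Round($ws / 1MB)
    }
}
$perSession | Sort-Object CpuSeconds -Descending |
    Format-Table Session, User, Processes, CpuSeconds, CpuShare, WorkingSetMB -AutoSize

# Base priority per process: user applications sit at Normal (8); the per-session
# Csrss.exe and Winlogon.exe run higher. BasePriority comes from the system process
# snapshot, so it is readable even for processes we cannot open a handle to.
Get-Process | Where-Object { $_.SessionId -ne 0 } |
    Sort-Object BasePriority -Descending |
    Select-Object -First 15 Name, Id, SessionId, BasePriority |
    Format-Table -AutoSize
```

The CpuShare column is cumulative since each process started, so a long-lived idle session can look busier than a short, hot one; take two snapshots a few minutes apart and compare the CpuSeconds deltas to see who is consuming the processor right now, which is also what DFSS is balancing.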

How Do RD Session Host Servers Use Memory More Efficiently?
RD Session Host servers spread processor time among individual sessions by prioritizing all user application processes in the same way and using DFSS to ensure that no one session uses up all the processor time just because it's running demanding applications. Next, you'll learn how memory works on an RD Session Host server, including:
■ The differences between user mode and kernel mode
■ The relationship between physical storage and virtual memory
■ The role of the page file in providing additional physical storage
■ How the memory manager optimizes the use of memory
■ How memory usage, disk reads/writes, and processor time are related
■ How 64-bit only affects virtual memory management on RD Session Host servers

Understanding User-Mode and Kernel-Mode Virtual Address Space

You can't do anything on a computer without a processor, but the threads getting processor time can't do anything without memory to store data in. Operating systems store data that they're currently working with in memory. (Data that they are not currently working with, such as files you've saved and don't currently have open, are stored on the hard disk.) This data can include user data such as files or applications, or system data such as pointers to where data is stored in memory. (Memory is big—really big. Even the operating system needs a map to avoid getting lost.)
There are two kinds of memory in your computer. One is physical memory, determined by the amount of RAM installed in the computer. If you have 24 GB of RAM, there are 24 GB of physical memory available to the operating system (minus memory taken by other hardware components). The other is virtual memory, which is determined by the size of the operating system addressing structure. All 32-bit operating systems have a 4-GB virtual memory address space; 64-bit operating systems have a 16-terabyte virtual memory address space—8 terabytes for user-mode processes and 8 terabytes for kernel mode. (If you've heard it said that the 64-bit operating system removes the memory limitation on a terminal server, but you weren't quite sure what that meant, this should put the difference into perspective.) You'll see the 8-terabyte model referred to in the explanation. Virtual memory is supported by two physical storage places: the physical memory of RAM and an area on the hard disk called the page file or swap file. Therefore, even if a computer running a 64-bit operating system has only 8 GB of RAM installed, it still has an 8-terabyte range of virtual addresses for data storage.

NOTE  If you've done the math, you'll notice that 2^64 bytes is far more than 16 terabytes—it's actually 16 exabytes. Neither Windows Server 2008 R2 nor the processors it runs on implement all 64 bits of virtual address; 64-bit Windows uses 44 bits, or 2^44 bytes (16 terabytes), split evenly between kernel mode and user mode.

This 16 terabytes of virtual memory address space is divided into two regions: kernel space and user space, and the processes that store data in each region are called user-mode or kernel-mode processes. Kernel space, the upper 8 terabytes, is shared by all processes that store data here. User space is specific to each user-mode process. Conceptually, the memory layout looks like that shown in Figure 2-1. All kernel-mode processes know they must share a memory region, but all user-mode processes—not just all sessions, but all processes—think they have their own personal 8 terabytes of user-mode storage. Because this means that virtual memory addresses are duplicated from process to process, one key job of the memory manager is to make sure that user-mode processes don't affect each other when storing memory in their view of user-mode memory.

[Figure 2-1: a single shared KERNEL MODE region of 8 TB virtual memory drawn above the USER MODE region, in which Winword.exe, Outlook.exe, Taskmgr.exe, Explorer.exe, iexplore.exe, Excel.exe, and Visio.exe each have their own separate 8 TB user-mode view]

FIGURE 2-1  Kernel mode memory is common to all processes that store information there; user mode memory appears specific to each process.

Understanding both user-mode and kernel-mode storage is important to understanding how an RD Session Host server uses memory.

HOW IT WORKS

Why Does It Matter Whether Drivers Are User-Mode or


Kernel-Mode?

P revious versions of Windows introduced Group Policy to require users to em-


ploy user-mode printer drivers. If it’s not obvious to you why a policy to require
user-mode drivers might be necessary or desirable, read on.

Every component of the Windows operating system is designed to call on memory


from a particular section of memory, which is organized into blocks. The amount
of memory an operating system can access depends on the addressing scheme
it supports. For example, 64-bit operating systems can call on up to 16 terabytes
of memory, and this memory is normally divided into two pieces: The upper 8
terabytes is kernel-mode memory and the lower 8 terabytes is user-mode memory.
Kernel-mode components have access to actual physical memory structures. User-
mode components have access only to a mapped view of these structures.

Think of the memory structures are a set of interoffice mailboxes. The kernel-
mode components have access to the mailboxes themselves—the physical bins
that line the wall. User-mode components don’t have access to the boxes; instead
they indicate that a piece of data should go into the box belonging to, say, Kim
Abercrombie or to Michael Pfeiffer. The kernel-mode component creates the
mapping that identifies which physical location is associated with Kim Abercrombie
and routes the data there, so that even if the boxes are shuffled or Kim gets a new
mailbox, the data ends up in the right place. Similarly, if a user-mode component
needs data from a location, that component doesn’t know the physical location
of the data, but calls on it according to its virtual data—“I need the data stored
in Kim Abercrombie’s mailbox.” The kernel-mode component then maps Kim
Abercrombie’s name to a mailbox location and retrieves the data. The area of
memory that a component is designed to use depends on what that component
needs to do, how quickly it needs to do it, and how likely it is to have a problem
doing it. Almost everything that you see happening on a computer occurs in user
mode: applications open, windows move, characters appear on the screen as you
type, and so forth. Operations running in user mode are protected from each
other because they write to virtual locations, not to physical ones. Kernel-mode
components ensure that these operations don’t write to the same physical locations.
For this reason, user mode is also called protected mode. If an application running in
user mode crashes, it does not affect other applications.

Kernel-mode components are slightly faster than user-mode components because they don’t have to translate virtual memory addresses to physical ones; however, they are more vulnerable to error. (That said, “slightly faster” in this context is not a difference that a human can detect.) Kernel mode references the physical memory structures shared among all components on the same computer, so it’s possible that two applications could attempt to store information in the same memory space. When this happens, the components crash and it might crash the entire operating system. Printer drivers running in kernel mode on a shared server, therefore, put not just one person’s workspace at risk but that of everyone using that same computer. Although printer drivers are more reliable on shared servers than they used to be, it’s best to use only user-mode drivers. If you absolutely must use kernel-mode drivers, you must test them before putting them into production.

Technically speaking, the user-mode drivers are only partially user-mode—or at least, they are not able to do all their work from within user mode. They still communicate with a kernel-mode component that puts the data in the physical location where it must go. However, if the user-mode piece fails, this does not affect the kernel-mode area of memory.

The Role of the Memory Manager

How does all this paging take place? Who’s in charge of mapping virtual address space to physical memory so that when you try to bring a file into memory, you get the right one? How is it possible that each user-mode process thinks that it has its own 8 terabytes of user-mode memory? All this is handled by a key part of the operating system called the memory manager. The memory manager has four main jobs:
■ Mapping the virtual address space into physical memory
■ Protecting the address space of processes from each other and from the operating system
■ Paging data to and from disk
■ Managing key system resources such as the paged and non-paged memory pools and system cache
The memory manager works with the I/O manager (responsible for writing to and reading from disk) and the cache manager (some storage for the system cache) to ensure that processes have the data they need as quickly as possible.
In the next sections, you’ll learn more about how the memory manager does its job.

Mapping Virtual Memory to Physical Memory

A 64-bit operating system can see 16 terabytes of virtual memory addresses, but the computer in which the operating system is running won’t have 16 terabytes of RAM installed. As you can see from Table 2-1, no edition of Windows Server 2008 R2 or Windows 7 supports more than 2 terabytes of installed RAM (Microsoft doesn’t support what it can’t test, and systems with more than 2 terabytes of RAM didn’t exist).
TABLE 2-1  Physical Memory Limits by SKU (Editions Supporting RDS Only)

VERSION                              RAM SUPPORTED
Windows Server 2008 R2 Datacenter    2 terabytes
Windows Server 2008 R2 Enterprise    2 terabytes
Windows Server 2008 R2 Standard      32 GB
Windows Server 2008 R2 Foundation    8 GB

Not only does the amount of virtual memory exceed the installed RAM, but each user-mode process thinks that it has a dedicated 8 terabytes of storage. Something has to sort out where the data that a process thinks it stored at a particular location is really located. That function is handled by the memory manager.

The way the memory manager keeps track of how virtual addresses correspond to physical locations is much the way you’d do it if someone gave you the same job. It maintains lists mapping each virtual address to a physical location. These lists are called page tables. The collection of page tables is organized in the page table directory. (A page is a contiguous block of memory and the smallest unit of data that the memory manager can work with.) An individual entry on the page table is called a page table entry (PTE). A PTE contains the pointer to an area of physical memory. If you find page directories and PTEs confusing, think of it this way: The page table directory is like a telephone book for each process. Within the telephone book are the pages of listings—the pages are the page tables. Individual addresses on the page tables are the page table entries. With any one of the addresses, you can find a physical location for the information (the page).

Page tables and page table directories are stored in an area of kernel-mode memory reserved for this memory mapping information. The relationship between virtual memory, PTEs, and physical storage is shown in Figure 2-2.

[Figure 2-2 residue: “Page at address: 11111111”; a column of virtual memory addresses (11111111 through 66666666) for MYAPP.EXE; a Page Table Directory; a Page Table holding a PTE; RAM]

FIGURE 2-2  Virtual addresses get mapped to physical locations with PTEs.

Windows maintains a two-level page table structure of page table directories and page tables. Each process has its own page table directory. Within that page directory are the page tables listing the pages. (A process has to have more than one page table—and hence the page table directory—because the page tables are limited in size.) Within the page tables, the entries are indexed according to where they are on the page. The value of the index tells the memory manager which area of physical storage a virtual memory address points to. A virtual address contains a pointer to the correct page table directory, indexing information that points to the correct page table, and indexing information pointing to the correct PTE, as shown in Figure 2-3.
[Figure 2-3 residue: virtual memory addresses 11111111 through 66666666 for MYAPP.EXE; an address split into Page Directory Index, Page Table Index, and Byte Index; a Page Table whose PTE points into RAM]

FIGURE 2-3  Virtual memory addresses store indexing information that points to the page table directory, the page table, and the PTE.
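To make the address decomposition in Figure 2-3 concrete, here is an added example (not code from the book) that simulates the two-level walk the text describes: it splits a virtual address into a page directory index, a page table index, and a byte offset, then follows them to a physical frame. It assumes the classic non-PAE 32-bit x86 layout (10/10/12 bits, 4 KB pages); the directories, tables and frame numbers are constructed sample data.

```python
"""Simulated two-level page-table walk in the shape Figure 2-3 describes.

Added example, not code from the book. Assumptions: the classic non-PAE
32-bit x86 split (10-bit directory index, 10-bit table index, 12-bit byte
offset, 4 KB pages); all directories, tables and frames are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PAGE_SHIFT = 12                       # 4 KB pages
INDEX_BITS = 10                       # 1024 entries per directory and per table
INDEX_MASK = (1 << INDEX_BITS) - 1
OFFSET_MASK = (1 << PAGE_SHIFT) - 1


@dataclass
class PTE:
    """Page table entry: the physical frame plus whether the page is resident."""
    frame: int
    present: bool = True


@dataclass
class Process:
    """Each process owns its own page directory (its own 'telephone book')."""
    name: str
    page_directory: Dict[int, Dict[int, PTE]] = field(default_factory=dict)


def split_virtual_address(va: int) -> Tuple[int, int, int]:
    """Break a 32-bit virtual address into (directory index, table index, byte offset)."""
    pd_index = (va >> (PAGE_SHIFT + INDEX_BITS)) & INDEX_MASK
    pt_index = (va >> PAGE_SHIFT) & INDEX_MASK
    offset = va & OFFSET_MASK
    return pd_index, pt_index, offset


def translate(proc: Process, va: int) -> Optional[int]:
    """Walk directory -> page table -> PTE -> frame.

    Returns the physical address, or None when there is no page table for
    the region, no PTE, or the PTE is marked not present (the cases the
    memory manager would have to resolve with a page fault).
    """
    pd_index, pt_index, offset = split_virtual_address(va)
    page_table = proc.page_directory.get(pd_index)
    if page_table is None:
        return None
    pte = page_table.get(pt_index)
    if pte is None or not pte.present:
        return None
    return (pte.frame << PAGE_SHIFT) | offset


def map_page(proc: Process, va: int, frame: int) -> None:
    """Create the directory entry, page table and PTE that back the page containing va."""
    pd_index, pt_index, _ = split_virtual_address(va)
    proc.page_directory.setdefault(pd_index, {})[pt_index] = PTE(frame)


# Constructed sample: two processes use the same virtual address, and each
# one's directory sends it to a different physical frame (the point of Figure 2-1).
myapp = Process("MYAPP.EXE")
other = Process("OTHER.EXE")
map_page(myapp, 0x11111000, frame=0x2A)
map_page(other, 0x11111000, frame=0x3B)

if __name__ == "__main__":
    for p in (myapp, other):
        print(p.name, hex(translate(p, 0x11111234)))   # 0x2a234 and 0x3b234
    print("unmapped:", translate(myapp, 0x22222222))   # None
```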

One of the limitations of Terminal Services on 32-bit Windows is that the telephone book can be only so big because there’s a limited amount of space to store the pages. It’s as if the size of a community were limited by the size of the telephone book that would fit in each mailbox. No more space available indicates there can be no additional pages in the telephone book. This means that you’ll never be able to visit the new family in the neighborhood because they have no entry in the telephone book and you can’t find them. In the same way, the size of the space available to store PTE records limits the number of processes that can run even if you have all the RAM in the world available. The number of virtual memory addresses available to user-mode processes appears enormous because each process sees the entire 8-terabyte area. But for this area to be useful, the memory manager must be able to map the virtual address to a physical location, which means creating a page directory, page tables, and PTEs for each process. If the memory manager can’t do the mapping, then the process can’t start.
Before Windows Server 2008, the area of kernel-mode memory dedicated to PTEs was fixed in size. In Windows Server 2008 and later, kernel-mode memory for these storage structures is allocated dynamically, so that if the memory isn’t needed for one structure, it might be available to another. Windows Server 2008 R2 uses more memory than Windows Server 2003, due in part to some changes in the user shell. But if Windows Server 2003 Terminal Server was constrained by the amount of space available for PTEs, it’s possible that on the same hardware, the Windows Server 2008 R2 RD Session Host Server could support more users.

Note that 64-bit Windows has another advantage: It’s got a lot more room to store System PTEs (the PTEs used to map the location of memory the system is using). The amount of storage in 32-bit Windows is 660 MB; 64-bit Windows has 128 GB.

How Virtual Memory Is Supported

Ideally, the virtual memory a process uses to organize its storage will map to the RAM committed to that process. But RAM is finite, and sometimes it’s necessary to store that data elsewhere and then add it to the process working set when required. “Elsewhere” translates to the page file or another area of memory. To start, consider the page file.
The page file is one of those pieces of the memory structure that you’ve probably heard is very important but perhaps you aren’t quite sure what makes it so important. Basically, the page file helps make virtual memory work by adding data storage to the server above and beyond what physical RAM supplies. When RAM gets full, data that isn’t being used gets moved to the area of hard disk called the page file or swap file—that is, the data is paged to disk. When this data written to disk is called on, this produces a hard page fault. When a process searches for that data, it goes to where the data was last stored in virtual memory. The memory manager intercepts this request and retrieves the requested data from its location in the page file, paging the data back into physical memory where the process can access it. The page file increases the amount of physical storage for the virtual address space the operating system recognizes and can be used to store the data, but keep in mind that swapping data to and from the hard disk takes some time. When memory is on the hard disk, retrieving it takes longer than if the data is stored in RAM, where it can be called up more quickly. Each page fault takes processor cycles to complete. Each request to read or write to disk has to get in the I/O queue for the hard disk (more about this shortly). And the system slowdowns do add up.
The page file isn’t sounding like much of a bargain, is it? You might be wondering why it’s important. The sensible thing to do would be to install as much RAM as possible, so that the operating system will have plenty of very fast RAM to store data, instead of swapping data between the RAM and the page file. To a point, you’d be right. More RAM will generally result in a more responsive operating system (and this was especially true on 32-bit operating systems, where memory was likely to be the performance bottleneck).
However, you can’t just load up an RD Session Host or RD Virtualization Host server with an equal amount of physical and virtual memory. There are two reasons for this. First, the 64-bit operating system supports 16 terabytes of virtual memory, and the most physical memory you can install on any Windows SKU is 2 terabytes. (For Windows Server Standard, the maximum amount of physical memory supported is 32 GB, and for Windows Foundation Server, the maximum is 8 GB.) Second, all user-mode processes think that they have their very own 8-terabyte area of user-mode virtual memory. Support dozens or hundreds of users on a single server, and they’ll often use more virtual memory than you can back with RAM.
BEST PRACTICES  Microsoft’s best practices for RD Session Host servers suggest that your page file should be two to three times the size of the installed RAM to support all the individual user-mode memory areas for each process. The reasoning is that process creation is expensive—two or three times more so than maintaining the process in memory. Because many people are using the same computer, it’s likely that the computer will be creating a lot of processes for all those people. Therefore, every time users start an application, they’re engaging in this expensive activity. To keep the RD Session Host server running smoothly, you need more memory than just enough to keep the processes running.

Like other key structures, the page file is larger in 64-bit Windows than 32-bit Windows; 64-bit Windows supports a 256-terabyte page file, and for 32-bit Windows, the maximum size is 16 terabytes.

HOW IT WORKS

Improvements to the Page File System in Windows Server 2008 and Beyond

One change to memory management in Windows Server 2008 (and still relevant in Windows Server 2008 R2) lies in the way the page file works. It’s designed to be more efficient than previous versions of Windows in two important ways that allow it to write less often.

First, the fewer write actions the operating system has to take, the better, because every action has a cost. To reduce the number of necessary write operations: in Windows Server 2003, the memory manager could write only up to 64 KB of data in a single action. Today, that limit has been removed so the memory manager can write data in larger chunks. Most write operations now are approximately 1 MB.

Another improvement to the page file beginning in Windows Server 2008 is that it takes the amount of free physical memory into account before writing to the page file. In previous versions of Windows, the decision to write to the page file was based on the number of dirty pages in RAM, or areas where data had been modified. Now, if there’s no shortage of RAM, the memory manager will leave the modified data in RAM.

Not all data can be paged to disk. Some important data (important to the functioning of the operating system, not important to a user) must be maintained in RAM at all times. Data that never gets paged is stored in an area of kernel-mode memory called the non-paged pool. Kernel-mode processes that store data that can be paged to disk store it in the paged pool. In previous versions of Windows, paged pools and non-paged pools had fixed sizes depending on the amount of RAM installed on the server; beginning with Windows Server 2008, these memory areas had no fixed size but could fluctuate depending on the needs of the operating system (see Figure 2-4).

[Figure 2-4 residue: “WINDOWS 2003 KERNEL MODE MEMORY” with PAGED POOL, NON-PAGED POOL, and SYSTEM CACHE each labeled Fixed Size; “WINDOWS 2008 R2 KERNEL MODE MEMORY” with the same three areas labeled Sizes Adjustable]

FIGURE 2-4  Kernel mode memory areas supporting important system structures are sized dynamically in Windows Server 2008.

On 64-bit Windows, the maximum size of the non-paged pool is 128 GB, as opposed to 256 MB for 32-bit Windows.
Not all page faults are hard page faults. Sometimes, the data is still stored in RAM, but not in the process working set. For example, it’s possible another process might be using the data (see the next section, “Memory Sharing and Copy-on-Write”). Soft page faults cost little in terms of time or system resources, so you don’t need to worry about them. Hard page faults, in which the memory manager has to initiate a process to retrieve the data from disk, are much more expensive. When a computer is very low on available RAM and must store a lot of data in the page file, the constant reads and writes are called thrashing.
The following points sum up this section:
■ A user process expects to find the data it’s looking for in its working set.
■ If the data is not in the working set, then the memory manager will check to see if it’s stored anywhere else in RAM and add it to the process working set (a soft page fault).
■ If the data is not in memory, then the memory manager prompts the I/O manager to find the data in the page file on hard disk so it can be added to the process working set (a hard page fault).
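The three summary points above as an added example (not code from the book): a small model with a working set per process, a set of pages resident anywhere in RAM, and a page file. Each reference is classified as a hit, a soft fault or a hard fault, and a second scenario shows thrashing when RAM is too small for the pages in use. Page names, RAM size and the relative fault costs are constructed.

```python
"""Working-set lookup modelled on the three summary points above.

Added example, not code from the book. Page names, the RAM size and the
relative costs of soft and hard faults are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SOFT_FAULT_COST = 1      # constructed: the page is still in RAM, just re-linked
HARD_FAULT_COST = 1000   # constructed: the I/O manager must read it from the page file


@dataclass
class MemoryManager:
    ram_pages: int                                    # frames this computer has
    working_sets: Dict[str, Set[str]] = field(default_factory=dict)
    ram: Set[str] = field(default_factory=set)        # every page resident anywhere in RAM
    page_file: Set[str] = field(default_factory=set)
    events: List[Tuple[str, str, str]] = field(default_factory=list)

    def access(self, process: str, page: str) -> str:
        """Resolve one reference; returns 'hit', 'soft' or 'hard'."""
        ws = self.working_sets.setdefault(process, set())
        if page in ws:
            kind = "hit"                  # found in the process working set
        elif page in self.ram:
            kind = "soft"                 # elsewhere in RAM (e.g. another process's copy)
        else:
            kind = "hard"                 # not in memory: fetch from the page file
            self._page_in(page)
        ws.add(page)
        self.events.append((process, page, kind))
        return kind

    def _page_in(self, page: str) -> None:
        """Bring a page in from disk, paging out the least recently used one if RAM is full."""
        self.page_file.discard(page)
        if len(self.ram) >= self.ram_pages:
            victim = self._least_recently_used()
            self.ram.remove(victim)
            self.page_file.add(victim)
            for ws in self.working_sets.values():
                ws.discard(victim)        # trimmed from every working set
        self.ram.add(page)

    def _least_recently_used(self) -> str:
        last_use = {page: i for i, (_, page, _) in enumerate(self.events)}
        return min(self.ram, key=lambda p: last_use.get(p, -1))

    def fault_cost(self) -> int:
        """Constructed cost model: hard faults dominate, as the text says."""
        return sum(HARD_FAULT_COST if k == "hard" else SOFT_FAULT_COST
                   for _, _, k in self.events if k != "hit")

    def is_thrashing(self, window: int = 8, threshold: float = 0.5) -> bool:
        """Thrashing: most of the recent references are going to disk."""
        recent = [k for _, _, k in self.events[-window:]]
        return bool(recent) and recent.count("hard") / len(recent) >= threshold


def shared_page_demo() -> List[str]:
    """kernel32.dll is already in RAM for another process; doc.dat sits in the page file."""
    mm = MemoryManager(ram_pages=3)
    mm.ram.add("kernel32.dll")
    mm.page_file.add("doc.dat")
    return [
        mm.access("word.exe", "kernel32.dll"),    # soft: in RAM, not yet in word.exe's set
        mm.access("word.exe", "kernel32.dll"),    # hit
        mm.access("word.exe", "doc.dat"),         # hard: read back from the page file
        mm.access("excel.exe", "kernel32.dll"),   # soft: shared copy already resident
    ]


def thrashing_demo() -> Tuple[List[str], bool]:
    """Three pages cycling through two frames: every reference becomes a hard fault."""
    mm = MemoryManager(ram_pages=2)
    mm.page_file.update({"a", "b", "c"})
    kinds = [mm.access("app.exe", p) for p in "abcabcab"]
    return kinds, mm.is_thrashing()


if __name__ == "__main__":
    print(shared_page_demo())     # ['soft', 'hit', 'hard', 'soft']
    print(thrashing_demo())       # (['hard', ...], True)
```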

Memory Sharing and Copy-on-Write

Earlier you learned that all user-mode processes think they have an 8-terabyte user-mode memory area to themselves. You also discovered that this forces the need for a page file to back the virtual memory addresses, since there’s no way that RAM can do it. But the memory load of many modern applications is quite large. On an RD Session Host server supporting dozens or hundreds of sessions, each running memory-hungry applications that are not designed to be efficient with memory (because applications are still typically designed for a single-user computer), how do you avoid running out of page file as well as RAM?
One way, of course, is to ensure that you’ve got enough page file. Another way that doesn’t require any work on your part is a memory-sharing technique implemented in Windows that allows processes to share memory space—sometimes. This technique is called copy-on-write and is related to shared memory.
At the basis of copy-on-write is the fact that there’s a lot of redundancy in a computer. If two processes need to use the same dynamic-link library (DLL), for example, it is better if they can use the same one—if one can “read over the shoulder” of the other. So long as neither process is modifying the data, this works fine, and it decreases the amount of data that a process must store in memory to support all its threads.
The tricky bit comes when a piece of data that two processes are using needs to be changed by one of them. There are two ways you can avoid having a change by Process B make an impact on Process A. One way is to make a copy of the data for Process B as soon as Process B accesses the shared memory area. This can be wasted effort, though—what if the second process won’t change the shared data?
Another way that avoids this wasted effort is the approach that Windows takes. When Process B needs to change the data at the shared location, the memory manager copies the edited data to a new location. The original data is not affected, and the process that must change the data can continue, now using its own copy, as shown in Figure 2-5. Windows works like this; other operating systems might make a copy of the page at the time the second process must access the same data as the first process.

[Figure 2-5 residue: three steps with Process A and Process B sharing Shared.dll through the Memory Manager; in Step 2 Process B signals “Need to make a change!”; in Step 3 Process B uses Shared.dll (Copy)]

FIGURE 2-5  Copy on write allows for more efficient use of physical memory.

The catch to copy-on-write is that applications must be written in a way that allows them to take advantage of it. The Windows operating system can use copy-on-write for itself, but developers must plan for its use in user applications.
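The three steps of Figure 2-5 as an added example (not code from the book): two processes map a single physical page of Shared.dll, and the simulated memory manager makes a private copy only when Process B actually writes to it, leaving Process A’s view unchanged. Process names, the DLL name and its contents are constructed.

```python
"""Copy-on-write for a page shared by two processes (Figure 2-5).

Added example, not code from the book. Process names, the DLL name and
its contents are constructed; the memory manager here only tracks which
physical page each virtual page maps to and whether it is still shared.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PhysicalPage:
    data: bytearray
    refcount: int = 0                # number of process mappings pointing here


@dataclass
class Mapping:
    page: PhysicalPage
    copy_on_write: bool              # True while the page is shared read-only


@dataclass
class Process:
    name: str
    mappings: Dict[str, Mapping] = field(default_factory=dict)

    def read(self, vpage: str) -> bytes:
        return bytes(self.mappings[vpage].page.data)


class MemoryManager:
    def __init__(self) -> None:
        self.copies_made = 0

    def share(self, procs: List[Process], vpage: str, content: bytes) -> None:
        """Step 1: map one physical page into every process, marked copy-on-write."""
        page = PhysicalPage(bytearray(content))
        for p in procs:
            page.refcount += 1
            p.mappings[vpage] = Mapping(page, copy_on_write=True)

    def write(self, proc: Process, vpage: str, offset: int, value: bytes) -> None:
        """Steps 2-3: on a write to a shared page, give the writer its own copy first."""
        m = proc.mappings[vpage]
        if m.copy_on_write and m.page.refcount > 1:
            private = PhysicalPage(bytearray(m.page.data), refcount=1)
            m.page.refcount -= 1             # the original stays with the other process(es)
            m = Mapping(private, copy_on_write=False)
            proc.mappings[vpage] = m
            self.copies_made += 1
        elif m.copy_on_write:
            m.copy_on_write = False          # sole remaining user: write in place, no copy
        m.page.data[offset:offset + len(value)] = value


def demo() -> Tuple[bytes, bytes, int]:
    mm = MemoryManager()
    a, b = Process("Process A"), Process("Process B")
    mm.share([a, b], "Shared.dll", b"HELLO")    # one physical copy serves both
    mm.write(b, "Shared.dll", 0, b"J")          # B needs to make a change
    return a.read("Shared.dll"), b.read("Shared.dll"), mm.copies_made


if __name__ == "__main__":
    print(demo())    # (b'HELLO', b'JELLO', 1)
```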

How Does Disk Affect Application Delivery?

The last item in our server internals overview is disk performance. Although not everyone considers hard disks when designing an RD Session Host or RD Virtualization Host server, for best results, it’s important to keep disk performance and data storage in mind.

Keep Shared Work Environments Generic

Whether you’re delivering applications through VMs on an RD Virtualization Host or through sessions on an RD Session Host, it’s best to keep the application delivery system homogenous. All the RD Session Host servers in the same farm should have the same applications installed and the same settings configured; all the VMs in the same pool should have the same applications and configuration. Only the following four kinds of data should be on the servers:
■ The page file
■ The cached user profiles currently in use (while the profiles themselves are stored on a separate file server)
■ The operating system
■ The applications
You should never store user-specific data like user profiles or user data on a shared application delivery role like an RD Virtualization Host pooled VM or an RD Session Host server. Doing so complicates backups (since data isn’t on a central server) and can lead to an inconsistent user experience as users move from VM to VM or connect to a new session. A possible exception to this rule is the personal desktop assigned to a user, because that user will always return to that VM. However, even storing personal data on a desktop has its downfalls because it will complicate restoring files if the only backup is of the VM itself.

IMPORTANT  User profiles should not be stored on an RD Session Host server, but rather
on a central file share so that there’s only one copy of the profile. However, the profile will
be cached on the RD Session Host server for the duration of the session it’s supporting.
See Chapter 5, “Managing User Data in a Remote Desktop Services Deployment,” for more
details about combining profiles and RDS.

You not only need to think about where you’re storing data to facilitate backups and provide a consistent user experience, you need to take disk performance into account. One approach to storing all the data that should be on the RD Session Host or the VMs is to get one big hard disk and keep all the data on it. That way, you can mirror the hard disk and have a backup configuration. For small environments or pilot programs, this might work fine.
For larger deployments, best practice is generally to divide up the three types of data (page file, user profile cache, and the operating system and applications) among three separate hard disks, to avoid waits for disk I/O requests. The problem is that all user activity requires a lot of disk reads and writes. Beginning a user connection, loading a user profile, starting an application, paging some data in memory to disk (or reading data previously paged to disk back into memory)—these are just some of the events that generate disk I/O requests. If these requests begin to stack up, users will see delayed response times. Paging data back into memory from disk, for example, is already relatively slow compared to accessing the same data from physical memory.
Processors and memory are extremely fast. Disks, although fast, are much slower than either RAM or processors. (If you’ll recall from the section titled “How Virtual Memory Is Supported” earlier in this chapter, this is why it’s good to minimize use of the page file, even though it’s critical to your server functioning well.) Ideally, try to have one hard disk spindle for every 20 to 30 users on a given RD Session Host or RD Virtualization Host server. That way, the users’ disk requests will be less likely to delay each other.

Understanding the System Cache

As you’ve seen, writing data to the page file or reading from it is expensive and relatively slow. What if you’ll use the data again soon but need to free up some RAM now? What if a user requests one piece of data but is likely to need related pieces close to it in storage? In either case, the memory manager can store some data in an area of kernel-mode memory called the system cache.
The file system cache holds data pulled from disk. Without getting too deeply into the minute details of the decision tree (see the “Additional Resources” section at the end of this chapter for some detailed references), when a process requests some data, the request goes first to the area in virtual memory where the process stored the data. If the data is in RAM, then the process can continue with whatever it was doing.
If the data is not in the RAM mapped to the user’s virtual address space, the next stop is the system cache, which is a collection of virtual addresses backed by RAM. If the entire request can be satisfied from the system cache (that is, if the process has asked for data A through E, and the cache contains A, B, C, D, and E), then the request never gets as far as the file system. If only part of the data is in the system cache (say, A and B), then the cache manager forwards the request to the memory manager, which then generates a hard page fault and gets the data from the page file or from disk as appropriate.
The larger the system cache, the more efficient the process of retrieving data is. The cache grows as needed (a refinement introduced in Windows Server 2008) but in 64-bit Windows the system cache can be as large as 1 terabyte—much larger than the 1 GB possible on 32-bit Windows.
How Does RAID Affect Disk Performance?
What about RAID? RAID (which stands for “redundant array of independent disks”) is one way to increase the uptime of your servers by decreasing the likelihood of a disk failure. The basic idea of RAID is that, rather than using a monolithic disk for all your storage, you combine partitions on multiple disks into a single logical unit. The partition can encompass the entire physical disk or only part of it.
The purpose for combining the multiple disks depends on the scenario. Some forms of RAID are intended for data security by linking two or more disks in a way that maintains a copy of your data. Some increase disk throughput by letting you use two or more I/O paths to support a single logical disk (one spanning multiple physical disks).

NOTE  Not all forms of RAID increase server reliability. Some even reduce it by linking
two physical disks and making a volume spanning both, so that if one disk fails the entire
volume is inaccessible. For the purposes of this book, assume that references are only to
the fault-tolerant forms of RAID.

There are two basic kinds of fault-tolerant RAID: disk mirroring (RAID 1) and stripe sets with parity (RAID 5). (RAID 10 is fault-tolerant, but essentially combines 5 and 1.) Mirroring is the obvious winner when it comes to RD Session Host servers, but we’ll review both to make it clear why it is a better choice.

DISK MIRRORING
Disk mirroring is the preferred configuration for an RD Session Host server. In this RAID configuration, you have two disks backing a single logical volume. One disk contains the primary partition, and one contains the mirror partition. Each time you write data to the primary partition, it’s also written to the mirror partition. When you read data from the primary partition, it can be read simultaneously, on some implementations, from the mirror partition. This means that reads from a RAID 1 configuration could theoretically be twice as fast as reading from a volume encompassing only a single physical disk. Writes do not take twice as long because they can happen asynchronously.
If one disk of a mirror set fails, then a perfect and always up-to-date copy remains on the other disk. If one disk fails, you can restore redundancy easily by breaking the mirror set and replacing the failed disk, then adding the new disk to the mirror set. The disks will re-create the information on the existing disk onto the one you’ve just added to the mirror set.
RAID 1 reduces the time required to read from disk while not really affecting the write time. It also makes it easy to recover from a disk failure since the data is already fully assembled. About the only disadvantage is that it does not make very efficient use of space because there are two full copies of all data.

STRIPE SETS WITH PARITY
Another contender for a fault-tolerant system is RAID 5, or stripe sets with parity. RAID 5 works differently from RAID 1. Whereas RAID 1 maintains a perfect copy of all the data on a partition on a second disk partition, RAID 5 takes a more space-efficient approach. It writes a slice of data to each disk in the array (a minimum of three disks), but only once across the entire array. Each physical partition then contains both actual data and parity information for data stored on another drive. Therefore, so long as no more than one disk fails, you have either the original data or the parity information required to create the original data.

CAUTION  Be aware that if a second disk fails before you replace one failed disk in a
stripe set, you will lose data. This is why some people choose RAID 10, which mirrors
striped volumes.

RAID 5 has its advantages. It can use many more disks than RAID 1, and it is more efficient in the way that it stores data because it’s not maintaining duplicates of all data—just some of it, plus parity information needed to re-create it in case of disk failure. It can also be more efficient for reads because more than one I/O path can be used. But writing data takes more time with RAID 5 because every time you write data, you must also calculate and write its parity information. Given the large number of reads and writes that an RD Session Host or RD Virtualization Host server will necessarily do, this isn’t a good RAID model.
One caution about using RAID on an RD Session Host server: Don’t use software RAID. In particular, don’t use software RAID 5 (stripe sets with parity), because the calculations required will utilize processor cycles that could be used more profitably elsewhere. Hardware RAID systems have their own processor and will increase disk performance.
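An added example (not from the book) of how a stripe set with parity stores data: each stripe’s parity chunk is the XOR of its data chunks, which is also the per-write calculation the text says costs processor time. Any single failed disk can be rebuilt from the survivors, while two failures (the CAUTION above) cannot. Disk count, chunk size, the parity rotation and the sample data are constructed assumptions, not Windows details.

```python
"""Stripe set with parity (RAID 5) modelled with XOR parity.

Added example, not code from the book. The number of disks, the chunk
size, the rotating parity placement and the sample data are constructed.
"""
from typing import List, Optional

Layout = List[List[Optional[bytes]]]   # layout[disk][stripe] -> chunk (None = unreadable)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length chunks; the XOR of a stripe's data chunks is its parity."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe: int, disks: int) -> int:
    """Rotate parity across disks so one disk does not absorb every parity write."""
    return (disks - 1 - stripe) % disks


def stripe_data(data: bytes, disks: int, chunk: int) -> Layout:
    """Write data once across the array: disks-1 data chunks plus one parity chunk per stripe."""
    per_stripe = disks - 1
    chunks = [data[i:i + chunk].ljust(chunk, b"\0") for i in range(0, len(data), chunk)]
    while len(chunks) % per_stripe:
        chunks.append(b"\0" * chunk)             # pad the final stripe
    layout: Layout = [[] for _ in range(disks)]
    for s in range(len(chunks) // per_stripe):
        row = chunks[s * per_stripe:(s + 1) * per_stripe]
        pdisk = parity_disk_for(s, disks)
        data_iter = iter(row)
        for d in range(disks):
            layout[d].append(xor_blocks(row) if d == pdisk else next(data_iter))
    return layout


def read_back(layout: Layout, length: int) -> bytes:
    """Reassemble the original bytes by skipping each stripe's parity chunk."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        pdisk = parity_disk_for(s, disks)
        for d in range(disks):
            if d != pdisk:
                out += layout[d][s]
    return bytes(out[:length])


def fail_disk(layout: Layout, disk: int) -> Layout:
    """Simulate a disk failure: that disk's chunks become unreadable."""
    copy = [list(col) for col in layout]
    copy[disk] = [None] * len(copy[disk])
    return copy


def rebuild(layout: Layout, failed: List[int]) -> Optional[Layout]:
    """Rebuild one failed disk from the survivors; two failures cannot be recovered."""
    if len(failed) != 1:
        return None
    (dead,) = failed
    rebuilt = [list(col) for col in layout]
    for s in range(len(layout[0])):
        survivors = [layout[d][s] for d in range(len(layout)) if d != dead]
        rebuilt[dead][s] = xor_blocks(survivors)   # XOR of the rest restores the missing chunk
    return rebuilt


if __name__ == "__main__":
    sample = b"profile cache for Kim Abercrombie"   # constructed
    array = stripe_data(sample, disks=3, chunk=4)
    one_down = fail_disk(array, 1)
    print(read_back(rebuild(one_down, [1]), len(sample)))   # original bytes
    print(rebuild(fail_disk(one_down, 2), [1, 2]))           # None: data lost
```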

How Does Virtualization Affect Resource Usage?

Virtualization was an interesting footnote for Windows Server 2008 Terminal Services (TS). Most TS roles could be virtualized for convenience, with the exception at the time of the terminal servers themselves. (You’ll learn shortly about the hardware architectural changes that have made virtualizing an RD Session Host server no longer a bad idea, given the right processor architecture.) It wasn’t a core scenario, however. In RDS, however, one of the roles depends on virtualization: RD Virtualization Host relies on Hyper-V. Therefore, you’ll explore how virtualization works for allocating processor time, memory, disk input/output paths, and networking.
HOW IT WORKS

Distinguishing Type 1 and Type 2 Hypervisors

There are two kinds of hypervisors supporting Windows virtualization today: type 1 and type 2, as illustrated in Figure 2-6. If you’re not sure of the difference or why it’s important, read on.

[Figure 2-6 residue: the Type 1 Hypervisor diagram shows a Parent Partition, Guest OS 2 and Guest OS 3 above a Hypervisor on Hardware; the Type 2 Hypervisor diagram shows Guest OS 1 and Guest OS 2 above a Hypervisor running on a Host OS on Hardware]

FIGURE 2-6  Contrasting Type 1 and Type 2 hypervisors

A Type 1 hypervisor, in a model also known as bare metal virtualization, interacts directly with the computer hardware. In a Type 1 hypervisor such as Microsoft Hyper-V, the hypervisor is the go-between for the system hardware and the parent, or root, partition, the part of the operating system that manages the VMs. The VMs are also known as the guests or the child partitions. A Type 1 hypervisor has a parent partition and as many child partitions as it can support and needs.

Type 2 hypervisors (also known as host-based virtualization), such as Microsoft Virtual PC, are part of the host operating system. Guest VMs communicate with the host operating system to work with the system hardware.

The main reason to choose each right now depends on where you’re planning on running the VM: the data center or the desktop. Since RDS is a data-centric computing model, you’d expect that this model would prefer running the VMs from the data center on a Type 1 hypervisor, and you’d be right. However, if there is a valid reason to use a VM on a desktop computer (for example, to run a demo), as of 2010, it will most likely be on a Type 2 hypervisor. (Type 1 client hypervisors aren’t a trivial problem, in part due to the wide variety of client hardware; servers are certified for Hyper-V support.) Because RDS uses Hyper-V, a Type 1 hypervisor, you’ll focus on that model in our discussion of virtualization.

You’ve learned a lot in this chapter about how virtual memory, disk, and processor work in Windows Server 2008 R2. As you’d expect, when VMs are involved, the story gets a bit more complicated. To understand it, you’ll walk quickly through the architecture of a Type 1 hypervisor, including:
■ The role of the parent partition
■ How child partitions use memory and processor cycles
■ How child partitions access other hardware
■ Why you will get better performance using a virtualization-aware guest operating system
If you’d like more details on how hypervisors work, the additional resources at the end of this chapter point you to some sources to learn more about hypervisor architecture.

The Role of the Parent Partition

The parent partition, or root partition, is the liaison for the hypervisor (and occasionally the
hardware) and the child partitions. The root partition typically runs a stub operating system
such as Windows Server Core to save on memory requirements. Within the root partition are
■ The true device drivers for interacting with hardware
■ The virtualization service providers (VSPs) used to manage access to synthetic devices
from the child partitions (more about this in the section titled “Device Access from
Child Partitions” later in this chapter)
■ The VM Service that connects the parent partition to the hypervisor
■ Worker processes that manage the state of a child partition and perform device emu-
lation (more about this later)
You’ll find out more about what all these pieces actually do in the remainder of this section.

How Memory and Processor Allocation Works on Child Partitions

You have been introduced to some of the problems of memory and processor time manage-
ment across sessions on the same host. As you can imagine, traffic control is complicated
when a processor or memory manager must figure out how to coordinate multiple service
requests not just from different sessions, but from different VMs—and machines that might
not all be running the same operating system.
Processor scheduling and memory management are both handled by the hypervisor itself.
This component of the virtualization stack has both a processor scheduler and a memory
manager built in. The scheduler manages access to processor time across all the child
partitions, corresponding to the virtual processors in each VM, and the memory manager
handles the tracking of where the virtual address for each VM maps to in physical memory.

PROCESSOR TIME
Child partitions don’t directly access the processor scheduler; if they did, they’d interfere with
each other and it would be impossible to coordinate all the requests. A logical processor (a
core in a physical processor is referred to as a logical processor) might be used by more than
one VM (and likely is), and a VM might be using more than one logical processor. To manage
all the processor time requests, the hypervisor represents processors in a child partition as
virtual processors (VPs). A child partition can have zero (although you won’t get a lot done
like that) or more VPs. The number of VPs is not related to the number of logical processors—
again, a processor might be accessed by more than one child partition or not accessed at all
by some. A virtual processor can be
■ Running, when it’s actively executing instructions
■ Ready, when it’s not executing instructions but is ready to
■ Waiting, when the VP is waiting for instructions that tell it what to do next
■ Suspended, when it’s temporarily disabled and won’t execute instructions again until
taken out of the suspended state
The hypervisor keeps track of the state of each VP and which logical processor a VP is
using. The root partition can access this information.
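The root partition exposes that VP and logical-processor accounting through performance counters. The following PowerShell function is an added example, not code from the book or from Microsoft; it assumes the Hyper-V counter sets named in the code are present on the host (it checks for them before sampling) and that Get-Counter is available, as it is in the PowerShell 2.0 that ships with Windows Server 2008 R2. It shows how busy each logical processor is across all partitions, how much of that time each VP consumed, and how much of a VP’s time was spent inside the hypervisor rather than running guest code.

```powershell
# Added example (not from the book): read the hypervisor's per-processor
# accounting from the root partition with Get-Counter (PowerShell 2.0 or later).
# The two counter set names below are assumed to exist on a Hyper-V host; the
# function verifies them before it samples anything.
function Get-HypervisorRunTime {
    param(
        [int]$SampleInterval = 5,   # seconds between samples
        [int]$MaxSamples     = 3    # number of samples to average
    )
    foreach ($set in 'Hyper-V Hypervisor Logical Processor', 'Hyper-V Hypervisor Virtual Processor') {
        if (-not (Get-Counter -ListSet $set -ErrorAction SilentlyContinue)) {
            throw "Counter set '$set' not found; run this in the root partition of a Hyper-V host."
        }
    }
    $paths = @(
        # How busy each physical core (logical processor) is, all partitions combined.
        '\Hyper-V Hypervisor Logical Processor(*)\% Total Run Time',
        # How much processor time each VP consumed (one instance per VP, named by VM).
        '\Hyper-V Hypervisor Virtual Processor(*)\% Total Run Time',
        # The share of each VP's time spent inside the hypervisor instead of guest code.
        '\Hyper-V Hypervisor Virtual Processor(*)\% Hypervisor Run Time'
    )
    $samples = Get-Counter -Counter $paths -SampleInterval $SampleInterval -MaxSamples $MaxSamples
    # Average every instance across the samples taken. Select-Object -ExpandProperty
    # is used instead of $samples.CounterSamples so the code also runs on PowerShell 2.0.
    $samples |
        Select-Object -ExpandProperty CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object CookedValue -Average).Average
            New-Object PSObject -Property @{
                Path    = $_.Name
                Average = [math]::Round($avg, 2)
            }
        } |
        Sort-Object Path
}

# Usage, from an elevated prompt in the root partition:
Get-HypervisorRunTime | Format-Table -AutoSize
```

A VP whose hypervisor run time is a large share of its total run time is spending its cycles on intercepts rather than on guest work, which is the cost that enlightened guests and synthetic devices, discussed later in this chapter, are designed to reduce.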

MEMORY MANAGEMENT
Memory management is also more complex on a VM host than on a physical machine. The
VMs themselves can’t share memory for many reasons, including security isolation, and the
memory manager has three areas of memory to manage, not just two (see Figure 2-7). These
three areas are
■ The system physical address (SPA) space
■ The guest physical address (GPA) space
■ The guest virtual address (GVA) space
The GPA is the representation of physical memory from the perspective of the guest. Op-
erating systems expect their memory addresses to be numbered beginning at 0 and expect
some structures to be in memory at a certain address range, so guests can’t really share a
view of physical memory without getting confused. The GPA is mapped to the SPA more or
less in the same way that the memory manager maps virtual memory addresses to physical
memory addresses, as discussed in the section titled “How Do RD Session Host Servers Use
Memory More Efficiently?” earlier in this chapter. When a guest operating system accesses
memory in the GVA, the request is mapped to the GPA, and from there mapped to the actual
physical address of the SPA.
All this memory management can use up processor cycles, so VMs—especially those with
a lot of memory reads and writes, like RD Session Host servers—will benefit from Second-
Level Address Translation (SLAT) technology, as discussed in the section “Can I Run RDS in a
VM?” later in this chapter.

[Figure 2-7 diagram: the Parent Partition holds the System Physical Address (SPA) Space and
the System Page File; each of two Child Partitions holds a Guest Virtual Address (GVA) Space,
a Guest Physical Address (GPA) Space, and a Guest Page File. GVA memory pages in use map to
GPA memory pages in use, which in turn map to system memory pages in use; empty GVA memory
pages and GVA memory pages on disk (in the Guest Page File) are also shown.]

FIGURE 2-7  Memory management with a hypervisor, from “Second Level Address Translation Benefits in
Hyper-V R2,” by Janique Carbone. Used with permission.
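To make the two-stage mapping in Figure 2-7 concrete, here is an added PowerShell example, not from the book or from Hyper-V itself. It simulates the walk from a GVA through a guest’s page table to a GPA, and from the GPA through the hypervisor’s map to an SPA. The page size, the two partitions, their page tables and the addresses used are all constructed for illustration; real page tables are multi-level and are walked by hardware (or by the hypervisor when SLAT is not available). The example makes two points the text describes: both guests see a GPA space that starts at 0, yet the same GPA lands on different SPA pages for each partition, which is what keeps them isolated; and a GVA page that the guest has paged out faults inside the guest before the hypervisor is ever involved.

```powershell
# Added example (not from the book): a toy two-stage address translation,
# GVA -> GPA (guest page table) -> SPA (hypervisor map), for Figure 2-7.
# All tables and addresses below are constructed for illustration.
$PageSize = 4096

# Guest page tables, one per child partition: GVA page number -> GPA page number.
# A $null value marks a GVA page the guest has written out to its own page file.
$GuestPageTables = @{
    'ChildA' = @{ 0 = 0; 1 = 1; 2 = $null; 3 = 5 }
    'ChildB' = @{ 0 = 0; 1 = 1 }
}

# Hypervisor map, one per child partition: GPA page number -> SPA page number.
# Both guests start their GPA space at 0, but are placed on different SPA pages.
$HypervisorMap = @{
    'ChildA' = @{ 0 = 16; 1 = 17; 2 = 18 }
    'ChildB' = @{ 0 = 32; 1 = 33 }
}

function Resolve-GuestAddress {
    param(
        [Parameter(Mandatory=$true)][string]$Partition,
        [Parameter(Mandatory=$true)][int]$GVA
    )
    $gvaPage = [int][math]::Floor($GVA / $PageSize)
    $offset  = $GVA % $PageSize          # the offset survives both stages unchanged
    $result  = New-Object PSObject -Property @{
        Partition = $Partition; GVA = ('0x{0:X}' -f $GVA); GPA = $null; SPA = $null; Status = ''
    }

    # Stage 1: the guest's own memory manager maps GVA to GPA.
    $guestTable = $GuestPageTables[$Partition]
    if (-not $guestTable.ContainsKey($gvaPage)) {
        $result.Status = 'GVA page not mapped (access violation inside the guest)'
        return $result
    }
    $gpaPage = $guestTable[$gvaPage]
    if ($gpaPage -eq $null) {
        $result.Status = 'GVA page is in the guest page file (page fault handled by the guest)'
        return $result
    }
    $result.GPA = '0x{0:X}' -f ($gpaPage * $PageSize + $offset)

    # Stage 2: the hypervisor maps the guest's "physical" page to a real SPA page.
    $spaPage = $HypervisorMap[$Partition][$gpaPage]
    if ($spaPage -eq $null) {
        $result.Status = 'GPA page not backed by system memory (hypervisor must intercept)'
        return $result
    }
    $result.SPA    = '0x{0:X}' -f ($spaPage * $PageSize + $offset)
    $result.Status = 'Resolved'
    return $result
}

# Same GVA and same GPA in both guests, but different SPAs: the partitions are isolated.
Resolve-GuestAddress -Partition 'ChildA' -GVA 0x1010 | Format-List Partition, GVA, GPA, SPA, Status
Resolve-GuestAddress -Partition 'ChildB' -GVA 0x1010 | Format-List Partition, GVA, GPA, SPA, Status
# ChildA page 2 sits in the guest page file; the fault never reaches the hypervisor.
Resolve-GuestAddress -Partition 'ChildA' -GVA 0x2000 | Format-List Partition, GVA, GPA, SPA, Status
# ChildA page 3 maps to a GPA page the hypervisor has not backed with system memory.
Resolve-GuestAddress -Partition 'ChildA' -GVA 0x3000 | Format-List Partition, GVA, GPA, SPA, Status
```

Every resolved access in this model costs two lookups, which is the overhead the text attributes to memory-heavy guests such as RD Session Host servers and the reason SLAT hardware, which performs the second stage itself, helps them.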

Device Access from Child Partitions
Devices other than processors and RAM are managed separately. Rather than being managed
directly by the hypervisor, other types of devices (like network cards and hard disks) use VM
worker processes that control the virtual devices (VDs) and give the VMs a way to interact
with the devices indirectly. VDs can be emulated or synthetic.
Emulated devices are accessible to all guest VMs. They’re basically a set of I/O ports, mem-
ory ranges, and interrupts (all representing device access) that the guest can access and which
the hypervisor controls. When a guest tries to use an emulated device (for example, a Legacy
Network Card), then the VM worker process is notified. The worker process basically emulates
the action requested (for example, a disk read). While the guest VM is distracted, the worker
process sends the request to the hypervisor to be executed by the actual disk, then works the
results back up the chain to the guest VM.
Emulation is slow but simple, and it works even if the operating system isn’t virtualization-
aware. It’s also available during installation (which is why, after it is installed, you need to in-
stall a tool set onto the guest operating system to improve the VM performance and display).
But it’s not really up to the demands of modern hardware. For better performance, you’ll use
synthetic devices.
Synthetic devices are supported by VSPs, virtualization service clients (VSCs), and the VMBus.
VSPs run in the parent partition. When a child partition attempts to use a synthetic device (for
example, to read a file from a virtual disk), the VSC in charge of that particular device sends the
request to the VMBus. The VMBus links the child partition and the parent partition. The VMBus
then sends the request to the VSP for disk, and this travels via the miniport driver to the hard-
ware. The hypervisor doesn’t get involved at all, and this model is much faster.

Enlightenment, or Why Windows 7 Guests Might Scale Better

There are reasons to run Windows XP as the guest operating system in a VM, application
compatibility (the driver behind the RemoteApp for Hyper-V feature) being one of them
(more on this in Chapter 4). However, one of those reasons shouldn’t be so you can run more
VMs on a single host. Contrary to what you might expect, clients running Windows Vista and
Windows 7 might scale better, all else being equal. (This assumes that all VMs are using the
same amount of memory. If you’re using less memory for the Windows XP VMs, then they will
scale better.) The reason for this is that these more recent operating systems were designed
to be virtualized and Windows XP was not.
The current operating system kernel contains a technology called enlightenments, intro-
duced in Windows Vista and Windows Server 2008 and present in Windows Server 2008 R2
and Windows 7. Basically, enlightenments are code that runs only when the operating system
is virtualized. When the code is running, the enlightenments coordinate actions with the
hypervisor to make sure that they’re interacting with the hardware as efficiently as possible.
For example, if updating a cached memory mapping for the child process, without enlighten-
ments, the operating system would instruct the processor to flush the cache for that entry
without any caveats, which would slow memory mapping for any other child partition using
that cache. Enlightenments allow the guest operating system to let the processor know that
it should flush this cache only for the child partition doing the requesting. Other parts of the
kernel operate with the same intelligence. When possible, they ask the hypervisor to pass on
instructions to carry out only for the child partition requesting them, not the entire host and
every guest running on it.
Windows 7 and Windows Vista were designed with virtualization in mind. Windows XP,
however, was built before Hyper-V. Therefore, you might discover that you can host more
Windows 7 VMs than Windows XP VMs per RD Virtualization Host for VMs with the same re-
source profile. Since Windows 7 guest VMs will also give the best user experience due to their
full support for RDP 7 features and Windows XP endpoints can only display RDP 5.2 features,
in most cases Windows 7 VMs will be the best choice.

DIRECT FROM THE SOURCE

How Windows 2008 Improves VM Performance

Mark Russinovich
Technical Fellow at Microsoft and coauthor of Windows Internals, 5th edition

One way Windows improves the performance of child VM operating systems
is that both Windows Server 2008 and Windows Vista implement enlighten-
ments, which are code sequences that activate only when the operating system
is running on a hypervisor that implements the Microsoft hypercall application
programming interface (API). By directly requesting services of the hypervisor, the
child VM avoids virtualization code overhead that would result if the hypervisor had
to guess the intent of the child operating system.

For example, a guest operating system that does not implement enlightenments
for spinlocks, which execute low-level multiprocessor synchronization, would
simply spin in a tight loop waiting for a spinlock to be released by another virtual
processor. The spinning might tie up one of the hardware CPUs until the hypervisor
scheduled the second virtual processor. On enlightened operating systems, the
spinlock code notifies the hypervisor via a hypercall when it would otherwise spin
so that the hypervisor can immediately schedule another virtual processor and
reduce wasted CPU usage.

Another way Windows Server 2008 improves VM performance is to accelerate VM
access to devices. Performance is enhanced by installing a collection of compo-
nents, collectively called the VM integration components, into the child operating
system.

If you run a VM without installing integration components, the child operating
system configures hardware device drivers for the emulated devices that hypervisor
presents to it. The hypervisor must intervene when a device driver tries to touch a
hardware resource to inform the root partition, which performs device I/O using
standard Windows device drivers on behalf of the child VM’s operating system.
Since a single high-level I/O operation, such as a read from a disk, might involve
many discrete hardware accesses, it can cause many transitions, called intercepts,
into the hypervisor and the root partition.

Determining System Requirements for RD Session Host Servers

You’ve looked at disk, processor, and memory internals in some detail. Armed with your
newfound knowledge, answer this: If you have a server running 64-bit Windows Server 2008
R2 Standard Edition with 16 GB of RAM, a three-disk array, two quad-core processors, and a
gigabit network, how many concurrent sessions can this RD Session Host server support?
The answer, of course, is that it depends on what the users logged into those sessions are
doing. Many times, when you’re choosing hardware to support a given situation, you can take
a well-established path to choose the hardware. Look at the product documentation for the
operating system that you plan to run and the software that you want to buy, and it’s easy to
tell what the hardware requirements are. Follow those guidelines and you should be all right.
With RD Session Host servers, it’s not that easy. Defining hardware requirements for this
server role is more difficult than defining them for a server running Exchange Server, for
example. A server running Exchange Server has a more predictable load. It sends mail and it
receives mail. The mailboxes can be of a predetermined size limit, and the process of send-
ing or receiving an email takes a predictable number of processor cycles. Given all that, if you
know how many users are utilizing the server, you can determine what hardware to buy.
RD Session Host servers, in contrast, support individuals who might be doing various kinds
of activities with differing types of applications. It’s possible to predict the hardware profile
required to support 50 users getting email with a fair degree of accuracy. It’s much harder to
predict the hardware needed to support 50 users on an RD Session Host server who are using
a combination of the thousands (to be conservative) of business applications available. To
know the load that an RD Session Host server can manage, you must have a very good idea
what the individuals using it will be doing.
This might be frustrating to hear, but the most reliable way to determine how many
people can use an RD Session Host server simultaneously is to try it. Install the server and the
applications, get a representative group of users together, and keep adding users until per-
formance slows to an unacceptable level. Alternatively, you can make some guesses based on
a test run or on information derived from one session. Read on for more details about doing
a test run or extrapolating usage information from a single representative session.
Baseline RD Session Host Requirements

Saying that you can’t know how many people can use an RD Session Host server
at the same time given a certain hardware profile isn’t to say that there are no
guidelines at all. Before getting into some procedures for load testing, let’s look at
some basic recommendations for RD Session Host hardware.

Memory
Load up on memory. This is always true for an RD Session Host server, because
many people will be using applications and loading data into memory at the same
time, all in parallel. One person working on eight Microsoft PowerPoint presenta-
tions at the same time is bad enough, but 50 individuals doing the same thing can
take quite a toll on a server.

Memory was an issue with terminal servers running Windows Server 2003, but it will
be more of an issue for RD Session Host servers running Windows Server 2008 R2.
The base operating system uses more memory now, for reasons that have nothing
to do with RDS. First, the server operating system runs Windows Internet Explorer
8, which uses more memory than Microsoft Internet Explorer 6. Any scenarios that
require the Microsoft native browser will be affected by this. Second, the shell
in Windows Server 2008 R2 and Windows 7 is more memory-intensive than that
in Windows Server 2003 and Windows XP. And with Windows Server 2008, these
additional memory consumers will affect an RD Session Host server in particular,
because these programs are all about the user experience.

Remember that 64-bit Windows uses more memory than 32-bit; a lot of the stan-
dard processes use more memory in the 64-bit version than they do in the 32-bit
version. You need about 8 GB of RAM in an RD Session Host Server to bring it to
parity with a 32-bit terminal server with 4 GB. However, at 16 GB, the RD Session
Host server will start being able to support more users than the 32-bit server can.

Disk
As you saw previously, you must be sure to pay attention to your physical hard
disk layout. Everyone thinks about memory when sizing an RD Session server, with
processor power another obvious consideration. Not everyone takes disk I/O into
consideration, but a server supporting reads and writes for many users needs a wide
and unobstructed I/O path. Split data among multiple hard disks (20 to 30 users to a
disk spindle, as a guideline) for best performance and use hardware RAID 1 for disk
fault tolerance.

Network
Of course, network speed is important to a centralized computing environment. In-
house, bandwidth should not be a problem, although you might consider a multi-
homed server so you can dedicate one network card to Remote Desktop Protocol
(RDP) traffic and one to serving file and print requests. Out of the corporate
network, you’re dependent on networks you might not be able to control. To
support remote users, consider a test run to determine the usability via the
networks your users have available. What works well on the LAN might be difficult
over a digital subscriber line (DSL); what works well via DSL is likely to be difficult
over dial-up. Disable any features that use a large amount of bandwidth but aren’t
required and be sure to set the RDP clients’ network hint appropriately for their
connection type (see Chapter 6 for more about RDP).

Processor
Processor speed was unlikely to be your biggest bottleneck when running the 32-bit
version of Windows Server 2008, but it’s more important in 64-bit Windows where
memory is no longer constrained. Quad-core processors are common these days;
get a motherboard that has additional sockets. The amount of cache is more critical
to processor responsiveness than the processor’s speed. More cache provides more
space to store instructions that are quickly available to the processor to execute.
Incremental changes in megahertz (MHz) made a lot more difference when you
were moving from 66 MHz to 100 MHz. DFSS, introduced in Windows Server 2008
R2, automatically apportions processor time evenly among sessions.

DIRECT FROM THE FIELD

RDP Network Requirements


Jon Wojan
Senior Premier Field Engineer

Timothy Newton
Support Escalation Engineer

How much network bandwidth does a typical remote session require? The
answer depends on a variety of factors, including but not limited to the
following.

■ Pixel dimensions of the RDP session
■ Color depth of the RDP session
■ Redirected devices in the RDP session and their usage patterns
■ Amount of screen redraw done by user workload/multitasking and application
repaints in the RDP session
■ Compression schemes being used on the RDP channel
■ Version of RDP being used

Due to the number of factors involved, any estimate would likely be wrong for
more than 90 percent of all scenarios. However, if you want to do some testing on
your own, you can use a third-party application that measures network traffic. One
option Tim uses is a tool called NetMeter, which shows a little graph of upload and
download in real time. Using a tool like this, you can easily see how much is going
up and coming down from a given client (or you could run it on the server and see
the overall load).

Defining Acceptable Performance

Your goal is to create an efficient and effective user experience. That user experience will
be defined subjectively by three main criteria:
■ The logon process, including both how long it takes to log on, whether the server
seems unresponsive or gives some feedback data, and how many times the user needs
to supply credentials. Although the ideal user experience is to avoid logons totally—
just sitting down and having applications open is easiest—you can create a reasonable
experience if the wait isn’t unacceptably long and the process is fairly transparent.
■ Application responsiveness is crucial. Users must feel as though applications are re-
sponsive from the RD Session Host server or VM. A little lag might be acceptable, but
not much, and if the delay is so great that users are typing ahead of the display, the IT
department will likely receive complaints.
■ Files should load quickly when requested, and print jobs should print. When using the
centralized application model, you might get better response times than are possible
with desktop-based applications.

NOTE  Consider each of these criteria separately when designing a live test. That is, don’t
try to measure performance data at the same time you’re measuring the number of simul-
taneous logons the server can support. If you mix scenarios, the two tests will interfere
with each other. How can you tell how a server will perform on a daily basis if it’s stressed
out at that moment from too many logons? Sort out the logon bottleneck, and then look
to see how the servers will respond to day-to-day usage requirements.

Designing a Live Test

To create a live test, you need to know which applications are going to be run and how the
users running them work so you can pick a representative group of users and applications.
What is the plan for these RD Session Host servers?

Root the Test in Reality

There’s a lot of difference between running a low-impact point-of-sale application and
running computer-assisted design (CAD) applications requiring lots of rendering. For a less
extreme example, there’s even a difference between running Microsoft Office 2003 and
Microsoft Office 2007, since the Office 2007 interface is more resource intensive. Test with the
applications you expect to be running, not with a random or invented scenario that does not
apply to your real-life expectations. If the server isn’t doing the work under normal circum-
stances, then your test results will be meaningless.

NOTE  Because of the memory sharing discussed earlier, the first RD Session Host server
session might use more memory than that of subsequent consecutive sessions—it depends
on the application usage profile. This is why running the live test helps: It shows the effect
of multiple instances running.

Generate Typical User Behavior

Similarly, you need to know how your users work. Are they intensive workers who pound
at their applications all day (for example, inputting data or writing a long document)? Or
will they be up and down, engaging the RD Session Host server on an occasional basis? Just
checking the number of open sessions on an RD Session Host server doesn’t give you the
information you need. Even if there are 100 open sessions, how many are active? How long
have the inactive ones been idle?

NOTE  You might see references to knowledge workers and task-based workers when
researching RD Session Host server sizing. Knowledge workers conform to the profile that
was described in Chapter 1, “Introducing Remote Desktop Services”; they need access to
the data stored in the data center to do their job. Knowledge workers use many business
applications such as Office. Task-based workers generally input or review discrete chunks
of data, such as working a cash register displayed as a Windows application. Each profile
can involve light, medium, or heavy usage. Someone who’s using an RD Session Host server
to check their email a few times a day is a knowledge worker, but a light one.

If your final environment will be running a mix of users, try to get that mix represented in
your live test. Does your work group include 75 knowledge workers and 25 task-based work-
ers? If so, select three knowledge workers for every task-based worker for your test run.
Ideally, get real workers to participate in this test so that you can receive usage data that
accurately depicts typical user actions and needs throughout your workday. For instance, you
might know that users typically open files located on a file server from their RD Session Host
sessions. You might not know that these files are typically 100 MB each. It would be best if
this is discovered during your test phase and not during rollout.

Executing the Tests

If your main concern is to determine how many users an RD Session Host server can support
during the day, you’ll need to build an RD Session Host server using the instructions in
Chapter 3. Install the applications you intend to use and make some representative files
available to the users involved in the test. These are the steps you’ll follow:

1. Start an instance of the Performance Monitor, the Windows Server 2008 R2 perfor-
mance monitoring tool. Begin monitoring the counters that are not session-specific.
2. Have the users log on.
3. Tune the Performance Monitor to record performance data for the activity in each of
the user sessions for session-specific counters.
4. Ask logged-on users to start applications, load files, check email (if that’s a part of your
test), surf the Web—in short, have them work as they would normally.
5. Let the test continue for a reasonable amount of time—perhaps an hour, or even
longer.
6. Review the results and see the strain on the RD Session Host server as recorded by
Performance Monitor.

Using Performance Monitor

Most of these steps are fairly self-explanatory, but using performance counters might be new
to you. If so, read on for a walkthrough of how the monitoring process works.

COLLECTING THE DATA

To start the tool, click Start, Administrative Tools, and Performance Monitor.

NOTE  The process name for this tool hasn’t changed from previous versions of Windows
Server. You can also start it by selecting Start, Run, Perfmon.exe.

First, build a data collector set. Browse to Data Collector Sets. Right-click User Defined and
select New, Data Collector Set, as shown in Figure 2-8.

FIGURE 2-8  Start by making a new data collector set.

BEST PRACTICES  Although you can monitor the counters from the Performance Monitor,
creating a data collector set makes it easier for you to reproduce your results.

Name your data collector set using a description of what you are collecting, such as “RDS
User Test 1.” As shown in Figure 2-9, choose Create Manually (Advanced) and click Next.

FIGURE 2-9  Create a new data collector set manually.

The goal is to log data, not initiate alerts for error conditions, so choose to create data logs
based on performance counters, as shown in Figure 2-10. Click Next.

FIGURE 2-10  Create a data log using performance counters.

Next, you need to add performance counters to the collection set. What counters should
you include as part of a full test pass? Since you’re loading the server with many users, you
can take a holistic view of the server rather than just focusing on what’s happening within a
single session. See Table 2-2 for an example of counters that can tell you about the strain on
the server.

TABLE 2-2  Performance Monitor Counters for a Full Test Pass

COUNTER                                      DESCRIPTION
Processor\% Processor Time                   The percentage of elapsed time that the processor spends executing a non-idle thread (in other words, the percentage of time the processor is doing anything useful).
Terminal Services Session\Total Bytes        Total number of bytes sent to and from this session via virtual channels. Gives an idea of the traffic coming in and out of the session due to redirected device calls.
Physical Disk\Avg. Disk Queue Length         Average number of I/O requests waiting for the disk. This number should not be more than 2.
Memory\Page Faults/Sec                       The rate at which the RD Session Host server is reading from and writing to the page file. Higher numbers indicate that the server might be low on memory for its user load.
Terminal Server Session\WorkingSetPeak       The peak amount of virtual memory backed by RAM for a given session. This shows the demand for physical memory.
Terminal Server Session\% Processor Time     The percentage of processor time a given session uses.

To add a counter, find the appropriate object in the list, as shown in Figure 2-11. Click the
icon to expand the list of counters for that object. If you’re choosing a session-specific coun-
ter, choose the sessions to add it to; to choose all of them, choose <All Instances>.

FIGURE 2-11  Choose counters for each object that you want to monitor.

When you’re done selecting counters, click OK to display the list of counters that you’re
monitoring. The default sample selection should be fine. Click Next.
Choose the location where you’d like to save the data (as shown in Figure 2-12) and click
Next.

FIGURE 2-12  Specify the location to save your data collection set.

You can either save the data collector set to be initiated manually or edit the properties to
set a schedule of when it should start and how long it should last. For the moment, assume
that you’re going to start it manually, so choose that option from the list shown in Figure 2-13
and click Finish.

FIGURE 2-13  Save the data collector set to start it later.

When you’re ready to begin testing, return to the main screen of Performance Monitor
and choose the saved set from the folder of user-defined data collector sets. Right-click to
open the context-sensitive menu and choose Start, or click the green Start button, as shown
in Figure 2-14.

FIGURE 2-14  Start the data collector set.

When you have finished with the test, go back to Performance Monitor, right-click the col-
lector set, and choose Stop, or click the square-shaped Stop button located to the right of the
green Start button.

REVIEWING THE DATA

To review the results of your test, go to the Reports area shown in Figure 2-15 to find the
report identified with the name that you specified.

FIGURE 2-15  Find your report.

A report doesn’t have to show all the counters that you included in the original data collec-
tor set, but by default it does. To remove a counter that you don’t need, highlight it in the bot-
tom section on the right pane and click the red X button at the top of the pane (or press the
Delete key on your keyboard). Conversely, to add counters you want to show, click the green
plus sign at the top of the pane on the right to open the dialog box shown in Figure 2-16. Only
the objects for which you selected counters for the specified report will be available.

FIGURE 2-16  Choose the counters and specific object instances to display in your report.

Choose the object and the counters that you want to include, and because you are
measuring the total user load, make sure that <All Instances> is selected in the Instances Of
Selected Object list. <All Instances> is represented by the asterisk (*) symbol in the pane at
right. Click OK when you’ve chosen all the counters.

NOTE  The Total option makes a total count for all selected instances; <All instances> tabs
each instance individually but monitors all of them.

Finally, click the Change Graph Type drop-down menu to the left of the green plus sign
and choose to display the information as a report (or press Ctrl+G twice), as shown in
Figure 2-17.

FIGURE 2-17  Change the report view to Report.

You should see data similar to Figure 2-18, displaying the results of your tests.

FIGURE 2-18  View the final report.

Using the RD Load Simulation Tool


Performance Monitor will graph or report on set activity periods on your RD Session Host
server, but it does not create activity on an RD Session Host. And before you go live with a
new RD Session Host environment or add a new application to an existing environment, you
should have a good idea that the server can handle the amount of activity that your users will
impose upon this machine.

One way to do this is to go through a testing phase, where you have test users log in and
use the system while you take readings with Performance Monitor. This is fine if you have
those test users and they can spare the time to do this kind of testing.
Another way to understand what your RD Session Host can and can't handle is to simulate
user sessions and user activity and monitor the server's performance while it's being taxed.
The RD Load Simulation Tool (RDLST) does just that. It simulates user sessions and individual
user activity on an RD Session Host server, given a set of parameters. You specify how many
users you want to simulate, and what you want these users to do (for example, open a
document, type some text, create a graphic image, or save the document). The tool will
programmatically start remote desktop sessions to the specified RD Session Host from the
designated clients and execute specified actions within each session. Based on how the server
reacts to the load you put on it, you can get an idea of whether your server hardware is
adequate for your needs, exceeds your needs (so you could add more users), or is about right.
By reviewing the performance data, you can also see which counters are showing strain.

ON THE COMPANION MEDIA  The RDLST is available at
http://www.microsoft.com/downloads/details.aspx?FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad&displaylang=en.
This link is also located on the CD.

RDLST includes a controller component, a client agent, and a server agent, as shown in
Figure 2-19.

[Figure 2-19 components] Simulation Script; Simulation Configuration File (contains simulation
configuration parameters); Controller (starts, controls, and ends the simulation); Switch;
RD Session Host (hosts client sessions); Client Machines 1...n (initiates a remote desktop
connection for each test user)

FIGURE 2-19  The RDLST consists of the controller, server agent, and client agent.

The controller is responsible for configuring the test parameters. The test clients and RD
Session Host agents connect to the controller. The controller starts the test, monitors its
progress, and ends the test.
The clients are used to start remote desktop sessions on the RD Session Host. Then the RD
Session Host hosts the remote desktop sessions started from the clients.
The RDLST is not a solution on its own. It requires scripts to perform the actions it is built
to run, like starting user sessions, running applications, and performing activities in each user
session (such as opening an application and doing some work). Scripts also perform other
pre-test and post-test functions, like starting and stopping Performance Monitor on the RD
Session Host server and ending user sessions.
The RDLST comes with installation instructions, guidance on how to build scripts to
perform tasks specific to your environment, and a reference guide, so there's no need to
duplicate that effort. However, this section walks you through an example of how to set up
and run a simple test against an RD Session Host server using the following basic steps.
1. Install the agents on the designated test servers and clients.
2. Create test user accounts in Active Directory Domain Services (AD DS).
3. Create the script that will automate the user activities inside the user remote desktop
session.
4. Start the server and client agents.
5. Configure Performance Monitor on the RD Session Host.
6. Take a baseline Performance Monitor capture on the RD Session Host.
7. Configure the controller test parameters.
8. Start a Performance Monitor capture on the RD Session Host.
9. Start the simulation from the controller.
10. Run the simulation.
11. Stop the simulation.
12. Stop Performance Monitor data collection on the RD Session Host.
13. Review the Performance Monitor report.
In the next sections, you'll go through these steps in more detail.

Install the Agents on the Designated Test Servers


To begin, set up the controller, the clients, and the server for the test as follows.
■ Install the controller tools on a designated server. The controller is responsible for the
simulation configuration, and it also starts and ends the test. To install the controller,
run the RDLoadSimulationTools MSI file on the controller, and choose the Controller
Tools option.
■ To set up the clients, run RDLoadSimulationTools MSI on each of the clients that you
will use to generate the user sessions, and choose the Client Tools option.

■ To set up the server, run RDLoadSimulationTools MSI on the RD Session Host server
and choose the Server Tools option. Take care to run the 32- or 64-bit version of the
MSI that matches your operating system version.

NOTE  This simulation tool example assumes the availability of basic networking services
(AD DS, Domain Name System, Dynamic Host Configuration Protocol) and that all test
servers and clients can communicate with the other test machines.

Create Test User Accounts in AD DS


For the simulation to start remote desktop sessions, it needs user accounts to log in and start
the remote desktop sessions. To be used with the tool, these user accounts need to be set up
as follows.
■ User account names need to have the same prefix followed by a number suffix (for
example, TEST01, TEST02, TESTnn).
■ All user accounts need to use the same password.
Create these test user accounts in AD DS and add these accounts to the Remote Desktop
Users group on the test RD Session Host. The following PowerShell code (also on the CD as
"Create30Users.ps1") will create multiple user accounts automatically, with the same prefix,
followed by a number, and place them in a specified organizational unit (OU). In our example,
the script creates 30 user accounts, named ASHTEST1, ASHTEST2…ASHTEST30, with the
password "P@ssword", placed in the ASH Users OU.

# Creates ASHTEST1 through ASHTEST30 in the ASH_Users OU with one shared password.
# Requires the Quest AD cmdlets (see the note below); the parameter name and its value
# must be separated by a space, and the last parameter line takes no continuation backtick.
1..30 | ForEach-Object {
    New-QADUser `
        -ParentContainer ASH_Users `
        -Name "ASHTEST$_" `
        -UserPassword "P@ssword" `
        -UserPrincipalName "ASHTEST$_" `
        -DisplayName "ASHTEST$_" `
        -SamAccountName "ASHTEST$_"
}

NOTE  This script uses Quest Software’s free Windows PowerShell commands for AD DS,
which you can download at http://www.quest.com/powershell/activeroles-server.aspx (the
link is also provided on the CD).

Create the User Activity Script
As noted earlier, the RDLST doesn't run any applications on its own—it's the engine that
makes it possible. You'll need to create scripts to execute the applications and simulate user
activity. The RDLST guides tell you how to create these scripts, but they also include one
example to get you started. For the purpose of demonstrating how to use the tool, you'll
use the sample included in the box, melded into a single script and included on the CD as
Notepad.vbs. This script starts a remote desktop session, logs in a user, opens Notepad, writes
some text, and saves the text file. It is started for each of the user sessions invoked by the
controller.

NOTE  The SendKeys method will be very helpful to you in developing an interactive
script. See http://msdn.microsoft.com/en-us/library/8c6yea83(VS.85).aspx.

Start the Client and Server Agents


Log on to the clients and servers with an Admin account. Installing the client and server
agents adds their icons to the Start menu, so you can start the agents from there or by
rebooting the computers. Make sure the firewalls on the client and server machines are turned
off or have firewall exceptions for this application in place so that the firewall ignores the
agents. For this example, the firewalls are turned off on all participating machines.
The client agents automatically connect to the controller upon execution. When they do,
the dialog box for the client agent will say that it is "Connected." The server agent should also
connect automatically. If it does not, type the controller server's name into the Controller
input box and click Connect.

Configure the Controller Test Parameters


Next, configure the controller with the information that it needs to run the test. Start the
Controller software from the Start menu or by starting the executable (in this case, on an x86
operating system) as follows.

C:\Program Files (x86)\TSPerfTools\RDLoadSimulationController.exe

This starts the Remote Desktop Load Simulation Controller, shown in Figure 2-20. The
controller shows the machines that connect successfully in the Status Events section.

FIGURE 2-20  The Remote Desktop Load Controller shows the test progression and active test users.

In the Target Server input box, type the name of the RD Session Host server. Then click
Configure to open the Configuration dialog box shown in Figure 2-21.

FIGURE 2-21  Configure the General tab to dictate events that should occur on the RD Session Host server
before and after the simulation runs.

Manipulate the data on each tab to create the details of how the simulation will work. In
the upper section of the General tab, dictate events that should occur on the RD Session Host
server before and after the simulation has run its course. For instance, to reboot the server
before the test (one way to start the server agent and to end any pre-existing user sessions),
select the Reboot Server Before Test check box. The three input boxes in this section are for
inputting paths to optional scripts that can be run before or after a simulation to prepare or
clean up the RD Session Host server. For instance, at the end of a simulation, you might want
to stop the Performance Monitor capture and log off the test users. The second section
performs similar tasks for the clients.

ON THE COMPANION MEDIA  Note that the first two sections in this simulation
example are not used here, but you might need to use them in your testing. A script
to log off the test users is located on the CD in the LogOffUsers.cmd file. A script to
stop the Performance Monitor capture is on the CD in the StopPerfMon.cmd file.

The Test End Mode drop-down box provides four choices that govern when the controller
will conclude that the test is ended.
■ Stay Alive  The test does not end.
■ Users Finished  The test ends when all users tell the controller that they are finished
using the EndScript function.
■ Users Launched  The test ends as soon as the controller starts the last user script.
■ Users Launched –Timeout  The controller will wait for the specified timeout after
launching the last user before the test ends.
This example uses the Users Launched option.
First, configure the user accounts. On the User section of the General tab, specify the
user names of your test user accounts, the password for these accounts (now you see why
they should all have the same password), the name of the server running Exchange Server (if
needed), and the domain name. Test user account names in AD DS should match the settings
here. User Name Pad Count is the number of digits that will be added to the user name prefix
to reference the user names in the simulation. For instance, if the User Prefix is TEST and the
User Name Pad Count is 3, then the test will reference the user names TEST001, TEST002, and
TEST003.
Next, click the Clients tab and check that the right clients are selected and that each is
running the right number of sessions. All clients currently communicating with the controller
will be added automatically as test subjects on this tab. Select the Run Test Only On Selected
Clients option to modify the participating client list. At the bottom of the page, enter the
number of user sessions that you will run from each client. This example specifies that 20 user
sessions will be run per client. (Microsoft has tested the tool with up to 50 users per client, but
the number that will be able to run ultimately depends on the client hardware.)
Next, design how the load builds from the Test Progression tab. Enter the following
numbers according to the simulation needs and then click Add to add the data to the
simulation configuration.
■ User range  Specifies how many users you will activate with this simulation.
■ User Group Size  Specifies how many users are in a group.
■ Interval between users (sec)  Specifies the number of seconds that the controller
waits before starting the next user within the group.
■ Interval Between Groups (sec)  Specifies how many seconds will pass between the
end of one group's sessions starting and the beginning of the next user group's
sessions starting.
■ Speed Factor  Specifies how fast the scripts will be run. The scripts will run at the
normal speed when the speed factor is set to 1. They will run at double speed when the
speed factor is 2, and so on.
Figure 2-22 shows the numbers used in this example simulation.
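The values entered on the Test Progression tab are what the controller writes to the Progression line of its saved INI file (the example INI file later in this section stores 1-30-5-5-10-1). The following PowerShell function is an added example, not part of the RDLST: it decodes such a line and computes when each user session is launched. The field order and the point from which the group interval is counted are assumptions read from the descriptions above.

```powershell
# Added example (not part of the RDLST). Decodes a Progression line from the controller's INI
# file and computes the launch time of every simulated user session.
# Assumptions: the six dash-separated fields are, in order,
#   FirstUser-LastUser-GroupSize-IntervalBetweenUsers-IntervalBetweenGroups-SpeedFactor
# and the group interval is counted from the launch of the previous group's last user.
function Get-ProgressionSchedule {
    param([Parameter(Mandatory = $true)][string]$Progression)

    $fields = $Progression -split '-'
    if ($fields.Count -ne 6) { throw "Expected 6 fields in '$Progression', found $($fields.Count)" }
    $first, $last, $groupSize, $userGap, $groupGap, $speed = [int[]]$fields
    if ($groupSize -lt 1 -or $last -lt $first -or $userGap -lt 0 -or $groupGap -lt 0) {
        throw "Invalid progression '$Progression'"
    }

    # A full group of N users is launched over (N-1)*userGap seconds; the next group begins
    # groupGap seconds after that group's last launch.
    $groupPeriod = ($groupSize - 1) * $userGap + $groupGap
    $index = 0
    foreach ($user in $first..$last) {
        $group = [int][math]::Floor($index / $groupSize)
        $slot  = $index % $groupSize
        New-Object PSObject -Property @{
            User         = $user
            Group        = $group + 1
            StartSeconds = $group * $groupPeriod + $slot * $userGap
            SpeedFactor  = $speed
        }
        $index++
    }
}

function Get-RampSummary {
    # Total ramp-up: how long the controller takes to launch the last user. With Test End Mode
    # "Users Launched" this is also the moment the controller declares the test complete.
    param([Parameter(Mandatory = $true)][string]$Progression)
    $schedule = @(Get-ProgressionSchedule -Progression $Progression)
    $groups   = @($schedule | ForEach-Object { $_.Group } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Users             = $schedule.Count
        Groups            = $groups.Count
        LastLaunchSeconds = ($schedule | Measure-Object -Property StartSeconds -Maximum).Maximum
    }
}

# The chapter's example: users 1-30 in groups of 5, 5 s between users, 10 s between groups.
# Group g (0-based) starts at g*30 s, so user 30 launches at 5*30 + 4*5 = 170 s.
Get-RampSummary -Progression '1-30-5-5-10-1'
```

Because Users Launched ends the test at the last launch (170 seconds here), sessions started late in the ramp are still running their scripts when the Test Completed event is logged; Users Launched –Timeout is the option that keeps the test open for that remaining work.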

FIGURE 2-22  Add a list entry on the Test Progression tab.

Next, click the Scripts tab to pick the script or scripts that you'll use for the simulation. Click
Add Script to open the Add Script dialog box, shown in Figure 2-23.

FIGURE 2-23  Enter the full file path to the script to be used in the simulation.

Enter the full path or browse to each script that the RDLST tool will call to start the user
sessions on the clients, open remote desktop sessions on the test server, and do some work.
Enter a friendly name for each script. The friendly name will be used as the name of the
configuration INI file created next. Enter any optional parameters to be passed to the script in
the Parameters input box. This can be left empty if no optional parameters are required. In this
example, none are needed. Ignore the Script Type pull-down menu because it is disabled in
this version of the tool. Click OK. Now highlight the script in the Available Scripts pane and
click the Add>> button in the middle pane to add the script to the Selected Scripts list, as
shown in Figure 2-24.

FIGURE 2-24  Add the simulation script to the Scripts tab.

Click the Custom Command Schedule tab. This example does not use any extra added
commands, but this tab allows for custom commands that will be run on servers based
on user events. For example, you could configure the test to run a script on the servers when
50 user sessions are started and again when 100 user sessions are started. After you have
configured the controller parameters, click OK in the bottom-right corner. Then click the Save
Configuration button on the General tab of the controller. This saves the configuration to an
INI file that can be used to populate the controller configuration for future tests. Call the
configuration file when starting the program to autopopulate the controller configuration with
the parameters from the INI file. The example's INI file looks like this.

[SCALCONTROLLER]
UserIndexMode=0
ServerAgentMode=1
TClientMode=0
RebootServerMode=0
RebootClientMode=0
UserPadCount=1
UsersPerMachine=20
TestEndMode=2
CommandTimeout=25
TestEndTimeout=0
UserPrefix=ASHTEST
UserPassword=P@ssword
DomainName=ash.local
ExchangeServer=
ServerName=LOGAN
ServerPreRebootCommand=
ServerPreTestCommand=
ServerTestCleanupCommand=
ClientPreRebootCommand=
ClientPreTestCommand=
ClientTestCleanupCommand=
TestDescription=Test to launch 30 user sessions, open Notepad, type some text and
;save the file...;
ProgressionListCount=1
Progression1=1-30-5-5-10-1
CommandListCount=0
ScriptListCount=1
ScriptName1=test.vbs - Notepad Test
[AVAILABLESCRIPTS]
ScriptsCount=1
ScriptName1=test.vbs - Notepad Test
[test.vbs - Notepad Test]
filepath=C:\test.vbs
parameters=
type=3

If you're running the 32-bit version, the INI file will be saved by default to the C:\Program
Files (x86)\TSPerfTools\ folder. The name of the file is the same as the friendly name of
the script input on the Scripts tab. To call it in the future, open a Run box on the Start menu
and type

"C:\Program Files (x86)\TSPerfTools\RDLoadSimulationController.exe" SCRIPT-NAME.ini

Configure Performance Monitor on the RD Session Host
Configure Performance Monitor on the RD Session Host server to capture data that shows the
load that the user sessions place on the server. Refer to the section titled "Using Performance
Monitor" earlier in this chapter for how to set up a data collection set. This example uses a
data collector set containing the counters listed in Table 2-2.

Take a Baseline Performance Monitor Capture


It's important to know what the performance results look like before you start the test so
that the true impact of the sessions is clear. To find out, make sure no users are logged onto
the RD Session Host server and run the capture by selecting the Data Collector Set made for
the simulation and then clicking the green Play button at the top of the right pane. Run the
capture for a minute or two. Figure 2-25 shows the results of this example's baseline capture
report. As expected, very little activity is logged in the resulting report.

FIGURE 2-25  The RD Session Host server's baseline Performance Monitor results show little activity.

Start the Performance Monitor and Start the Simulation


Performance Monitor needs to run during the session to capture the data. You can either
start it manually or from a script; if you'd prefer the latter, use StartPerfMon.cmd on the CD.
This script will start Performance Monitor automatically and start a capture given the name of
the data collector set. Add this script to the Server Setup Before Test input box on the General
tab of the controller configuration.
To start Performance Monitor manually, select the same data collector that was used in the
base capture and click Play. Then immediately start the simulation on the controller server by
clicking Launch Test.

NOTE  You can only start Performance Monitor manually if you are not choosing the
Reboot Server Before Test option on the General tab. Otherwise the perfmon log will stop
when the server reboots. In the reboot case, you need to set the Perfmonstart.cmd script
to run by adding it to the Server Setup Before Test box on the General tab of the controller.

Run the Simulation
After you start the simulation, the first thing you'll see is the user sessions starting on the
clients. The active test users will begin appearing in the Active Test Users box on the
Controller graphical user interface (GUI). The user sessions will also start appearing in the RD
Session Host's Users tab in Task Manager, as well as in the Simulation agent on the client.
As the simulation progresses, the controller logs status events; you can also view them in
real time on the controller's GUI, as shown in Figure 2-26.

FIGURE 2-26  The Remote Desktop Load Simulation Controller shows user session activity and logs
simulation status events.

During the simulation, Task Manager on the RD Session Host will give a quick overview of
how the sessions are taxing the server.

Stop the Simulation and Performance Monitor
The simulation is considered over when the Test End Mode specified on the controller's
configuration General tab occurs. This example specifies Test End Mode Users Launched. This
means that when all the users have been started, the controller considers the test complete.
When the specified Test End Mode is reached, a Test Completed event will be logged on the
controller in the Status Events window.
At this time, the user sessions need to be logged off from the RD Session Host either
manually using Task Manager or the Remote Desktop Manager or programmatically using a
script that is specified in the simulation configuration.
Next, stop the Performance Monitor capture; again, you can either do this manually by
clicking Stop or programmatically by using a script specified in the simulation configuration.
Figure 2-27 shows the activity in this example simulation from beginning to end.
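The pre-test and post-test duties described here and in the Start the Performance Monitor section (start the capture before the first user launches; log off the test users and stop the capture afterward) can live in one script that the controller calls from the server setup and cleanup boxes on the General tab. The following PowerShell script is an added example, not the StartPerfMon.cmd, StopPerfMon.cmd, or LogOffUsers.cmd files from the CD; the data collector set name "RDS Load Test", the script path, and the ASHTEST prefix are assumptions.

```powershell
# Added example, not a script shipped on the book's CD. Runs on the RD Session Host.
# Give the controller (General tab, server setup and cleanup boxes) a command such as
#   powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Invoke-LoadTestPhase.ps1 -Phase Start
# (C:\Scripts\Invoke-LoadTestPhase.ps1 is a hypothetical path.)
# Assumed names: data collector set "RDS Load Test", test user prefix ASHTEST.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Start', 'Stop')][string]$Phase,
    [string]$CollectorSet = 'RDS Load Test',
    [string]$UserPrefix   = 'ASHTEST',
    [int]$DrainSeconds    = 30
)

function Invoke-Logman {
    # logman.exe starts and stops data collector sets from the command line. A non-zero exit
    # code (set already running, set not found) must fail the test phase loudly rather than
    # leave the run without a capture.
    param([ValidateSet('start', 'stop')][string]$Verb, [string]$Name)
    & logman.exe $Verb $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman $Verb '$Name' failed with exit code $LASTEXITCODE" }
}

function Get-TestSessions {
    # Parses "query session" output. The SESSIONNAME column is empty for disconnected sessions,
    # so columns cannot be counted; instead match USERNAME (prefix + digits) followed by the ID.
    param([string]$Prefix)
    $pattern = "\b(?<user>${Prefix}\d+)\s+(?<id>\d+)\s+(?<state>\w+)"
    & query.exe session | ForEach-Object {
        if ($_ -match $pattern) {
            New-Object PSObject -Property @{
                User  = $Matches['user']
                Id    = [int]$Matches['id']
                State = $Matches['state']
            }
        }
    }
}

switch ($Phase) {
    'Start' {
        # Pre-test: begin the Performance Monitor capture before the first user is launched.
        Invoke-Logman -Verb start -Name $CollectorSet
    }
    'Stop' {
        # Post-test: log off only the simulation accounts (never other users on the host),
        # give the logoffs time to finish so they show up in the capture, then stop it.
        $sessions = @(Get-TestSessions -Prefix $UserPrefix)
        foreach ($s in $sessions) {
            Write-Host ("Logging off {0} (session {1}, {2})" -f $s.User, $s.Id, $s.State)
            & logoff.exe $s.Id
        }
        if ($sessions.Count -gt 0) { Start-Sleep -Seconds $DrainSeconds }
        Invoke-Logman -Verb stop -Name $CollectorSet
    }
}
```

Because the script matches only accounts carrying the test prefix, a disconnected or administrative session on the same host is left alone during cleanup.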

FIGURE 2-27  The Task Manager on the RD Session Host shows the activity throughout the simulation.

Where the peak starts to drop on the Physical Memory usage history is where the
simulation ends. The very next plateau shows the user sessions disconnecting. Then the final
drop shows the user sessions logging off.

Review the Performance Monitor Report


To get the results of your effort, view the report corresponding to the simulation capture in
Performance Monitor on the RD Session Host. The report will be located in the Reports\User
Defined folder. Select the report by name, select the option to change the graph type, and
select Report. Compare this report to the baseline report taken before the simulation was
started. This example's baseline report is shown in Figure 2-28, and the simulation report is
shown in Figure 2-29.

FIGURE 2-28  The report contains data captured when monitoring an RD Session Host baseline
configuration.

FIGURE 2-29  The report contains data captured when monitoring an RD Load Simulation test running on an
RD Session Host server.

In short, using the RDLST will help you determine how many users can work
simultaneously on your RD Session Host servers and how well the load corresponds to the
hardware you have.

ON THE COMPANION MEDIA  See the book’s CD for a link to the RDLST to help
you programmatically determine how many people can use an RD Session Host
server based on your application set.

An Alternative to Full Testing: Extrapolation


Running a test pass of the RD Session Host server is the best way for you to get a true picture
of the session load that your hardware can handle before running a full pilot program. There
might be situations, however, in which you will be unable to run through a test pass. If no one
is available to help you, and you cannot use the RDLST, you can do a single pass on your own,
record the results with the Performance Monitor, and extrapolate the number of users that
the server can handle from the results.
You will still need to set up your RD Session Host server and load the applications that you
will host. (To learn how to set up an RD Session Host server, see Chapter 3.) Where you can
save time is in user testing. Instead of mimicking your user environment with multiple user
sessions and with real user help, you can make some estimates by testing with one
representative user session and doing some math.
In this test model, most of the counters checked for the full test pass will not help you.
You can't really tell much about page file usage with only one user, and with only one session
you're not likely to be putting much strain on disk I/O. You can, however, tell what's going on
within the session itself.
To find out, create a data collector as discussed earlier in this chapter, including only the
Terminal Server Session counters for Working Set Peak and % Processor Time.

NOTE  Because your report doesn’t have to include every counter you collect data for, you
can reuse the one from the earlier walkthrough if you created it as you read.

Run the test as described previously, trying to mimic a user session (that is, open programs
your users will open, do some work, print pages, save files, and so on). When you've finished
collecting data, select the counters to view, as described previously in this chapter, and
choose to show a report of what's happening in that session (as opposed to choosing counter
data for <All instances> as in the test pass). View this step in Figure 2-30.

FIGURE 2-30  The report is based on session extrapolation.

Now that you have this report, what does it mean and how can you use it? You can view
the data in several ways.

The data shows that the % Processor Time is approximately 10 percent. To determine the
maximum users that can be supported with this processor, divide 100 percent by 10 percent;
the result is 10 users.

NOTE  You might have multiple processors in your RD Session Host server. Be aware that
two processors don’t render twice the power of one. Instead, there is a sliding scale.
■ Approximately 1.8:1 when going from one to two processors
■ Approximately 1.65:1 when going from two to four processors
Therefore, if you have four processors in your RD Session Host server, you would use the
following calculations to compute Max Users.
100 percent divided by 5 percent = 10 users. Now take into account the other three pro-
cessors: 10*1.8*1.65 = 30 users at full load.

The processor in this example would be the bottleneck, but that might not always be
the case. You must look at the peak working set for the session and weigh that against the
amount of RAM in the computer. In this example, the peak working set was about 179 MB.
Discounting for the requirements of the operating system, take the remainder and divide
it by 250. As you can see, if the RD Session Host has 4 GB of RAM (a very low number for a
production RD Session Host server), the RAM should be able to support 16 users running the
applications that you ran in your test.
So can this server support 30 users or 16 users? For best results, it pays to be conservative.
You should always use the lower number. On a server with this processor, with this amount of
RAM, it's safe to guess that you can reasonably support roughly 16 concurrent users.
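The extrapolation above, carried through as a reusable PowerShell function (an added example, not from the chapter): it applies the processor scaling factors and the divide-by-250 RAM step and returns both limits together with the conservative choice. Reading "250" as megabytes per session, the operating system reserve value, and covering only the processor counts for which the chapter gives factors are assumptions.

```powershell
# Added example (not from the chapter): the single-session extrapolation as a function.
# Assumptions: "divide by 250" means a 250 MB budget per session; the OS reserve is a
# parameter (the chapter does not state its figure; 96 MB reproduces 16 users on 4 GB);
# only 1, 2 and 4 processors are covered because those are the factors the chapter gives.
function Get-SessionHostEstimate {
    param(
        [Parameter(Mandatory = $true)][double]$SessionCpuPercent,  # % Processor Time of one session
        [Parameter(Mandatory = $true)][int]$Processors,            # 1, 2 or 4
        [Parameter(Mandatory = $true)][int]$RamMB,                 # physical memory in the host
        [double]$PeakWorkingSetMB = 0,                             # Working Set Peak of the session
        [int]$OsReserveMB = 96,
        [int]$PerSessionBudgetMB = 250
    )
    if ($SessionCpuPercent -le 0 -or $SessionCpuPercent -gt 100) {
        throw 'SessionCpuPercent must be greater than 0 and at most 100'
    }
    if ($PeakWorkingSetMB -gt $PerSessionBudgetMB) {
        # The per-session budget must cover what one session actually used.
        throw "Peak working set ($PeakWorkingSetMB MB) exceeds the $PerSessionBudgetMB MB budget"
    }

    # Processors do not add up linearly: 1.8:1 from one to two, 1.65:1 from two to four.
    $scale = switch ($Processors) {
        1       { 1.0 }
        2       { 1.8 }
        4       { 1.8 * 1.65 }
        default { throw "No scaling factor given for $Processors processors" }
    }
    # CPU limit: 100 / per-session share gives users per processor, then apply the factor
    # (the chapter rounds 10 * 1.8 * 1.65 = 29.7 to 30).
    $cpuUsers = [int][math]::Round((100 / $SessionCpuPercent) * $scale)
    # RAM limit: what remains after the OS, divided into per-session budgets.
    $ramUsers = [int][math]::Floor(($RamMB - $OsReserveMB) / $PerSessionBudgetMB)

    $bottleneck = if ($cpuUsers -le $ramUsers) { 'CPU' } else { 'RAM' }
    New-Object PSObject -Property @{
        CpuLimitedUsers  = $cpuUsers
        RamLimitedUsers  = $ramUsers
        Bottleneck       = $bottleneck
        RecommendedUsers = [math]::Min($cpuUsers, $ramUsers)   # always use the lower number
    }
}

# The chapter's example: about 10 % processor time, 179 MB peak working set, four processors,
# 4 GB of RAM. Expected: CPU 30, RAM 16, so plan for roughly 16 concurrent users.
Get-SessionHostEstimate -SessionCpuPercent 10 -Processors 4 -RamMB 4096 -PeakWorkingSetMB 179
```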

DIRECT FROM THE SOURCE

Server Sizing Tips


Costin Hagiu
Remote Desktop Services Test Architect, Microsoft

Hammad Butt
Software Development Engineer II (Test), Microsoft

If detailed information about user activity on the RD Session Host or RD Virtualization
Host server is not available, then you can make some estimates about how many resources
each session will need as follows.

■ Allocate a percentage of a processor to a user based on how much CPU you
expect users to need for running their tasks. For example, if you expect your
users to need approximately 5 percent of the CPU’s capacity for their work,
expect to have about 20 users per CPU.

■ You will have to buy RD Session Host servers. This is especially true if you
propose to virtualize the RD Session Host servers and want to get the benefits
of Second-Level Address Translation (SLAT). Older servers won’t have this
technology.
■ You will have to buy RDS client access licenses (RDS CALs) for users to connect
to those servers, regardless of how many servers they’re connecting to. If
you’re using any additional management software on those RD Session Host
servers, you’ll need to purchase those components as well. For example, if
you install Citrix XenApp on your RD Session Host servers, you’ll also need to
purchase both RDS CALs and per-connection licenses from Citrix.
People use RDS for many, many reasons and frequently discover that it’s possible
to reduce long-term costs and increase productivity. Upfront costs aren’t the best
way to determine how to build a sustainable platform, however. Reducing capital
expenditure isn’t generally the goal; reducing operations cost is.

Going back to the original question: Should you have one large server or two (or
more) smaller ones? Most often, you’ll find more servers—scaling out, not up—to
be the more cost-effective and fault-tolerant option. The larger the dual inline
memory modules (DIMMs), the more they’ll cost. More servers also means more
disk I/O paths. In addition, even in a small deployment, with a second or third
server, you create some redundancy in your environment by not relying solely on
one RD Session Host server.

Other Sizing Questions


Thus far, this discussion has focused on what you need to know to size an RD Session Host
server properly when that server is running on a physical computer. Let's take a look at other
sizing scenarios.

Sizing RD Virtualization Host Servers


The previous discussion about sizing focused mainly on RD Session Host servers. What about
RD Virtualization Host servers—how many VMs can you support per host?
Although the answer to this question still depends on what people are doing on those
VMs, sizing VMs is a bit more like sizing physical desktops than like estimating the number
of people who can concurrently use an RD Session Host server. With Windows Server 2008
R2, you assign a certain amount of RAM to each VM when creating it, so if you have 10 VMs
and x RAM, the absolute maximum of memory that each running VM can have is x/10, minus
whatever the hypervisor needs to operate. After it's created, you can also tweak the other
hardware settings. A decent rule to remember for VMs using RDP for remote display is that
you can run 4 VMs per core. Always test, though, because the configuration for those VMs
will make or break the sizing.

One consideration you might not think of is the operating system that you're using in the
guest VMs. Counterintuitive as it might seem, Windows 7 might scale better than Windows XP
even though the Windows XP shell uses less memory. The reason, as discussed earlier in this
chapter, is that Windows 7 was designed to take advantage of virtualization and Windows XP
was not. Therefore, Windows XP is less efficient when it comes to memory management and
processor requests—or any kernel activity, really. Although you might need to run Windows
XP for application compatibility reasons in some cases, it might be better to use Windows 7.
Again, try it and see.

What About Sizing Other RDS Roles?


Do other RDS role services face the same constraints as an RD Session Host server?
The short answer is "Not really." You will learn about the internal workings of each server
role as it's introduced in this book, but here's a quick overview of what other role services are
doing.
■ An RDS Licensing server provides per-device RDS CALs or updates AD DS to show
usage of a per-user RDS CAL on a user account object, depending on whether the RD
Session Host server using the license server is in per-user mode or per-server mode.
This is not a demanding workload.
■ A Remote Desktop Gateway (RD Gateway) server examines incoming connections and
permits them or refuses them based on the rules that you set up. If a connection to a
resource is permitted, the connection will be proxied through the RD Gateway server.
The main constraint on RD Gateway performance is the number of simultaneous
incoming connections and the number of network packets in each one compared to the
network speed; keep in mind that the server can maintain hundreds of connections.
■ A Remote Desktop Connection Broker (RD Connection Broker) examines incoming
connection requests and determines which endpoint (RD Session Host server or VM)
they should be routed to based on its brokering logic and the type of endpoint
requested. After a connection has been made, the RD Connection Broker is no longer
involved, but all incoming connections to all sessions and VMs will go through this
server role.
■ A Remote Desktop Web Access (RD Web Access) server accepts incoming Hypertext
Transfer Protocol (HTTP) connections to generate RDP files on the fly. When delivered,
those RDP files provide a direct connection to an RD Session Host server. This server
can be sized like any other web server.
In short, with the exception of RD Gateway, other RDS role services generally handle short
transactions and then pass the more substantial duties to an RD Session Host or RD
Virtualization Host server. The load really isn't very large except during heavy logon times,
when they're processing a lot of connections. Ensure that the RD Gateway (and RD Web
Access, whichever users are going to first) has sufficient bandwidth to handle the expected
load of concurrent incoming connections. Otherwise, the servers should be able to function
well if they meet the requirements for Windows Server 2008 R2.

Can I Run RDS in a VM?

Virtualization is one of the hot topics today. Does virtualization mix with RDS? The answer to the question is, of course, that it depends.
Part of the answer depends on what roles you want to virtualize. Obviously, RD Virtualization Host requires you to use Hyper-V to host the VMs. For many other role services (for example, RD Gateway, RD Connection Broker, RD Web Access, or RD Licensing), running in a VM will probably work fine, although you might be able to support fewer simultaneous connections in a VM than you can in a physical machine. In fact, for years, Terminal Services administrators have run license servers in virtual computers to make it easier to maintain a backup. (This isn’t necessarily supported by Microsoft, depending on the VM platform used, but it is done.)
Virtualizing RD Session Host servers on Hyper-V is supported, but the performance will depend on a few factors. The biggest factor is whether the hardware platform supports SLAT. As was discussed earlier in this chapter, virtualizing complicates memory management. Any operating system has to map virtual memory addresses to physical RAM to retrieve data. Hypervisors have a harder job in that they must keep track of three things:
■ Physical memory
■ The physical memory each VM guest is using
■ The virtual memory each VM guest is using
Remember the page table that the memory manager uses to map virtual memory addresses to RAM? The hypervisor maintains a shadow page table for every guest VM. On a memory-intensive server like an RD Session Host, that’s a lot of memory mapping for the hypervisor to keep track of. Every time the guest VM updates the page table, the hypervisor has to update its shadow page table. Although these tables have to be stored in memory, the problem isn’t really running out of memory addresses—on a 64-bit operating system like Windows Server 2008 R2, that’s not likely to be an issue. It’s actually a problem of processor cycles, because the processor has to chew up cycles updating the shadow page tables.
SLAT-enabled processors improve the situation by maintaining the address mappings in hardware, not software. In other words, on a SLAT-enabled server, the hypervisor does not need to maintain the shadow page tables, because this can be done in hardware. The result is that a virtualized RD Session Host server can support more sessions than a virtualized RD Session Host running on non-SLAT hardware. Both memory usage and processor overhead will drop.

DIRECT FROM THE FIELD

How SLAT Reduces Overhead on Virtualized RD Session Hosts

Janique Carbone
Coauthor of Microsoft Windows Server 2008 Hyper-V Resource Kit

With respect to memory management, Windows Server 2008 R2 Hyper-V supports a new feature named Second-Level Address Translation (SLAT). SLAT uses AMD-V Rapid Virtualization Indexing (RVI) and Intel VT Extended Page Tables (EPT) technology to reduce the overhead incurred during virtual to physical address mapping performed for VMs. Through RVI or EPT respectively, AMD-V and Intel VT processors maintain address mappings and perform (in hardware) the two levels of address space translations required for each VM, reducing the complexity of the Windows hypervisor and the context switches needed to manage VM page faults. With SLAT, the Windows hypervisor does not need to shadow the guest operating system page mappings. The reduction in processor and memory overhead associated with SLAT improves scalability with respect to the number of VMs that can be concurrently executed on a single Hyper-V server. As an example, the Microsoft RDS team recently blogged about performance tests conducted using an internal simulation tool on a Windows Server 2008 Terminal Services configuration running as a VM on Windows Server 2008 R2 Hyper-V. The results showed that a SLAT-enabled processor platform increased the number of supported sessions by a factor of 1.6 to 2.5 when compared with a non-SLAT processor platform. Overall, Microsoft reports that with SLAT-enabled processors, the Windows hypervisor processor overhead drops from about 10 percent to about 2 percent and reduces memory usage by about 1 MB for each VM.

Although RVI is not required to support workloads running on Windows Server 2008 R2 Hyper-V, if you intend to run memory-intensive workloads like RDS, Microsoft SQL Server, or web services, you should strongly consider using a SLAT-enabled AMD-V or Intel VT platform to take advantage of the performance improvements provided for your virtualized workloads.

If you’re running the RD Session Host servers on older Hyper-V hosts that don’t support SLAT, then it’s still supported if you’re using Hyper-V, but your results will depend on how heavily used the RD Session Host servers are. If the load is very light—say only a few users per server—then this might be practical and allow you to avoid dedicating a physical server to an undemanding role. For RD Session Host servers with heavier usage, however, this isn’t likely to be a good fit for several reasons:

■ Disk I/O bottlenecks  You’ve learned about how best practices for RD Session Host servers recommend that you have one disk spindle—one physical disk, usually—for each 20 to 30 users.
■ Memory constraints  RD Session Host and RD Virtualization Host servers are memory-hungry. A VM host must have a lot of RAM to support many RD Session Host servers. This VM host could also end up being very expensive. Most servers top out at eight slots for RAM. As of this writing, 8-GB DIMMs cost three to four times as much as 4-GB DIMMs. Financially, you’re better off with a second server than one server with twice as much RAM—just using smaller DIMMs.
There is a place for hosting RDS role services (such as a license server) on VMs, however—even if the host does not support SLAT. Connection brokers and license servers don’t need a lot of resources to keep running.

Supporting Client Use Profiles

You’ve heard a lot about servers—and specifically the RDS role—in this chapter. But you also need to consider your users when planning. What kinds of computers do they need? What licensing model should you follow to best support their work patterns?

Client Hardware: PC or Thin Client?

This is another one of those “it depends” situations. The reasons that make thin client devices a requirement for some people just don’t apply to all situations, and the same is true for PCs.

NOTE  For those new to RDS, a thin client is a simple computer that is intended to act
entirely or almost entirely as a client to a remote endpoint (for example, RD Session Host
or VM on an RD Virtualization Host). Clients supporting RDP connections typically run
Microsoft Windows CE or an embedded version of Windows. (You’ll see some Linux-based
thin clients, but the RDP clients on Linux are neither developed by nor supported by
Microsoft.)

PCs with local processing power have become so inexpensive that they’re a commodity item in many places—look at netbooks for one example. Purchasing thin clients won’t generally save you money on hardware. The reasons why you’d choose thin clients are different, as follows:
■ When or where PCs won’t work well because of space, vibration, and other environmental issues.
■ When the cost of maintaining individual, personalized computers is very high because of frequent user turnover.
■ When client lockdown is vital. Since thin clients don’t generally run applications locally and don’t have access to data unless they’re connected to the remote endpoint, it’s easier to secure them—all security is on the endpoint.
■ When a user desktop needs to be extremely replaceable. If a PC stops working and you need to replace it, a full replacement is bulky and, if the PC is customized at all for the user, time-consuming. Replacing a thin client means unplugging one terminal and plugging in the new one.
Thin clients generally work best when it’s acceptable for all applications to execute on the remote endpoint (session or VM). It is technically possible to preload a thin client running a full Windows operating system such as Windows XP Embedded with applications, but this would be extremely expensive because of the amount of flash memory and RAM required to store and run those applications locally.

NOTE  As of this writing, thin clients running Windows CE Embedded do not support
RemoteApp programs, discussed in Chapter 3 and Chapter 9, “Multi-Server Deployments.”

Outside of those specialized settings where terminals shine, PCs (whether desktops, netbooks, or laptops) are generally the preferred option for one or more of the following reasons:
■ Not all applications might be running remotely. If some applications don’t remote well, they might need to be installed on the client.
■ The user needs access to the applications when disconnected. Mobile workers often do well with RDS, as discussed in Chapter 1, but travelers also go offline at times, such as when they are on airplanes.
■ You plan to use secure access from the Internet via RD Gateway. At this time, RD Gateway does not work with Windows CE, so the lightest-weight thin clients won’t work.
■ You need local processing power to optimize the remote experience. RDP 7 sends Windows Media Player content from the remote endpoint to the client for processing, which looks terrific. However, this requires being able to process the content locally.
In short, you’re most likely to use thin clients to support task-based workers running applications on a LAN, and PCs for users with more complex usage scenarios (offline access, WAN access, and/or a mix of locally executing applications and RemoteApp programs).

What’s the Best License Model?

You’ll learn about RDS Licensing and how it works in detail in Chapter 12, “Licensing Remote Desktop Services,” but RDS CALs are worth a mention when you’re planning your RDS deployment.
RD Session Host servers support either per-device or per-user RDS CALs. Per-device RDS CALs are associated with a particular computer (either PC or thin client). Per-user RDS CALs are associated with a particular user. An RD Session Host knows which type of licenses to ask for based on whether you’ve configured it to be in per-user or per-device mode. RDS does not have concurrent-user licensing.
The question “Which license mode is better?” can best be answered by “Which will cost the least amount of money while still allowing us to comply with the End User License Agreement (EULA)?” To calculate the answer, just consider whether you have more computers or more users. Organizations doing shift work, where three people might use the same computer, will benefit from the per-device mode. Organizations in which the ratio is one user to every computer, or even two computers to every user (for example, if many users have both a desktop computer and a laptop), will benefit from the per-user mode.
Each licensing mode has a limitation, or at least a consideration. Per-user licensing works only with Windows Server 2003 or later and requires Active Directory/AD DS; you cannot use it in a workgroup or within a domain prior to Windows Server 2003. This is because the license usage is stored as a property of the user’s account object. In addition, the license server must be able to update the domain controller to write this property. Although per-device licensing does not have this limitation, the license is associated with a particular device. This can sometimes lead to complications when you retire a PC or are using a thin client that does not store the per-device RDS CALs properly and keeps requesting a new one whenever it connects (not often a problem anymore, but it used to be with some models).
There is one other major difference between per-user and per-device licensing. In Windows Server 2008 R2, per-device licensing is enforced, whereas per-user licensing is only tracked. This does not mean it is okay to break the EULA. You still need to buy a per-user license for each person accessing one of your RD Session Host servers.

NOTE  Only RD Session Host enforces or even tracks licensing, but using any RDS role
service (RD Gateway, RD Connection Broker, etc.) requires an RDS CAL. To learn more about
how licensing works, see Chapter 12.

What Applications Can I Run on an RD Session Host Server?

OK, you’re convinced. You’d like to add RD Session Host servers to your IT infrastructure. One question remains: Can you use these servers to host all your current applications?
This is a great question to which there is no definitive answer. Microsoft does not maintain a list of third-party applications tested with RDS. No current logo program requires ISVs to test applications on RD Session Host servers. Therefore, not all application vendors test their applications on RD Session Host servers. How can you find out what will work well, what will work well with a little help, and what won’t work at all?

NOTE  Although application vendors might not test on RD Session Host servers, if an application is certified to run on Windows 7, it should run on an RD Session Host server. Not all features might work as well as they would if the application was installed locally (it depends on what you want the application to do and whether that strains what can be done on a shared server displaying the application on a remote client), but the main features of most applications certified to run on Windows 7 should work on Windows Server 2008 R2 RD Session Host servers.

There are three main ways that you can find out if an application will work on an RD Session Host server (or what you’ll need to do to it to make it work well) before actually installing it:
■ Ask if the vendor supports the application on an RD Session Host server, and ask about the recommended configuration. If the vendor has not tested the application on a shared server, you might need to get into some details about the application design. Table 2-3 includes some of the details that you should learn about an application before attempting to run it on an RD Session Host server. This is especially applicable to older or proprietary applications; most applications certified to run on Windows 7 should not have any problems running on a Windows Server 2008 R2 RD Session Host server. They might be resource-intensive, depending on the application (few application developers design with a shared computer in mind), but they will avoid the design flaws that prevent an application from running properly.
■ Check to see if anyone else has successfully run the application on an RD Session Host server. This can be as simple as doing a web search for the name of the application plus “RD Session Host server” (“terminal server” should also work and might generate more hits, because that name has been around longer) or going to the website of an independent software vendor (ISV) who packages applications for automatic deployment on an RD Session Host server. Knowing that it’s been done might not tell you how to tweak the application to make it work on an RD Session Host server, but it will at least inform you that it’s been done.

NOTE  See the Remote Desktop Services Community Verified Compatibility Center for a list of applications that have been tested on RDS. The site is at http://www.microsoft.com/rds/compatibility/Default.aspx.

■ Use the RDS Application Analyzer to examine how the application operates and whether it’s doing anything that will cause problems in a multi-user environment in which a user does not have administrative privileges.

TABLE 2-3  Application Design Questions

Characteristic: Will the application setup automatically begin Add/Remove Programs? (Applies to non-MSI programs only.)
Background: An RD Session Host server has a special mode called Install Mode for installing applications properly for multiple users, which the administrator can set from the command line or by using Add/Remove Programs. If the setup routine is started from Windows Explorer or the command line, the server should change modes.
Implications: If an application does not install in Install Mode, it will not support personalization for each person using it.

Characteristic: Will the application permit multiple versions to be run on the same RD Session Host server?
Background: Different versions of an application might use identically named but different DLLs.
Implications: If more than one version of an application is running on the same RD Session Host server, the applications might have a DLL conflict and not run properly. This issue often can be avoided by creating a server farm to deploy applications or by using App-V.

Characteristic: Does the application separate per-user and per-machine registry data, or does it assume that one user equates to one computer?
Background: Applications might store configuration data in HKEY_LOCAL_MACHINE (the registry hive relating to the computer) or in HKEY_CURRENT_USER (the registry hive relating to the currently logged-in user). RD Session Host servers will have one instance of HKCU for each logged-in user.
Implications: Since many people are running applications on the same RD Session Host server, for personalization to be supported, the application must separate per-machine and per-user data.

Characteristic: Does the application separate per-user and per-machine configuration data, or does it assume that one user equates to one computer?
Background: Applications might store configuration data in the system files, but these might not be (and should not be) available to everyone logged on to the shared server. Applications should store personalized data structures by user.
Implications: Since many people are running applications on the same RD Session Host server, for personalization to be supported, the application must separate per-machine and per-user data.

Characteristic: Does the application allow (or disallow) multiple instances of itself to run as appropriate?
Background: Some administrative applications should only be started once to work best. (A disk-management utility that can mount or format disks is one good example.) Business applications on an RD Session Host server should start more than once, but older apps might permit only one instance of themselves.
Implications: More than one instance of a management application could end up in inconsistencies in user or machine configuration that might result in serious problems. For business applications, if it will run only one instance, it’s useless on an RD Session Host server. It might still run in a VM, however.

Characteristic: Does the application separate computer and user identities?
Background: Some older network applications identify themselves by computer name (or IP address), but on a shared computer, this doesn’t work properly. Applications that have a network presence should be user-specific (like MSN Messenger, for example), not computer-specific (like the old WinChat used to be).
Implications: If an application identifies itself by the computer it’s running on, then it can’t map to a specific user running that application on a shared computer. IP virtualization in Windows Server 2008 R2 does not enable static mappings of user identity to IP addresses.

Characteristic: Does the application assume that the Windows Explorer shell is always present?
Background: Applications should not assume that the Windows Explorer shell will be available—especially now that RemoteApp programs are used. (In addition, your user configuration for File-Save Locations should not assume that the Desktop is available.)
Implications: If an application assumes the Windows Explorer shell is being used, then it might not work properly with RemoteApps.

Characteristic: How does the application communicate with any external hardware resources?
Background: If the application needs to communicate with any external hardware resources, then it should use ports that are supported for redirection.
Implications: Hardware requiring ports that are not supported for redirection won’t work from within an RD Session Host server session.

Characteristic: Does the application assume that the TEMP directory is persistent?
Background: A user’s TEMP directory will be cleaned up when the user logs off a session.
Implications: If the application stores data in Temp files, then that data will be deleted with the TEMP directory when the user logs off.

Characteristic: Does the application rely on a particular version of Internet Explorer?
Background: You can’t install Internet Explorer 6 (for example) on an RD Session Host server, which comes with Windows Internet Explorer 8.
Implications: If a web application requires a previous version of Internet Explorer, then you’ll need to run it on an operating system that supports it. This might be worked around by using Windows XP in a VM as a host.

Characteristic: The application is available in 16-bit only.
Background: Windows Server 2008 R2 is a 64-bit operating system. It can run both 32-bit and 64-bit applications, but not 16-bit.
Implications: A 16-bit application will not run on Windows Server 2008 R2.

If an application won’t work on RD Session Host for one of the reasons listed earlier, that doesn’t necessarily mean that you must install it on the client, as shown in the following examples:
■ If the application requires a previous version of Internet Explorer and won’t work with Internet Explorer 8, then you can run the application on a VM running Windows XP. As Chapter 4 will discuss, you can run it either from a desktop or as a RemoteApp program from the client operating system.
■ If an application stores data in Temp files, you might be able to keep it working using the Flattemp command to keep all temporary data in one folder instead of dividing it during each session.
■ If an application assumes that the shell will be Explorer.exe, then you can run it from a full desktop.
■ If you need to support multiple versions of an application, then you can deploy the application using a server farm or isolate it with App-V.
■ If an application requires administrative privileges to run, you might be able to host it in a VM on RD Virtualization Host.
■ You might be able to run 16-bit applications on 32-bit guest VMs running Windows 7 or (if required) Windows XP.

Using the RDS Application Analyzer

Not sure why an application won’t work properly? The RDS team developed the RDS Application Analyzer (available from https://connect.microsoft.com/tsappcompat/Downloads) to help you answer such questions. In short, the tool will tell you whether an application, running as you would expect to run it on an RD Session Host, will work in that environment, and it can also offer some specific suggestions about why there might be problems. This tool does not need to be run on a Windows Server 2008 R2 RD Session Host; it works fine from a client.
Using the tool is fairly straightforward. To begin, download and install the tool and make sure that the RDS Analyzer Service is running (although the tool does not require a reboot, the service won’t start just by being installed). When the service is running, start the tool. You should see a screen like the one shown in Figure 2-31.

FIGURE 2-31  Start the RDS Application Analyzer by clicking the Launch button.

Don’t worry about the Log File section; that’s used only if you’re loading a log file from memory. To test an application, click Browse to locate the program executable file or type the path to the executable. You don’t need to change the symbols path. Before clicking Launch, look at the Launch Options list and choose the right option depending on what you want to test, as follows:
■ To run the application with administrative privileges, select Elevate. Users won’t generally have these privileges, but selecting this option will allow you to get past any initial privilege issues that might normally shut the application down. For initial testing, don’t select this box.
■ To run the application as a normal user, clear the Elevate option and leave Disable Virtualization cleared as well.
■ To really check an application’s compatibility, select Disable Virtualization. This will turn off the registry virtualization enabled in Windows Vista and later to work around application compatibility issues (see the How It Works sidebar here for more details).

HOW IT WORKS

Registry Virtualization

Registry virtualization redirects writes from protected areas of the registry to places where the person executing the application has the right to write. For example, if an application attempts to write to HKEY_LOCAL_MACHINE\Software\ASH\, it will redirect automatically to HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software\ASH. (Although this write is stored in the user profile, it’s stored in the non-roaming section of the profile.)

The goal of this feature is to enable support for applications that write to areas of the registry that the user doesn’t have permission to edit or view.

■ If an application attempts to open a virtualized key, then the key will be opened with the Max Allowed rights instead of the security credentials of the person who started the application.
■ If an application attempts to write to a virtualized key, then the virtualization intercepts the write and sends it to the virtualized location.
■ If an application attempts to read a virtualized key, then the registry will merge the values of the “real” key and the virtualized key. If it doesn’t have a virtualized value, then it will report the “real” value. If it has been written to already, then the registry will report the virtualized value.
If you disable registry virtualization in the RDS Application Verifier, then this will tell you if the application that you’re testing depends on this feature. If it fails without registry virtualization, you should take this as a warning. Microsoft implemented registry virtualization in Windows Vista to solve application compatibility issues brought about by applications attempting to access protected registry keys, but this feature is intended to be temporary and it might be removed in future versions of Windows—basically, when enough applications no longer need it.
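The redirect-and-merge behavior the sidebar describes can be inspected directly from PowerShell. The following is an added example, not code from the book or from the RDS Application Analyzer: it lists every value that an application’s writes left in the current user’s VirtualStore and pairs it with the real HKLM value it shadows, which is a quick way to see whether an application you are testing depends on this feature. It assumes Windows Vista or later and that it runs in the profile of the user who exercised the application; the function name is this example’s own.

```powershell
# Added example (not from the book): enumerate registry writes that Windows redirected into the
# per-user VirtualStore and show which value an application reads back for each one (the
# virtualized value once it exists, otherwise the real HKLM value).
# Assumes Windows Vista or later, run in the profile of the user who ran the application under test.
function Get-VirtualizedRegistryWrites {
    param(
        # Subtree beneath HKLM to inspect; the default covers everything under Software.
        # Writes by 32-bit applications on 64-bit Windows show up under Software\Wow6432Node.
        [string] $RelativePath = 'Software'
    )

    $virtualRoot = "HKCU:\Software\Classes\VirtualStore\Machine\$RelativePath"
    if (-not (Test-Path -Path $virtualRoot)) {
        Write-Verbose "No virtualized writes under $virtualRoot"
        return
    }

    # Every key under the virtual root was created by the virtualization layer on behalf of this user
    $virtualKeys = @(Get-Item -Path $virtualRoot) + @(Get-ChildItem -Path $virtualRoot -Recurse)

    foreach ($vKey in $virtualKeys) {
        # Map HKCU\Software\Classes\VirtualStore\Machine\<X> back to the protected key HKLM\<X>
        $realPath = $vKey.PSPath -replace '^.*\\VirtualStore\\Machine\\', 'HKLM:\'
        $realKey  = if (Test-Path -Path $realPath) { Get-Item -Path $realPath } else { $null }

        foreach ($name in $vKey.GetValueNames()) {
            $virtualValue = $vKey.GetValue($name)
            $realValue    = if ($realKey) { $realKey.GetValue($name) } else { $null }

            [pscustomobject]@{
                RealKey        = $realPath
                # An empty name is the key's (Default) value
                ValueName      = if ($name) { $name } else { '(Default)' }
                RealValue      = $realValue
                VirtualValue   = $virtualValue
                # What the application sees on read: the virtualized value wins once it has been written
                EffectiveValue = $virtualValue
                # A key that exists only in the VirtualStore was created entirely by the application
                RealKeyExists  = [bool]$realKey
            }
        }
    }
}

# Report everything the current user's applications have had redirected so far
Get-VirtualizedRegistryWrites | Format-Table -AutoSize
```

Run it before and after exercising the application in the analyzer; any new rows are writes that would fail outright with Disable Virtualization selected.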

When you’ve configured the Launch Settings options appropriately, type the path or browse to the executable file to test and click Launch. From here, use the application normally for a while—open and close files, import images, whatever you might do—so you can get a good sense of what file locations and registry keys it’s touching. You might see some Debug information updating in the background, but this is only a small part of the results. When you’re done, close the application. This will prompt the RDS Application Analyzer to log all the data it collected and display the results, as in Figure 2-32 (showing saved log data and obscuring the name of the application being tested, which is not important to understanding the results).

FIGURE 2-32  The Compatibility Summary contains the results of running the RDS Application Analyzer.

Let’s walk through what you’re seeing here:

■ File and Registry Access  The File and Registry tabs show what areas of the operating system the application attempted to access without the right permissions and what the results were. For example, one of the three failed writes that this application made was an attempt to delete a folder under Program Files. The detailed information about this option looked like this:

RemoveDirectoryW: Directory (\Device\HarddiskVolume2\PROGRA~1\XXX) only grants requested 'DELETE' to 'NT SERVICE\TrustedInstaller, NT AUTHORITY\SYSTEM, BUILTIN\Administrators'

As you read this, you can see that only members of the BuiltIn\Administrators group can delete folders in this location, so the action failed.
■ INI Writes  Few modern applications still reference INI files, but if you run one that does, you’ll see it here.
■ Token  The Token section notes permissions again. If the token required for this application to run is BuiltIn\Administrators, then that application is unlikely to work well on an RD Session Host, where users do not have administrative privileges. An application might use the Administrator rights to do cleanup without assuming that it has them to do the main functions of the application, though.
■ Privilege  This tab tells you more about the level of access that the application demands. If it requires SeDebugPrivilege, then it won’t run properly without elevated privileges; it’s running as a service. SeAuditPrivilege is not a problem, though—that just allows the process to generate security audit data.
■ Name Space  Name space issues refer to applications attempting to create system objects in a protected namespace. Applications that try to do this will need too many privileges to work without administrative rights.
■ Other Objects  This tab includes issues involving object access that aren’t related to the file system or registry entries. Anything listed here is a failed access attempt. The application might still work, but it wasn’t able to do something it was attempting to do.
■ Process  This tab lists any issues with process elevation. Again, this will point to an application attempting to elevate its privileges beyond those of a normal user account. Problems here will generally lead to an application failing on an RD Session Host server.
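The failed RemoveDirectoryW entry above comes down to a folder ACL that grants DELETE to no group an ordinary session user belongs to. As an added example (not from the book or from the analyzer), the following PowerShell function reads a folder’s ACL and reports which principals actually hold the Delete right on it, and also whether the parent folder grants “Delete subfolders and files”, which permits the removal just as well. The function name, the sample path, and the list of ordinary-user groups are this example’s own assumptions.

```powershell
# Added example (not from the book): explain a failed delete like the analyzer's RemoveDirectoryW
# entry by reading the folder's ACL and listing who is actually granted the right to remove it.
# NTFS allows a folder to be removed either through DELETE on the folder itself or through
# FILE_DELETE_CHILD ("Delete subfolders and files") on its parent, so both are checked.
# The function name, the sample path and the ordinary-user group list are this example's assumptions.
function Get-FolderDeleteGrantees {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Groups an ordinary (non-admin) RD Session Host user typically belongs to
        [string[]] $OrdinaryUserGroups = @('BUILTIN\Users', 'Everyone',
                                           'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )

    $deleteRight      = [int][System.Security.AccessControl.FileSystemRights]::Delete                       # 0x10000
    $deleteChildRight = [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles # 0x40

    # Identities whose effective Allow ACEs on $Acl contain every bit in $Mask
    function Select-Grantees([System.Security.AccessControl.FileSystemSecurity] $Acl, [int] $Mask) {
        foreach ($ace in $Acl.Access) {
            # Inherit-only ACEs apply to children, not to this object itself
            $inheritOnly = $ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly
            # FileSystemRights may carry generic bits outside the enum, so compare as integers
            if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
                (([int]$ace.FileSystemRights -band $Mask) -eq $Mask)) {
                $ace.IdentityReference.Value
            }
        }
    }

    $ownGrantees    = @(Select-Grantees -Acl (Get-Acl -Path $Path) -Mask $deleteRight)
    $parent         = Split-Path -Path $Path -Parent
    $parentGrantees = if ($parent) { @(Select-Grantees -Acl (Get-Acl -Path $parent) -Mask $deleteChildRight) } else { @() }
    $allGrantees    = @($ownGrantees + $parentGrantees | Sort-Object -Unique)

    [pscustomobject]@{
        Path                       = $Path
        DeleteGrantedOnFolder      = $ownGrantees
        DeleteChildGrantedOnParent = $parentGrantees
        GrantedTo                  = $allGrantees
        # If no grantee is a group ordinary users are in, a normal session cannot remove the folder
        OrdinaryUserCanDelete      = [bool]($allGrantees | Where-Object { $OrdinaryUserGroups -contains $_ })
    }
}

# Sample call: Program Files itself, the location the analyzer output above refers to
Get-FolderDeleteGrantees -Path $env:ProgramFiles | Format-List
```

On a default installation, GrantedTo lists TrustedInstaller, SYSTEM, and Administrators and OrdinaryUserCanDelete is False, matching what the analyzer reported for the application’s failed delete.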

What Version of Remote Desktop Connection Do I Need?

Some features of Windows Server 2008 R2 RDS require the latest version of the Remote Desktop Connection (RDC). As of this writing, the latest version is RDC 7, available for Windows XP Service Pack 3, Windows Vista Service Pack 1, and installed on Windows 7.
Tables 2-4, 2-5, and 2-6 are adapted from “How to Detect RDS-Specific Application Compatibility Issues by Using the RDS Application Compatibility Analyzer” on the RDS team blog. They show what the user experience is like for people using RDC 5.2 (the oldest supported version of RDC), 6.1, and 7 to connect to a Windows Server 2008 R2 or Windows 7 endpoint.

IMPORTANT  Both the client and server pieces of RDP determine the user experience,
and the earlier version will always take precedence if there is a conflict. For example, if you
are connecting to Windows XP from an RDC 7 connection, you’ll get the remote experience
of RDP 5.2, because Windows XP does not have the RDP 7 server component. If connecting
to Windows Server 2008 from RDC 7, you’ll get the RDC 6 user experience.

TABLE 2-4  The RDC Connectivity Experience

Connecting from: A = Windows 7/Windows Server 2008 R2 with RDC 7.0; B = Windows Vista SP+ with RDC 7.0; C = Windows Vista SP+ with RDC 6.1; D = Windows XP SP3 with RDC 7.0; E = Windows XP SP3 with RDC 6.1; F = Windows XP SP2 with RDC 6.1; G = Windows XP SP2 with RDC 5.2.

Access to Remote Desktop sessions
    A Yes  B Yes  C Yes  D Yes  E Yes  F Yes  G Yes  (Discussed in Chapter 3)
Access to RemoteApp programs
    A Yes  B Yes  C Yes  D Yes  E Yes  F Yes  G No  (Discussed in Chapter 3)
Access to personal desktop by using RD Connection Broker
    A Yes  B Yes  C Yes  D Yes  E Yes  F Yes  G Yes  (Discussed in Chapter 9)
Access to virtual desktop pools by using RD Connection Broker
    A Yes  B Yes  C Yes  D Yes  E Yes  F Yes  G Yes  (Discussed in Chapter 9)
Start applications and desktops from RemoteApp and Desktop Connection on client
    A Yes  B No  C No  D No  E No  F No  G No  (Discussed in Chapter 9)
Start RemoteApp programs, virtual desktop, and session-based desktop from RD Web Access
    A Yes  B Yes  C Yes  D Yes  E Yes  F Yes  G No  (Discussed in Chapter 9)
Status & disconnect system tray icon
    A Yes  B Yes  C No  D No  E No  F No  G No  (Discussed in Chapter 9)

112
TABLE 2-5  The RDC User Experience

| Connecting from | Windows 7 / Windows Server 2008 R2, RDC 7.0 | Windows Vista SP+, RDC 7.0 | Windows Vista SP+, RDC 6.1 | Windows XP SP3, RDC 7.0 | Windows XP SP3, RDC 6.1 | Windows XP SP2, RDC 6.1 | Windows XP SP2, RDC 5.2 | Discussed in |
|---|---|---|---|---|---|---|---|---|
| Windows Media Player Redirection | Yes | Yes | No | Yes | No | No | No | Chapter 6 |
| Bidirectional Audio | Yes | Yes | No | Yes | No | No | No | |
| Multi-monitor Support | True | True | Spanning | True | Spanning | Spanning | No | Chapter 6 |
| Aero Glass Support | Yes | No | No | No | No | No | No | Chapter 6 |
| Enhanced Bitmap Acceleration | Yes | Yes | No | Yes | No | No | No | Chapter 6 |
| Language Bar Docking | Yes | No | No | No | No | No | No | Chapter 6 |
| Easy Print | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 6 |

TABLE 2-6  The RDC Security Feature Experience

| Connecting from | Win7/R2, RDC 7.0 | Vista SP1, RDC 7.0 | Vista SP1, RDC 6.1 | XP SP3, RDC 7.0 | XP SP3, RDC 6.1 | XP SP2, RDC 6.1 | XP SP2, RDC 5.2 | Discussed in |
|---|---|---|---|---|---|---|---|---|
| Per-user filtering of RemoteApp programs | Yes | Yes | Yes | Yes | Yes | Yes | n/a | Chapter 9 |
| Web single sign-on | Yes | Yes | No | Yes | No | No | No | Chapter 9 |
| Web forms-based authentication | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 9 |
| RD Gateway-based control of device redirection | Yes | Yes | Yes | Yes | Yes | Yes | No | Chapter 10 |
| RD Gateway system and logon messages | Yes | Yes | No | Yes | No | No | No | Chapter 10 |
| RD Gateway Background Authorization & Authentication | Yes | Yes | No | Yes | No | No | No | Chapter 10 |
| Gateway Idle & Session Timeouts | Yes | Yes | No | Yes | No | No | No | Chapter 10 |
| NAP remediation with RD Gateway | Yes | Yes | No | Yes | No | No | No | Chapter 10 |

What Role Services Do I Need to Support My Business?
Although Windows Server 2008 R2 has several role services to support the main role of RDS,
you don't necessarily need all of them, or you might add them as your needs grow. Some of
these might seem obvious, but you might have questions about all of these subjects, so they
are worth addressing directly.
■ You always need an RDS license server. The RD Session Host server will not continue to
accept connections without one, and to be in compliance, you need RDS CALs to use
any RDS role.
■ You need RD Gateway to support secure access from the Internet via port 443. You do
not need RD Gateway to provide secure access within the firewall.
■ You need RD Web Access and an Internet Information Services (IIS) server if you intend
to display application links in a web browser. RD Web Access will work on both a
corporate intranet and on the Internet.
■ You don't need RD Connection Broker unless you have more than one server to deliver
sessions. It's definitely worth it to have two servers, however. Having an RD Connection
Broker allows you to address your servers as a farm rather than as individuals. You will
always need RD Connection Broker to support VM delivery.

Summary
After reading this chapter, you should have a good understanding of the internal workings
of Windows Server 2008 R2 and how they apply to the RDS roles. You should also have some
notion of how to design a test program, how to use the Performance Monitor to estimate the
number of users that a server can support, and how to use the Load Simulator. You've
covered the client requirements and discussed what server roles you'll need to support different
business needs (for example, remote workers).
Best practices for planning a Windows Server 2008 RDS deployment include the following:
■ Try to have one disk spindle for each 20 to 30 simultaneous users of the terminal server
to avoid I/O bottlenecks.
■ Don't install the RD Session Host role service on a VM unless the host supports SLAT.
VMs aren't well suited to the disk I/O and memory demands of terminal servers.
■ Choose applications wisely. Applications certified for Windows 7 should generally
run without problems on an RD Session Host server (aside from any issues relating to
resource-intensive applications). A proven track record or official support for execution
on an RD Session Host server is ideal.
■ Use real-world testing to understand the system and network requirements for the
applications and usage profiles you want to support. Estimates based on theory are less
useful than experience.

Now that you understand the basic operations of your RD Session Host and RD Virtualization
Host servers, the next step is to start setting it up. In Chapter 3, you'll go through the
process of setting up your basic RD Session Host environment, and in Chapter 4, you'll do the
same for an RD Virtualization Host for a very simple deployment.

Additional Resources
A lot of information is covered in this chapter, and even more background is available. If
you'd like more details about Windows internals that are relevant to planning RDS
deployments, these resources contain additional information:
■ For some tips on capacity planning, see the "Remote Desktop Session Host Capacity
Planning in Windows Server 2008 R2" white paper posted at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca837962-4128-4680-b1c0-ad0985939063.
■ You've scratched the surface of RDS internals here. For more information about
Windows Server internals, see Microsoft Windows Internals, 5th ed., by David Solomon
and Mark Russinovich, with Alex Ionescu (Microsoft Press, 2009).
■ See the CD for a link to the RD Load Simulation and RDS Application Analyzer tools.
■ The RDS Team Blog located at http://blogs.msdn.com/rds.
■ Janique Carbone's article "Second Level Address Translation Benefits in Hyper-V R2"
can be found at http://www.virtualizationadmin.com/articles-tutorials/microsoft-hyper-v-articles/general/second-level-address-translation-benefits-hyper-v-r2.html.
■ To learn what applications others have tested in RD Session Host servers, see
http://www.microsoft.com/rds/compatibility/Default.aspx.

Additional Resources  Chapter 2 115

CHAPTER 3

Deploying a Single Remote Desktop Session Host Server

■ How RD Session Host Servers Work  117

■ Installing an RD Session Host Server  134

■ Essential RD Session Host Configuration  144

■ Installing Applications on an RD Session Host Server  164

You don't need a complex deployment to test Remote Desktop (RD) Session Host
server capabilities. To begin, it is more important that you understand what the RD
Session Host (and the RD Virtualization Host, but that will be covered in Chapter 4,
"Deploying a Single Remote Desktop Virtualization Host Server") are doing and how to
get them set up properly. Doing this well on a single server will serve you well as you
expand and add other roles to your deployment. Therefore, in this chapter, you'll learn
about the basics of this role:
■ How RD Session Host servers work
■ How to install the RD Session Host role service
■ Configuring an RD Session Host server for the best user experience

How RD Session Host Servers Work


You probably know what an RD Session Host server does. It accepts incoming connections
from multiple users and runs unique sessions to support those users as though each person
had his or her own computer. What you might not know is how it does this. This section
discusses the components of the operating system that let these servers do what they
do. It covers both the key services directly related to supporting the multi-user remote
access architecture and the components that support it for the entire operating system.

Services Supporting RD Session Host


Three services support an RD Session Host server: Remote Desktop Services, Remote
Desktop Configuration, and Remote Desktop Services UserMode Port Redirector.

NOTE  All three services run on computers running both Windows Server 2008 R2 and
Windows 7 because both can accept remote interactive connections. You’ll use these
services on the client if you deploy the RD Virtualization Host. A major difference between
the two is licensing. A computer running Windows Server 2008 R2 can run multiple active
connections; a computer running Windows 7 can have only one active connection at any
given time. Even if the computer running Windows Server 2008 isn’t an RD Session Host
server, it can still accept multiple connections for remote administration: two remote and
one local.

The Remote Desktop Services service enables a computer to accept an interactive logon
from another computer. Remote Desktop Configuration enables system configuration that
needs to happen in the System Context (meaning that it's highly privileged, even more so
than the administrative context). The Remote Desktop Services UserMode Port Redirector
enables remote device mapping (used for printers, MP3 players, or client-side drives).
To see the impact of these three services, try stopping them.

CAUTION  Before Windows Server 2008, the Remote Desktop Services service
(known as the Terminal Services service) could not be stopped; if you tried, you’d
get an error message. Today, you can stop it, even from a remote session. However,
unless you’re prepared to either restart the service remotely using VBScript or
Windows PowerShell, or you can get to the console physically to restart the service,
you might want to skip the first experiment!

If you stop Remote Desktop Services, all remote connections to the computer—including
the one you're using (if you stop the service from a remote connection)—will disconnect
immediately. That is, any applications open in a remote session will still run on the RD Session
Host server, but the remote connection is ended and anyone using that connection will need
to log in again to reconnect. If you need to disconnect everyone from the RD Session Host
server immediately, stopping this service will make that happen. It will also only disconnect
their sessions, not log them off, so their applications will remain open.
If you stop the Remote Desktop Services UserMode Port Redirector, any client-side devices
or drives that you have in the remote session will disappear instantly from My Computer in
the remote session. Restarting the service will not bring the redirected resources back after
stopping the service deletes them. If you restart this service, anyone who has client-side
devices redirected to their terminal session must disconnect from and reconnect to their session
to remap those resources to the remote session. This is because when you stop the service,
you're closing down the virtual channels in the Remote Desktop Protocol (RDP) that support
device redirection. To bring them back, simply restart the connection.

118 Chapter 3  Deploying a Single Remote Desktop Session Host Server

NOTE  For more about virtual channels, see Chapter 6, “Customizing the User Experience.”

The Remote Desktop Configuration service is responsible for all Remote Desktop Services
and Remote Desktop–related configuration and session maintenance activities that require
the SYSTEM context. These include per-session temporary folders, themes, and certificates.
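The following PowerShell is an added example, not code from the book: it records the state of the three services and restarts them with a guard against the lock-out the caution above warns about. The short service names (TermService, SessionEnv, UmRdpService) are assumed from the display names the text uses, and the remote restart assumes PowerShell remoting is enabled on the target.

```powershell
# Added example, not from the book: inspect the three services that back an
# RD Session Host and restart one of them without locking yourself out.
# Assumed short service names (the book uses the display names):
#   TermService  = Remote Desktop Services
#   SessionEnv   = Remote Desktop Configuration
#   UmRdpService = Remote Desktop Services UserMode Port Redirector
$RdsServiceNames = 'TermService', 'SessionEnv', 'UmRdpService'

function Get-RdsServiceState {
    # Status and start type of the three services: capture this baseline
    # before experimenting with stopping any of them.
    Get-Service -Name $RdsServiceNames |
        Select-Object Name, DisplayName, Status, StartType
}

function Restart-RdsService {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TermService', 'SessionEnv', 'UmRdpService')]
        [string] $Name
    )
    # Stopping TermService drops every remote connection, including the one
    # this script may be running in. SESSIONNAME looks like "RDP-Tcp#3" inside
    # an RDP session and "Console" at the physical console.
    if ($Name -eq 'TermService' -and $env:SESSIONNAME -like 'RDP-*') {
        throw "Refusing to restart TermService from remote session '$env:SESSIONNAME'; use the console or Restart-RemoteTermService."
    }
    Restart-Service -Name $Name -Force
    if ($Name -eq 'UmRdpService') {
        # Restarting the port redirector does not restore redirected drives and
        # printers: each user must disconnect and reconnect to remap them.
        Write-Warning 'Redirected client devices stay gone until each user reconnects.'
    }
    Get-Service -Name $Name | Select-Object Name, Status
}

function Restart-RemoteTermService {
    # The "restart the service remotely using Windows PowerShell" case from
    # the caution: restart Remote Desktop Services on another computer over
    # WinRM. Assumes PowerShell remoting is enabled on the target and that you
    # are a local administrator there. Sessions are disconnected, not logged off.
    param([Parameter(Mandatory)] [string] $ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Restart-Service -Name TermService -Force
        Get-Service -Name TermService | Select-Object Name, Status
    }
}

# Example run; the computer name is a placeholder.
Get-RdsServiceState
# Restart-RdsService -Name UmRdpService
# Restart-RemoteTermService -ComputerName 'RDSH01'
```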

Creating and Supporting a Session


The previous section described the services that support Remote Desktop Services application
delivery. The operating system needs to do the following to support the sessions that these
services make possible:
■ Create the sessions for each person to use
■ Connect the client to the server via a display protocol that allows the two to share
data
■ Create a Windows environment for each session
■ Route client input to the correct application on the RD Session Host server and route
client output to the appropriate client, including:

• Windows user interface and application screens (from endpoint to client)
• Mouse clicks and keystrokes (from client to endpoint)
• Sound (both directions)
• Redirected devices such as printers and drives
• Multimedia display (endpoint to client)
■ Package the RDP data for transport over the network protocol [Transmission Control
Protocol (TCP/IP), in this case]

Key Processes Loaded at Boot Time


In Windows Server 2008 R2 and Windows 7, key system services run in Session 0, which is not
accessible to users. When you boot an RD Session Host server, the operating system loads
many new services to support itself. The ones important to its functionality include:
■ The Session Manager (Smss.exe)
■ The Windows Startup Manager (Wininit.exe)
■ The Services and Controller Application (Services.exe)
■ The Local System Authority (Lsass.exe)
■ The Local Session Manager (Lsm.exe)
■ The euphoniously named Desktop Window Manager Session Manager (which runs
inside an instance of Svchost.exe)
■ The Remote Desktop Services service (runs inside an instance of Svchost.exe)

How RD Session Host Servers Work  Chapter 3 119

At boot time, the server completes a series of steps to enable RD Session Host functionality:
1. The System process loads the Session Manager.

NOTE  The System process is different from other processes (described in Chapter 2,
“Key Architectural Concepts for Remote Desktop Services”). It does not host an execut-
able image but exists solely to host operating system threads for the memory manager,
cache manager, and other subsystems, as well as device driver threads. See Chapter 2
for more on what these subsystems do.

2. The Session Manager loads another instance of itself.
3. The new Session Manager loads the Windows Startup Manager and then exits.
4. The Windows Startup Manager loads the Services and Controller Application, the Local
Security Authority, and the Local Session Manager.
5. The Services and Controller Application loads instances of Svchost.exe for the Desktop
Window Manager Session Manager and the Remote Desktop Services service (among
others not as relevant here).
To see all this, use Process Monitor. Enable boot logging from the Advanced Boot Options
screen as you reboot and restart the RD Session Host server. Restart Process Monitor and
then choose Tools, Process Tree to see the boot order. As you can see, the parent instance of
the Session Manager keeps running, but after the child instance has completed its tasks, it
closes.
You can't find the TermService service (or any other service) in Process Monitor easily to
see what it's starting, because many services run within processes called Svchost.exe (to speed
logon times, in part) and you can't distinguish them by name. To find out which instance of
Svchost.exe a given service is running in and learn more about it using Process Monitor, run
Task Manager and click the Services tab. Edit the visible columns to show the Process ID for
that service (for this example, TermService) and select Remote Desktop Services from the list.
Now you can filter events in Process Monitor to show only that Process ID and easily pick out
the correct instance of Svchost.exe in the process tree.

ON THE COMPANION MEDIA  Download Process Monitor from the following link,
available on this book’s companion media: http://technet.microsoft.com/en-us
/sysinternals/bb896645.aspx.

Getting the services running in Session 0 sets the stage for the RD Session Host server to
begin accepting incoming sessions. The following sections will explain the roles these services
play in setting up the user environment for each session.

NOTE  To see which processes run in Session 0, run Task Manager. From the Process tab,
choose View, Select Columns to open the Select Process Page Columns dialog box. From
the list, make sure that the box is selected for Session ID. On the Process tab, you’ll now be
able to see which processes run in Session 0.
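The Task Manager steps above (finding the Svchost.exe instance that hosts TermService, and seeing what runs in Session 0) can be scripted. This PowerShell is an added example, not code from the book; it uses the Win32_Service CIM class, which exposes each service's host ProcessId, the same value the Services tab shows and that you filter on in Process Monitor.

```powershell
# Added example, not from the book: map a service to the Svchost.exe instance
# that hosts it, list the other services sharing that process, and confirm it
# runs in Session 0. Win32_Service.ProcessId is the PID Task Manager shows.
function Get-ServiceHostInfo {
    param([Parameter(Mandatory)] [string] $ServiceName)   # e.g. TermService

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    if ($svc.ProcessId -eq 0) {
        throw "Service '$ServiceName' is not running, so it has no host process."
    }

    $proc = Get-Process -Id $svc.ProcessId
    # Every service with the same ProcessId lives in the same Svchost.exe,
    # which is why the process name alone cannot tell you which service it is.
    $siblings = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
        Where-Object { $_.Name -ne $ServiceName } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Service     = $svc.Name
        DisplayName = $svc.DisplayName
        HostImage   = $proc.ProcessName   # "svchost" for shared-host services
        ProcessId   = $svc.ProcessId      # the PID to filter on in Process Monitor
        SessionId   = $proc.SessionId     # expect 0: services run in Session 0
        CommandLine = $svc.PathName       # shows the "-k <group>" Svchost was started with
        SharedWith  = @($siblings)
    }
}

function Get-Session0Process {
    # The same view the Task Manager "Session ID" column gives: everything
    # running in the non-interactive service session.
    Get-Process |
        Where-Object { $_.SessionId -eq 0 } |
        Sort-Object ProcessName |
        Select-Object Id, ProcessName, SessionId
}

# Example run: locate the host process of the Remote Desktop Services service.
Get-ServiceHostInfo -ServiceName TermService | Format-List
```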

Creating a New Session on the RD Session Host Server


The first stage of creating a session is to connect to the RD Session Host server. In Windows
Server 2008 R2, this connection is made through a set of interfaces called the Remote
Desktop Protocol Provider. This application programming interface (API) is public, so it can be
used not only by RDP but by any protocol to make a connection in a standardized way.
When Windows Server starts, the Remote Desktop Services service starts as well. The
service also starts listener objects for RDP or any other protocol that is installed, which in turn
listen for client connections. The service and the protocol providers are user-mode objects
that communicate by using the APIs discussed in this documentation. The first step for a
connection to be made is to start up the listener. When the listener is ready, Remote Desktop
Services is ready to begin accepting connections.
The connection process isn't as simple as just turning on the listener. When the listener
detects that a client has requested a connection, the listener creates a connection object and
passes it to the Remote Desktop Services service to allow this service to configure everything
properly. (It also creates a licensing object responsible for making sure the session is licensed.)
Setting up the connection takes a number of steps. You'll find out more about the specifics
shortly, but broadly, you can identify these steps as follows:
1. Prepare the computer to accept the session and apply the computer settings.
2. Confirm that the user or computer making the connection has a license.
3. Establish a connection, apply the per-user settings, and log the user on.
You might be used to thinking of protocol communication as happening between client
and server. Some of the interaction is between the server and clients, but it's mainly the
process of the connection object talking to the Remote Desktop Services service to ensure that
everything is set up properly for the session.

PREPARING THE COMPUTER TO ACCEPT THE CONNECTION


After the listener detects that a client is attempting to establish a connection, it alerts the
Remote Desktop Services service and creates a connection object for the Remote Desktop
Services service to configure (shown in Figure 3-1).

[Figure 3-1 diagram: the RDP Listener receives the connection request and creates the Connection Object; the arrows between the RDS Service and the Connection Object are labeled 1 client error logon policy, 2 computer policies, 3 connection data (color depth, redirection settings, etc.), and 4 user credentials.]

FIGURE 3-1  The connection object prepares the computer to accept a connection.

Here are the steps in this process:

1. The Remote Desktop Services service tells the connection object how it should
respond if there are any logon errors.
2. The Remote Desktop Services service tells the connection object about the
computer-wide policies that should apply to this session. These policies can contain settings such
as the color depth, whether port redirection is enabled, the required encryption level,
and the like.
3. Now, the connection gets client connection data from the client. This data includes
settings such as whether to hide the title bar, the color depth the client is requesting
(which cannot be more than the color depth specified in the connection policies
set in Step 2), whether audio redirection should be enabled, and so forth. The client
connection policies must fit within the connection policies defined in Step 2; that is,
although the client might be more restrictive, it cannot add features that are disabled
or restricted in RDS Configuration or Group Policy.
4. Next, the Remote Desktop Services service gives the user credentials to the connection
object. (It got them from WinLogon, as described in the section titled "The Role of
Services in Creating a New Session" later in this chapter.) Although these credentials are
passed in plaintext, they're in plaintext only on the server itself. Even at the lowest level
of encryption that RDP supports, data sent from client to server is always encrypted.

CONFIRMING THAT A LICENSE IS AVAILABLE


After the user has been authenticated, the protocol can start working on licensing, as shown
in Figure 3-2. It doesn't do this before the user is authenticated so that there's no way for
unauthorized users to drain per-device RDS client access licenses (CALs) from the license server
and prevent authorized users from getting licenses.

[Figure 3-2 diagram: the RDP Listener receives the connection request; the arrows between the RDS Service and the License Object are labeled 1 opens communications, 2 licensing info (includes name of the client) or ..., 3 request license if needed, and 4 licensing handshake complete.]

FIGURE 3-2  The Remote Desktop Services service handles connection licensing needs.

Here are the steps in this process:

1. To begin the licensing steps, the Remote Desktop Services service opens communication
with the licensing object.
2. The Remote Desktop Services service passes the licensing info from the client to the
licensing object, including the name of the client.
3. Next, the protocol requests a license from the client. (If the client can't provide one,
the Remote Desktop Services service will request a license.)
4. The Remote Desktop Services service tells the licensing object that the licensing
handshake is complete.

LOG THE USER ON AND APPLY PER-USER SETTINGS


When the licensing part of the connection is complete, there are still a few more steps to
establish the connection fully, as shown in Figure 3-3.

[Figure 3-3 diagram: the RDP Listener receives the connection request; the arrows between the RDS Service and the Connection Object are labeled 1 Session ID and GUID, 2 video/mouse/keyboard, 3 client allowed connection?, and 4 allowed multiple connections?]

FIGURE 3-3  The remaining steps to establish a connection

Here are the steps in this process:
1. The Remote Desktop Services service tells the connection object the Session ID and its
globally unique identifier (GUID) for the new session.
2. Set up the video and mouse/keyboard connections for base connectivity between the
client and the session. At this point, the session is initialized. The user is not connected
to the session at this point; the session is just prepared for the connection.
3. At this point, the RD Session Host does one final check. Given the user's name and
domain (and their security token) and the session ID to which they're attempting to
connect, are they allowed to log onto this session? If so, the connection continues; if
not, the connection ends.
4. Is the user allowed to have more than one session? If so, what are the session IDs for
the sessions that they have available?
At this point, the user logs on and the Group Policy settings corresponding to the user
(recall that the computer policies were applied earlier) are applied to the session.
Those are the steps to set up a functioning connection. Let's look a little more at how the
services on the RD Session Host support this process.

The Role of Services in Creating a New Session


Windows Server 2008 R2 always runs at least one session for services (Session 0), and
additional sessions that users or administrators can interact with. The Session Manager (Smss.exe)
for the RD Session Host server is the element of Windows that gets the process started. A new
instance of the Session Manager is created. It starts all the processes required to support the
session.
When someone attempts to log on to the system, the initial instance of Smss.exe creates
another instance (which is of itself—that is, it starts an additional instance of Smss.exe) to
configure the new session, just as it did for Session 0. On RD Session Host servers running
Windows Server 2008, multiple instances of Smss.exe can run concurrently, enabling faster
logons for multiple users (see Figure 3-4). The number of parallel sessions that Session
Manager can create at a time depends on the number of virtual processors in the RD Session Host
server. For example, a server with four quad-core processors is able to create up to 16 new
sessions simultaneously.

NOTE  If you’re using Network Level Authentication (NLA) for pre-authentication, the
logon process works a little differently. NLA and securing RDP connections are covered in
Chapter 8, “Securing Remote Desktop Protocol Connections.”

[Figure 3-4 diagram: Session 0 holds the Session Manager (SMSS.EXE), the Local Session Manager (LSM.EXE), and the Service Control Manager (SERVICES.EXE); for User 1, User 2 ... User n, each of Session 1, Session 2 ... Session n gets its own SMSS.EXE, CSRSS.EXE, and WINLOGON.EXE.]

FIGURE 3-4  The Session Manager in Windows Server 2008 R2 can start multiple sessions at once by loading
multiple copies of itself.

When the child instance of the Session Manager starts, it starts the Windows subsystem
(Csrss.exe and Winlogon.exe) and then exits.
When Smss.exe enables new sessions, it does so with the help of several other services.
The Local Session Manager accepts the incoming connections and helps determine whether
a computer can connect to the server. The Remote Desktop Services service allows a server
to interact with incoming connections. All these services are managed by the Service Control
Manager. To recap, see Table 3-1.

TABLE 3-1  Key System Processes for Initiating a Session on an RD Session Host Server

| Function | Supporting component | File name |
|---|---|---|
| Create, destroy, enumerate, and manipulate sessions. Prior to Windows Server 2008, it was incorporated into the Terminal Services service. It is now an independent process. | Local Session Manager | Lsm.exe |
| Check credentials collected by the credential provider and create a token identifying the user | Local Security Authority | Lsass.exe |
| Start, stop, restart, and pause Windows services | Service Control Manager | Services.exe |
| Create new sessions | Session Manager | Smss.exe |
| Enable multiple sessions on a server and provide the run-time interfaces for communication between client session and the operating system. Also known as the Remote Connection Manager | RDS | Termsrv.dll |

Want to learn more about what happens within that new session? Read on.

Enabling User Logons to the New Session


Having a session isn't enough. To work, you need a way to log on to it. In addition to starting
the Service Control Manager and the Local Session Manager on the terminal server, the
Session Manager builds the Windows logon infrastructure in each session, including:
■ The Client-Server RunTime Subsystem (CSRSS), also known as the Windows subsystem
■ The Windows logon process (Winlogon.exe), which starts UserInit and the Logon User
Interface Host (Logonui.exe), which in turn starts the credential provider that accepts
the user's logon data

NOTE  In versions of Windows prior to Windows Vista, Winlogon.exe started the Graphi-
cal Identification and Authentication (GINA) dynamic-link library (DLL) specified in the
registry. Windows Vista and Windows Server 2008 (as well as Windows Server 2008 R2 and
Windows 7) replaced the GINA with a credential provider, identified (if not the default) in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provid-
ers. It has a different name, but plays the same basic role for storing credentials. (It doesn’t
do some other things that a custom GINA could do, however.)

In short, the logon process works by performing the following steps:

1. The Windows subsystem starts the Windows logon process.
2. The Local Session Manager determines whether the incoming connection is allowed at
all.
3. The Windows logon process presents the interface to the credential provider so a user
can provide credentials such as user name and password, or smart card and personal
identification number (PIN).

4. The credential provider passes the credentials to the Local System Authority, which
checks them against the security database, which is Active Directory Domain Services
(AD DS) for a domain account or the local computer's security account manager for a
local account.
Figure 3-5 illustrates how these components work together to allow you to log onto the
RD Session Host server.

[Figure 3-5 diagram: in the User Session, the Windows Subsystem (CSRSS.EXE) and the Logon User Interface Host (LOGONUI.EXE) pass the user name and password to the Credential Provider; the Local Security Authority Subsystem (LSASS.EXE) checks them against Active Directory or Local Security Accounts and returns a User Session Token.]

FIGURE 3-5  The Windows logon process

Creating the Base Environment in Each Session


Finally, the Windows user environment needs a shell—a user environment—even if the
session will display only RemoteApp programs, not a full desktop. When displaying the full
desktop, the usual Windows shell is Explorer (Explorer.exe). If displaying RemoteApp programs
only, it's the RDP shell (RDPShell.exe).
When the session begins, the Remote Desktop Services service and Desktop Window
Manager running in Session 0 each begin a per-session piece of themselves. The Remote Desktop
Services service starts Rdpclip.exe, which supports the shared Clipboard between the session
and any locally running applications. The Desktop Window Manager Session Manager starts
Dwm.exe, which manages the appearance of windows in the remote session.

Table 3-2 shows the user-mode processes that create the common user environment
(minus the applications that you'd also expect to see running). You won't actually see all these
from Task Manager.

TABLE 3-2  User-Mode Processes That Support Each Session's Windows Environment

| Function | Supporting component | File name |
|---|---|---|
| Create graphical effects used in Aero Glass (for example, Flip and transparent thumbnail views of minimized applications) in video memory, then sends them to the screen when composed | Desktop Window Manager | Dwm.exe |
| Display the Windows Shell for desktops | Windows Explorer | Explorer.exe |
| Enable clipboard redirection between the session and the client | Clipboard redirection tool | Rdpclip.exe |
| Display RemoteApp programs | The Windows shell for RemoteApp programs | RDPShell.exe |
| Supply information to management interfaces on the RD Session Host server | Windows Remote Desktop Services API | Wtsapi.dll |

Remote sessions aren't interesting without interaction, however. That's where the last step
of passing data between client and server comes in.

Passing Data Between Client and Server


An RD Session Host server doesn't have one session—it has dozens or even hundreds of
sessions. An RD Session Host client doesn't necessarily display a single application running from
the server farm; it has four or five or perhaps even more, and not all of those four or five
applications are necessarily running on the same server. How does the data passing between
client and server get to the right place? The answer has three parts:
■ The session structure
■ The use of Session IDs and Process IDs to identify internally which instance of an
application the system is referring to among the multiple instances running concurrently
on the RD Session Host server
■ Cooperation between components on the RD Session Host server (that is, common to
all sessions) and in the client session (exclusive to one session)

SESSION STRUCTURE
One connection to an RD Session Host server is normally equivalent to one session. In other
words, there's never any question on the client as to which session some input should go to,
because each session's communication with the RD Session Host server will be handled
separately from within the session. Even RemoteApp programs will all run within the same session
as long as they're on the same server. The only time you'd have more than one session on the
same server is if you deliberately connected to a second desktop and the RD Session Host
server was configured to permit more than one session on the same server.
Session isolation has evolved over the years. As you can see from Figure 3-6, the operating
system can be session-aware in various areas. At the kernel level, the memory manager (for
example) must be session-aware so it can map data to the right set of user-mode addresses
(as discussed in Chapter 2). New kernel-mode awareness of sessions was introduced in
Windows Server 2008 R2 with Dynamic Fair Share Scheduler (DFSS), which allocates processor
time evenly among sessions. (DFSS is part of the Process Scheduler component in Figure 3-6.)
At the service level, all services run in Session 0 and are session-aware to the extent that
they are not mapped to any single user identity. In Windows Server 2008 and later, even
system administrators don't interact with Session 0 anymore.
At the session level, there's a separate instance of the Windows subsystem, Windows
Logon, Win32k.sys (to prevent one session from being able to manipulate windows in another
session), and now in Windows Server 2008 R2, even Internet Protocol (IP) virtualization for
WinSock applications (any application written to use the Windows Socket API for
communicating with TCP/IP).

[Figure 3-6 (diagram): Session 1, Session 2, ... Session n each contain their own WINLOGON, CSRSS, Win32K Subsystem and, new in Windows Server 2008 R2, IP Virtualization. Services run in Session 0 (used to be the console session in Windows Server 2003). Session-aware kernel-mode components: Memory Management, Object Manager, I/O Manager, Process Scheduler.]

FIGURE 3-6  There is even more session isolation in Windows 2008 R2.

IDENTIFYING PROCESSES
If you're in a single session, how do you get the right data to the right instance of an application and send the feedback to the correct session? One way is that each session has a unique identifier on the RD Session Host server (the Session ID that you can see in the Remote Desktop Services Manager discussed in Chapter 11, "Managing Remote Desktop Sessions"). Activity within a session is identified to the RD Session Host server by its Session ID, not by the name of the person logged on to the session. Therefore, even if one person has more than one session open on the same server, the server won't confuse the sessions.

How RD Session Host Servers Work  Chapter 3 129

The RD Session Host server also avoids confusion through the way the operating system identifies processes. Windows Server 2008 R2 identifies processes running on an RD Session Host server not only by their names but by their Process IDs. (This is true on any Windows operating system, but on an RD Session Host server, it's even more important because of the likelihood that many processes will be duplicated.) A Process ID is also unique on an RD Session Host server. Process IDs are covered in more detail in Chapter 11, as part of the discussion about managing user sessions and processes.
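As an added example (not from the book), the following Windows PowerShell script makes the Session ID plus Process ID point concrete: it maps every process to the session it runs in and lists the image names that are running in more than one session at once. It assumes it is run locally on the RD Session Host server.

```powershell
# Added example, not from the book: show how Session IDs and Process IDs
# tell apart the many copies of one application on an RD Session Host server.
# Assumes it runs locally on the server (Get-Process reports local processes).

function Get-SessionProcessMap {
    # One record per session: the Session ID and every "Name:PID" running in it.
    # Session 0 holds the services; each logged-on user gets a session of their own.
    Get-Process | Sort-Object SessionId, Name | Group-Object SessionId | ForEach-Object {
        New-Object PSObject -Property @{
            SessionId    = [int]$_.Name
            ProcessCount = $_.Count
            Processes    = ($_.Group | ForEach-Object { "$($_.Name):$($_.Id)" }) -join ' '
        }
    }
}

function Get-DuplicatedProcessNames {
    # Image names that are running in more than one session at the same time.
    # The name alone cannot identify such a process; the (SessionId, Id) pair can.
    Get-Process | Group-Object Name | Where-Object {
        @($_.Group | Select-Object -ExpandProperty SessionId -Unique).Count -gt 1
    } | ForEach-Object {
        $name = $_.Name
        $_.Group | Sort-Object SessionId | ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $name
                SessionId = $_.SessionId
                ProcessId = $_.Id
            }
        }
    }
}

# Usage: per-session view first, then the duplicated image names.
Get-SessionProcessMap | Sort-Object SessionId |
    Format-Table SessionId, ProcessCount, Processes -AutoSize
Get-DuplicatedProcessNames | Format-Table Name, SessionId, ProcessId -AutoSize
```

On a server with several users logged on, Explorer and the shell components appear once per session with distinct PIDs, which is exactly the situation the text describes.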

COMMUNICATING BETWEEN SESSION AND RD SESSION HOST SERVER

The following portions of the RD Session Host server are responsible for making sure the right data ends up with the right session after the ownership of Process IDs and Session IDs is sorted out:
■ Rdpwsx.dll is the path between RDP and the kernel. It contains:
  • Generic Conference Control (GCC) to manage virtual channels, which transport specific types of data between the remote session and the client
  • The Multipoint Communication Service (MCS), which assigns data to virtual channels and sets the priority of each so that GCC can work with all the virtual channels as a single pipe
■ The RDP stack has three jobs:
  • Rdpwd.sys transforms display data into RDP commands to be transmitted to the session
  • Wdtshare.sys encrypts and packages the RDP stream
  • Tdtcp.sys packages RDP for transport on TCP/IP so that the data can be passed between server and client
The drivers and libraries supporting data-passing between the RD Session Host server and each client session are listed in Table 3-3.

TABLE 3-3  Key Drivers and Services for Sessions or the Entire RD Session Host Server

FUNCTION | SUPPORTING COMPONENT | FILE NAME
--- | --- | ---
Manage the virtual channels, allowing the creation and deletion of session connections and controlling resources provided by MCSMUX | GCC | Rdpwsx.dll
Accept keyboard input from the sessions | Keyboard driver for Remote Desktop Services | Kbdclass.sys
Assign data to virtual channels within RDP, set priority levels, and segment data as required. This abstracts the multiple RDP stacks into a single entity | MCS | Rdpwsx.dll
Accept mouse input from the sessions | Mouse driver for RDS | Mouclass.sys
Encode display data into RDP commands | RDP WinStation driver | Rdpwd.sys
Communicate with kernel via I/O Control Interface; contains GCC and MCSMUX | Interface between display protocol and kernel | Rdpwsx.dll
Package RDP onto TCP/IP | TCP driver | Tdtcp.sys
Coordinate and manage RDP protocol activity | RDS device driver | Termdd.sys
Handle user interface (UI) transfer, compression, encryption, and framing | | Wdtshare.sys
Manage device redirection and audio | RDP device redirection driver | Rdpdr.sys

The client also has some work to do to pass data between the session and the RD Session Host server for processing (see Table 3-4). Win32k.sys is the kernel-mode component of the Windows subsystem that manages mouse and keyboard input and sends it to the right application. Rdpdd.sys is the display driver that packages Windows neatly to be processed by the Remote Desktop Services Device Driver.

TABLE 3-4  Key Services and Drivers Running Within Sessions on the RD Session Host

FUNCTION | SUPPORTING COMPONENT | FILE NAME
--- | --- | ---
Manage the Windows graphical user interface (GUI) environment by taking the mouse and keyboard inputs and sending them to the appropriate application | Kernel-mode component of the Windows subsystem | Win32k.sys
Capture the Windows user interface and translate it into a form that is readily converted by Rdpwd.sys into the RDP protocol | RDP display driver | Rdpdd.dll

The communication between each session and client logged into it uses virtual channels. Each kind of data has its own virtual channel so that data transfer can be enabled or disabled selectively. For instance, it's possible to disable clipboard redirection while still allowing other types of data to pass between client and server.
Virtual channels can be static or dynamic. Static virtual channels are created at the beginning of a session and remain until that session is disconnected or terminated. You can't create new static channels during a session. Dynamic virtual channels are created and torn down on demand, such as when a new device is connected to a terminal session. For more information about virtual channels, see Chapter 6.

DIRECT FROM THE SOURCE

Why Do You Need a Separate Instance of Win32k.sys for Each Session?
Sriram Sampath
Senior Development Lead, Remote Desktop Virtualization

The Window management and Graphics Subsystem in Windows primarily reside in a key kernel driver called Win32k.sys. It primarily consists of two subcomponents: the Window Manager (NTUSER) and the Graphics Subsystem (GDI).

In the RD Session Host architecture, there is one instance of this subsystem (Win32k.sys) for each session. The primary motivation behind this is security boundary and strong isolation between sessions. To elaborate, the window station/desktop boundary is considered to be the security isolation boundary for user sessions; it is not possible to send window messages, for example, from one session to another. This creates a very strong isolation environment. Having one instance of Win32k.sys in each session aids us with this.

The Win32k.sys driver is also responsible for loading and managing the display driver associated with each session; this allows different display drivers to be loaded in different sessions. As an example, the NVIDIA driver can be loaded in the physical console session and the RD Session Host server display driver, RDPDD, can be loaded in a different session.

Some other subsystems of the operating system that are session-aware in this manner are

■ Winlogon process  One for each session
■ Csrss process  One for each session
■ Object manager  Some parts of the object, like BaseNamedObjects, are sessionized
■ I/O manager  One instance for the operating system, but session-aware
■ Plug and Play manager  One instance for the operating system, but session-aware

Putting It All Together

When you combine the key pieces of a working RD Session Host server environment that both support a session and allow it to communicate with the RD Session Host server, it looks like the overview shown in Figure 3-7.

[Figure 3-7 (diagram; the legend marks protocol-dependent components). The components are laid out in four quadrants: System Space versus Session Space (Session 1, Session 2, ... Session n), and User Mode versus Kernel Mode.
System Space, User Mode: SVCHOST.EXE hosting TERMSRV.DLL (Remote Connection Manager, running as Network Service) with the protocol extensions in RDPWSX.DLL (GCC, MCSMUX); SMSS.EXE (Session Manager, System); LSM.EXE (Local Session Manager); these communicate with the sessions over LPC/RPC.
Session Space, User Mode: WINLOGON.EXE (Windows Logon Process, with WINSTA.DLL, LogonUI and UserInit/RDPInit); CSRSS.EXE (Client-Server Runtime Subsystem, with a command channel to the kernel); Explorer/RDP Shell and DWM; Application 1 ... Application n (user applications running in the session, with TSAppCompat); RDPCLIP.EXE (Clipboard Redirector) and RDPENDP.DLL (Remote Audio Endpoint), each on a static virtual channel; WTSAPI.DLL (Remote Desktop Services client DLL for RDS administration, over RPC).
System Space, Kernel Mode: TERMDD.SYS (Remote Desktop Services Driver, a protocol-agnostic device driver whose primary function is to load and manage protocol stack drivers); RDPDR.SYS (RDP Device Redirection driver); the Dynamic Virtual Channel Manager and audio redirection; protocol stack instances (Stack Instance 1, Stack Instance 2), each made up of RDPWD.SYS (RDP Winstation Driver), WDTSHARE.SYS and TDTCP.SYS (TCP/IP Device Driver), carrying the beep, mouse, keyboard and video channels.
Session Space, Kernel Mode: WIN32K.SYS (NTUSER and GDI), BASEVIDEO, and RDPDD.DLL (RDP Display Driver).]

FIGURE 3-7  These are the components of Remote Desktop Services architecture in Windows Server 2008 R2.

This model has been discussed in the preceding pages, but there's a lot of data here. First, here is a quick description of what's happening in each quadrant of this illustration, which is broken out between system space (common to all sessions on the RD Session Host server) and session space (unique to each session), and between kernel mode and user mode.
In the upper-left quadrant (System Space, User Mode), the RD Session Host server is starting sessions, accepting incoming connections, and organizing virtual channels. In the upper-right quadrant (Session Space, User Mode), the session runs the following: its Windows logon processes, the Windows subsystem (CSRSS.exe) for presenting all aspects of the user interface, its shell, and its applications.
In the lower-left quadrant (System Space, Kernel Mode), the server is loading and managing the protocol-specific functionality of the session. That is, RDP is only one possible protocol that you can use to interact with an RD Session Host server. ICA, used for connecting to servers with Citrix's XenApp extensions to RD Session Host installed, is another.
In the lower-right quadrant (Session Space, Kernel Mode), the session packages the display data and input data to be processed by the display protocol when working in the Kernel Mode section of System Space.

Installing an RD Session Host Server

Now that you're acquainted with the inner workings of an RD Session Host server, it's time to become familiar with the outer workings of installing and configuring it.

NOTE  There is a lot of time spent installing roles during the course of this book, and you
might notice some steps are skipped to avoid unnecessary repetition, but it’s worth going
into detail once so you understand the processes involved.

Installing an RD Session Host Server Using the Administrative Tools Interface
To install the RD Session Host role service, click Start, Administrative Tools, and then Server Manager. Right-click Roles, choose Add Roles to open the Add Roles Wizard, and then click Next to move past the opening page. When you get to the next page of the wizard, you'll see a list of available roles, as shown in Figure 3-8. Select the box next to Remote Desktop Services and click Next.
When you choose to install Remote Desktop Services, the next page of the wizard offers you an overview of the service. Click Next.

NOTE  Do not install the RD Session Host role on a server that already has the Active Directory Domain Services role installed. First, it's not good security practice to allow users to connect to a domain controller. Second, should some problem with a user or application require you to bring down the RD Session Host server for maintenance, you'll have a domain controller offline.

FIGURE 3-8  Choose the Remote Desktop Services role from the list.

Now, you can see why the Add Roles Wizard offered only Remote Desktop Services on the Select Server Roles page; from here (see Figure 3-9), you can choose any of the related role services. For now, stick with adding RD Session Host and click Next.

FIGURE 3-9  Choose Remote Desktop Session Host from the list of RDS role services.

Next, you'll see the Application Compatibility page telling you that if you installed applications on the server prior to installing RDS, some of the existing applications might not work in a multiple user environment. (You'll learn more about the reasons for this later in this chapter.) Click Next.

Installing an RD Session Host Server  Chapter 3 135

Until now, most questions have been fairly self-explanatory. As shown in Figure 3-10, however, you need to make a decision about whether you want computers logging into the RD Session Host server to support NLA.

FIGURE 3-10  Choose NLA to protect the server from failed logon attacks or do not require it to support broader access to the RD Session Host server.

NLA requires users to be authenticated before they make a full connection to the RD Session Host server, thus protecting the server from denial-of-service (DoS) attacks using failed logon attempts to use up all the server's processor time.
NLA is supported only for RDC 6.x and later, but more importantly, it employs the Credential Security Provider (CredSSP) to authenticate the user early in the process. You'll find out more about the details in Chapter 8, but for now, you need to know three things:
■ Requiring NLA enables you to force users to authenticate themselves before they can create a connection to the RD Session Host server.
■ If you require NLA, only clients supporting CredSSP (at least those running Windows 7, Windows Vista SP1 or later, or Windows XP SP3) will be able to connect to the RD Session Host server.
■ NLA is not available with Windows Vista RTM or Windows XP SP2; it requires the service pack updates that add support for CredSSP. NLA is not a service of RDP.

NOTE  The decision to require NLA isn’t final; as with many configuration settings, you can
change your mind later by reconfiguring the host.

Next, you can choose the license mode of the RD Session Host server (see Figure 3-11). An RD Session Host server can be in per-user or per-device mode—that is, it can accept either per-user licenses or per-device licenses—but not both at the same time. The incoming connection must present the kind of license that the server is expecting, if the machine or user making the connection already has one. It also means that if the incoming connection doesn't present a Remote Desktop Services client access license (RDS CAL) at connection time, and the RD Session Host server has to request one from the license server, then the licenses on the license server must be a type the RD Session Host server is able to accept. This is discussed in more depth in Chapter 12, "Licensing Remote Desktop Services."

NOTE  In Windows Server 2003, you had to choose the license mode when installing a
terminal server. In Windows Server 2008 and later, you can delay this decision until you
are certain what types of licenses will be available. An RD Session Host server in Configure
Later mode will not ask incoming connections for a license, but an RD Session Host server
can be in this mode only during its grace period (120 days). After that, it will not accept
connections without a license server and a licensing mode.

FIGURE 3-11  Choose the appropriate license mode or delay the decision until you have more information.
HOW IT WORKS

Why Configure Later?

So, why should people use the Configure Later option? Why not just require people to choose a license mode when they install the server? After all, they can change this mode later using the Remote Desktop Session Host Configuration tool. The reason is simple: That's the way it worked in Windows Server 2003 and it caused some problems.

Before Windows Server 2003, there was only one license mode for terminal servers: per-device. This model was enforced, meaning that a terminal server set up to accept per-device Terminal Services client access licenses (TS CALs) would eventually stop accepting connections from computers unable to present one. This model was also the default mode for terminal servers running Windows Server 2003, but Windows Server 2003 introduced a new license mode for terminal servers: per-user.

The trouble started when people installed the terminal servers without really looking at the license mode option, since this had not mattered before Windows Server 2003. They installed the terminal servers in per-device mode, because that was the default, but often got per-user licenses, because that model fit their needs better. Because the terminal servers weren't set up to use or issue per-user TS CALs, the terminal servers stopped accepting connections. Although the Event Log recorded the problem and (with Service Pack 1 for Windows Server 2003) pop-up windows warned administrators when they logged in, this didn't entirely fix the problem.

Because RD Session Host servers must now be in one mode or the other, part of the solution in Windows Server 2008 and later is a Configure Later option. The RD Session Host licensing mode will eventually need to be configured, but at least the administrator is making a conscious choice when configuring it.

Next, you'll choose who has access to the RD Session Host Server. Access is partially determined by user membership in the Remote Desktop Users group (see Figure 3-12). Only members of this group can connect to the RD Session Host server.

FIGURE 3-12  Add groups to the Remote Desktop Users group to enable user connections.

By default, the local Administrators group is added already. To add more people to the Remote Desktop Users group, click Add to open the Select Users dialog box. Enter the security group or users to add, click Check Names to validate the name of the accounts, and then click OK. For example, you might add the Domain Users group to the Remote Desktop Users group. (You can do this because Domain Users is a global group and Remote Desktop Users is a local group; global groups can be members of local groups.) Then, you can deny access to groups or users selectively.
Why would you limit who is allowed to use the server? Three reasons, as follows:
■ You have a limited number of RDS CALs available, and you don't want to give them to users who don't really need them.
■ You have a limited number of application user licenses available for applications on the RD Session Host server, and you don't want to use them unnecessarily.
■ You sized the server for a certain number of users, and you want to limit the number allowed to log on to your size limit.

NOTE  You can deny even members of the Remote Desktop Users group the right to log
on by editing their user account properties in Active Directory Users And Computers, or
through Group Policy. They just can’t log on if they’re not members of the Remote Desktop
Users group.

Another option to limit user access is to create a security group called, for example, Company RDS Users. Add only users that need access to the RD Session Host server to this group, and then add the Company RDS Users group to the Remote Desktop Users group.

NOTE  If you’re not sure of the name of the group or user accounts you want to add, click
Advanced, choose the proper domain or computer, and click Find Now to populate the
Search Results area. Then you can select the users or groups to add.

After you have added the appropriate users and groups, click Next. On the next page (shown in Figure 3-13), you have a few options available to make the user experience on the RD Session Host include some functionalities users would experience using Windows 7. This screen is new to Windows Server 2008 R2.

FIGURE 3-13  Options are available to enhance the user experience on the RD Session Host server.

The options available are as follows:
■ Audio And Video playback  Users can listen to audio and view video in their remote desktop session.
■ Audio Recording Redirection  Users can record audio and have this recording redirected to their remote desktop session.
■ Desktop Composition  Enables visual effects including Windows Flip, three-dimensional (3-D) window transition, and glass window frames. This is needed to enable Aero Glass remoting in Remote Desktop sessions.

NOTE  The Desktop Experience feature (which includes features included in the typical Windows 7 experience such as Windows Calendar, Desktop Themes, Windows Media Player, and Snipping Tool) will be installed automatically if you select either the Audio And Video playback or Desktop Composition options.

One thing to consider when enabling these options is the potential impact on the bandwidth provided for the session connections. A user playing back audio and video files will take up more bandwidth than a user editing spreadsheets. How much more depends on how the users work, so if you are enabling these features, it's a good idea to make sure your RD Session Host server load testing includes representative data of these activities. (See Chapter 2 for more information on load testing.)
The last stage is confirming the settings that you specified during the wizard, as shown in Figure 3-14.

FIGURE 3-14  Confirm the settings in your setup before installing.

To save the configuration at setup, click the Print, E-mail, Or Save This Information link to create and open a simple Hypertext Markup Language (HTML) page that you can then print, email, or save as part of your RD Session Host server configuration documentation. You should seriously consider doing this so you can make a record of the basic installation, particularly if you selected a licensing mode. This information documents the way that the RD Session Host server is set up and will be a guide to the person setting up the second server—or the 20th—who does not want to inspect the server configuration manually to make sure it's consistent across the load-balanced farm.

After you click Install, the server will take some time installing the service. When it's finished, you'll be prompted to restart the server and get a second chance at printing or saving the configuration report. When you click Close, you will be prompted to restart the server. After rebooting, as you start up again, the RD Session Host server will spend a few minutes processing and making final recommendations, as shown in Figure 3-15.

FIGURE 3-15  Complete the installation after rebooting.

You might have already installed Desktop Experience if you chose to enable audio and video playback and/or Desktop Composition features. Desktop Experience is important. As you'll learn in Chapter 6, it's required to enable the Plug and Play framework for automatically detecting client-side plug-and-play devices such as cameras. If you don't install Desktop Experience, you won't be able to redirect these devices seamlessly to the remote connection. You'll also need it for audio and multimedia redirection.

Installing an RD Session Host Server from the Command Line
In Windows Server 2008, you could do a very basic installation from the command line with Servermanager.exe. This executable has been deprecated in Windows Server 2008 R2 and replaced by Windows PowerShell cmdlets.

NOTE  To install Windows roles, role services, and features via Windows PowerShell, you
must run Windows PowerShell with elevated privileges.

To run server manager cmdlets in Windows PowerShell, first import the Servermanager module like this:

Import-Module servermanager

To see which commands are available for this module, assign the action of getting the Servermanager module to a variable, as shown here:

$sm = Get-Module servermanager

Then reference the variable like this:

$sm
ModuleType Name ExportedCommands
---------- ---- ----------------
Manifest servermanager {Remove-WindowsFeature, Get-WindowsFeat...

You can see from the resulting text that there are multiple ExportedCommands available with this module, but they are not all listed here (some are hidden by the ellipsis). To see clearly all the commands offered by this module, type the following command:

$sm.exportedcommands

Name Value
---- -----
Remove-WindowsFeature Remove-WindowsFeature
Get-WindowsFeature Get-WindowsFeature
Add-WindowsFeature Add-WindowsFeature

You want to add the RD Session Host server role service, so type Add-WindowsFeature to get a long list of all the features you could install on this server. The Remote Desktop Services role services that you can install are shown here:

[X] Remote Desktop Services Remote-Desktop-Services
[X] Remote Desktop Session Host RDS-RD-Server
[ ] Remote Desktop Virtualization Host RDS-Virtualization
[ ] Remote Desktop Licensing RDS-Licensing
[ ] Remote Desktop Connection Broker RDS-Connection-Broker
[ ] Remote Desktop Gateway RDS-Gateway
[ ] Remote Desktop Web Access RDS-Web-Access

From the resulting list, you now know both the display name (Remote Desktop Session Host) and its corresponding "name" (RDS-RD-Server). Install the Remote Desktop Session Host role by referencing the server role name like this:

Add-WindowsFeature RDS-RD-Server

A successful install returns the following:

WARNING: [Installation] Succeeded: [Remote Desktop Services] Remote Desktop
Session Host. You must restart this server to finish the installation process.

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True Yes Succes... {Remote Desktop Session Host}

Reboot the server to finish the installation process, as instructed. To reboot from Windows PowerShell, type:

Shutdown /r

Installing RD Session Host via Windows PowerShell doesn't give you the option of configuring any options. When you install this way, the RD Session Host server will be set up with all the default settings. The Remote Desktop Users group will be empty. In addition, the server will not prompt you for NLA options or the enhanced user experience options (enabling desktop composition, and so on).
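Because a PowerShell install skips the wizard's NLA and Remote Desktop Users pages, an added example (not from the book) follows that installs the role service and then checks and sets those two items, covering the NLA and Remote Desktop Users discussions earlier in this section as well. It assumes an elevated Windows PowerShell session on Windows Server 2008 R2 and uses the WMI class Win32_TSGeneralSetting and the ADSI WinNT provider; the domain group CONTOSO\Company RDS Users is a constructed placeholder.

```powershell
# Added example, not from the book: install the RD Session Host role service
# from Windows PowerShell and then verify the two settings the wizard would have
# asked about, which a command-line install leaves at their defaults: whether
# NLA is required on the RDP-Tcp listener, and who is in the local Remote
# Desktop Users group. Assumes an elevated PowerShell session on Windows Server
# 2008 R2; "CONTOSO\Company RDS Users" is a constructed placeholder.

Import-Module ServerManager

function Install-RdSessionHost {
    # Returns $null if already installed, otherwise the Add-WindowsFeature result.
    if ((Get-WindowsFeature -Name RDS-RD-Server).Installed) {
        Write-Host 'RDS-RD-Server is already installed.'
        return $null
    }
    $result = Add-WindowsFeature -Name RDS-RD-Server
    if (-not $result.Success) {
        throw "Installation of RDS-RD-Server failed with exit code $($result.ExitCode)."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Restart the server (Shutdown /r) to finish the installation.'
    }
    return $result
}

function Get-RdpListenerSetting {
    # The RDP-Tcp listener settings live in the TerminalServices WMI namespace.
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
}

function Test-RdpNlaRequired {
    # $true when clients must authenticate (CredSSP) before a session is created.
    return ([int](Get-RdpListenerSetting).UserAuthenticationRequired) -eq 1
}

function Enable-RdpNla {
    # Same effect as choosing "Require NLA" in the Add Roles Wizard.
    $null = (Get-RdpListenerSetting).SetUserAuthenticationRequired(1)
}

function Get-RemoteDesktopUsersMember {
    # Lists members of the local Remote Desktop Users group as WinNT:// paths.
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-RemoteDesktopUsersMember {
    # Adds a domain group (or user) to the local Remote Desktop Users group,
    # the same change the wizard's Add button makes.
    param([string]$Domain, [string]$Name, [string]$Kind = 'group')
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $group.Add("WinNT://$Domain/$Name,$Kind")
}

# Usage: run Install-RdSessionHost, reboot, then run the checks below.
if (-not (Test-RdpNlaRequired)) {
    Write-Warning 'NLA is not required on RDP-Tcp; enabling it.'
    Enable-RdpNla
}
if (@(Get-RemoteDesktopUsersMember).Count -eq 0) {
    Write-Warning 'Remote Desktop Users is empty; ordinary users cannot connect yet.'
    Add-RemoteDesktopUsersMember -Domain 'CONTOSO' -Name 'Company RDS Users'
}
Get-RemoteDesktopUsersMember
```

Record the output of the two checks alongside the wizard's HTML report so that the second server in the farm can be verified the same way.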

NOTE  If you have installed and removed this role service in the past, take care to double-check your settings, because some settings (NLA, users added to the Remote Desktop Users group, and so on) will retain the information from the previous install, and if Desktop Experience was installed before, it is likely to be installed now unless you specifically removed it.

To remove the role service, type the following command and then reboot the server as specified by the resulting instructions:

remove-windowsfeature RDS-RD-Server
WARNING: [Removal] Succeeded: [Remote Desktop Services] Remote Desktop Session
Host. You must restart this server to finish the removal process.

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True Yes Succes... {Remote Desktop Session Host}

Essential RD Session Host Configuration

After installing the service, you have some basic configuration to set up before anyone uses the RD Session Host server. This isn't the only essential configuration you'll be doing—much of this book is concerned with that—but this is what you should do before people start using the server.

Allocating Processor Time
One of the nightmare scenarios for a shared computer is that of the user who is such a heavy user of RAM and processor time that he or she affects even light users. This is sometimes a reason for organizing users based on how much they will stress a server, and sometimes a reason for not putting heavy users onto the shared server at all.
Isolating users on their own computers isn't always ideal (or even possible), and what do you do if people's use patterns change over time? A better answer is to do what you can to even out resource usage automatically.
In Windows Server 2008, to make sure that processor time would be fairly allocated among sessions, you'd configure the Windows System Resource Manager (WSRM). This tool evens out processor time by monitoring processes and lowering their priority if they start affecting the performance of the processes running in other sessions. When a process receives more processor time than others, WSRM lowers its priority for a while so that it waits for threads in other processes to execute. (It's similar to the way in which a process that isn't getting enough time can have its priority temporarily boosted to get its threads through some processor cycles.) WSRM is reactive; for it to get involved, a process must take too many processor cycles.

NOTE  A bug in Windows Server 2008 made WSRM very resource-intensive. If you had
this problem on Windows Server 2008, see http://support.microsoft.com/kb/970067 for a
solution. This issue was fixed in Windows Server 2008 R2.

The catch with WSRM is that it is reactive. Not only that, but it's not enabled by default. In other words, you have to configure it properly, and even if you do, there has to be a problem before WSRM can respond (the delay wouldn't normally be more than a few seconds, but it's worth mentioning). In Windows Server 2008 R2, Windows Server added DFSS, a new feature that operates in the kernel and makes sure that each session is using no more than its fair share of processor time. That is, if a server has five sessions running, then each session should get no more than 20 percent of processor time, but a session does not have to use that much. This feature is enabled by default. You can disable this feature by setting the value of the following registry entry to 0, as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS\EnableDFSS

If allocating processor time evenly across all sessions works for you, then you're done. If you're interested in weighting sessions—perhaps to let the people facing a tight deadline crunch numbers in their spreadsheets faster—then you can set up weighted sessions using WSRM, as described in the following sections.
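Since DFSS is on by default and the registry value above only exists once someone has set it, a check that treats a missing value as "enabled" is more useful than a plain registry read. The following Windows PowerShell functions are an added example, not from the book; they assume an elevated session on Windows Server 2008 R2 and use only the EnableDFSS policy value the text names.

```powershell
# Added example, not from the book: report whether DFSS (the kernel's fair-share
# processor scheduling for sessions) is in effect, and switch the policy value
# the text describes. DFSS is on by default, so the absence of the policy value
# means "enabled"; only an explicit 0 disables it. Assumes an elevated
# PowerShell session on Windows Server 2008 R2.

$DfssKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SessionManager\DFSS'

function Get-DfssState {
    # Returns an object with Enabled ($true/$false) and Source ('default' or 'policy').
    $item = Get-ItemProperty -Path $DfssKey -Name EnableDFSS -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        # No policy value present: the default (enabled) applies.
        return New-Object PSObject -Property @{ Enabled = $true; Source = 'default' }
    }
    return New-Object PSObject -Property @{
        Enabled = ([int]$item.EnableDFSS -ne 0)
        Source  = 'policy'
    }
}

function Disable-Dfss {
    # Writes EnableDFSS = 0, the setting the text gives for turning DFSS off.
    if (-not (Test-Path $DfssKey)) { $null = New-Item -Path $DfssKey -Force }
    Set-ItemProperty -Path $DfssKey -Name EnableDFSS -Value 0 -Type DWord
}

function Restore-DfssDefault {
    # Removes the policy value so the default (enabled) applies again.
    if (Test-Path $DfssKey) {
        Remove-ItemProperty -Path $DfssKey -Name EnableDFSS -ErrorAction SilentlyContinue
    }
}

# Usage: record the state before changing anything, e.g. for the farm's build documentation.
$state = Get-DfssState
"DFSS enabled: $($state.Enabled) (source: $($state.Source))"
```

Running Get-DfssState on every host in a load-balanced farm is a quick way to catch one server that was left with DFSS disabled and therefore schedules sessions differently from the rest.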

Essential RD Session Host Configuration  Chapter 3 145
CAUTION  WSRM has a memory management feature that can limit the size of a process's working set or committed memory. Do not use this feature on an RD Session Host server. First, it is not session-aware; it just limits the memory available to a particular process regardless of where it's running. Second, starving a process of memory will make it run more slowly, which is very frustrating in an interactive application (less so for an application running in the background). If a process is taking up too much memory, then add more memory to the RD Session Host server or (as a last resort) remove the application in question from the farm.

Installing WSRM
To install WSRM, start Server Manager. Right-click Features and click Add Features to start the
Add Features Wizard. Scroll down the list to select Windows System Resource Manager. When
you select it, you might be prompted to install an additional component. WSRM requires that
you have a database to store historical data, so if the Windows Internal Database isn't already
installed (and it could be; it's also used by several other features), you'll be prompted to add
that feature. Go ahead and install it if prompted to do so by clicking Add Required Features.
When you click Next, you'll see a confirmation page showing the features that you will
install. Click Install to perform the installation.
When the installation is finished, Server Manager will show you that the two features are
fully installed. Close the dialog box; you don't need to reboot.
To install WSRM from Windows PowerShell, import the Server Manager module and add the
feature (the Windows Internal Database is pulled in as a dependency, as the Feature Result column shows):

Import-Module servermanager
Add-WindowsFeature WSRM

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Windows Internal Database, Windows System...

Configuring WSRM for Weighted Remote Sessions

As discussed earlier, it might make sense to give some sessions more processor time than
others. DFSS doesn't allow this, but WSRM does. To configure WSRM for this purpose, click
Start, Administrative Tools, and Windows System Resource Manager to open the Windows
System Resource Manager snap-in shown in Figure 3-16. You'll first be prompted to choose
the computer that you want to manage; for now, choose the local server. (You do not need to
disable DFSS for this to work.)

146  Chapter 3  Deploying a Single Remote Desktop Session Host Server

CAUTION  If you have not already configured Weighted Remote Sessions as the
managing policy, then first make sure that no one is logged into the RD Session Host
server that you’re configuring and then put it into drain mode from RD Session Host
Configuration. Changing the managing policy requires a reboot.

FIGURE 3-16  The WSRM management console

Right-click the Weighted Remote Sessions policy and choose Properties from the menu
to open the dialog box in Figure 3-17. This dialog box shows all the groups for which you've
configured this policy, so on a new installation it should be empty.

FIGURE 3-17  Add groups to Weighted Remote Sessions.

To add a group, click Add to open the dialog box in Figure 3-18. The Priority options in the
drop-down list are Premium, Standard, and Basic. They're in descending order of their priority
for getting processor time.

FIGURE 3-18  Add new users or groups to the list.

Click Add to add a new user or group to the list. This will open the dialog box shown in
Figure 3-19. This is the standard dialog box for picking users or groups; use it as you normally
would for choosing user groups.

FIGURE 3-19  Set the WSRM properties.

When you've chosen the right users, they'll appear in the Add Users Or Groups dialog box,
shown in Figure 3-20. Choose the right priority and click OK. To add more users, click Add.

FIGURE 3-20  Set user or group priority.

When you click OK, all the users you've configured so far will be in the Weighted Remote
Sessions Properties dialog box, as shown in Figure 3-21. As you can see, the priority of each
is listed here. If you need to change a priority, click Edit to return to the Add Users Or Groups
dialog box and change the priority as needed. Click OK when you're done.

FIGURE 3-21  Configured user accounts are listed.

To finish, click Set As Managing Policy in the right pane to change the default policy to
Weighted Remote Sessions; doing this makes it possible to give some groups or users more
weight. This will require a reboot to start working. (You can also take this step before configur-
ing the policy, but one way or another, you'll need to reboot the server after changing the
default policy in WSRM.)

Enabling Plug and Play Redirection with the Desktop Experience
To enable Plug and Play redirection on the RD Session Host server, install Desktop Experience.
This feature requires no configuration and little setup. To install it, simply open Server
Manager and navigate to the list of features. Click the link to add a new feature and then walk
through the wizard to select and install Desktop Experience.
You can also enable this feature from Windows PowerShell in Windows Server 2008 R2,
using the following code:

PS C:\Users\admin> Add-WindowsFeature Desktop-Experience

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             NoChan... {}

Check the Restart Needed column of the output rather than assuming. The output above reports No and an
exit code of NoChangeNeeded because the feature was already present on that server; a first-time installation
or removal of Desktop Experience typically reports Yes and requires a restart before Plug and Play redirection works.

Adjusting Server Settings with Remote Desktop Configuration
After you have Desktop Experience set up, the next step in the basic RD Session Host server
installation is reviewing the configuration settings in the Remote Desktop Session Host
Configuration MMC snap-in shown in Figure 3-22. This tool manages settings on a per-
server basis; to manage settings for many RD Session Host servers at a time, use Windows
PowerShell or Group Policy as described in Chapter 7, "Molding and Securing the User
Environment."

NOTE  Not all settings are relevant to a single-server RD Session Host deployment like the
one discussed here. For more information about farm and RD Connection Broker settings,
see Chapter 9, “Multi-Server Deployments.”

Open the Remote Desktop Session Host Configuration tool by clicking Start, Adminis-
trative Tools, Remote Desktop Services, Remote Desktop Session Host Configuration. To
change a setting (or settings), double-click any single entry in the Edit Settings section to
open the Properties dialog box shown in Figure 3-23.

FIGURE 3-22  Use Remote Desktop Session Host Configuration to edit each RD Session Host server's
configuration.

FIGURE 3-23  Clicking any setting in the Remote Desktop Session Host Configuration Edit Settings section
opens this tabbed Properties dialog box.

You can also configure all these settings through Windows PowerShell, using the new Re-
mote Desktop Services provider, installed along with the RD Session Host role service. To use it, first load
the module using the Import-Module command from within Windows PowerShell, as follows:

PS C:\Users\admin> Import-module remotedesktopservices

Next, navigate to the RDS provider by issuing either the Set-Location rds: or cd rds: command
(they're the same; cd is just an alias for Set-Location to make it easier for those accustomed to
using the command-line interface), as shown here:

PS C:\Users\admin> Set-Location rds:
PS RDS:\>

To list the contents of the RDS container, use dir (an alias for Get-ChildItem) as follows:

PS RDS:\> dir
    Directory: RDS:

Name              Type       CurrentValue  GP  PermissibleValues  PermissibleOperations
----              ----       ------------  --  -----------------  ---------------------
RDSConfiguration  Container  -                                    Get-Item, Get-ChildItem
RemoteApp         Container  -                                    Get-Item, Get-ChildItem

The configuration options for an RD Session Host server are in the RDSConfiguration con-
tainer. Navigate to the RDSConfiguration container and list it like this:

PS RDS:\> cd rdsconfiguration
PS RDS:\rdsconfiguration> dir
    Directory: RDS:\rdsconfiguration

Name                      Type       CurrentValue  GP  PermissibleValues  PermissibleOperations
----                      ----       ------------  --  -----------------  ---------------------
Connections               Container  -                                    Get-Item, Get-ChildItem, New-Item
LicensingSettings         Container  -                                    Get-Item, Get-ChildItem
ConnectionBrokerSettings  Container  -                                    Get-Item, Get-ChildItem
TempFolderSettings        Container  -                                    Get-Item, Get-ChildItem
ProfileSettings           Container  -                                    Get-Item, Get-ChildItem
SessionSettings           Container  -                                    Get-Item, Get-ChildItem
VirtualIPSettings         Container  -                                    Get-Item, Get-ChildItem
UserLogonMode             Integer    0             -   0, 1, 2            Get-Item, Set-Item
RDSessionHostServerMode   Integer    1             -   0, 1               Get-Item
TimeZoneRedirection       Integer    0             No  0, 1               Get-Item, Set-Item

Now that you've got the tools to edit the configuration from the GUI or the command line,
the following sections explain the settings found in Remote Desktop Session Host Configura-
tion. You'll come back to some of these settings throughout this book.
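The listings above show that every leaf under RDS:\RDSConfiguration carries a current value and a flag telling you whether Group Policy owns it. The following script is an added example, not code from the book: it walks the provider and returns every non-container setting as a row, so you can diff one RD Session Host server against another, or against its own state before a change. It assumes (the page does not say) that the objects returned by Get-ChildItem expose the listing columns as properties named Name, Type, CurrentValue and GP, and that containers report Type 'Container'; the remote-host usage assumes PowerShell remoting is enabled on the target.

```powershell
# Added example (not from the book): snapshot and diff RDS: provider settings.
function Get-RdsSettingSnapshot {
    param(
        [string]$Root = 'RDS:\RDSConfiguration',
        [int]$MaxDepth = 4      # Connections\RDP-Tcp nests a few levels deep
    )
    Import-Module RemoteDesktopServices
    $rows  = @()
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Path = $Root; Depth = 0 })
    while ($queue.Count -gt 0) {
        $entry = $queue.Dequeue()
        foreach ($item in @(Get-ChildItem -Path $entry.Path -ErrorAction SilentlyContinue)) {
            $itemPath = "$($entry.Path)\$($item.Name)"
            if ($item.Type -eq 'Container') {           # assumption: 'Container' as in the dir output
                if ($entry.Depth -lt $MaxDepth) {
                    $queue.Enqueue(@{ Path = $itemPath; Depth = $entry.Depth + 1 })
                }
            } else {
                $rows += New-Object PSObject -Property @{
                    Path         = $itemPath
                    CurrentValue = "$($item.CurrentValue)"
                    GP           = "$($item.GP)"       # non-empty when Group Policy owns the value
                }
            }
        }
    }
    $rows | Sort-Object Path
}

function Compare-RdsSettingSnapshot {
    # Returns only the paths whose value differs; '<=' rows come from the reference snapshot.
    param($Reference, $Difference)
    Compare-Object -ReferenceObject $Reference -DifferenceObject $Difference -Property Path, CurrentValue |
        Sort-Object Path, SideIndicator
}

# Usage on the local server:
#   $before = Get-RdsSettingSnapshot
#   ...change something in RD Session Host Configuration...
#   Compare-RdsSettingSnapshot $before (Get-RdsSettingSnapshot)
# Against a second host (rdsh02 is a placeholder; requires PowerShell remoting there):
#   $other = Invoke-Command -ComputerName rdsh02 -ScriptBlock ${function:Get-RdsSettingSnapshot}
#   Compare-RdsSettingSnapshot (Get-RdsSettingSnapshot) $other
```

Exporting the snapshot with Export-Csv gives you a per-server baseline to keep with the build documentation; a non-empty GP column on a row tells you that editing that value in the console or the provider will be silently overridden by policy.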

General Session Settings

Most often, you won't need to adjust any of the settings on the General tab shown in
Figure 3-23.

TEMPORARY FOLDER SETTINGS

The only circumstance under which you're likely to need to change the temporary folder
settings is if you are supporting an older application (or a proprietary one) that won't store
temporary directories on a per-user basis, but only per computer. Most of the time, there's no
reason not to delete per-session temporary files when the user ends the session. Doing this
also protects user privacy: it limits what a later session, or another user on the same server, can
recover from the Temp folder.
To configure temporary folder settings using Group Policy, go to Computer Configuration\
Policies\Administrative Templates\Windows Components\Remote Desktop Services\
Remote Desktop Session Host\Temporary Folders. Then proceed as follows:
■ To disable deleting a user's per-session temporary folders when they exit, enable Do
Not Delete Temp Folder Upon Exit. When this setting isn't configured, the temporary
folders will be deleted unless you've specified otherwise using RD Session Host Configuration.
■ If you enable the Do Not Use Temporary Folders Per Session policy setting, a user's
temporary files for the user's sessions on a server will be stored in the common Temp
folder in the user's profile instead of each session storing temporary files in separate
subfolders in this location.
You can also use Windows PowerShell to configure these temporary folder options. Con-
figure the Do Not Delete Temp Folder Upon Exit option like this:

PS RDS:\RDSConfiguration\TempFolderSettings> Set-Item DeleteTempFolders X

where X is one of these values:

■ 1 = Yes (selected in the GUI; per-session temporary folders are deleted on exit, which is the default)
■ 0 = No (cleared in the GUI; temporary files are kept after the session ends)

Note that the provider item is named for the action (DeleteTempFolders), while the Group Policy
setting is named for the exception (Do Not Delete), so a value of 1 here corresponds to the policy
being disabled or not configured.

Configure the Use Temporary Folders Per Session option like this:

PS RDS:\rdsconfiguration\tempfoldersettings> Set-Item UseTempFolders X

where X is one of these values:

■ 1 = Yes (selected in the GUI; each session gets its own Temp subfolder)
■ 0 = No (cleared in the GUI; all of a user's sessions share the Temp folder in the profile)

SESSION COUNT
With RemoteApp programs, there is also generally no reason to allow users to maintain more
than one session on the same RD Session Host server. All RemoteApp programs started from
the same server run in the same session, so they can all share the core processes and kernel components needed to
support the session (for example, Csrss.exe, Winlogon.exe, and Win32k.sys) and save memory.
Running in the same session also allows all those applications to use the same instance of
the user profile. (Profile issues are discussed in Chapter 5, "Managing User Data in a Remote
Desktop Services Deployment," but for now, understand that it's good to have only one copy
of your profile open.)
To configure logon restrictions using Group Policy, go to Computer Configuration\Policies\
Administrative Templates\Windows Components\Remote Desktop Services\Remote Desk-
top Session Host\Connections. The setting in question is Restrict Remote Desktop Services
Users To A Single Remote Session.
Configure the option to restrict users to a single user session using Windows PowerShell
like this:

PS RDS:\RDSConfiguration\sessionsettings> Set-Item SingleSession X

where X is one of these values:

■ 0 = Selected (restrict each user to a single session)
■ 1 = Cleared (allow multiple sessions per user)

Note the polarity of this item: 0 restricts and 1 allows, the reverse of what the name suggests,
so check the value with Get-Item after setting it.

USER LOGON MODE

The settings for user logon mode depend on whether the RD Session Host server is currently
in production or you're planning on taking it down but don't want to abruptly end everyone's
sessions. One option applies if you are planning for a reboot (for example, if you cyclically
reboot RD Session Host servers to work around old applications with memory leaks), in which case you
should choose the option to limit connections until the service restarts. If you're planning on
longer maintenance, however, choose to limit connections until you explicitly re-enable them.
In both cases, users with existing sessions can still reconnect; only new logons are refused.
To configure the user logon mode using Group Policy, go to Computer Configuration\
Policies\Administrative Templates\Windows Components\Remote Desktop Services\
Remote Desktop Session Host\Connections. The setting in question is Allow Users To Con-
nect Remotely Using Remote Desktop Services. However, this is one situation in which Group
Policy isn't the best configuration option. User logon mode is most appropriately set by
Group Policy when you're staging a bunch of servers and don't want any of them to go online
until you're done. If you're taking an RD Session Host server offline, then it's much easier and
faster to adjust this setting using the configuration tools on the server.
Configure the user logon mode from Windows PowerShell like this:

PS RDS:\RDSConfiguration> Set-Item UserLogonMode X

where X equals one of these three values:

■ 0 = Allow all connections
■ 1 = Allow reconnections, but prevent new logons until the server is restarted
■ 2 = Allow reconnections, but prevent new logons at all times
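The three settings above are typically applied together as part of a server build, and the logon mode is the one you toggle repeatedly during maintenance. The following script is an added example, not code from the book: it writes each value through the RDS: provider, reads it back to catch the case where Group Policy owns the setting (a Set-Item that is silently overridden), and wraps the two maintenance logon modes in helpers. It assumes, as the listings above suggest, that items expose a CurrentValue property, and it uses qwinsta (the built-in session query tool) to list sessions that are still on the server; the function names are mine.

```powershell
# Added example (not from the book): session baseline and maintenance mode for an RD Session Host.
Import-Module RemoteDesktopServices

function Set-RdsValue {
    param([string]$Path, [int]$Value)
    Set-Item -Path $Path -Value $Value
    $now = [int](Get-Item -Path $Path).CurrentValue    # assumption: CurrentValue property, as in dir output
    if ($now -ne $Value) {
        # Usual cause: a Group Policy setting owns the value (the GP column in the dir output)
        throw "$Path is $now, expected $Value; is it set by Group Policy?"
    }
    "$Path = $now"
}

function Set-RdsSessionBaseline {
    # Mind the polarity: these items are not all '1 = on'.
    Set-RdsValue 'RDS:\RDSConfiguration\TempFolderSettings\DeleteTempFolders' 1   # 1 = delete on exit
    Set-RdsValue 'RDS:\RDSConfiguration\TempFolderSettings\UseTempFolders'    1   # 1 = per-session Temp
    Set-RdsValue 'RDS:\RDSConfiguration\SessionSettings\SingleSession'        0   # 0 = one session per user
}

function Enter-RdsMaintenance {
    # Default (1): block new logons until the Remote Desktop Services service restarts (a planned
    # reboot). -UntilReenabled (2): block until Exit-RdsMaintenance is run, for longer work.
    param([switch]$UntilReenabled)
    $mode = 1
    if ($UntilReenabled) { $mode = 2 }
    Set-RdsValue 'RDS:\RDSConfiguration\UserLogonMode' $mode
    Write-Output 'Sessions still on this server (existing users can reconnect; wait for them to log off):'
    qwinsta | Where-Object { $_ -match '\s(Active|Disc)\s' }
}

function Exit-RdsMaintenance {
    Set-RdsValue 'RDS:\RDSConfiguration\UserLogonMode' 0   # allow all connections again
}

# Usage:
#   Set-RdsSessionBaseline
#   Enter-RdsMaintenance                  # before a planned reboot
#   Enter-RdsMaintenance -UntilReenabled  # before extended maintenance; finish with Exit-RdsMaintenance
```

If Set-RdsValue throws for UserLogonMode, the Allow Users To Connect Remotely policy is in force and you need to drain the server through Group Policy instead, which is the slower path the text warns about.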

Configuring IP Virtualization
When multiple people are all working from the same server, they're all using the same IP
address. For most applications, this is acceptable. Some applications, however, don't work
properly unless they have a unique IP address for every connection. Some client/server ap-
plications, for example, require this. To allow applications like this to be used on an RD Session
Host server, Windows Server 2008 R2 added IP virtualization to assign a separate IP address to each
session or to certain applications within a session.
To configure IP virtualization, open RD Session Host Configuration and choose IP
Virtualization (or, if you have the server's Properties dialog box already open, turn to the
appropriate tab) to show the settings in Figure 3-24.

FIGURE 3-24  Configuring IP virtualization

Most of the steps here are pretty intuitive. First, enable IP virtualization. You will need a
Dynamic Host Configuration Protocol (DHCP) server available for this, but you won't need to
do any configuration on the DHCP server; it's not aware of this feature but just assigns IP
addresses as it would normally.
Enable or disable IP virtualization from Windows PowerShell using this code:

PS RDS:\RDSConfiguration\VirtualIPSettings> Set-Item VirtualIPActive X

where X is one of these values:

■ 0 = Disabled (cleared)
■ 1 = Enabled (selected)

Second, choose the network interface adapter to use. You must choose one adapter to use
(by default, none will be selected).
To set or modify this setting, IP virtualization must be enabled, and the mode must be set
to Per Program (this is the default choice selected when you enable IP virtualization). Choose
the network adapter that will be used for IP virtualization using Windows PowerShell like this:

PS RDS:\RDSConfiguration\VirtualIPSettings> Set-Item NetworkAdapter 00-15-5D-0A-31-68

NOTE  When using Windows PowerShell, you must specify the Network Adapter by the
adapter media access control (MAC) address, not name.

Next, change the virtualization mode if needed. Generally, per-program is the best choice
if you can use it. You probably know which applications require unique IP addresses, and a
session won't consume a virtual IP address if that application is not running. In addition, per-session
IP virtualization won't work on multihomed RD Session Host servers, even if you only pick one
NIC. Per-program works on multihomed servers.
Set the virtual IP mode using Windows PowerShell with this command:

PS RDS:\RDSConfiguration\VirtualIPSettings> Set-Item VirtualIPMode X

where X is one of these values:

■ 0 = Per session
■ 1 = Per program

If you choose per-program, you'll need to pick the applications that should use a virtual IP
address. With this option, all applications configured this way and running in the same session
will have the same virtual IP address, while other applications will be using the address of the
RD Session Host server's NIC.
Again, you can also configure this setting using Windows PowerShell. The following com-
mand adds a program (Notepad.exe) that exists at a specified path (C:\Windows\System32\
Notepad.exe) to the list of programs that will be assigned a virtual IP address:

PS RDS:\RDSConfiguration\VirtualIPSettings\applications>
New-Item -Name 'Notepad' -AppPath 'c:\windows\system32\Notepad.exe'

Setting the exact path is optional. Add the application name without the exact path to
assign a virtual IP address to any program running inside a user session that has the specified
application name. The following is an example:

PS RDS:\RDSConfiguration\VirtualIPSettings\applications>
New-Item -Name 'Notepad' -AppName 'Notepad.exe'

Be aware that a name-only rule matches any process with that image name, wherever it was
launched from; prefer -AppPath unless the application is genuinely installed in more than one location.
To remove a program, execute the following command, using the value you gave to -Name
(the item name) rather than the executable's file name:

PS RDS:\RDSConfiguration\VirtualIPSettings\applications> Remove-Item Notepad

Two Group Policy settings control this feature. First, you can enable the feature from Com-
puter Configuration\Policies\Administrative Templates\Windows Components\Remote
Desktop Services\Remote Desktop Session Host\Application Compatibility. The setting in
question is Turn On Remote Desktop IP Virtualization. Second, you can prevent a session from
falling back to the RD Session Host server's IP address when no virtual address is available for the session by
enabling the Do Not Use Remote Desktop Session Host IP Address When Virtual IP Address Is
Not Available setting.
One point to be aware of with IP virtualization is that using it can double the IP addresses
that your organization will need. Everyone's client will have a unique IP address, and every-
one's session will have its own IP address (albeit only for the duration of the session). There is
no way to configure DHCP to limit the number of addresses in a particular range that should
be allocated to sessions. In addition, IP virtualization is enabled on the server, not on a per-
user basis, so you can't pick and choose which people should use it. The best way to use it
is to limit it to certain applications. Many applications don't need it; use this feature only for
applications that do.
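The steps above (enable, choose the mode, pick the adapter by MAC address, register the applications) are easy to get out of order, and the adapter MAC has to be copied from somewhere. The following script is an added example, not code from the book: it performs the whole per-program configuration in the order the text requires, resolving the adapter's MAC address from its connection name through WMI and registering each application by full path. The adapter lookup through Win32_NetworkAdapter and the use of -Path with New-Item in the applications container are my assumptions; the RDS: item names and values are the ones documented above, and the application list in the usage comment is a placeholder.

```powershell
# Added example (not from the book): per-program IP virtualization end to end.
Import-Module RemoteDesktopServices

function Get-AdapterMacByName {
    param([string]$ConnectionName)   # e.g. 'Local Area Connection'
    $nic = Get-WmiObject -Class Win32_NetworkAdapter |
           Where-Object { $_.NetConnectionID -eq $ConnectionName -and $_.MACAddress }
    if (-not $nic) { throw "No adapter named '$ConnectionName'" }
    # WMI reports 00:15:5D:0A:31:68; the RDS provider wants 00-15-5D-0A-31-68
    $nic.MACAddress -replace ':', '-'
}

function Enable-RdsPerProgramIpVirtualization {
    param(
        [string]$AdapterName,
        [hashtable]$Apps          # item name -> full path of the executable
    )
    $base = 'RDS:\RDSConfiguration\VirtualIPSettings'
    # Order matters: the adapter can only be set once the feature is on and the mode is per program
    Set-Item -Path "$base\VirtualIPActive" -Value 1
    Set-Item -Path "$base\VirtualIPMode"   -Value 1        # 1 = per program (works on multihomed hosts)
    Set-Item -Path "$base\NetworkAdapter"  -Value (Get-AdapterMacByName $AdapterName)

    foreach ($name in $Apps.Keys) {
        $exe = $Apps[$name]
        if (-not (Test-Path -Path $exe)) { throw "$exe does not exist on this server" }
        if (-not (Test-Path -Path "$base\applications\$name")) {
            # Full path rather than -AppName: a name-only rule matches any process with that image name
            New-Item -Path "$base\applications" -Name $name -AppPath $exe | Out-Null
        }
    }
    Get-ChildItem -Path "$base\applications"
}

# Usage (placeholder application; list only the client/server apps that need their own address):
#   Enable-RdsPerProgramIpVirtualization -AdapterName 'Local Area Connection' -Apps @{
#       'LegacyClient' = 'C:\Program Files (x86)\Contoso\LegacyClient.exe'
#   }
```

Because every configured application in a session shares one virtual address, the DHCP scope the chosen adapter sits on needs enough free leases for the peak number of concurrent sessions running those applications, not for every session on the server.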

RD Session Host Licensing Settings

The next tab of the Properties dialog box allows you to configure the licensing settings, both
for the type of license you'll use and the method that the server will use to locate
license servers. Getting the correct settings (as shown in Figure 3-25) is crucial for the success-
ful implementation of RDS within your organization.

REMOTE DESKTOP SERVICES LICENSING MODE

An RD Session Host server can be in either per-device mode or per-user mode. The mode
that you select depends on the type of licenses you purchase, which depends mainly on the
proportion of users to computers. If there are more computers than users (for example, if
people using RD Session Host servers can log in from either a work computer or from a home
computer), then per-user licensing makes more sense. If there are more users (for example, if
the people using the RD Session Host servers are shift workers and three people use the same
thin client at different times of day), then per-device licensing makes more sense.

FIGURE 3-25  Remote Desktop Services Licensing settings are critical to RD Session Host availability.

You can change the licensing mode, but whichever mode you pick, you must be sure that
the matching license types are installed on the license server that you're using. Otherwise,
even if the RD Session Host server can find a license server, it will not be able to allocate
licenses to users or computers.
To configure the licensing mode using Group Policy, select Computer Configuration\
Policies\Administrative Templates\Windows Components\Remote Desktop Services\
Remote Desktop Session Host\Licensing. The setting in question is Set The Remote Desktop
Services Licensing Mode. This is an excellent setting to edit using Group Policy, as all RD
Session Host servers in a farm are likely to have the same licensing mode. Using this setting
avoids accidental errors.
Set the licensing mode from Windows PowerShell like this:

PS RDS:\RDSConfiguration\LicensingSettings> Set-Item LicensingType X

where X is one of these values:

■ 2 = Per-device
■ 4 = Per-user

View the current licensing mode (as a name rather than a number) with the following command:

PS RDS:\RDSConfiguration\LicensingSettings> Get-Item LicensingName

SPECIFYING A LICENSE SERVER
Previous versions of Terminal Services supported automatic license server discovery, but this method had
so many conditions that could cause it not to work properly that RDS removed this feature.
You must now specify a license server. Do this in the GUI by clicking Add on the Licensing tab
of the Properties dialog box. Then either select a license server from the list of known license
servers or add a license server by name or IP address and then click Add. Then click OK.
To add a license server using Windows PowerShell, use the following command and fill in
the requested parameters (the server name is supplied as the Path value):

PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> New-Item
cmdlet New-Item at command pipeline position 1
Supply values for the following parameters:
Path[0]: Liberty.ash.local
Path[1]:

To see the license server added, run this command:

PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers> dir
    Directory: RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers

Name               Type       CurrentValue  GP  PermissibleValues  PermissibleOperations
----               ----       ------------  --  -----------------  ---------------------
Liberty.ash.local  Container  -                                    Get-Item, Get-ChildItem, Remove...

Remove a license server like this:

PS RDS:\RDSConfiguration\LicensingSettings\SpecifiedLicenseServers>
Remove-Item LIBERTY.ash.local -Force

NOTE  You have to use the –Force parameter if the license server you are removing is the
last or only license server listed.

To configure the license servers using Group Policy, select Computer Configuration\Policies\
Administrative Templates\Windows Components\Remote Desktop Services\Remote
Desktop Session Host\Licensing. The setting in question is Use The Specified Remote
Desktop Services License Servers. Again, this is a good setting for Group Policy to make
sure it's consistent across all servers and that new ones will be configured automatically to
match the existing set.
To add one or more servers, type their names in the text box and then click Check Names
to validate the names; you should see a confirmation message saying "The servers specified
are valid terminal license servers." If you don't receive this confirmation, verify the name.
When you specify license servers, their names are added to the RD Session Host server's reg-
istry in HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers\
SpecifiedLicenseServers.

Specifying a license server isn't always as easy as just typing in a server name, for the fol-
lowing reasons:
■ The license servers that you specify must run a version of Windows Server at least as new as the
RD Session Host server. It is not possible for a license server running Windows Server 2003 to issue Windows Server
2008 R2 RDS CALs. (A license server running Windows Server 2008 R2 can issue TS
CALs for terminal servers running Windows Server 2003, however.)
■ You can point to a license server outside the forest. However, if this license server will
be issuing per-user RDS CALs, there must be a trust relationship between the two do-
mains. When issuing per-user RDS CALs, the license server needs to be able to contact
AD DS on behalf of the person requesting an RDS CAL.
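A licensing misconfiguration does not fail immediately; it shows up as users being refused connections once the grace period ends. The following script is an added example, not code from the book: it sets the licensing mode, registers each license server through the RDS: provider only after confirming the Remote Desktop Licensing service is actually running there, and then reads the result back from both the provider and the registry path given above. The service name TermServLicensing, the assumption that the registry location holds a multi-string value named SpecifiedLicenseServers, and the function name are mine; liberty.ash.local in the usage line is the sample name used on this page.

```powershell
# Added example (not from the book): licensing mode plus validated license server registration.
Import-Module RemoteDesktopServices

function Set-RdsLicensing {
    param(
        [ValidateSet('PerDevice', 'PerUser')][string]$Mode,
        [string[]]$LicenseServer
    )
    $ls   = 'RDS:\RDSConfiguration\LicensingSettings'
    $type = @{ PerDevice = 2; PerUser = 4 }[$Mode]      # values documented above
    Set-Item -Path "$ls\LicensingType" -Value $type

    foreach ($server in $LicenseServer) {
        # Fail early: a mistyped name or a stopped service is otherwise invisible until the grace period ends
        $svc = Get-Service -Name TermServLicensing -ComputerName $server -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            throw "$server is not running the Remote Desktop Licensing service (TermServLicensing)"
        }
        if (-not (Test-Path -Path "$ls\SpecifiedLicenseServers\$server")) {
            # The provider takes the server name as the new item's path, as in the prompt shown above
            Push-Location "$ls\SpecifiedLicenseServers"
            try { New-Item $server | Out-Null } finally { Pop-Location }
        }
    }

    # Cross-check what the provider reports against the registry location the text names.
    # Assumption: the list is stored as a multi-string value called SpecifiedLicenseServers.
    $regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'
    $regList = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).SpecifiedLicenseServers
    New-Object PSObject -Property @{
        Mode             = (Get-Item -Path "$ls\LicensingName").CurrentValue
        ProviderServers  = @(Get-ChildItem -Path "$ls\SpecifiedLicenseServers" | ForEach-Object { $_.Name })
        RegistryServers  = @($regList)
    }
}

# Usage:
#   Set-RdsLicensing -Mode PerUser -LicenseServer liberty.ash.local
```

If the provider reports a GP value for LicensingType or the SpecifiedLicenseServers container, the Set-Item or New-Item above will not take effect; in that case the values belong in the two Group Policy settings described in this section rather than on the server.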

Protocol-Specific Settings
The Connections portion of Remote Desktop Session Host Configuration contains information about
any protocols supported on the server (double-click RDP-Tcp to see them). In this example,
you'll see only Remote Desktop Protocol because that's the native protocol used by Remote
Desktop Services and the only one that is installed. Were Citrix XenApp extensions to Remote
Desktop Services installed, for example, there'd be another entry here for ICA, the default
protocol for user sessions when XenApp is installed.
Most protocol-specific settings are controlled from the user account properties visible in
Active Directory Users and Computers, and the settings that aren't there are included in
Group Policy. (If they are set using Active Directory Users and Computers, Group Policy can
still override them.) The settings in Remote Desktop Session Host Configuration (see Table 3-5) are mainly
advisory. In this section, you'll learn what the settings mean and how you might use them.

TABLE 3-5  Protocol Configuration Settings in Remote Desktop Session Host Configuration

General
  Settings contained: Mainly security settings, including the minimum encryption level set
  between client and server, whether the server must authenticate itself to the client (RDP
  security layer vs. SSL), and whether NLA is required. See Chapter 7 for more information
  about these options.
  When you would edit: Hopefully, not often. All modern clients can support Secure Sockets
  Layer (SSL) connections, which let the client verify the server's certificate and so reduce the
  chance that a rogue terminal server could intercept client authentication data. NLA requires
  at least RDP 6.1 and CredSSP support on the client.

Environment
  Settings contained: Initial program path and settings.
  When you would edit: Probably never. Because Windows Server 2008 R2 supports RemoteApp
  programs, you don't need to specify startup applications.

Sessions
  Settings contained: Settings determining behavior when a session has been active,
  disconnected, or idle for a certain length of time.
  When you would edit: Rarely. These settings can be set from Group Policy or Active Directory
  Users and Computers, and both will override the settings here. Use Group Policy to set
  consistent connection policies across all terminal servers; use Active Directory Users and
  Computers to set connection policies for individuals.

Logon Settings
  Settings contained: Whether to use the client logon information or generic logon credentials.
  When you would edit: Rarely. You might use this setting for a special-use RD Session Host
  server supporting anonymous connections, but generally you'll want to use the user logon
  credentials.

Remote Control
  Settings contained: The rules governing remote control of a user's session.
  When you would edit: Rarely. These settings can also be set in Active Directory Users and
  Computers and Group Policy, and by default those settings take precedence. Remote Control
  settings can also be defined on a per-machine basis through Group Policy.

Client Settings
  Settings contained: Maximum color depth and device redirection rules. Most supported
  devices are enabled by default.
  When you would edit: Occasionally, to override client-side settings.

Network Adapter
  Settings contained: Chooses the network adapters to support RDP traffic and limits the
  number of connections that the terminal server will support.
  When you would edit: Occasionally, to limit the network adapters being used for RDP
  connections or to keep connections to the RD Session Host server within the bounds of what
  it can support.

Security
  Settings contained: Users and groups permitted access to the terminal server.
  When you would edit: Rarely. As Help will remind you when you switch to this tab, it is best
  practice to control access by controlling the membership of the Remote Desktop Users group
  because the results are more predictable.

NOTE  There are some discrepancies between the user account properties visible in Ac-
tive Directory Users and Computers and the settings visible in Server Configuration on
the Environment and Sessions tabs. The corresponding tab in Active Directory Users and
Computers shows settings that don’t apply to RDP; the Remote Desktop Session Host
Configuration console settings and Group Policy settings are current. (The option on the
Sessions tab of the Active Directory Users and Computers user Properties dialog box to Al-
low Reconnections From Any Client Or Originating Client Only does not apply to RDP.)

You can also configure most of these settings using Group Policy. Some of the more useful
ones are described in the rest of this chapter; you'll learn more about what these settings are
for throughout the book. The Network Adapter and Security tabs do not have related Group
Policy settings.
To configure connection security (including enabling server authentication, network-
level authentication, and the client encryption level), select Computer Configuration\Policies\
Administrative Templates\Windows Components\Remote Desktop Services\Remote
Desktop Session Host\Security. Chapter 7 will discuss the settings in more detail, but the
policies in question are as follows:
■ Set Client Connection Encryption Level
■ Require Use Of Specific Security Layer For Remote (RDP) Connections
■ Require User Authentication For Remote Connections By Using Network Level
Authentication
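The three policies above map onto three properties of the RDP-Tcp listener, which makes them the first things to check on a server you did not build yourself. The following script is an added example, not code from the book: it reads the security layer, minimum encryption level and NLA requirement from the Win32_TSGeneralSetting WMI class that Remote Desktop Session Host Configuration itself uses, and raises any that are below the SSL / High / NLA-required baseline unless a policy already owns the value. The class, property and method names come from the root\cimv2\TerminalServices namespace; my assumption is that the PolicySource* properties report 1 when a GPO controls the corresponding value, and the function names are mine.

```powershell
# Added example (not from the book): audit and harden the RDP-Tcp listener's security settings.
function Get-TsGeneralSetting {
    param([string]$ComputerName = '.')
    # PacketPrivacy is required for this namespace when the query goes over the network
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                  -ComputerName $ComputerName -Authentication PacketPrivacy |
        Where-Object { $_.TerminalName -eq 'RDP-Tcp' }
}

function Get-RdpSecuritySetting {
    param([string]$ComputerName = '.')
    $ts    = Get-TsGeneralSetting $ComputerName
    $layer = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL' }
    $enc   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
    New-Object PSObject -Property @{
        Computer              = $ComputerName
        SecurityLayer         = $layer[[int]$ts.SecurityLayer]
        MinEncryptionLevel    = $enc[[int]$ts.MinEncryptionLevel]
        NLARequired           = [bool]$ts.UserAuthenticationRequired
        CertificateThumbprint = $ts.SSLCertificateSHA1Hash     # what clients see when SSL is used
        LockedByPolicy        = ($ts.PolicySourceSecurityLayer -eq 1 -or
                                 $ts.PolicySourceMinEncryptionLevel -eq 1 -or
                                 $ts.PolicySourceUserAuthenticationRequired -eq 1)
    }
}

function Set-RdpSecurityBaseline {
    param([string]$ComputerName = '.')
    $ts = Get-TsGeneralSetting $ComputerName
    # SSL (2) lets the client check the server certificate; NLA makes the client authenticate via
    # CredSSP before a session exists; High (3) = 128-bit encryption in both directions.
    if ($ts.PolicySourceSecurityLayer -ne 1 -and $ts.SecurityLayer -lt 2) {
        $ts.SetSecurityLayer(2) | Out-Null
    }
    if ($ts.PolicySourceUserAuthenticationRequired -ne 1 -and $ts.UserAuthenticationRequired -ne 1) {
        $ts.SetUserAuthenticationRequired(1) | Out-Null
    }
    if ($ts.PolicySourceMinEncryptionLevel -ne 1 -and $ts.MinEncryptionLevel -lt 3) {
        $ts.SetEncryptionLevel(3) | Out-Null
    }
    Get-RdpSecuritySetting $ComputerName      # read back the effective values
}

# Usage (rdsh01/rdsh02 are placeholders):
#   'rdsh01', 'rdsh02' | ForEach-Object { Get-RdpSecuritySetting $_ } | Format-Table -AutoSize
#   Set-RdpSecurityBaseline
```

Turning NLA on disconnects clients that cannot do CredSSP (older RDP clients and some thin-client firmware), so run the audit first and schedule the change; where LockedByPolicy is true the values are already enforced and the corresponding policy, not this script, is the place to change them.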
To configure device redirection and environment settings, select Computer Configuration\
Policies\Administrative Templates\Windows Components\Remote Desktop Services\
Remote Desktop Session Host\Device And Resource Redirection. The Printer Redirection and
Remote Session Environment subkeys in this same path also include policies to control the
user environment, which is discussed in more detail in Chapter 5.
To configure the rules for remote control of a user's session by an administrator, select
Computer Configuration\Policies\Administrative Templates\Windows Components\
Remote Desktop Services\Remote Desktop Session Host\Connections. The setting in
question is Set Rules For Remote Control Of Remote Desktop Services User Sessions. You'll
find out more about the use of remote control in Chapter 11.

Checking Configuration with the Best Practices Analyzer

Although many configuration choices are left to you to determine what's best for your en-
vironment, some configurations must be done in a certain way for a feature to function. For
example, users cannot connect to the RD Session Host server if they are not in the Remote
Desktop Users group. Other best practices aren't necessarily a problem, but the server will
function better and be less exposed to risk if it conforms to them. For example, to support
pre-connection user authentication, you need to enable NLA; with NLA, the client must authenticate
through CredSSP before the server creates a session, so unauthenticated clients cannot tie up server
resources by starting sessions they will never be able to log on to.

Best Practices Analyzer (BPA) is a server management tool in Windows Server 2008 R2.
BPA can help you conform to recommended best practices by scanning installed roles on a
server and reporting any violations. (Some violations will require immediate action and some
are advisory, but all are intended to highlight any potential problems with the server con-
figuration.) You can run the BPA for the local computer or remotely, and because it's built on
Windows PowerShell, it also works from the command line so that you can run reports on an
entire farm programmatically.
In this example, we'll show you how to run the BPA for Remote Desktop Services. The
product group can update BPA as part of recommended updates, so you might have addi-
tional options by the time you read this book.
The BPA works by identifying certain best practices for a role and then programmatically
checking the configuration to make sure that the settings support the best practices. (BPA
reads the configuration it checks through Windows Management Instrumentation (WMI).) If a setting does not
support a recommended best practice, then the report gives feedback about the issue and a
recommended fix.
To start using the BPA, open Server Manager and scroll down to the Remote Desktop
Services role, as shown in Figure 3-26. You'll see a link that says Scan This Role (circled here).

FIGURE 3-26  Starting the BPA

Click the link to display the page shown in Figure 3-27. You'll see a progress bar while the
scan runs. When it's done, you'll see a report. In this case, it's showing that the Remote
Desktop Users group is not populated.

Essent a RD Sess on Host Configurat on  Chapter 3 163

www.it-ebooks.info
FIGURE 3-27  The BPA Report on RD Sess on Host

Again, additional rules will be added to the BPA as you add Windows updates, so you might see other rules to check. Other roles have rules, too, so the results of the scan will depend on what roles are installed.
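Because the BPA is built on Windows PowerShell, the same scan the Server Manager link runs can be driven from the command line across a whole farm. The script below is an added example and is not from the book; it assumes PowerShell remoting is enabled on each RD Session Host, that the server names are placeholders you replace, and that the RDS model ID is Microsoft/Windows/TerminalServices (confirm the ID with Get-BpaModel on your server).

```powershell
# Added example, not from the book: scan the RDS role with the BPA on a farm
# and collect only the rules each server violates.
# Assumptions: PowerShell remoting is enabled on each host, and the RDS model
# ID is Microsoft/Windows/TerminalServices (confirm with Get-BpaModel).
$Servers = @('RDSH01', 'RDSH02')   # constructed server names; replace with your own
$ModelId = 'Microsoft/Windows/TerminalServices'

$Findings = Invoke-Command -ComputerName $Servers -ArgumentList $ModelId -ScriptBlock {
    param($ModelId)
    Import-Module BestPractices
    # Run the scan; its results are stored on the server until the next scan.
    Invoke-BpaModel -ModelId $ModelId | Out-Null
    # Keep violations only: drop informational entries and rules an admin excluded.
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } },
                      Severity, Category, Title, Problem, Resolution
}

# Errors (need action) sort before warnings (advisory), then by server name.
$Findings |
    Sort-Object @{ e = { if ($_.Severity -eq 'Error') { 0 } else { 1 } } }, Server |
    Format-Table Server, Severity, Title, Resolution -AutoSize -Wrap

# A non-zero exit lets a scheduled task flag a farm with Error-level findings.
if (@($Findings | Where-Object { $_.Severity -eq 'Error' }).Count -gt 0) { exit 1 }
```

Run it from a management workstation as an account that is an administrator on every host; the Resolution column carries the recommended fix the report page shows, so the output can be archived as evidence that the farm was checked after each change.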

Installing Applications on an RD Session Host Server

Installing an application on an RD Session Host server is different from installing the same application on Windows 7. When you install an application on Windows 7 (or Windows Server 2008 R2 when not configured as an RD Session Host server), you’re generally prompted to choose whether you want to install that application for all users of the computer or just for the user who is currently logged on. The installation performed for all users differs from the installation performed for a specific user. The differences between these choices (there are some exceptions among application vendors, but this is what Microsoft recommends for v2 profiles) are explained in Table 3-6.

TABLE 3-6  Recommended Installation Options for Windows Server 2008 R2 and Windows 7

OPTION | COMMON SETTINGS | CURRENT USER
Shortcuts | Installed in Public profile | Installed in current user’s profile
Listing in Programs And Features in Control Panel | For all users | For the current user only
COM registration | HKLM\Software\Classes | HKCU\Software\Classes
Run with executive privileges | Yes | Optional
Storage location for icons and transform files | %WinDir%\Installer\{ProductCode} | %UserProfile%\AppData\Microsoft\Installer\{ProductCode GUID}

There are few surprises here: the per-user installation stores all relevant data in the user’s profile. An all-users installation stores the relevant data on a per-computer basis (or in the Public folder so that the RD Session Host server is ready to add more users to the application).

Which Applications Will Work?

This subject was briefly mentioned in Chapter 2, in the discussion of how to use the RDS Application Analyzer, but you’ll learn about it in more detail here.
Most newer applications will run on an RD Session Host server, but you can’t assume that every application will perform successfully. As you know if you’ve used Terminal Services in the past, not all applications work on a shared server (and that is especially true for older applications). Sometimes the problem is that the application is too resource-intensive to share, or it might require too many graphical updates to update the client-side display properly (rendering applications come to mind). But sometimes the problem is more subtle than that.
Broadly speaking, most application compatibility problems come from one of these sources:
■ Microsoft Internet Explorer 6 dependency
■ Installation
■ Concurrent resource usage
■ Permissions issues
■ Privacy issues
■ Performance issues
■ Device redirection issues
Let’s look at each of these in more detail.

Internet Explorer 6 Dependency

Some older web-based applications were written with a dependency on Internet Explorer 6. These applications won’t run on Windows Server 2008 R2 because it uses Windows Internet Explorer 8. Internet Explorer cannot be virtualized with App-V, so if you need to run these applications remotely, you’ll need to either set up a terminal server running Windows Server 2003 or run the application from a virtual machine (VM) running Windows XP (as described in Chapter 4).
Application Installation
Many application installations are designed for a single-user computer. This means that such an application was created with certain assumptions—for example, that it’s acceptable to store personal settings in HKLM (which would mean that the application doesn’t customize properly; machine-wide means all settings apply to all users), or to store settings in INI files in the Windows directory (which causes all users to have the same application settings).
One application-compatibility setting that is available to developers to avoid these kinds of problems is the /TSAWARE option, which is in a program’s header file. For example, applications designed to be multi-user-aware should not use INI files to store settings. The /TSAWARE switch provides a workaround for applications that were not necessarily designed for a multi-user environment so that if an application does use INI files, the RD Session Host server will accommodate this during installation by creating virtual Windows directories for each user in which to store the INI files. Without this option, applications using INI files will have a single configuration file, and everyone using the application will have the same settings.
Unfortunately, there’s no way for an administrator to check to see if the /TSAWARE option has been set in an application. If you have a homegrown application that depends on INI files, however, you can check with the developer to see if it is TS-aware so that INI files will be stored on a per-user basis.
Another potential installation issue introduced with Windows Server 2008 R2 is that of 16-bit installers, specifically the stub component some applications use to check the machine type before the 32-bit installation engine runs. 32-bit applications can run on a 64-bit platform; the 64-bit Windows Installer can handle them. 16-bit applications cannot. That said, Microsoft realized that this could be an issue and addressed it for certain installers. If an application uses any of the following installers (listed in HKLM\Software\Microsoft\Windows NT\CurrentVersion\NtVdm64):
■ Microsoft Setup for Windows 1.2
■ Microsoft Setup for Windows 2.6
■ Microsoft Setup for Windows 3.0
■ Microsoft Setup for Windows 3.01
■ InstallShield 5.x
then, when you start the installation, Windows will remove the 16-bit installer that starts the 32-bit installation engine and replace it with a 32-bit version. This list can’t be extended. If your application uses another installation engine, you will need to convert it to use a 32-bit installer to make it work on Windows Server 2008 R2.
Concurrent Resource Usage
Many instances of the same application run concurrently on an RD Session Host server. If the applications want to use the same physical port, write to the same files, or write to the same portions of the registry, they won’t work on an RD Session Host server. If two applications attempt to write to the same file at the same time, this can lead to data corruption; if they write to the same file at different times (perhaps to the same INI file, as discussed in the previous section), then this can lead to unexpected behavior.

Privacy Issues
Although the architecture of an RD Session Host server session is designed to keep session memory areas separate, applications also must honor this in the way they share files. If those files store any private data (for example, the web pages that a user has viewed), then the applications can’t use the same files.

Performance Issues
By definition, applications running on an RD Session Host server must share hardware resources, including disk input/output (I/O), processor time, and physical memory. If an application needs a lot of any of those, then it’s probably not a good fit for an RD Session Host server. (Even the DFSS mechanism only divides processor time more evenly—it doesn’t make more of it.) Similarly, some applications don’t remote well over high-latency networks. As you’ll see in Chapter 6, RDP 7 has continued the trend of more efficient usage of resources to better display high-quality multimedia in Windows Media Player, but some Flash and Silverlight applications might not display well over a wide area network (WAN).

Device Redirection
As discussed in Chapter 5, Windows Server 2008 R2 RD Session Host servers can redirect new kinds of resources. They can’t, however, redirect everything—or at least, they can’t support all features (for example, ActiveSync) if they do. Devices that need but don’t get this redirection will not work in a remote session.
What can you do about these limitations of applications and device redirection? First, you can do some checking ahead of time so that you will know which applications will work and which will not. One option is to search some websites to find out what applications have been packaged to work on a shared server, because if someone else has been able to make the application work, then at least you know that it can be done. (The software provider visionapp, for example, maintains a list of this kind at http://visionapp.com/1701.0.html?&ftu=7074772b28.) Another option is to analyze the applications themselves, using the Application Analyzer tool available on the companion CD and described in Chapter 2.
Storing Application-Specific Data
Installing applications on a shared server is somewhat different from both the per-user or all-users installation option performed on a single-user operating system. The situation is different; in this case, you want all users who access the RD Session Host server to be able to use the application, but you also want them to be able to maintain their settings in their profiles so those settings will follow them between servers. Therefore, when you install applications on an RD Session Host server, the operating system combines the two approaches. Application binaries are stored to be accessible to anyone connected to the server, but the operating system stores some settings in a particular part of HKLM called the shadow key. The location of this key will vary with the operating system and application type, as follows:
■ 64-bit versions of Windows Server 2008 R2 store shadow key information for 32-bit applications in HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software
■ 64-bit versions of Windows Server 2008 R2 store shadow key information for 64-bit applications in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software

NOTE  Like APIs, registry key names didn’t change when Terminal Services became
Remote Desktop Services in Windows Server 2008 R2. That would have broken applications
that relied on the Terminal Server name.

The shadow key stores configuration settings for all the applications installed on the RD Session Host server, divided by publisher. When a user logs on, the contents of this key are copied to her profile, so long as the contents of the key are newer than the contents in the profile. The operating system determines the relative age of the configuration data in the user profile and in the shadow key by comparing timestamp values of two registry keys, both of which have recorded last write-time in seconds since 1970. The key in the user profile is LastUserIniSyncTime, stored in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server; the date of the shadow key is stored in LatestRegistryKey in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\IniFileTimes.

NOTE  The iniFileTimes key is hidden, so don’t expect to see it in the registry if you look
for it.

If the profile is newer, the settings aren’t copied; if the configuration in the shadow key is newer, the user profile is updated with the data in the shadow key. You don’t want to update the central data source, so the user profile will never update the shadow key.
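The age comparison above is easy to inspect from the user’s side. The following script is an added example and is not from the book: it decodes LastUserIniSyncTime (seconds since 1970, as described above) for the logged-on user, lists the publishers present in both the 64-bit and Wow6432Node shadow keys, and shows the server clock, which is the time a new installation on this server would stamp into the shadow key. The value and key names come from the text; the script, its output shape and the epoch conversion are this example’s own.

```powershell
# Added example, not from the book: show when this user's profile last took
# settings from the shadow key, and what the server's two shadow keys hold.
# Value and key names come from the text; the script, its output shape and
# the conversion are this example's own.
function Get-ShadowKeySyncState {
    $tsKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server'
    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

    # LastUserIniSyncTime is a DWORD of seconds since 1970; PowerShell reads a
    # DWORD as a signed Int32, so mask it back to unsigned before converting.
    $raw = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).LastUserIniSyncTime
    $lastSync = $null
    if ($raw -ne $null) {
        $seconds  = [int64]$raw -band 0xFFFFFFFF
        $lastSync = $epoch.AddSeconds($seconds).ToLocalTime()
    }

    # 64-bit and 32-bit (Wow6432Node) shadow keys, divided by publisher.
    $shadowKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software'
    )
    $publishers = foreach ($k in $shadowKeys) {
        if (Test-Path $k) {
            foreach ($sub in Get-ChildItem -Path $k) {
                New-Object PSObject -Property @{
                    ShadowKey = $k
                    Publisher = $sub.PSChildName
                    SubKeys   = $sub.SubKeyCount
                    Values    = $sub.ValueCount
                }
            }
        }
    }

    # The shadow key's own timestamp (LatestRegistryKey) lives in the hidden
    # IniFileTimes key the text mentions, so it is not read here. The server
    # clock is shown instead: an application installed on this server now would
    # be stamped with it, and if that is newer than LastProfileSync the new keys
    # will replace this user's settings at the next logon.
    New-Object PSObject -Property @{
        User            = $env:USERNAME
        LastProfileSync = $lastSync
        ServerClockNow  = Get-Date
        Publishers      = @($publishers)
    }
}

$state = Get-ShadowKeySyncState
'{0}: profile last synced from shadow key {1}' -f $state.User, $state.LastProfileSync
'Server clock now: {0}' -f $state.ServerClockNow
$state.Publishers | Format-Table Publisher, SubKeys, Values, ShadowKey -AutoSize
```

Run it in a session on the RD Session Host; an empty LastProfileSync means the profile has never been synchronized on this server, and a Publishers list that differs between two servers of one farm is an early sign that their shadow keys, and therefore their users’ settings, have drifted apart.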

HOW IT WORKS

32-Bit Applications in a 64-Bit World

Windows Server 2008 R2 is only 64-bit, but it’s not practical to assume that
64-bit versions of all applications will be available. To work around this prob-
lem, 64-bit Windows implements the WOW64 emulator. This user-mode emulator
loads a 32-bit version of NTDLL.dll, used by applications to make system calls. When
a 32-bit application calls on NTDLL.dll to interact with the operating system in some
way (for example, to read from or write to disk), WOW64 intercepts the call (this is
not an expensive operation because it, like the application it’s working with, runs in
user mode) and sends the request to the 64-bit operating system. In other words,
the 32-bit application and the 64-bit operating system don’t have to know about
each other.

To enable 32-bit applications to take advantage of some of the additional memory
space 64-bit applications get, application creators can compile the applications with
the IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in the image header. Using this
flag doesn’t give the 32-bit applications the full 8 terabytes of user-mode virtual
memory addresses that 64-bit applications can use, but it does double their virtual
memory space to 4 GB.

In addition to needing some way to communicate with the operating system, it’s
important to separate registry data for 32-bit and 64-bit applications so that they
don’t load the wrong DLLs or overwrite each other’s configuration data. Therefore,
64-bit applications on a 64-bit server use the keys and values stored in HKLM\
Software, and the 32-bit applications use the keys and values stored in HKLM\
Software\Wow6432Node. Under each key, the structure is approximately the same.

It would be impossible to support 32-bit applications on a 64-bit operating system
if all 32-bit applications had to be rewritten to support this compatibility key.
Instead, to make this work, 64-bit versions of Windows use registry redirection to
intercept calls to the registry. If a 32-bit application (or component, for that mat-
ter) tries to read from or write to the registry, then the operating system’s WOW64
subsystem intercepts the request and redirects it to the appropriate path of the
registry. If 64-bit applications attempt to access the registry, the WOW64 subsystem
ignores the call.

Sometimes both 32-bit and 64-bit applications need the same data, but they must
read it from their own section of the registry. For data that both versions need, the
operating system employs registry reflection. Registry reflection updates both the
32-bit section and the 64-bit section. This is done mainly for operations such as file
association (HKLM\Software\Classes) to ensure that the same application always
opens a file with a particular extension. Registry reflection ensures that the contents
of the Classes key are maintained in parallel for both the 32-bit and 64-bit sections
of the registry.

For our purposes here, the implications of this are that 64-bit versions of Windows
maintain two areas for shadow keys: one for 32-bit applications and one for 64-bit
applications.

Avoiding Overwriting User Profile Data

You might have noticed that the decision to overwrite or not overwrite the user profile is done solely by the relative age of the data in the profile and the shadow key. If you install and deploy more servers to the farm, the new servers will have a newer date than the older servers. This can lead to problems, because the newer RD Session Host servers overwrite the user-updated data in the user profile because it’s (apparently) newer. As an example of how this could affect the user, let’s say that you had an RD Session Host server with Microsoft Office 2010 installed on it. You allow users to customize their application experience, so they change which toolbars are visible. When you deploy a new RD Session Host server in the farm, the default settings on the new server will have a newer timestamp than the user profile timestamp. When the user logs onto the new server, the changes the user had made and grown to rely on would be overwritten with the default options on the new server. You can get around this problem in one of several ways:
■ Create new servers from images of old servers
■ Ensure that the shadow key timestamps on the new servers are older than the user profile
■ Remove the keys from the shadow key
■ Prevent updates to existing profile data

Edit the Shadow Key Timestamps

Because the decision to write or not is based on whether the information in the user profile is older than the data in the shadow key, one approach is to ensure that the shadow key is always older than any data in the user profile. You can set the clocks back on new servers before installing applications. The number of seconds since 1970 is determined by the clock on the operating system, not the system clock on the motherboard, so it’s not hard to fool. You just need to ensure that you’re consistent about the date to which you set the RD Session Host servers.

ON THE COMPANION MEDIA  An after-the-fact approach could be to change the timestamps on the registry keys. One way to do this is with a freeware tool like the Registry Time Stamp Tool from Immidio, linked from the companion media.
Removing Sections from Shadow Keys
Another way to prevent the keys from being updated in the user profile is to delete them from the shadow key. If you do so, of course they won’t be added to the user profile, and you’ll need to apply them with logon scripts.
The advantage to this approach is that it ensures that the keys won’t overwrite the user profile. The disadvantage is that it takes some work to set this up, and more to maintain it. You need to delete the contents of the shadow key on all RD Session Host servers, and you must ensure that all users get the keys added to their session. In addition, if you add more applications, you must update the logon scripts.

Selectively Disabling Registry Writes

Rather than removing the contents of the shadow key, you can control registry propagation selectively. To do this, go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\RegistryEntries\PathName, where PathName is the path to the key that you don’t want updated (located in HKCU\Software). For example, if you examine the contents of this path, you’ll see that Microsoft\Windows\CurrentVersion\Explorer\Shell Folders is already there.

NOTE  For 32-bit applications on a 64-bit operating system, edit the path to HKLM\
Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\
Compatibility\RegistryEntries\PathName.

The tricky part here lies in the value assigned to this key to control propagation. By default, Microsoft\Windows\CurrentVersion\Explorer\Shell Folders has a value of 108 hexadecimal. This value is actually the result of compatibility bits. A value of 8 hex means that the path points to a 32-bit application. The 100 hex comes from the configuration of registry mapping. If this bit is set (which means it has a value of 100), then new entries from the system master registry image will be added to the user profile when the application is started, but no existing data in the profile will be deleted or changed. If this bit is not set (has a value of 0, or isn’t present), the operating system deletes and overwrites the user’s registry data if it is older than the system master registry data.
Therefore, to prevent Win32 application registry settings from being updated in the user profile, provide the path to the key in HKEY_USERS where that application data is stored and give it a value here of 108 in hex.
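The following script is an added example and is not from the book. It creates a RegistryEntries entry for a constructed application path with the 0x108 value described above, picking the Wow6432Node location for a 32-bit application as the note specifies, and then decodes every existing entry so you can audit which HKCU paths are already protected. The RegistryEntries path and the bit meanings are from the text; the assumption here is that the DWORD stored under each PathName key is named Flags, and the Contoso\SampleApp path is a constructed placeholder.

```powershell
# Added example, not from the book: set and audit the compatibility flags that
# control whether shadow-key data may overwrite a user's existing settings.
# The path and the 0x108 value are from the text. Assumption: the DWORD stored
# under each RegistryEntries\<PathName> key is named "Flags".
$REG_WIN32       = 0x008   # text: the path refers to a 32-bit (Win32) application
$REG_ADD_ONLY    = 0x100   # text: add new entries to the profile, never delete or overwrite
$REG_ENTRIES_SUB = 'Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\RegistryEntries'

function Get-RegistryEntriesRoot {
    param([switch]$Wow64)   # 32-bit application on 64-bit Windows: use Wow6432Node
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    Join-Path $base $REG_ENTRIES_SUB
}

function Set-ShadowKeyPropagation {
    # $PathName is the key under HKCU\Software whose data must not be overwritten,
    # for example 'Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'.
    param([Parameter(Mandatory = $true)][string]$PathName, [switch]$Wow64)
    $key = Join-Path (Get-RegistryEntriesRoot -Wow64:$Wow64) $PathName
    # -Force creates every intermediate key in the path.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Flags -PropertyType DWord `
        -Value ($REG_ADD_ONLY -bor $REG_WIN32) -Force | Out-Null
}

function Get-ShadowKeyPropagation {
    # Decode every entry so you can see which HKCU paths are already protected.
    param([switch]$Wow64)
    $root = Get-RegistryEntriesRoot -Wow64:$Wow64
    if (-not (Test-Path $root)) { return }
    foreach ($k in Get-ChildItem -Path $root -Recurse) {
        $flags = $k.GetValue('Flags')
        if ($flags -eq $null) { continue }   # intermediate key, not an entry
        New-Object PSObject -Property @{
            PathName = $k.Name.Substring($k.Name.IndexOf('RegistryEntries\') + 16)
            Flags    = '0x{0:X}' -f $flags
            Win32    = [bool]($flags -band $REG_WIN32)
            AddOnly  = [bool]($flags -band $REG_ADD_ONLY)   # $false: overwrite if older
        }
    }
}

# Protect a constructed example path for a 32-bit application, then audit.
Set-ShadowKeyPropagation -PathName 'Contoso\SampleApp' -Wow64
Get-ShadowKeyPropagation -Wow64 | Format-Table PathName, Flags, Win32, AddOnly -AutoSize
```

Run it elevated on each RD Session Host in the farm; an entry that shows AddOnly as $false is one whose profile data the server will still delete and overwrite whenever the shadow key is newer, which is exactly the case the previous section warned about.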

Populating the Shadow Key

How does this data get into the shadow key in the first place? The answer depends on the type of application installation. Applications that install from Microsoft Windows Installer files (MSIs) work differently from applications that install from .exe files, and the changes can have real implications for the way the shadow key captures registry settings.
DIRECT FROM THE SOURCE

Two Models for Application Installation on Windows Server 2008 R2
Ara Bernardi
Senior Software Development Engineer

Not all applications install in exactly the same way. The following information
describes how MSIs differ from applications that do not install from MSIs.

The Pre-MSI Model

In the pre-MSI model, applications are typically installed by running a custom
Setup.exe file or a common installation tool such as InstallShield. Such setups do not
visibly distinguish per-user configuration from per-machine configuration, so there
is no easy way for servers to capture the per-user related changes and propagate
such changes to each user’s hive. Therefore, installations are done in Install Mode,
which records any registry key operation in that session, no matter what process
makes the changes. For example, if the administrator decides to change his or her
home page while installing an application in Install Mode, that change will also be
recorded. Therefore, it is important not to take any actions while an installation
is ongoing that do not pertain directly to the installation. When the installation
finishes, the session should be put back into Execute Mode.

The related commands are Change user /install and Change user /execute.
The “recording” of registry key changes is saved in the registry under HKLM\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\
Software.

While in Install Mode, changes to the Start menu are also tracked, and then those
changes are moved to the public menu so that shortcuts are visible to all users.

When a user logs on, Userinit.exe checks to see if the user’s hive under HKCU\
Software has or is missing keys from the equivalent path above. If anything is
added, or changed, it compares the two paths and takes appropriate action by
adding keys/values from the HKLM path.

The MSI Model

Applications with MSI-based setup install differently. Since the advent of MSI, a
centralized service is now responsible for installation, so there is no need to track
registry key changes made by any or all programs in a session. Instead, we need to
track only the registry key changes made by the MSI infrastructure. Additionally,
MSI has options to make per-user installation appear as a global installation for all
users (although this is mostly limited to user interface elements such as the Start
menu or Desktop shortcuts). Since applications continue to install registry keys (in

When you run an MSI file to install an application, this action sends a message to the TSAppCompat component to prepare for installation. This component then creates a snapshot of HKCU\.Default\Software and saves it.

Now, the TSAppCompat component checks the contents of HKCU\.Default\Software to compare the before and after versions, including all insertions, deletions, and changes. Having done so, it creates a delta of all the changes. This delta is what now populates the shadow key.

Only the contents of HKCU\.Default\Software are monitored. If the MSI starts another DLL (an infrequently used option), then the effects of that DLL will be ignored.
The Change user command that comes with RDS and used when you run an installation routine such as Setup.exe is another matter. When you put the RD Session Host server session into Install Mode with the command Change user /install, a different component named Advapi32 monitors all registry changes—all changes, not just the changes that have anything to do with installing the application. So long as the server is in Install mode, then the changes are recorded and copied to the user profile when they log on. For example, if you change the home page for Internet Explorer, you’ll be recording this data and changing it for everybody.
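Because everything the session does in Install Mode is recorded and later pushed into every user’s profile, the safest way to run a legacy Setup.exe is to enter Install Mode, run only the installer, and return to Execute Mode no matter how the installer ends. The wrapper below is an added example and is not from the book; change user /install, /execute and /query are the RDS commands named above, while the wrapper, its mode checks and the installer path are this example’s own (the path and the /S switch are constructed placeholders; silent-install switches are installer-specific).

```powershell
# Added example, not from the book: run a legacy (non-MSI) Setup.exe inside
# Install Mode and always return the session to Execute Mode afterwards.
# 'change user /install', '/execute' and '/query' are the RDS commands; the
# wrapper, its checks and the sample path are this example's own.
function Get-TsInstallMode {
    # 'change user /query' reports "Application INSTALL mode is enabled." or
    # "Application EXECUTE mode is enabled."
    $out = (& change user /query 2>&1 | Out-String)
    if     ($out -match 'INSTALL') { 'Install' }
    elseif ($out -match 'EXECUTE') { 'Execute' }
    else   { throw "Could not determine session mode: $out" }
}

function Invoke-LegacySetup {
    param(
        [Parameter(Mandatory = $true)][string]$SetupPath,
        [string[]]$Arguments = @()
    )
    if (-not (Test-Path $SetupPath)) { throw "Installer not found: $SetupPath" }
    if ((Get-TsInstallMode) -eq 'Install') {
        throw 'Session is already in Install Mode; finish that installation first.'
    }

    & change user /install | Out-Null
    try {
        # Everything this session does now is recorded to the shadow key, so the
        # installer is the only thing run here; do no other work meanwhile.
        $start = @{ FilePath = $SetupPath; Wait = $true; PassThru = $true }
        if ($Arguments.Count -gt 0) { $start.ArgumentList = $Arguments }
        $proc = Start-Process @start
        $proc.ExitCode
    }
    finally {
        # Runs even if the installer throws, so the server is never left recording.
        & change user /execute | Out-Null
    }
}

# Constructed example; the silent-install switch depends on the installer.
$exitCode = Invoke-LegacySetup -SetupPath 'C:\Installers\SampleApp\Setup.exe' -Arguments '/S'
"Installer exit code: $exitCode; session mode now: $(Get-TsInstallMode)"
```

Run it from an elevated PowerShell session on the RD Session Host; the refusal to start when the session is already in Install Mode prevents two overlapping installations from mixing their recorded keys, and the finally block is what guarantees the session does not stay in Install Mode recording unrelated changes, such as the Internet Explorer home page example above, into every user’s profile.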

Summary
This chapter has discussed the essentials of setting up a Remote Desktop Session Host server infrastructure. By now, you should be familiar with how RD Session Host servers create sessions, validate user logons, and issue licenses to authorized users or computers.
Best practices for RD Session Host server configuration include the following:
■ When configuring more than one server, use Group Policy, not the RD Session Host Configuration tool. When adjusting settings on a per-server basis, it’s too easy to introduce inconsistencies among servers, and inconsistencies now can lead to a lot of troubleshooting later.
■ DFSS evenly distributes processor time across user sessions; you need to use WSRM only if giving some users greater priority than others.
■ Do not use the memory management features of WSRM on an RD Session Host server.
■ Install the Desktop Experience feature to enable Plug and Play redirection.
■ Use the BPA to check RD Session Host settings.

Additional Resources
The following resources contain additional information and tools related to this chapter:
■ To learn more about setting up Group Policy objects for managing user settings, see Chapter 6, “Customizing the User Experience.”
■ To learn more about how to manage RD Session Host servers as a group, see Chapter 9, “Multi-Server Deployments.”
■ For more details about related Windows Server 2008 R2 architecture, see Chapter 2, “Key Architectural Concepts for Remote Desktop Services.”

CHAPTER 4

Deploying a Single Remote Desktop Virtualization Host Server
■ What Is VDI?  175
■ How Microsoft VDI Works  178
■ Installing Supporting Roles for VDI  188
■ Using RemoteApp for Hyper-V for Application Compatibility  218

Prior to Windows Server 2008 R2, Virtual Desktop Infrastructure (VDI) was not part of Microsoft’s presentation remoting package [even though Microsoft technology in the form of Remote Desktop Protocol (RDP) and the Windows operating system was used to enable another company’s VDI solution]. In this chapter, you will learn about this new role, how it works, and how to set it up for a single-server deployment. (Deploying multiple RD Virtualization Host servers works the same way as deploying one. Although SCVMM is out of scope for this book, it will help you manage VMs across multiple hosts. See http://www.microsoft.com/systemcenter/en/us/virtual-machine-manager.aspx for more information on SCVMM.)

What Is VDI?
But first, what is VDI?
At its most basic, Virtual Desktop Infrastructure (VDI) is a deployment design that puts the user desktop on a virtual machine (VM) in the datacenter, rather than on the physical computer at someone’s desk. Some degree of connection and image management is usually implied in VDI.
Speaking generally, VDI can range in complexity, as follows:
■ Example 1  One VM assigned to each person with a virtual desktop, with that person connecting to that desktop via the Remote Desktop Connection (RDC) client, specifying the desktop’s name or Internet Protocol (IP) address
■ Example 2  A personal desktop assigned to a user, but the user doesn’t have to know what the VM’s name is—just that he or she wants to connect to the machine
■ Example 3  A pool of desktops available to a set of users on a temporary basis
A few things vary with the different kinds of complexity:
■ The discovery process
■ The user control over the VM
■ The ease of delivery
First, there’s the process of discovering and connecting to the right VM. In the first example, it’s obvious. You go to the desktop that you have specified by name in the RDP file and hope that the VM is turned on. In the second and third examples, there must be some intelligence somewhere to get you to the right endpoint and make sure the VM is ready to accept connections.
The degree of administrative control also varies with the type of VDI. In the first two examples, one user will always use the same VM. As the IT manager, you can allow that user whatever degree of control over this virtual desktop that you see fit. In the pooled case, users can’t alter the shared pool of desktops. If they did, they’d either lose whatever changes they made (if you’d configured the VM to discard changes and roll back to its saved state at logoff) or they’d be messing up the VM for the next user (if you hadn’t).
Finally, the VDI delivery models differ in how easy it is to personalize the VM and the applications installed on it. Again, the first two models make it easy. Even if you don’t allow users to install their own applications, the VMs can still have a specific set of applications designed for a specific user’s needs. The pooled model makes it difficult to support much personalization because all VMs in the pool must have the right applications for all people who use them, and personal installs don’t work in this model.

NOTE  App-V can offer some degree of personalization. For more information on App-V,
see http://www.microsoft.com/systemcenter/appv/default.mspx.

If the VMs in a pool are assumed to be homogeneous, personal changes will lead to user confusion.
In the end, though, it’s all VDI: putting a client operating system on a VM to be accessed remotely. The steps required for the user to find the VM, the degree of customization the user can make, and level of user control over this VM are the variables.
One more thing about Microsoft VDI. It’s not just about a single role service. Although the Remote Desktop Virtualization Host (RD Virtualization Host) role service is essential to enabling this VDI model, it’s complemented by two other role services. As shown in Figure 4-1, RD Web Access displays the VM icons for users to discover, and RD Connection Broker gets a user to the right endpoint based on the kind of connection requested and the load balancing rules in place. Even the RD Session Host gets involved in a small way. This role service supports the redirector, an essential piece required for sending connection requests to RD Connection Broker.
Active Directory Domain Services (AD DS) also plays a key part in supporting VDI. AD DS stores the user account objects that the RDS roles can use to see what the user should see when they log into RD Web Access (since not all users might have access to all pools). The user account objects also store the mappings for personal desktops to users, as applicable.

[Figure 4-1 diagram: User 1, User 2, ... User n connect through an RD Session Host in redirection mode to the RD Connection Broker, which, with AD DS, directs each user to the IP address of a personal desktop (VM_User1 ... VM_User6) or to a pooled VM in DesktopPool1 (Pooled VM 1 ... Pooled VM 6) on hosts RDVH1, RDVH2, ... RDVH n.]

FIGURE 4-1  Role services support Microsoft VDI.

NOTE  The information in the rest of this chapter explains exactly how a user ends up con-
nected to their requested VM. For now, the key take-away is that all of the role services in
Figure 4-1 play a part in the process.

What isn’t VDI? VDI isn’t just about virtualizing existing desktops, or using a tool such as System Center Virtual Machine Manager (SCVMM) to image a desktop computer and move it into the data center. It’s true that there is a small amount of benefit in running a desktop from a VM. It’s easy to back up and therefore to restore, so a crashed desktop computer doesn’t block a user from working. Fundamentally, though, there’s a lot more benefit in viewing VDI as part of a strategy for reducing management costs than in just putting desktops in the data center. Done well, VDI can reduce some operating costs; but done poorly, it becomes a somewhat more expensive way of having physical desktops with a good local backup.

How Microsoft VDI Works

The first sort of VDI—the one that has each user with an RDP file connecting to a single VM by name—isn’t really part of Microsoft’s version of VDI. This is mostly because it’s both very simple to set up and very hard to manage on any kind of scale. All you have to do to get this model working is install Hyper-V and then set up some VMs for people to use, but there are no tools to manage the VMs, the connections, or ensure that the VMs are ready to accept connections when people want to use them.
Microsoft VDI is designed for connecting to pooled and personal VMs. Pooled VMs are available to anyone who is a member of the Remote Desktop Users group on each VM, and personal desktops are assigned to users in AD DS and available only to the person to whom they’re assigned. To support this display of and connection to personal and pooled VMs, the RDS components include the following:
■ A publishing infrastructure to assign VMs or the use of a pool to people (optional)
■ A connection broker to route the connection request to the most appropriate VM
■ A redirector (an RD Session Host in redirection mode) to send the connection to the connection broker
■ The VM Host agent on the RD Virtualization Host to prepare the VMs for connections
■ A Hyper-V hypervisor on the RD Virtualization Host
■ A client component that displays the user’s set of VMs (and RemoteApp programs)
■ AD DS to store the information about which users have personal desktops assigned to them and a place to look up the user SID so that RD Web Access can determine which VM pools a user should see

NOTE  The publishing infrastructure is optional, but it makes connection management easier. Publishing RemoteApp programs and VMs is discussed in more detail in Chapter 9, but the basic story is that the publishing infrastructure handles the chores of updating RDP files and getting them to users as you add more resources or delete existing ones. Without the publishing service, you'd have to keep sending users updated RDP files.

The terminology can get a little tricky. For example, when you're talking about connecting to a client operating system running in a VM, which one is the client? When discussing VDI, use the following terms to explain what's happening:

■ The computer that is running the RDC client and that someone sits in front of is called the client. This is consistent with terminology when connecting to a session.
■ The VM that this person is connecting to is the endpoint, or the guest (a guest of the RD Virtualization Host it's running on). A session on an RD Session Host can also be an endpoint.
■ Preparing a VM to be used (for example, bringing it out of hibernation) is called orchestration.
■ Moving a VM to a new RD Virtualization Host is called placement. Placement is not part of the basic RDS VDI solution but might be supported via a filter plug-in.

The rest of this chapter covers the mechanics of how you install and configure the RDS roles required to support VDI. For now, the focus is on the mechanics of how people discover personal desktops and pooled VMs, and how the connections they make get to the appropriate endpoints.

The Central Role of the RD Connection Broker

Without the RD Connection Broker, there is no VDI. As shown in Figure 4-2, the RD Connection Broker is central to the operation of this feature—the "brain." It keeps track of client connections to personal and pooled VMs, determines the kind of connection a user is requesting, and finds the right endpoint for the request.

From the perspective of the RD Connection Broker, it does not matter how a client makes a connection request. Someone can request a connection by clicking an icon in RD Web Access, starting an RDP file from the desktop or a network share, by manually using Remote Desktop Connection (RDC), or by connecting to RemoteApp and Desktop Connections on the client running Windows 7 and clicking an icon on the Start menu. In all these cases, the request is brokered by RD Connection Broker. RD Connection Broker works with RDP clients back to RDP 5.2 (which was available for Windows XP SP2 and Windows Server 2003), so the vast majority of Microsoft RDP clients are supported.

It also does not matter to the RD Connection Broker on which RD Virtualization Host the VM resides. RD Connection Broker is capable of keeping track of multiple RD Virtualization Hosts, as well as all their personal and pooled VMs, even if those pools span multiple servers.

[Figure 4-2 diagram: the RD Connection Broker sits between an RD Session Host in redirection mode and the RD Virtualization Host that holds personal VMs and virtual desktop pools. Windows 7 clients request a connection to a personal or pooled VM via RD Web Access (RDWA feed), a pre-defined RDP file, Remote Desktop Connection, or RemoteApp and Desktop Connection (RADC).]

FIGURE 4-2  RD Connection Broker is in charge of connecting users to personal and pooled VMs.

Discovering a VM

The first step of using a VM is discovering that a VM exists. To allow users to discover VMs, the administrator assigns a personal desktop or creates a VM pool from the RemoteApp and Desktop Connections Manager on the RD Connection Broker. When an administrator assigns a personal VM, this assignment is recorded in the user account properties in AD DS. (Active Directory in both Windows Server 2008 and Windows Server 2008 R2 supports this user account property.) Both personal and pooled VMs are added to the publishing feed that populates both Remote Desktop Web Access and RemoteApp and Desktop Connections on clients running Windows 7. This publishing feed is customized for each user's security credentials, so that one user does not see another's personal desktop. RemoteApp program display is also filtered according to which users have permission to use which applications. That said, all VM pools are visible to all consumers of the feed.

When a user—let's call her Kim Akers—navigates to the RD Web Access page, she's prompted for her credentials. Those credentials go to the publishing service on RD Connection Broker, which then looks them up in AD DS to determine what resources—RemoteApp programs and VMs—have been assigned to those credentials. The browser will then display a filtered view of the RemoteApp programs and VMs to which Kim has access. Again, Kim will see all the pools.

If Kim were connecting to the feed through RemoteApp and Desktop Connections on the client running Windows 7, the process would be pretty similar. The main difference is that Kim would see the VM (as well as RemoteApp icons to which she has access) in a folder on her Start menu. Conceptually, her connection process looks like Figure 4-3.

[Figure 4-3 diagram: (1) Kim Akers sends her user credentials to TScPubRPC (the RemoteApp and Desktop Connection Management Service) on the RD Connection Broker; (2) the broker performs a user SID check against AD DS; (3) the filtered user resources are returned to Kim. Kim Akers' resources: kim.akers Personal VM, RemoteApp 1, RemoteApp 3, RemoteApp 6, VM Pool X.]

FIGURE 4-3  How VM discovery works

NOTE  It’s also possible to save an RDP file that points to a personal VM or pool and
email that file to someone or put it on a network share. If you do that, the connection
process will be the same, but users can skip the discovery step (the process of finding
out what VMs are available to you). Distributing RDP files manually saves a few steps in
publishing but complicates the process of updating available resources, especially in large
environments.

Brokering a Connection

Kim initiates the brokering phase by clicking the personal desktop or pooled VM icon. At this point, she's requested a type of resource, like access to a VM pool, and the brokering must get her to the most appropriate location based on the server load and what she's asked for. The RD Connection Broker is built to be flexible both in terms of determining what kind of resource Kim wants to connect to (a VM or a session) and the rules governing which connection is most appropriate. It does this by using a couple of different kinds of plug-ins: resource plug-ins, which are used for a specific kind of resource, and filter plug-ins, which are used in combination with a particular resource plug-in to tweak the rules governing which resource is chosen and what happens to prepare it for a connection. The brokering service communicates with the resource plug-ins to engage them as appropriate for the type of connection. It also gets the VM IP address back from the VM resource plug-in to inform the client of its final endpoint. See Figure 4-4 for a diagram of the relationship between the component parts.

[Figure 4-4 diagram: the Brokering Service checks its cache of user sessions and the Connection Broker Database, then engages the Session plug-in (farm logic, load balancing) or the VM plug-in (farm logic with load balancing, plus machine logic for placement and orchestration).]

FIGURE 4-4  The Brokering service on the RD Connection Broker engages with the appropriate resource plug-in.

RD Connection Broker comes with two resource plug-ins: a session plug-in used for connecting to RD Session Host servers and a VM plug-in used to connect to personal and pooled VMs. Each of these resource plug-ins comes with built-in internal logic that the RD Connection Broker uses to determine where a connection should go and how it's made ready to accept connections. By default, the VM plug-in will distribute VM requests evenly among all RD Virtualization Host servers available. Because our basic scenario includes only a single server, all connections will go there, but if more were available, then it would use a round-robin technique to distribute the VM requests. Resource plug-ins are stored on the RD Connection Broker in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Resource.

Figure 4-5 shows the settings for the VM resource plug-in. (This RD Connection Broker has only the VM Resource plug-in because there are currently no RD Session Host farms configured on it.) The value for IsEnabled must be 1 for the plug-in to function, and the system must be able to identify the plug-in by name, class ID (the unique identifier for a COM object), and provider.

FIGURE 4-5  Built-in VM resource plug-in

Although RDS comes with only two plug-ins (again, the RD Session Host plug-in doesn't show here because this RD Connection Broker is not connected to an RD Session Host farm), independent software vendors (ISVs) can implement resource plug-ins for other kinds of endpoints as well, such as blade PCs or physical desktops. The brokering logic used to connect to and prepare those resources would depend on how the ISV had implemented the resource plug-in and the rules that were included. These rules could be built into the resource plug-ins or implemented as filter plug-ins to the main resource plug-in, as the ISV saw fit.

To change the default behavior of the resource plug-in, you'd add a new filter plug-in and associate it with that resource plug-in. For example, you might want to change the way that load balancing works. Rather than sending VM requests to each RD Virtualization Host in turn, an ISV might create a product to send them to the host server with the lowest processor stress, or the lowest number of currently running VMs. In that case, the ISV doesn't have to change the underlying logic to connect to a VM—just the rules by which it happens. Filter plug-ins can control behavior for load balancing (picking the right endpoint), orchestration (readying a VM for a connection), or placement (putting a VM on a host). Filter plug-ins are stored on the RD Connection Broker in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Filter.

Each filter plug-in is associated with a single resource plug-in, and more than one filter plug-in can be active at one time. To determine which filter plug-in's rules will prevail in case of a conflict, you can set priority when implementing the filter plug-in. Filter priority is set in HKLM/System/CurrentControlSet/Services/Tssdis/Parameters/Filter/n, where n is a whole number greater than 0.
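Because the broker loads whatever is registered under these keys as COM objects, it is worth being able to list them. The following Windows PowerShell script is an added example, not from the book: it walks the Resource and Filter keys named above, reports each entry's IsEnabled value (the only value name the chapter gives) and, for filter plug-ins, the priority taken from the subkey name, and resolves any CLSID-shaped value through HKCR\CLSID to the DLL COM would load. All other value names are simply dumped as found.

```powershell
# Added example (not from the book): list the resource and filter plug-ins that the RD
# Connection Broker loads from the registry paths the chapter names, so that an ISV add-on
# or an unexpected entry can be reviewed. IsEnabled is the only value name the chapter
# gives; every other value is dumped as found, and any value that looks like a CLSID is
# resolved through HKCR\CLSID to the DLL that COM would load for it.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tssdis\Parameters'

function Resolve-ClsidDll {
    param([string]$Clsid)
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $server) { return (Get-ItemProperty $server).'(default)' }
    return $null
}

function Get-BrokerPlugin {
    param([string]$Kind)   # 'Resource' or 'Filter'
    $root = Join-Path $base $Kind
    if (-not (Test-Path $root)) {
        Write-Warning "$root not found; is the RD Connection Broker role service installed here?"
        return
    }
    foreach ($key in Get-ChildItem $root) {
        $props = Get-ItemProperty $key.PSPath
        # Filter plug-ins live under Filter\n, where the subkey name n is the priority.
        $priority = $null
        if ($Kind -eq 'Filter' -and $key.PSChildName -match '^\d+$') {
            $priority = [int]$key.PSChildName
        }
        $details = @()
        $dll = $null
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS' -or $p.Name -eq 'IsEnabled') { continue }
            $details += "$($p.Name)=$($p.Value)"
            if ("$($p.Value)" -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
                $dll = Resolve-ClsidDll $p.Value
            }
        }
        New-Object PSObject -Property @{
            Kind     = $Kind
            Key      = $key.PSChildName
            Enabled  = ($props.IsEnabled -eq 1)
            Priority = $priority
            Dll      = $dll
            Details  = ($details -join '; ')
        }
    }
}

$plugins = @(Get-BrokerPlugin -Kind 'Resource') + @(Get-BrokerPlugin -Kind 'Filter')
$plugins | Sort-Object Kind, Priority |
    Format-Table Kind, Key, Enabled, Priority, Dll, Details -AutoSize

# On a broker with no RD Session Host farm the chapter expects a single enabled Resource
# entry (the VM plug-in) and no Filter entries; any extra entry, or a Dll that is not one
# shipped with the broker, came from an ISV product or a manual edit and should be accounted for.
```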

Orchestrating a VM

Discovery and brokering get a user 95 percent of the way to a working VM, but not 100 percent. The final stage is orchestration, which means to make the VM ready for connections. Orchestration is an important step. Without it, the VM would have to be constantly on, waiting for a connection. Orchestration makes it possible to put a VM to sleep and wake it up on demand, saving hardware resources on the host.

NOTE  Although the Microsoft VDI model also supports placement, RDS alone doesn’t
implement placement; add-ons might. If you’re using RDS only, then the VMs you run will
need to be on the hosts where they will be running.

As shown in Figure 4-6, during orchestration, the VM Host Agent finds a VM on the RD Virtualization Host that doesn't already have a connection and wakes it. You can watch this from Hyper-V Manager. A sleeping VM will wake up and be ready to accept incoming connections. The key part of this is the VM Host agent—without that, the hypervisor has no way to know that it needs to wake up the VM. The WTS application programming interface (API) shown here is for managing the VM sessions. In Chapter 11, "Managing Remote Desktop Sessions," you will learn more about how you can use tools built on this API to interact with sessions and VMs.

[Figure 4-6 diagram: a VM Host running guest VMs, each exposing the WTS API; the VM Host Agent is responsible for waking and monitoring VMs.]

FIGURE 4-6  The VM Host Agent wakes up and monitors the VMs on the RD Virtualization Host.

Connecting to a VM Pool

When Kim gets the icon representing the VM pool or personal desktop, she can click it to initiate the connection process. Let's start with the pooled VM case (shown in Figure 4-7) and assume that she is making a new connection and does not have any disconnected sessions available. Kim would proceed with the following steps:

1. Kim clicks the icon representing the VM pool. Doing so opens the RDP file associated with that icon, which then populates the fields of MSTSC.DLL with the information in the RDP file. MSTSC.DLL sends this connection request to the redirector. (The redirector is an RD Session Host server that has been configured not to accept incoming connections, but only forward requests to the RD Connection Broker.)
2. The redirector sends the request to the RD Connection Broker. Although broken out as separate machines in Figure 4-7, to better illustrate the connection process, the RD Connection Broker can be on the same server as the redirector, and this is in fact recommended.
3. The RD Connection Broker inspects the information that MSTSC.DLL sent and learns that Kim is attempting to connect to a VM and the VM is a pooled VM. The RD Connection Broker activates the VM resource plug-in. Knowing that Kim requested a VM pool, the RD Connection Broker checks its connection database to see whether Kim already has a disconnected session on a VM in the pool. It knows this because the VM Host Agent on each RD Virtualization Host updates the RD Connection Broker when a VM's state changes.
4. Having found a VM Host, the VM plug-in sends a request to the VM Host agent on the RD Virtualization Host server and asks that the VM be prepared for Kim's connection.
5. The VM Host agent orchestrates the VM (and restores it to a ready state if it is hibernating) and, when it's ready, gets its IP address.
6. The VM Host agent passes the IP address to the RD Connection Broker.
7. The RD Connection Broker sends the IP address to the redirector.
8. The redirector sends the IP address to the client from which Kim made the original request.
9. Kim is seamlessly disconnected from the RDP connection to the redirector and reconnected to the VM using the IP address that the redirector sent to her computer.

[Figure 4-7 diagram: Kim.Akers' client (1) connects to the RD Session Host in redirection mode, which (2) forwards the request to the RD Connection Broker; the broker's VM plug-in (3) selects a pooled VM (Pooled VM 1, 2 or 3) on the RDVH server and (4) asks its VM Host agent to prepare it; the agent readies the VM (5) and (6) returns its IP address to the broker, which (7) hands it back through the redirector to the client.]

FIGURE 4-7  Kim Akers connects to a VM pool.

How did the RD Connection Broker determine that Kim wanted to connect to a pooled VM? The answer lies in the RDP file she was using. The following line entry contained in the RDP file connects a user to a pooled VM because of the 1 after vmresource and the Pool ID. The Pool ID is the way that the RDP file and RD Connection Broker identify the pool, as opposed to the friendly name that people use:

loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE

If the code included a 2 instead of a 1 and no Pool ID, that would have indicated a personal VM. However, because the default load balancing sends a user to a personal VM if he or she has one, this line isn't really required for connecting to personal VMs.

Connecting to a Disconnected Session

If Kim had already had a session, this process would have changed slightly at Step 3. If Kim already has a session on a VM, there's no need to do load balancing—you want her to return to the VM where she has that session so she can continue working. Therefore, in that case, the VM Plug-in will contact the VM Host agent on the RD Virtualization Host server where the VM is placed and ask it to ready the VM to accept connections. When it's ready, the IP address will be returned to Kim's computer, as described in the previous section.

Rolling Back a VM

Rolling back a VM means reverting a VM's state to a prior point in time. This is done by taking a "snapshot" of the VM and then using it to return to the state the VM was in when the snapshot was taken. Think of a snapshot as a static picture of a VM. When a VM is rolled back, any changes made to the VM beyond the point when the snapshot was taken are reversed.

CAUTION  It’s best to snapshot a VM when it’s turned off, so that the VM doesn’t
preserve any temporary data that you don’t want to be part of the pooled VM. Do
ensure that the VMs are gracefully powered down; if you just turn the VM off in
Hyper-V instead of gracefully shutting down, then the VM will not start normally
and will show the boot menu to choose normal or safe mode.

Those who've used Terminal Services in the past to access sessions might wonder why rollback is an issue. When you're done with a session, you just log off and, except for changes written to your profile, any changes that you made while the session was active are gone. This is because an RD Session Host server is, in best practice, properly locked down to avoid user changes to the system itself.

VMs in a pool are different, however. Each user who logs on to a particular VM will see the same VM that the previous user had, not a unique session on a server. So the changes made by one user (new application installs, and so on) will still be there when one user finishes and logs off and the next user connects to that VM. Therefore, the user experience over time could vary considerably from VM to VM because changes made (by each user) to the VMs in the pool would be retained. Troubleshooting would become more complicated, because a VM's configuration would no longer be predictable. Enabling rollback on all the VMs in a pool ensures that any changes made to these VMs while a user was logged in will be discarded, thus maintaining a consistent environment for all users each time they connect to a VM in the pool.

CAUTION  Because any changes made while a user is logged on to the VM will be
discarded, it is very important to update VMs while they are not in use and to then
take another snapshot after this maintenance. Otherwise, those updates will also be
discarded.

Connecting to a Personal Desktop

Had Kim been attempting to connect to a personal desktop, the process would have changed slightly at Step 3 in Figure 4-7. If Kim clicks on the icon to log in to her personal desktop, the VM plug-in on the RD Connection Broker should make sure she connects to that VM. RD Connection Broker can determine that she's asking for a personal desktop by adding the following line in the RDP file (either created by RD Web Access or stored in a saved RDP file):

loadbalanceinfo:s:tsv://vmresource.2

VMResource shows that she's asking for a VM, and 2 indicates that a personal VM is requested. (A 1 signifies a pool.)

When Kim clicks the icon to connect to her personal desktop, she's prompted for her credentials. When she provides her credentials to log on, she's passing them to the RD Connection Broker. RD Connection Broker checks those credentials against Active Directory and finds the name of her personal VM, stored in her user account properties. After the personal VM is located, the VM plug-in on the RD Connection Broker will contact the VM Host where her personal desktop is located and prompt the VM Host Agent there to orchestrate the VM and return the VM's IP address. The redirector returns the IP address to Kim, and the RDP client on her computer will silently disconnect from the redirector and reconnect to the personal VM.
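The two loadbalanceinfo forms shown for the pooled VM and the personal desktop are easy to check mechanically, which matters when RDP files are handed out by share or e-mail rather than through the publishing feed. The following Windows PowerShell function is an added example, not from the book: it reads an RDP file's name:type:value lines and classifies the request the way the chapter describes the broker doing it. The sample RDP text, the redirector name REDIRECTOR.example.local and the pool ID are constructed placeholders.

```powershell
# Added example (not from the book): classify the VDI request an .rdp file makes by
# reading its loadbalanceinfo line, the field the chapter says the RD Connection Broker
# uses to tell a pooled-VM request (vmresource.1.<PoolID>) from a personal-desktop
# request (vmresource.2). The sample RDP contents below are constructed.
function Get-VdiRequestType {
    param([string[]]$RdpLines)
    $result = New-Object PSObject -Property @{
        Kind = 'Unknown'; PoolId = $null; FullAddress = $null; LoadBalanceInfo = $null
    }
    foreach ($line in $RdpLines) {
        # RDP file entries are name:type:value, where type is s (string) or i (integer).
        if ($line -match '^(?<name>[^:]+):(?<type>[si]):(?<value>.*)$') {
            switch ($Matches.name) {
                'full address'    { $result.FullAddress = $Matches.value }
                'loadbalanceinfo' { $result.LoadBalanceInfo = $Matches.value }
            }
        }
    }
    if ($result.LoadBalanceInfo -eq $null) {
        # No loadbalanceinfo at all: the broker's default load balancing still sends a
        # user who has an assigned personal VM to it, so this is not necessarily an error.
        $result.Kind = 'NoVdiHint'
    }
    elseif ($result.LoadBalanceInfo -match '^tsv://vmresource\.1\.(?<pool>.+)$') {
        $result.Kind = 'PooledVM'
        $result.PoolId = $Matches.pool
    }
    elseif ($result.LoadBalanceInfo -match '^tsv://vmresource\.2$') {
        $result.Kind = 'PersonalVM'
    }
    elseif ($result.LoadBalanceInfo -match '^tsv://vmresource\.') {
        # vmresource with a number other than 1 or 2, or a 1 with no pool ID
        $result.Kind = 'MalformedVmResource'
    }
    return $result
}

# Constructed samples of what an RDP file published for a pool and for a personal
# desktop might contain. The redirector name and pool ID are placeholders.
$samplePooledRdp = @(
    'full address:s:REDIRECTOR.example.local',
    'loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE',
    'use multimon:i:0'
)
$samplePersonalRdp = @(
    'full address:s:REDIRECTOR.example.local',
    'loadbalanceinfo:s:tsv://vmresource.2'
)

Get-VdiRequestType $samplePooledRdp   | Format-List Kind, PoolId, FullAddress
Get-VdiRequestType $samplePersonalRdp | Format-List Kind, PoolId, FullAddress

# To audit RDP files distributed by share or e-mail, run the function over each file and
# confirm that "full address" names your redirector and that PoolId is a pool the
# RD Connection Broker actually publishes:
# Get-ChildItem \\fileserver\rdpfiles\*.rdp | ForEach-Object {
#     Get-VdiRequestType (Get-Content $_.FullName)
# }
```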

Installing Supporting Roles for VDI

RD Virtualization Host is a new role service to RDS and is essential to Microsoft VDI, but, as discussed already, it doesn't act alone. Without RD Web Access, there's no easy way to discover the VM pool or personal desktop. Without the RD Connection Broker, there's no way for a connection to get to the right VM and have the RD Virtualization Host wake it up. Without the supporting roles, RD Virtualization Host is essentially a hypervisor with some extra—and unused—capabilities.

NOTE  This implementation assumes that machines are domain joined and AD DS is available for user SID checks and RemoteApp and VM filtering.

Figure 4-8 shows a bird's-eye view of what must happen to each role service and to the VMs to support Microsoft VDI. It is also available in the files Microsoft-VDI-Setup-Steps.vsd and Microsoft-VDI-Setup-Steps.xps on the companion media.

To support Microsoft VDI, you'll need to do the following:

■ Install the RD Virtualization Host.
■ Install and configure the RD Connection Broker (including the redirector on the same computer).
■ Install and configure RD Web Access to allow users to discover the VMs.
■ Configure the VMs to work with VDI.
■ Create pools and assign personal desktops as required.

The next sections explain how to accomplish each of these steps.

RDVH1
• Install RDVH Role Service
• Rename Personal VMs to match the VM computer name!
• Snapshot each pooled VM
• Rename each snapshot: RDV_Rollback

For every pooled or personal VM:
• Enable Remote Desktop and add users to Remote Desktop Users group
• HKLM/System/CurrentControlSet/Control/TerminalServer/AllowRemoteRPC = 1
• For RemoteApp for Hyper-V: HKLM/System/CurrentControlSet/Control/TerminalServer/fDenyTSConnections = 0
• Make Firewall Exception for Remote Service Management
• Set RDP Protocol Permissions

RD Session Host in Redirection Mode
• Install RDSH role service
Note: The RD Session Host will be put into redirection mode by the RD Connection Broker when you run the Virtual Desktops Wizard.

RD Connection Broker
• Install RD Connection Broker Service
• Add RD Web Access server to the TS Web Access Computers group (or add it to the RemoteApp and Desktop Connection Properties in the Remote Desktop Connection Manager)
• Run Virtual Desktops Wizard, specify: the RDVH server; the RDSH server as the Redirector; the RD Web Access server
• Run the Create Virtual Desktop Pool Wizard

RD Web Access
• Install RDWA Role service
• Add appropriate users to the TS Web Access Administrators group so they can manage the website (local administrators already have this right)
• Add the RD Connection Broker server as a "source"

Client PC
• Run RemoteApp and Desktop Connections from Control Panel and add the feed referencing the RDWA server: https://RDWA-Server-Name/RDWeb/Feed/webfeed.aspx

FIGURE 4-8  Configuring role services to support Microsoft VDI

Installing the RD Virtualization Host

Installing the RD Virtualization Host role service is simple. This feature depends on Hyper-V, so RD Virtualization Host is the only RDS role service that cannot be virtualized itself.

Assuming that no RDS roles are installed on the server, you will begin to install RD Virtualization Host by opening Administrative Tools/Server Manager and choosing Roles from the menu in the left pane. Click the Add Roles link. You'll see the Before You Begin page; click Next when you are sure that you have met the recommendations to have a strong administrator password, have configured required Static IPs, and have installed the latest updates.

From the Select Server Roles page, choose Remote Desktop Services from the list. You should see the Hyper-V role service already installed as shown in Figure 4-9 (if you don't, you'll be prompted to install it when you select the role service).

NOTE  If you have installed RDS on this server already, begin the process from the Add Role Services link in the Role Status section of the Roles page in Server Manager. This will skip the first couple of steps and take you directly to the Select Role Services page.

FIGURE 4-9  Hyper-V is a requirement for the RD Virtualization role service.

Click Next to open the Introduction To Remote Desktop Services page and then click Next again to open the Select Role Services page.

On the Select Role Services page, select the check box next to the Remote Desktop Virtualization Host role service and click Next, as shown in Figure 4-10.

FIGURE 4-10  Select the Remote Desktop Virtualization Host role service.

Confirm your installation selections on the next page and click Install. When the installation is complete, the Installation Results screen should indicate that the installation succeeded. Click Close.

Back in the Server Manager, browse to the Roles selection and highlight Remote Desktop Services, and you will see the Remote Desktop Virtualization Host Agent running in the System Services section, as shown in Figure 4-11. This agent is responsible for orchestrating VMs, so it's essential to this role service's function.

FIGURE 4-11  After the RD Virtualization Role Service is installed, the Remote Desktop Virtualization Host Agent service appears in the Server Manager.

At this point, the RD Virtualization Host is ready to support virtual desktop pools and personal desktops. Before setting those up, let's continue by installing the broker.

Installing RD Virtualization Host Role Service via Windows PowerShell

To install RD Virtualization Host role service via Windows PowerShell, import the Servermanager module as follows:

Import-Module servermanager

Then run the Add-WindowsFeature command and reference the RD Virtualization Host role service as follows:

Add-WindowsFeature RDS-Virtualization

The RD Virtualization Host role requires the Hyper-V role, and it will be installed during this installation procedure if it is not already present. If your machine does not meet the requirements for Hyper-V, the installation of RD Virtualization Host role service will fail and show you this message:

Add-WindowsFeature : Hyper-V cannot be installed. The processor on this computer is
not compatible with Hyper-V. To install this role, the processor must have a supported
version of hardware-assisted virtualization, and that feature must be turned on in the
BIOS…
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
False No Failed {}

Installing RD Connection Broker

Installing the RD Connection Broker role service is simple. The RD Connection Broker can be run on a VM if you've decided to virtualize your environment.

Assuming that no RDS roles are installed on the server, you will begin to install RD Connection Broker by opening Administrative Tools/Server Manager and choosing Roles from the menu in the left pane. Click the Add Roles link. You'll see the Before You Begin page; click Next when you are sure you have met the recommendations to have a strong password, have configured required Static IPs, and have installed the latest updates. From the Select Server Roles page, choose Remote Desktop Services from the list.

NOTE  If you have installed RDS on this server already, begin the process from the Add Role Services link in the Role Status section of the Roles page in Server Manager. This will skip the first couple of steps and bring you directly to the Select Role Services page.

Click Next to open the Introduction To Remote Desktop Services page and then click Next again to open the Select Role Services page.

On the Select Role Services page, select the check box next to Remote Desktop Connection Broker and click Next, as shown in Figure 4-12.

The RD Connection Broker requires an RD Session Host server configured in redirection mode (for the sake of convenience, we'll call that server the redirector because that's its job) to pass it incoming RDP connections. As discussed earlier, the RDP requests don't go directly to the RD Connection Broker but to the redirector. For simplicity, set up the redirector on the same computer as the RD Connection Broker. To do this, also choose RD Session Host from the list shown in Figure 4-12.

FIGURE 4-12  The RD Connection Broker is a role service of RDS.

Confirm your installation selections on the next page and click Install. When the installation is finished, the Installation Results screen should indicate that the installation succeeded. Click Close. The RD Connection Broker is now installed and ready to be configured for pooled and personal VMs.

To install RD Connection Broker via Windows PowerShell, first import the Servermanager module as follows:

Import-Module servermanager

Then run the Add-WindowsFeature command and reference the RD Connection Broker role service as follows:

Add-WindowsFeature RDS-Connection-Broker

The results of a successful installation will look like this:

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Remote Desktop Connection Broker}

To remove the RD Connection Broker role service via Windows PowerShell, use this command:

Remove-WindowsFeature RDS-Connection-Broker
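The Add-WindowsFeature calls for the RD Virtualization Host and the RD Connection Broker return the Success / Restart Needed / Exit Code / Feature Result object shown in the sample output above, which a script can act on instead of reading the table by eye. The following Windows PowerShell script is an added example, not from the book: it wraps the install in a function that checks whether the feature is already present, stops on the failure shown for Hyper-V, and flags a pending restart. RDS-Virtualization and RDS-Connection-Broker are the feature names the chapter gives; RDS-RD-Server (the RD Session Host used as the redirector) and RDS-Web-Access are assumed names.

```powershell
# Added example (not from the book): install a role service with the ServerManager module
# and act on the result object (Success / RestartNeeded / ExitCode / FeatureResult, the
# columns in the chapter's sample output) instead of reading the table by eye.
# RDS-Virtualization and RDS-Connection-Broker are the feature names the chapter gives;
# RDS-RD-Server (RD Session Host, used as the redirector) and RDS-Web-Access are assumed.
Import-Module servermanager

function Install-VdiRoleService {
    param([string]$FeatureName, [string]$Purpose)

    $feature = Get-WindowsFeature $FeatureName
    if ($feature -eq $null) {
        Write-Warning "$FeatureName is not a known feature on this server; check the name."
        return $false
    }
    if ($feature.Installed) {
        Write-Host "$FeatureName ($Purpose) is already installed."
        return $true
    }

    $result = Add-WindowsFeature $FeatureName
    if (-not $result.Success) {
        # RDS-Virtualization pulls in Hyper-V; on a host without hardware-assisted
        # virtualization this is where the chapter's "Hyper-V cannot be installed" message appears.
        Write-Warning ("{0} ({1}) failed with exit code {2}" -f $FeatureName, $Purpose, $result.ExitCode)
        return $false
    }
    Write-Host ("{0} ({1}) installed: {2}" -f $FeatureName, $Purpose, "$($result.FeatureResult)")
    if ("$($result.RestartNeeded)" -ne 'No') {
        Write-Warning "$FeatureName needs a restart before it is usable."
    }
    return $true
}

# Pick the set for the server you are on. The chapter keeps the redirector on the same
# computer as the broker, and RD Virtualization Host must run on the physical Hyper-V host.
$brokerServerRoles = @(
    @{ Name = 'RDS-RD-Server';         Purpose = 'RD Session Host in redirection mode' },  # assumed name
    @{ Name = 'RDS-Connection-Broker'; Purpose = 'RD Connection Broker' }
)
$virtualizationHostRoles = @(
    @{ Name = 'RDS-Virtualization';    Purpose = 'RD Virtualization Host (installs Hyper-V)' }
)
$webAccessRoles = @(
    @{ Name = 'RDS-Web-Access';        Purpose = 'RD Web Access' }   # assumed name
)

foreach ($role in $brokerServerRoles) {
    if (-not (Install-VdiRoleService -FeatureName $role.Name -Purpose $role.Purpose)) {
        Write-Warning "Stopping: $($role.Name) did not install; fix that before continuing."
        break
    }
}
```

Replace $brokerServerRoles in the final loop with $virtualizationHostRoles or $webAccessRoles when running on those servers.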

Configuring RD Web Access

RD Web Access is instrumental to discovering VMs, but its scope goes beyond that to include RemoteApp programs, VMs, full desktop sessions, and even physical desktops. For more information on how to install and configure this role service for different scenarios, see Chapter 9. For this circumstance, we will assume that you have installed the role service and want to configure it to serve VMs only.

To publish pooled and personal VMs via RD Web Access, the role service needs to be configured with a source for which the website will display personal and pooled VMs. For this scenario, you need to configure RD Web Access to pull information from RD Connection Broker, so the first thing that you need to do is add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server. After you have done this, it's time to configure RD Web Access from the website itself. Access it by doing either of the following:

■ Select the Remote Desktop Web Access Configuration tool listed in the Remote Desktop Services folder in Administration Tools.
■ Open Windows Internet Explorer and type the following URL:

https://servername/RDWeb

where servername is the name of your RD Web Access server. You can also substitute localhost for the server name if you are accessing the website from the server itself.

A fresh install of the RD Web Access website will configure the site as a secured site using Hypertext Transfer Protocol Secure (HTTPS), and it will have a Secure Sockets Layer (SSL) certificate assigned to it automatically. The certificate will be a self-signed certificate, with the server FQDN representing the certificate common name. For example, if you were to install RD Web Access on a server called Colfax.lash.local, the self-signed certificate assigned to the site is made for Colfax.lash.local and signed by Colfax.lash.local. However, accessing the site by either of these methods will produce an error page that says the following:

The security certificate presented by this website was not issued by a trusted
certificate authority.
The security certificate presented by this website was issued for a different website's
address.
Security certificate problems may indicate an attempt to fool you or intercept any data
you send to the server.

This is expected behavior; the certificate assigned does not have a common name that is referenced in the URL opened by the RD Web Access Configuration tool (it uses localhost instead of the server FQDN), nor is the certificate trusted by default. Click the Continue To This Website link and you will get a logon screen.

NOTE  Chapter 10, "Making Remote Desktop Services Available from the Internet," explains how to avoid this error.

nsta ng Support ng Ro es for VD   Chapter 4 195

www.it-ebooks.info
Members of the oca adm n strators group are a owed to configure RD Web Access by
defau t, so og on w th an adm n strator account, as shown n F gure 4-13

FIGURE 4-13  Log on to the RD Web Access website.

Enter your user name in the form of domain\user name, enter your password, and click Sign In.

NOTE  In the security section of this page, you have the option of selecting whether you
are accessing this website from a public or private computer. If you choose the option This
Is A Public Or Shared Computer, then the timeout for the website login is shorter than if
you choose the option This Is A Private Computer.

Next, you will be taken to the Configuration tab of the website, as shown in Figure 4-14.

196   Chapter 4   Deploying a Single Remote Desktop Virtualization Host Server

FIGURE 4-14  Add a source for RemoteApp programs and desktops to RD Web Access.

When you access personal and pooled VMs, you must specify an RD Connection Broker server as the source because this is the server that is aware of those personal VM assignments and VM pools. Select the An RD Connection Broker Server option and enter the fully qualified domain name (FQDN) of the RD Connection Broker server. Click OK.

Configuring the RD Connection Broker Server

After you have the role services installed that this VDI solution requires, it’s time to do some basic configuring of the RD Connection Broker server. This role service depends on the availability of other RDS role services to do its job, so you need to tell the server about these other role services. The Configure Virtual Desktops Wizard walks you through this configuration. It will prompt you for the following information:

■ The name of the RDSH redirector from which it will be receiving incoming requests, and to which it will be sending fulfilled request information.
■ If you need to provide redirection for clients using RDC 6.1 or earlier, then you will provide the alternative server name, which basically is the same redirector server, but uses a different issued Domain Name System (DNS) host record.
■ If you will require connections to go through RD Gateway, then you will provide this RD Gateway information (you’ll find out more about this in Chapter 11).
■ If you will sign the RDP files created for pooled and private desktop connections, you will provide the digital certificate used to sign these files (discussed in more detail in Chapter 8, “Securing Remote Desktop Protocol Connections”).
Start the wizard by clicking the Configure Virtual Desktops link in the Actions pane of the Remote Desktop Connection Manager. As shown in Figure 4-15, this will open the wizard’s Before You Begin page.

FIGURE 4-15  The Before You Begin page tells you the information that you will be providing in the following pages.

Click Next to select the RD Virtualization server(s) that will support your VM pools and personal desktops, as shown in Figure 4-16. You can use one or more RD Virtualization Host servers to support the pool.

FIGURE 4-16  Provide the names of the RD Virtualization servers that will provide personal and pooled VMs.

After choosing the RD Virtualization Host server, click Next to configure the redirection settings, as shown in Figure 4-17.

FIGURE 4-17  Provide the name (and the alternative name, if you want) of the RD Session Host redirector.

Add the name of the redirector (this can be the same machine as the RD Connection Broker if you chose to install the two role services on the same machine). If you need to support clients using RDC 6.1 or earlier, add an “alternative server name” to make this work. You create an alternative name by adding another Host record (an A or AAAA record) to DNS with a unique name that points to the IP address of the RD Session Host server that is in redirection mode. For example, Figure 4-17 shows that the alternative name for the redirector server is pyramid-vmredir, so the DNS entry added to DNS would be pyramid-vmredir.ash.local and would map to the same IP address as the DNS entry that is already created for this server, namely, pyramid.ash.local.
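A check for the DNS arrangement just described, as an added PowerShell example that is not part of the book: it resolves the redirector’s primary name and its alternative name and reports whether the two map to the same set of addresses, which is what older RDC clients depend on. The host names pyramid.ash.local and pyramid-vmredir.ash.local are taken from the Figure 4-17 example and stand in for your own.

```powershell
# Added example, not from the book: verify that the redirector's alternative
# name resolves to exactly the addresses of its primary name.
# 'pyramid.ash.local' and 'pyramid-vmredir.ash.local' are the text's placeholder names.
function Test-RedirectorAlternateName {
    param(
        [Parameter(Mandatory=$true)][string]$PrimaryName,
        [Parameter(Mandatory=$true)][string]$AlternateName
    )
    # Resolve a name to a sorted list of address strings; an unresolvable
    # name yields an empty list instead of terminating the check.
    $resolve = {
        param($name)
        try {
            [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString } | Sort-Object
        } catch {
            @()
        }
    }
    $primary   = @(& $resolve $PrimaryName)
    $alternate = @(& $resolve $AlternateName)

    # Both names must resolve, and to the same addresses (Compare-Object
    # returns nothing when the two lists are identical).
    $same = ($primary.Count -gt 0) -and ($primary.Count -eq $alternate.Count) -and (@(Compare-Object $primary $alternate).Count -eq 0)

    New-Object PSObject -Property @{
        PrimaryName        = $PrimaryName
        PrimaryAddresses   = ($primary -join ', ')
        AlternateName      = $AlternateName
        AlternateAddresses = ($alternate -join ', ')
        AddressesMatch     = $same
    }
}

# Usage with the placeholder names from the text; AddressesMatch should be True
# once the extra A/AAAA record has been created for the alternative name.
Test-RedirectorAlternateName -PrimaryName 'pyramid.ash.local' -AlternateName 'pyramid-vmredir.ash.local' | Format-List
```

Run it from any domain-joined machine that uses the same DNS servers as the clients; a False result with an empty AlternateAddresses value means the alternative host record has not been created yet, and a False result with differing addresses means the record points at the wrong server.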

Configuring RD Session Host Server Role Service for Redirection Manually

You don’t have to let the wizard automatically configure the RD Session Host server appropriately for its redirection duties. If you don’t, however, you will need to do this manually on the server. Here’s how.

1. Add the RD Session Host server name to the Session Broker Computers group on the RD Connection Broker server.

2. On the RD Session Host server, open the RD Session Host Configuration tool, and in the middle pane, double-click Member Of Farm In RD Connection Broker.

3. On the RD Connection Broker tab, click Change Settings.

4. In the Remote Desktop Virtualization section, select the Virtual Machine Redirection option.

5. At the bottom of the RD Connection Broker Settings screen, enter the name of the RD Connection Broker server and click OK.

You will see a warning dialog box that tells you the changes that will be made to the RD Session Host if you put it in redirection mode. In short, those changes mean that people will not be able to use the RD Session Host to run RemoteApp programs or full desktops. Click Yes and then click OK on the Properties dialog box that appears.

When you’re finished, click Next to indicate the RD Web Access server that will enable discovery, as shown in Figure 4-18.

FIGURE 4-18  Provide the name of the RD Web Access server.

Specify the RD Web Access server that will provide access to pooled and personal VMs to users. In this example, the RD Web Access server and the RD Connection Broker are the same server, but they do not have to be. When you’ve chosen the server, click Next to review the changes, as in Figure 4-19.

FIGURE 4-19  Review and confirm your selections and then apply them.

When you’re sure that you have set up the RD Connection Broker server correctly, click Apply to finish and view a summary of the settings (shown in Figure 4-20).

FIGURE 4-20  Complete the wizard to view the summary.

Notice that no personal VMs are yet assigned—hence the yellow warning symbol. Assigning personal VMs isn’t necessary to configure a VM pool, though.
These settings can be adjusted at any time. To access the configuration pages, in Remote Desktop Connection Manager, select RD Virtualization Host and then right-click and choose Properties to view or edit the settings on the Redirection Settings tab. These settings should be familiar to you because you configured them using the wizard previously.

NOTE  Because we haven’t yet discussed the roles of the RD Gateway or digital signature,
we won’t discuss those tabs of the Properties dialog box until Chapter 10 and Chapter 8,
respectively.

If you use a text editor to open a pooled or personal VM RDP file that RD Web Access created (for example, one that was provided in RemoteApp and Desktop Connections on clients running Windows 7), you’ll notice something a bit odd: the primary full address setting value will be that of the alternate server name, and the alternate full address setting will have the primary server name as its value, like this:

alternate full address:s:pyramid.ash.local
full address:s: pyramid-vmredir

This is more of a curiosity than anything else; don’t edit the RDP file to reverse the settings, and do not change the settings in the Remote Desktop Connection Manager to reflect the settings in the RDP file.

Setting Up VMs
VDI is built for delivering client operating systems, and the in-box solution supports Windows XP SP3, Windows Vista SP1, and Windows 7. To prepare a VM to be used as a pooled or personal VM, you need to make a few adjustments to the operating system. On each VM, you must do the following:
1. Enable Remote Desktop.
2. Add the people who will be using the VM to the Remote Desktop Users group.
3. Enable RemoteRPC on the VM.
4. Give the RD Virtualization Host server the required permissions to orchestrate the VM.
5. Create firewall exceptions for Remote Desktop Protocol and Remote Service Management.
6. Reboot to restart the Terminal Services service and use the new permissions (required for Windows XP VMs only).
We will go through each of these steps in detail, but if this looks like a lot of work to do on every VM, you’ll be glad to know that you don’t have to. Microsoft has provided a script to do this prep work. Download the script from http://gallery.technet.microsoft.com/ScriptCenter/en-us/68462b23-0890-4dbd-95b6-8de5763e4f68. The script works on VMs running Windows 7, Windows Vista, and Windows XP operating systems.
When you run the script, you might see two more command-line boxes appear and then disappear. This is expected; the script calls Netsh.exe to make firewall exceptions, and you are seeing Netsh running in a command prompt.
Both personal and pooled VMs must be in a domain. All members of a pool must be in the same domain, but there are no specific requirements for the AD DS schema. All personal desktops must be in a native-mode domain; you can use the additional functionality in the User Account Properties tab to assign a personal VM if you use Windows Server 2008 R2. (Windows Server 2008 doesn’t have the graphical user interface for this, so you will need at least one domain controller running Windows Server 2008 R2 or a computer running Windows 7 with the Remote Server Administration Tools installed to make the assignment.)

Enable Remote Desktop and Add Users to the Remote Desktop Users Group
Remote Desktop is not enabled by default on client operating systems. To permit incoming RDP connections to a client, you must enable them. To do so, go to the Control Panel and open System. Click the Remote Settings link on the left side of the dialog box to open the tabbed dialog box shown in Figure 4-21.

FIGURE 4-21  Enable Remote Desktop.

To enable connections, choose one of the two options. If the computers that you’ll be using to connect to this VM are running Windows Vista or later, you can choose the option requiring Network Level Authentication (NLA), which requires that a user provide credentials before establishing a session with the endpoint. If they’ll be running other operating systems (for example, earlier versions of Microsoft Windows CE), allow connections from any version of Remote Desktop.

NOTE  Chapter 8 discusses how NLA works.

Before any users can log on to a computer running Windows via RDP—server or client—their user account must be added to the Remote Desktop Users group on the client. (Administrators are built into this group, which is why this step is not required for remote administration.) To select users to be added to this group, click Select Users (or Select Remote Users in Windows XP), as shown in Figure 4-21, to open the dialog box shown in Figure 4-22 (the domain and user name are deleted in the dialog box shown here).

FIGURE 4-22  Add users to the Remote Desktop Users group.

If you click Add, you’ll open the Select Users dialog box. Browse to the desired user group (or individuals, as required) and add them.

Enable RemoteRPC
Remote procedure calls (RPCs) allow other processes to connect with the operating system. They’re required to allow the VM Host Agent to wake up the VM. To allow RPC connectivity, set the value of AllowRemoteRPC to 1 in the location HKLM\System\CurrentControlSet\Control\Terminal Server, as shown in Figure 4-23.

FIGURE 4-23  Enable RemoteRPC.

Create Firewall Exceptions for RDP and Remote Service Management

By default, traffic for Remote Desktop and Remote Service Management (which uses named pipes and RPCs) is not allowed to pass through the firewall. To enable this traffic, go to the Control Panel and open the Windows Firewall configuration tool shown in Figure 4-24.

FIGURE 4-24  Enable Remote Desktop through the firewall.

Select the check boxes for both services to enable this traffic through the machine firewall and then click OK.
For Windows XP, you will not see these options in Windows Firewall. Run these commands at a command prompt to accomplish these configuration changes:

netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=ALL
netsh firewall set service remoteadmin enable subnet

Configure RD Virtualization Host RDP Permissions

During this step, you’re giving the RD Virtualization Host machine account appropriate RDP permissions on the VM. As you might have noticed while exploring RDP-Tcp Properties on an RD Session Host server, the Security tab has an Advanced button. Click it to view the Advanced Security Settings, and you can click Edit to display the Permissions Entry dialog box with the permission settings shown in Table 4-1.

TABLE 4-1  Available and Required Permissions for the RD Virtualization Host Server to Manage VMs

SETTING             DESCRIPTION                                        PROGRAMMATIC VALUE   REQUIRED BY RDVH FOR VM MANAGEMENT
Query Information   Query sessions and servers for information         0                    Yes
Set Information     Configure connection properties                    1                    Yes (used to set query, logoff, and disconnect permissions)
Remote Control      View or actively control another user’s session    4                    No
Logon               Log on to a session on the server                  5                    No
Logoff              Log off a user from a session                      2                    Yes
Message             Send a message to another user’s sessions          7                    No
Connect             Connect to another session                         8                    No
Disconnect          Disconnect a session                               9                    Yes
Reset               Reset (terminate) a session                        6                    No
Virtual Channels    Use virtual channels                               3                    No

We’ve included the programmatic values in this table to make it easier to follow what the next commands (and the script that you saw a link to earlier) are doing. Essentially, they allow the RD Virtualization Host server to query the VM status via RDP, log off the connection, and disconnect a session.
To allow the RD Virtualization Host to manage the VM, you’ll need to edit these settings on each VM. Because the client operating system does not have the RD Session Host UI, you’ll need to execute the following commands at a command prompt:

wmic /node:localhost RDPERMISSIONS where TerminalName="RDP-Tcp" CALL AddAccount "contoso\rdvh-srv$",1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 0,1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 2,1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 9,1
Net stop termservice
Net start termservice

ON THE COMPANION MEDIA  This code is contained in batch files on the
companion media called RDP-Permissions.bat (for Windows Vista and Windows 7)
and RDP-Permissions-XP.bat (for Windows XP). To use these files, edit the variables
DOMAINAME and RDVH-SERVERNAME to reflect your domain name and RD
Virtualization Host server name.

DIRECT FROM THE SOURCE

Giving RD Virtualization Host Access to VMs Running Windows XP
Rajesh Ravindranath
Software Development Engineer II, Remote Desktop Virtualization team

The process of setting up a VM is the same whether the VM is running Windows XP SP3 or Windows 7. However, Windows XP does not make the RDPERMISSIONS and RDACCOUNT aliases available to WMIC, the Windows Management Instrumentation (WMI) command-line tool, so you need to call the WMI interfaces slightly differently from the way you do with Windows 7. To give the RD Virtualization Host server the right permissions on a Windows XP VM, run the following commands at a command prompt.

WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSPermissionsSetting where TerminalName="RDP-Tcp" CALL AddAccount "contoso\rdvh-srv$",1
WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSAccount where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 0,1
WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSAccount where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 2,1
WMIC.exe /node:localhost /namespace:\\root\cimv2 PATH Win32_TSAccount where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 9,1

Enabling Rollback (Pooled VMs Only)

To keep pooled VMs in a pristine state, you’ll need to enable rollback on them to discard any changes made while a user was logged on. Essentially, you’ll create a snapshot for each VM and rename it RDV Rollback. When the VM Host Agent puts the machine into a saved state, it will restore the snapshot.
To enable rollback on a VM, perform the following steps:
1. Log on to the RD Virtualization Host server using an Administrator account.
2. In Administrative Tools, open Hyper-V Manager.
3. Under Virtual Machines, right-click a running VM and then click Snapshot. Wait while the system creates the snapshot.
4. When the snapshot is complete, rename it to RDV Rollback.
Rollback occurs when the user logs off the VM. The VM is saved and then immediately reverted to the state captured in the RDV Rollback snapshot. Make sure that the VM is in the state you want it to be in when you’re rolling back before making the snapshot.

Creating Pools
There’s really no relationship between a VM pool and the server on which it’s located; the pool boundaries are not driven by the hosts’ capacity. A VM pool can be on a single server, or it can be spread across multiple servers. An RD Virtualization Host server can have one pool’s VMs on it or more than one. Because a pool does not have to be located on a single server, you can add capacity just by adding new servers and adding the VMs from those servers to the pool.
To create a VM pool, go to Administrative Tools\Remote Desktop Services\Remote Desktop Connection Manager on the RD Connection Broker. From the left pane, right-click RD Virtualization Host Servers and choose Create A Virtual Desktop Pool to start the wizard, as shown in Figure 4-25.

FIGURE 4-25  Review settings for the pool before beginning.

The advice that the wizard gives here is important. First, the VMs in a pool should all be identical, or else the user’s experience will change depending on which VM he or she connects to. This pertains to operating systems too: Windows 7 VMs should be in one farm, and any Windows XP VMs should be in another. In addition, make sure that the RD Connection Broker is already aware of the RD Virtualization Host where you’ve set up the VMs to populate the pool. When you’re sure of both of these items, click Next to select VMs to add to the pool.

FIGURE 4-26  Choose VMs to populate the pool.

Choose the VMs by highlighting them (to select more than one, hold down the Ctrl key and click each VM that you want to add), as shown in Figure 4-26. Notice that it is much simpler to choose the right VMs if the VM names are very explicit about the VM configuration (defining the operating system, whether it’s 32-bit or 64-bit, and so forth). All VMs on the RD Virtualization Host will be displayed here, whether they are running client or server operating systems. The VMs selected in this example will back a pool of Windows XP SP3 VMs.

NOTE  Microsoft VDI is for supporting client operating systems, but, especially in small
deployments where one piece of hardware supports many roles, it’s possible that an RD
Virtualization Host server could have VMs running a server operating system.

When you’ve selected all the VMs, click Next to continue to the Set Pool Properties page shown in Figure 4-27.

FIGURE 4-27  Configure the display name for the pool.

Type a display name for the pool (notice that, to make it easier to determine the pool’s contents, we named it according to the operating system of the VMs in it). Then enter a Pool ID for the pool. The Pool ID is used by the RDP file to identify the pool. When you are done, click Next to review the settings, as shown in Figure 4-28.

FIGURE 4-28  Review the farm settings for the VM pool.

In this example, the VMs are actually located on two different RD Virtualization Host servers, so both are listed here. Click Finish to close the wizard.

Should You Deploy Pooled or Personal VMs?

Microsoft VDI supports both pooled and personal desktops. Which should you use?

Personal VMs are best if you’re looking to create an experience very like that of a
desktop computer in a company where users have administrative control over the
computer and will customize it.

Pooled VMs are better for a more generic user experience because they really can’t
be customized. They’re similar to sessions in that way, except that they run in a VM
and are therefore fully protected from affecting people using other machines in the
VM pool. Pooled VMs can be cheaper to manage because they are more generic,
too—if one VM starts being a problem, a user can log out and log back in again and
get a new VM when the other is taken offline. In addition, it’s easier to troubleshoot
issues on a pooled VM because it should be identical to other members of the pool.
The more consistent a set of machines is, the easier it is to update them, as well.

You might end up with a mix, but those who need to give their user base more control will likely deploy personal desktops for at least those users. Bear in mind that it might be most appropriate to give pooled VM users sessions on an RD Session Host server, if their applications will run there. Sessions scale much more than pooled VMs on the same computer, so this option is more economical.

Assigning Personal Desktops

Personal desktops are dedicated to one person. Technically, users could connect to and use a VM without RDS, just like a desktop, provided they knew the name of the VM and the user was added to the Remote Desktop Users group on that VM (as part of setting up the VM). Assigning a user a personal desktop in the RD Connection Broker means that the user does not need to know the name of the VM, create an RDP file, or configure an RDC connection to access the VM. All of this is done automatically for the user and is provided as a link in RD Web Access or as a link on the user’s Start menu on computers running Windows 7.
After you have prepared a VM to be used as a personal VM (see the section entitled “Setting Up VMs” earlier in this chapter for details on how to do this), you are ready to assign it. To assign a VM, open the Remote Desktop Connection Manager on the RD Connection Broker, expand RD Virtualization Host Servers, right-click Personal Virtual Desktops, and choose Assign Personal Desktops to users, as shown in Figure 4-29. Alternatively, in the Actions pane, click Assign Personal Desktops to assign to each user.

FIGURE 4-29  Assign personal desktops to individual users.

Clicking the link will start the Assign Personal Virtual Desktop Wizard shown in Figure 4-30.

FIGURE 4-30  Open the Assign Personal Virtual Desktop Wizard.

The first page of the wizard offers general guidelines about personal desktops. They can be assigned to only one user at a time, each person can only have one desktop at a time, both user and VM must be domain members, and the name of the VM must match the name in the Hyper-V Manager. (For more specifics about the domain requirements for personal desktops, see the following sidebar.)

DIRECT FROM THE SOURCE

AD DS Schema Requirements for Personal Virtual Desktops
Janani Venkateswaran
Program Manager II, Remote Desktop Virtualization

Microsoft’s VDI solution offers two deployment scenarios: virtual desktop pools and personal virtual desktops. Virtual desktop pools do not depend on a specific AD DS schema level; however, personal virtual desktops do need a Windows Server 2008 or Windows Server 2008 R2 schema.

Following are the AD DS requirements for personal virtual desktops.

■ To deploy personal virtual desktops, your schema for the AD DS forest must
be at least Windows Server 2008. To use the added functionality provided by
the Personal Virtual Desktop tab in the User Account Properties dialog box in
Active Directory Users And Computers, you must run Active Directory Users
And Computers from a computer running Windows Server 2008 R2 or from
a computer running Windows 7 that has Remote Server Administration Tools
(RSAT) installed.
■ You must use a domain functional level of at least Windows 2000 Server
native mode. The functional levels Windows 2000 Server mixed mode and
Windows Server 2003 interim mode are not supported.

Next to the User Name input box, click Select User and choose a user from AD DS to whom you want to assign the VM. When you’ve done so, the Virtual Machine drop-down menu will become active. From the drop-down menu, select the VM to be assigned to this user. All available VMs on all RD Virtualization Host servers that are added to RD Connection Broker will be listed in the Virtual Machine drop-down menu. When you’ve chosen the VM, click Next. Confirm the assignment as shown in Figure 4-31 and then click Assign.
Finally, on the Assignment Summary page, either click Finish or select the check box to assign more VMs. Selecting the check box will enable the Continue button, allowing you to assign more VMs to users. Then, when you click Continue, the wizard will restart, and you will go through the same procedures for each VM that you want to assign.
When you are finished assigning VMs to users, clear the Assign Another VM To Another User check box. The Continue button will change to a Finish button. Click Finish, and you are done.

FIGURE 4-31  Confirm the VM assignment.

HOW IT WORKS

Creating an RDP File for a User to Connect to a Personal or Pooled VM

If you’d like to experiment with personal VMs without needing to use discovery, here’s how. Creating an RDP file to give to users to connect to their personal VMs is a matter of adding a few extra settings to a saved RDP file.

Start by opening Remote Desktop Connection (Mstsc.exe). In the Computer Name input box, add the name of the Remote Desktop Session Host server that is put in redirection mode. Enter the user name of the user that will be receiving and using this RDP file. Doing this adds the following lines to the RDP file (the user name in this example is Kristin, and the RD Session Host server in redirection mode is Humpback.ash.local).

username:s:kristin
full address:s:humpback.ash.local

Save the file and then open it in a text editor (like Notepad.exe). Now add the following line (and, of course, save the file once more).

use redirection server name:i:1

If any consumers of this RDP file will be using RDC 6.1 client or earlier, then you also
need to add the alternative name of the RD Session Host server in redirection mode
that is specified on the Redirection Settings tab of the RD Connection Broker Virtual
Desktop Properties dialog box. The example line of code here specifies the server
name humpback-vmredir.

alternate full address:s:humpback-vmredir

Creating an RDP file used to connect to the VM pool is the same process as creating
an RDP file to connect to a personal VM, with one difference. You must specify the
VM Pool ID, so that the redirector knows that the user needs to connect to the VM
pool, instead of a personal VM. To do so, add the following line to the RDC file.

loadbalanceinfo:s:tsv://vmresource.1.VM-POOL-ID-GOES-HERE

The VM Pool ID is located on the General tab of the VM Pool Properties dialog box
in the RD Connection Broker. The 1 in the previous line signifies that a pooled VM is
requested. A 2 indicates a personal VM, but if a personal VM exists for a user, then
the RD Connection Broker will send them there automatically, even without the 2
specified; that’s how load balancing works for VMs. It’s similar to the way that the
broker will always reconnect a user to a disconnected session instead of starting a
VM.
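The two kinds of file described in this sidebar, plus a reader for the files RD Web Access itself generates (the swapped full address and alternate full address values noted earlier in the chapter), as an added PowerShell example that is not the book’s code: New-VdiRdpFile writes a file that sends a user through the redirector to a personal VM or to a pool, and Read-RdpFile parses any .rdp file into a hashtable so the redirection settings can be inspected without opening Notepad. The names humpback.ash.local, humpback-vmredir and kristin are the sidebar’s example values; VM-POOL-ID-GOES-HERE stands in for the Pool ID from the pool’s General tab.

```powershell
# Added example, not from the book: build and inspect RDP files for pooled and
# personal VM connections. Server and user names are the sidebar's examples;
# the pool ID is a placeholder for the value on the pool's General tab.

function New-VdiRdpFile {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$RedirectorFqdn,   # RD Session Host in redirection mode
        [string]$RedirectorAlternateName,   # only needed for RDC 6.1 and earlier clients
        [string]$UserName,
        [string]$PoolId                     # omit for a personal VM
    )
    # Every RDP setting is "name:type:value"; s = string, i = integer.
    $lines = @(
        "full address:s:$RedirectorFqdn",
        'use redirection server name:i:1'   # let the redirector pick the VM
    )
    if ($UserName)                { $lines += "username:s:$UserName" }
    if ($RedirectorAlternateName) { $lines += "alternate full address:s:$RedirectorAlternateName" }
    if ($PoolId) {
        # tsv://vmresource.1.<pool id> asks for a pooled VM; a user who already
        # has a personal VM assigned is sent there by the broker regardless.
        $lines += "loadbalanceinfo:s:tsv://vmresource.1.$PoolId"
    }
    Set-Content -Path $Path -Value $lines
    return $lines
}

function Read-RdpFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # A value may itself contain colons (host:port), so only the first two
        # colons delimit name and type; b is the binary type used for passwords.
        if ($line -match '^([^:]+):([sib]):(.*)$') {
            $name  = $matches[1].Trim()
            $value = $matches[3].Trim()     # tolerates "full address:s: host" as seen earlier in the chapter
            if ($matches[2] -eq 'i') { $value = [int]$value }
            $settings[$name] = $value
        }
    }
    return $settings
}

# Usage: one file for Kristin's personal VM (with the alternative name for older
# clients), one for a pool, then read the pool file back and summarise it.
$personal = Join-Path $env:TEMP 'kristin-personal.rdp'
$pooled   = Join-Path $env:TEMP 'win7-pool.rdp'
New-VdiRdpFile -Path $personal -RedirectorFqdn 'humpback.ash.local' -RedirectorAlternateName 'humpback-vmredir' -UserName 'kristin' | Out-Null
New-VdiRdpFile -Path $pooled   -RedirectorFqdn 'humpback.ash.local' -PoolId 'VM-POOL-ID-GOES-HERE' | Out-Null

$settings = Read-RdpFile -Path $pooled
$summary  = 'Redirector: {0}; redirection on: {1}; pool request: {2}' -f $settings['full address'], ($settings['use redirection server name'] -eq 1), $settings['loadbalanceinfo']
$summary
```

Read-RdpFile is also the quickest way to confirm what a file from RemoteApp and Desktop Connections actually contains before handing it to a user: compare its full address and alternate full address entries against the Redirection Settings tab rather than editing either side, as the earlier section advises.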

Configuring Personal and Pooled VM Properties

For both pooled and personal VMs, you can control the following RDP settings, for all personal VMs at once and on a per-pool basis:
■ Display name and pool ID (pools only)
■ Whether to show the personal or pooled VM in RD Web Access
■ Automatically saving VMs after a given time period
■ Device and resource redirection
■ Display settings
■ Custom RDP settings (like audio settings)
To configure RDP settings for all personal VMs, in Remote Desktop Connection Manager, expand RD Virtualization Host Servers, right-click Personal Virtual Desktops, and choose Properties. Doing so will bring up the Personal Virtual Desktops Properties tabbed dialog box, as shown in Figure 4-32.

FIGURE 4-32  Configure personal VM RDP settings via the Personal Virtual Desktops Properties tabbed dialog box.

On the General tab, enable users to see their personal virtual desktop (should they be assigned one) in RD Web Access and in their Start menu by selecting the check box next to the option Show In RemoteApp And Desktop Connection.

NOTE  You can also toggle showing and hiding personal VMs in RADC and RD Web Access by right-clicking Personal Virtual Desktops and then choosing the setting from the shortcut menu.

To save power on your RD Virtualization Host servers, set your personal VMs to go into a saved state when a certain amount of time has passed after a user logs off or is disconnected. Machines are saved in the state they are in at that time, and they are restored to this state when needed again. To set this option, select the Automatically Save Virtual Machines check box and then choose a time in minutes (with a minimum of 5) to wait before the VM is put into a saved state.
Next, select the Common RDP Settings tab. Here you can control device and resource redirection by selecting the check boxes next to the resources you want the user to have access to in the remote session. By default, all redirection is allowed. You can also control the following display settings:
■ Allow Font Smoothing  Font smoothing is allowed by default. To disable it, clear the check box next to Allow Font Smoothing.

■ Multiple Monitor Use  By default, the session will use all client monitors when connecting to the personal VM remote session. To use only one monitor, clear the check box next to Use All Client Monitors When Connecting To A Remote Desktop.
■ Color Depth  By default, this is set to high quality (32 bit). Change the session color depth by opening the corresponding drop-down menu and choosing 15, 16, or 24 bit.
To specify custom RDP settings (settings that are configurable in an RDP file but not set on the preceding two tabs), click the Custom RDP Settings tab. Here you can input RDP settings including audio redirection settings, custom desktop height and width, and whether Windows key combinations are applied to the local or remote computer.

NOTE  For details on RDP settings you can customize, see http://technet.microsoft.com
/en-us/library/ff393699(WS.10).aspx. The link is also available on the companion media.
For a full list of RDP settings, see Appendix A.

Custom settings you input cannot overwrite settings already configured in Remote Desktop Configuration Manager. If a setting is invalid or tries to overwrite a setting that is already configured, you will get an error and you will need to remove the custom setting.
To configure RDP settings on a per-VM-pool basis, right-click the VM pool you want to configure and choose Properties. The pool's Properties dialog box will appear. These settings are identical to the settings available to personal VMs, except that on the General tab you can also edit the pool display name (the name that appears in RD Web Access and RADC) as well as the Pool ID (the ID that RD Connection Broker uses to identify the pool). Change these settings by editing the text in the corresponding text boxes. When you are done editing RDP settings for pools or personal VMs, click OK to save the changes.
Personal and pooled VM RDP settings are also configurable via PowerShell. To get to these settings, import the RDS module:

Import-Module RemoteDesktopServices

Navigate to the personal or pooled VMs section:

cd connectionbroker\virtualdesktops\pools\

Then navigate further to Personal Virtual Desktops or to a named pool and edit settings using the Set-Item command.

Using RemoteApp for Hyper-V for Application Compatibility
Thus far in this chapter, you've learned about VMs in the context of desktop replacement. They also have an additional use: application compatibility. Using VMs, you can upgrade the client operating system on the desktop to Windows 7 while continuing to run applications that require Windows XP. One obvious example of this would be a web application requiring Microsoft Internet Explorer 6. That version of Internet Explorer doesn't come with Windows 7, and you can't virtualize it using App-V. Windows Server 2003 Terminal Services doesn't support RemoteApp programs, either. Without this feature, you'd have one option: set up a Windows Server 2003 terminal server and run the application from there on a full desktop.
RemoteApp for Hyper-V makes this unnecessary. This feature enables a client running Windows XP SP3 (or Windows Vista, or Windows 7) to serve RemoteApp programs to a computer running Windows 7 (or technically, to any computer running the RDC 7 client). The endpoint can still support only a single connection—that's how an RDP connection to a client operating system works—but this feature can enable you to use Windows 7 on the desktop while exporting older applications to the newer platform.
One connection doesn't mean one RemoteApp. If a VM is providing more than one RemoteApp program, then a user can run as many as required; all will run on the same VM, in the same session.

NOTE  This feature also allows Windows 7 and Windows Vista to serve RemoteApp
programs. However, most applications that run on either of those platforms will run on
Windows Server 2008 or Windows Server 2008 R2. Rather than using RemoteApp for
Hyper-V, it might be more cost-effective to run RemoteApp programs that don’t require
Windows XP from a terminal server/RD Session Host. This is because a client operating
system can support only a single active remote connection.

When you run a RemoteApp from a guest operating system, it will retain the look and feel of the operating system that it's running on. That is, if the endpoint is running Windows XP, the RemoteApp will have the Windows XP title bar and controls.
If you've heard of a feature called XP Mode, you might have noticed that this sounds extremely similar. For those who haven't, when running a computer in XP Mode, you use Microsoft Virtual PC to run a guest VM of Windows XP on the local computer and run applications from there. This works well in many cases. RemoteApp for Hyper-V differs from XP Mode in being appropriate in the following cases:
■ When the client can't run Virtual XP or can't support two operating systems running at the same time  Netbook computers are one good example of this situation. They can run Windows 7, but you're not likely to be happy running Windows 7, Virtual PC, and Windows XP at the same time on a low-power computer.
■ When the user needs the application only occasionally, or only for a few minutes at a time  If someone's using an application for 5 minutes an hour, it's either a waste of computing resources to keep the Windows XP VM running or a waste of time to keep starting it whenever you need the application.

Configuring RemoteApp on Hyper-V
To use RemoteApp on Hyper-V, you must configure both the client and the endpoint, as follows:
■ The VM must be running Windows XP SP3 (Professional Edition), Windows Vista SP1 (Enterprise or Ultimate Edition), or Windows 7 (Enterprise or Ultimate Edition).
■ The VM must have the update to enable RemoteApp delivery (Windows XP and Windows Vista only) and you must edit the registry to allow the RemoteApp program to start.
■ The client must have the RDC 7 client installed and an RDP file configured to connect to a RemoteApp.
■ Set Group Policy to disconnect sessions on the endpoint after a certain amount of time.
Let's start with the endpoint.

Configuring the VM
To configure the VM, first install the update that enables this feature. Again, this is not required for Windows 7, but it is required for Windows Vista SP1 and Windows XP SP3. The update is available only for 32-bit operating systems.
To install the hotfix for Windows XP, navigate to http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en and choose to download the hotfix.
When it's downloaded and you run it on Windows XP, you'll be prompted to install KB961742-v3.exe. Click Run to unpack the installation and begin. The steps are simple:
1. Review the opening page and note that you might need to restart the computer after installing the hotfix.
2. Agree to the license terms.
3. Let Setup check the current configuration.
4. When prompted, click Finish to end the installation and prompt the reboot.

IMPORTANT  The hotfix for Windows Vista is located at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=097b7478-3150-4d0d-a85a-6451f32c459c. When you have installed the update, install the application that you want to publish as you would normally.

When the application is installed, you'll need to permit people to initiate a connection to the VM by starting that application. To use the Microsoft terminology, you're adding it to the allow list. To do so, you'll be editing the registry.
On the VM, enable RemoteApp for Hyper-V by changing the following value from 0 to 1:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\TsAppAllowList\
fDisabledAllowList = 1
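The registry change above, done from PowerShell with a read-back check so you know the value actually changed. This is an added example, not code from the book; the key path and value name are the ones the text gives, everything else (the script structure, the -WhatIf support, the verification) is this example's own. Run it elevated inside the guest VM after the hotfix has been installed and the VM rebooted. Note what the value name says: a value called fDisabledAllowList set to 1 turns the allow-list check off, so the programs a connecting user can start are then limited only by who is permitted to connect to the VM at all; keep that group small.

```powershell
# Added example (not from the book): set and verify the RemoteApp for Hyper-V
# registry value described in the text. Run elevated inside the guest VM.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$keyPath   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\TsAppAllowList'
$valueName = 'fDisabledAllowList'

if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key not found: $keyPath. Confirm the RemoteApp hotfix is installed and the VM has been rebooted."
}

# Record the current value so the change can be reverted later.
$before = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Write-Verbose "Current $valueName = $before"

# -WhatIf shows what would change without touching the registry.
if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set to 1')) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
}

# Verify by reading the value back rather than trusting the write.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -ne 1) {
    throw "$valueName is '$after'; expected 1."
}
"$valueName changed from '$before' to $after."
```

Save it as a .ps1 file and run it with -WhatIf first; the ShouldProcess call prints the intended change and skips the write.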

Readying the Client
The client must have RDP 7 installed. RDP 7 is preinstalled on Windows 7; you can download it to install on 32-bit Windows XP or Windows Vista as well (see the section entitled "Additional Resources" later in this chapter for the location of the download).

Editing the RDP File
When the hotfix is installed and the VM rebooted, you're ready to configure an RDP file to access a RemoteApp program. Open an RDC on the client PC and configure the RDC as if you were going to access the full desktop of the VM. Save this file, naming it something like the name of the application that it will ultimately open (such as Remote Notepad).
Right-click the RDC file and open it with a text editor like Notepad. Edit the following two lines to match the following:

remoteapplicationmode:i:1
alternate shell:s:rdpinit.exe

Then add the following lines (edit them to suit your needs):

RemoteApplicationName:s:FRIENDLY NAME FOR APP GOES HERE (example: Remote Notepad)
RemoteApplicationProgram:s:PATH TO APP GOES HERE (example: %windir%/system32/notepad.exe)
DisableRemoteAppCapsCheck:i:1
Prompt for Credentials on Client:i:1

Those settings will work if you have just one machine. But most likely you will have multiple computers providing these RemoteApp programs, configured as a VM pool. If so, then the RDP file needs adjusting to connect to the pool. The computer name that you enter will need to be the name of the RD Session Host server redirector, and you need to add this line to the RDP file:

loadbalanceinfo:s:tsv://vmresource.1.POOL-ID-GOES-HERE

After you've configured the RDP file appropriately, then anyone attempting to use the RemoteApp VM pool will be routed to the most appropriate endpoint for their session, just as they would for a full desktop. If a user attempts to start a second RemoteApp program that is provided by VMs in the pool, then the RD Connection Broker will route their connection request to the VM where they're already running a RemoteApp. This is because the first step of brokering is to see if the person attempting to connect already has a session running.
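Hand-editing an RDP file for every application and pool is error-prone, so here is the single-VM and pooled variant of the file from the two sections above generated and checked from PowerShell. This is an added example, not the book's code: the setting names and values are the ones the text lists, plus the standard full address setting for the computer name the text tells you to enter; the function names, parameter names, host name and pool ID are this example's own placeholders.

```powershell
# Added example (not from the book): build the RemoteApp RDP file described in
# the text and check its required settings before distributing it.
function New-RemoteAppRdpFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $FullAddress,  # VM name, or the RD Session Host redirector for a pool
        [Parameter(Mandatory)] [string] $AppName,
        [Parameter(Mandatory)] [string] $AppProgram,
        [string] $PoolId                                 # omit for a single VM
    )
    $lines = @(
        "full address:s:$FullAddress"
        'remoteapplicationmode:i:1'
        'alternate shell:s:rdpinit.exe'
        "RemoteApplicationName:s:$AppName"
        "RemoteApplicationProgram:s:$AppProgram"
        'DisableRemoteAppCapsCheck:i:1'
        'Prompt for Credentials on Client:i:1'
    )
    if ($PoolId) {
        # Pooled VMs: the broker chooses the endpoint, so the file points at the pool.
        $lines += "loadbalanceinfo:s:tsv://vmresource.1.$PoolId"
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

function Test-RemoteAppRdpFile {
    # Returns the problems found; an empty result means the file has what the text requires.
    param([Parameter(Mandatory)] [string] $Path, [switch] $Pooled)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # RDP lines are name:type:value, where type is i (integer) or s (string).
        if ($line -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$') {
            $settings[$Matches['name'].ToLower()] = $Matches['value']
        }
    }
    $problems = @()
    $required = @{
        'remoteapplicationmode'            = '1'
        'alternate shell'                  = 'rdpinit.exe'
        'disableremoteappcapscheck'        = '1'
        'prompt for credentials on client' = '1'
    }
    foreach ($name in $required.Keys) {
        if ($settings[$name] -ne $required[$name]) { $problems += "$name should be $($required[$name])" }
    }
    foreach ($name in 'remoteapplicationname', 'remoteapplicationprogram', 'full address') {
        if (-not $settings[$name]) { $problems += "$name is missing" }
    }
    if ($Pooled -and $settings['loadbalanceinfo'] -notmatch '^tsv://vmresource\.1\.\S+$') {
        $problems += 'loadbalanceinfo must be tsv://vmresource.1.<pool id> for a pool'
    }
    return $problems
}

# Usage (host name and pool ID are placeholders for your own values):
$rdp = New-RemoteAppRdpFile -Path "$env:TEMP\Remote Notepad.rdp" `
    -FullAddress 'rdsh-redirector.example.com' -AppName 'Remote Notepad' `
    -AppProgram '%windir%\system32\notepad.exe' -PoolId 'POOL-ID-GOES-HERE'
$issues = Test-RemoteAppRdpFile -Path $rdp -Pooled
if ($issues) { $issues | ForEach-Object { "PROBLEM: $_" } } else { "RDP file OK: $rdp" }
```

Leave out -PoolId (and -Pooled) for the single-machine case; the check then only requires the settings from the Editing the RDP File section.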

Configuring a Time Limit for Disconnected Sessions on the Endpoint
When a user starts a RemoteApp program on a VM running RemoteApp for Hyper-V and then closes the application, their session on that VM remains active, and stays active, even if the VM is put into a saved state. When the VM is restored, the last user who had started the RemoteApp will still be logged on to that machine. In addition, because clients can have only one session going at a time, this computer is now effectively only usable by that user. That is, no other users will be able to start a RemoteApp on this machine.
Fortunately, you can set a time limit for disconnected sessions on the endpoint via a Group Policy object (GPO). Here's how:
1. Create an organizational unit (OU) for your endpoint(s) in Group Policy Manager, add the endpoint computers to this OU, and then create a GPO and enable this setting:

Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Session Time Limits | set the time for disconnected sessions

2. When you have enabled the setting, choose a time period after which a disconnected session will be ended.
3. Apply the GPO to the Endpoint OU that you just created and reboot the endpoints (because computer policies are applied at startup).
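Because the policy only takes effect once the endpoint has restarted, it helps to have a check you can run on the VM afterwards. The following is an added example, not from the book; it assumes (the book does not state this) that the Session Time Limits setting lands in the registry as the MaxDisconnectionTime value, in milliseconds, under the Terminal Services policy key, which is where Group Policy writes that Administrative Template.

```powershell
# Added example (not from the book): confirm on an endpoint VM that the
# "time limit for disconnected sessions" policy from the GPO has applied.
# Assumption: the policy writes MaxDisconnectionTime (milliseconds) under
# the Terminal Services policy key below.
function Test-DisconnectTimeLimit {
    param([int] $MaxMinutes = 60)   # longest limit you consider acceptable for a RemoteApp VM
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $policyKey -Name 'MaxDisconnectionTime' -ErrorAction SilentlyContinue).MaxDisconnectionTime
    if ($null -eq $value) {
        return [pscustomobject]@{
            Configured = $false; Minutes = $null; Ok = $false
            Note = 'Policy not present: reboot the endpoint or run gpupdate /force, then check the OU link'
        }
    }
    $minutes = [math]::Round($value / 60000, 1)
    $ok = ($minutes -gt 0 -and $minutes -le $MaxMinutes)
    $note = if ($ok) { 'Within limit' } else { "Limit is $minutes minutes; expected 1..$MaxMinutes" }
    [pscustomobject]@{ Configured = $true; Minutes = $minutes; Ok = $ok; Note = $note }
}

Test-DisconnectTimeLimit -MaxMinutes 60
```

A Configured value of $false on a rebooted endpoint usually means the computer is not in the OU the GPO is linked to, which is the first thing to check.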

Can You Use RemoteApp for Hyper-V Without RDS?
It is technically possible to use the RemoteApp feature on any client, whether it's a VM on Hyper-V (or any hypervisor, really) without RD Virtualization Host, a blade, or a physical desktop. We do recommend using this feature as part of RDS, however. Combining this feature with a connection broker is likely to lead to the most efficient use of resources with the simplest management.
As a reminder, each VM can sustain only a single connection at a time, even though it's publishing RemoteApp programs like an RD Session Host server. Without a broker in the mix, one or two people connecting can effectively monopolize the farm if they connect to a different VM each time.
If you dedicated a RemoteApp for each person's exclusive use and saved the VM's name in the RDP file for each RemoteApp, you could pull this off. However, this isn't a very efficient way of allocating resources. The VMs won't be available for anyone else's use, and if you're not using RD Virtualization Host and the RD Connection Broker, you'll need to make sure that they're turned on and ready for their owners to use. It's more effective to arrange the VMs for RemoteApp on Hyper-V in a dedicated pool. Just modify the pooled RDP file as described in this section to support publishing RemoteApp programs from a VM.

Troubleshooting: Why Did a Pooled VM Connection Fail?

A user clicked an icon to connect to a pooled VM, and the connection didn’t
work. Why not? Here are two things that can go wrong during the connec-
tion, aside from the standard “you didn’t configure this properly” errors reported at
http://technet.microsoft.com/en-us/library/ee891400(WS.10).aspx.

Waking the VM . . .
This is about the elusive “Waking the VM…” message and eventual timeout. There
are a few reasons for this, all of which have to do with not having the client config-
ured correctly. You will receive this error for the following reasons.

■ The VM has not been prepared properly. You will experience this situation
when any of the preparation was not done, including the exceptions in the
firewall, the registry entry adjustments, or the WMIC commands.
■ The VM was prepared properly, but the Rollback snapshot was taken before the preparation was finished, and as a result, the VM can't accept connections.

Unable to Verify Settings . . .
Another scenario that produces obscure errors in the Event Log is one in which the RD Connection Broker has issues connecting the client to the requested VM. The user tries to initiate a connection to a pooled or personal VM, but he or she receives an error message saying that the connection could not be established because the Connection Broker was unable to verify the settings in the RDP file. On the Connection Broker, the following two errors are logged in the TerminalServices-SessionBroker-Client event log.

Event ID 1296:
Remote Desktop Connection Broker Client failed while getting redirection
packet from Connection Broker.
User : ASH/kristin
HRESULT = 0x80070490

followed by

Event ID 1306:
Remote Desktop Connection Broker Client failed to redirect the user
ASH/kristin.
HRESULT = 0x80070490

Remedy this situation by re-running the Configure Virtual Desktops Wizard on the
RD Connection Broker server. You do not need to change any of the settings (unless
they are wrong, of course). Just re-run the wizard with the same settings as you had
before, and the RD Connection Broker will resume working properly.
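Rather than waiting for a user to report the "unable to verify the settings" error, the broker's own log can be watched for the two events quoted above. This is an added example, not from the book: the event IDs and the message shapes come from the sidebar; the function name, the per-user grouping and the default log name (the operational log that the TerminalServices-SessionBroker-Client source writes to) are this example's own, so adjust the log name if your broker reports it differently.

```powershell
# Added example (not from the book): collect RD Connection Broker Client redirect
# failures (Event IDs 1296 and 1306) from the broker and summarize them per user.
function Get-BrokerRedirectFailure {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Hours = 24,
        [string] $LogName = 'Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational'
    )
    $filter = @{
        LogName   = $LogName
        Id        = 1296, 1306
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Both messages name the user: 1296 as "User : DOMAIN/user", 1306 as
        # "redirect the user DOMAIN/user." (trailing period stripped).
        $user = if ($e.Message -match '(?:User\s*:|redirect the user)\s*(\S+?)\.?(?=\s|$)') { $Matches[1] } else { '(unknown)' }
        $hresult = if ($e.Message -match 'HRESULT\s*=\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            User    = $user
            HResult = $hresult
        }
    }
}

# Usage: many different users failing at once points at the broker configuration
# (the wizard re-run the sidebar recommends); one user failing repeatedly points
# at that user's RDP file or account.
Get-BrokerRedirectFailure -Hours 24 |
    Group-Object User, HResult |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it on the RD Connection Broker server, or pass -ComputerName with an account that has Event Log Readers rights on it.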

Summary
Adding VM support to RDS increases the number of scenarios that RDS can support. Although sessions still allow you to get more people per server, VMs have their own advantages. Personal desktops enable complete desktop replacement, moving the personal computers into the data center and providing more central management. Pooled VMs allow a set of people to share a more isolated environment than a session can provide. RemoteApp for Hyper-V allows you to serve applications from a client running Windows XP to a Windows 7 desktop, even if the client running Windows 7 can't run a local hypervisor.
After reading this chapter, you should know the following:
■ When to use VMs instead of sessions
■ When to use personal and pooled VMs
■ How to set up VM pools and personal desktops
■ How discovery, brokering, and orchestration work
■ How to use RemoteApp for Hyper-V to publish applications from a Windows XP VM

Additional Resources
The following resources contain additional information and tools related to this chapter:
■ The hotfixes to enable RemoteApp display on Windows XP SP3 are online at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f376f53-83cf-4e5b-9515-2cb70662a81b&displaylang=en.
■ The hotfix to enable RemoteApp display on Windows Vista SP1 is available from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=26a2de17-8355-4e8d-8f33-9211e48651fb.
■ Error messages relating to RD Connection Broker are documented at http://technet.microsoft.com/en-us/library/ee891400(WS.10).aspx.
■ For information on customizing the RDP settings used in Personal and Pooled VMs, see Chapter 6, "Customizing the User Experience."
■ For instructions on installing RD Web Access, and for configuring RD Web Access to provide access to RD Session Host desktops and RemoteApps, see Chapter 9, "Multi-Server Deployments."
■ For information on using RD Gateway to access pooled and personal VMs, as well as other RDS resources from outside your corporate network, see Chapter 10, "Making Remote Desktop Services Available from the Internet."

CHAPTER 5

Managing User Data in a Remote Desktop Services Deployment
■ How Profiles Work  226
■ Design Guidelines for User Profiles  242
■ Deploying Roaming Profiles with Remote Desktop Services  248
■ Profile and Folder Redirection Troubleshooting Tips  287

Thus far in this book, you have learned how to set up a single Remote Desktop (RD) Session Host server or a simple Microsoft Virtual Desktop Infrastructure (VDI) deployment. Those deployments aren't yet production-ready, though. No applications are available, the connections aren't secured, you haven't yet defined the devices and experience to redirect, and the profiles and Folder Redirection aren't yet set up.
Properly configured profiles and Folder Redirection go a long way toward a good user experience for users working via remote connection to the data center. Because profiles weren't originally designed for remote work environments, this can sometimes be tricky. Remote Desktop Services (RDS) independent software vendor (ISV) partners have developed some products to help make a highly flexible system for complex environments. This chapter, however, shows you how best to configure profiles and Folder Redirection using the tools that come with Windows.
The basic elements of a user workspace are the configuration settings in the user's profile and the default locations to save data. After reading this chapter, you will understand the following:
■ How roaming, local, and mandatory profiles work
■ Why virtualization can complicate implementing profile strategies
■ Best practices for storing and managing profiles
■ How to use Folder Redirection to unify user default locations between local and remote applications
■ The benefits and drawbacks of using mandatory profiles to maintain a consistent look and feel
■ How to secure the desktop to prevent users from saving files to it and why this is important
■ How to support profiles across servers running both Windows Server 2008 R2 and Windows Server 2003, or Windows 7 and Windows XP virtual machines (VMs)

How Profiles Work
A profile is a collection of settings and documents that define a user's work environment, sometimes referred to as a user's "personality." A user's profile includes both configuration data and personal data such as documents and pictures. Personal data in the profile can be stored on the desktop or in one of the folders associated with the user account (for example, My Documents). The profile also includes user-specific settings, such as the following:
■ Changes that you make to application layouts, such as adding buttons, changing the layout, and adding a default signature
■ Changes to system settings that are unique to the user experience, such as changing your desktop background, screen saver, and keyboard layout
Machine-wide settings such as firewall settings are not stored in the user profile.
Documents and supporting files that are part of your profile are stored in a unique user profile folder (and subfolders). Local and roaming profile settings are stored as a single file (called NTUSER.DAT), not as a collection of individual settings. NTUSER.DAT is stored in the root of each user's profile folder. Mandatory profile settings are stored in NTUSER.MAN; this file can be shared among multiple users because it is read-only.

NOTE  Super-mandatory profiles label the folder where they’re stored with the .man
suffix, like this: //servername/sharename/mandatoryprofile.man/. Super-mandatory user
profiles are similar to normal mandatory profiles except that users with super-mandatory
profiles cannot log on when the server that stores the mandatory profile is unavailable.
Users with normal mandatory profiles can log on with the locally cached copy of the
mandatory profile. Use super-mandatory profiles only when you want to have absolute
control of the user profile—so much so that you can’t take the chance that a cached copy
might be out of date.

While a user is logged in, the NTUSER.DAT file is loaded temporarily into HKEY_CURRENT_USER (HKCU) in the registry of the computer that user is logged on to; the documents are stored in the subfolders within the profile folder, as shown in Figure 5-1. You will find out in detail about the parts of a profile—both the registry and the data folders—later in this chapter. But first let's examine the different types of profiles.

(Figure 5-1 panels: Profile Folders with Data; NTUSER.dat Loaded in HKCU)

FIGURE 5-1  The user profile contains personal settings and data such as folders and the user-specific registry settings.

Types of Profiles
As alluded to in the previous section, there are three types of profiles: local, roaming, and mandatory. Local profiles are stored on and used from a single computer and store data in NTUSER.DAT. Roaming profiles are stored on and used from a network share, so they're available to any computer that can access that particular network share. They also store data in NTUSER.DAT. Mandatory profiles are often centrally located like roaming profiles, but whereas local profiles and roaming profiles are read-write, mandatory profiles are read-only. They store their settings in NTUSER.MAN.
Local profiles are usually fast to load because they are stored on the computer the user is using. When a user logs on, the local profile will load from its local location on the hard drive and populate HKCU. When the user logs off, the contents of HKCU (including any changes that the user made) will be written back to the local hard disk and overwrite the previous version of the file.

NOTE  Local profiles aren’t a good fit for most remoting scenarios because they’re stored
on a single computer. Personal desktops and single RD Session Host server deployments are
possible exceptions to this, but pooled VMs and RD Session Host sessions in a farm larger
than one server will quickly find that local profiles lead to an inconsistent user experience.
This is because the user would have a unique local profile on each machine she logs onto.

Roaming profiles afford the most flexibility in a remoting environment because they're stored in a central location accessible to all VMs and RD Session Host servers. They're also read-write, so users can adjust their settings. When a user logs onto a session or VM (or a computer, for that matter), the roaming profile will load from its network location and populate HKCU in the registry. When the user logs off, the contents of HKCU (including any changes that the user made) will be written back to the network location and overwrite the previous version of the file.
Mandatory profiles are loaded to HKCU when a user logs on, just like a roaming profile, but they aren't written back to their storage location at logoff—all changes to the profile are just discarded.

How Profiles Are Created
A user does not start with a user profile. The profile is created the first time that a user logs onto a machine. Mandatory profiles are the exception to this, and even the mandatory profile, which is used by multiple people, has to initially come from somewhere. To fully understand profiles, you need to know how profiles are initially created. This will come in handy later in this chapter, when you learn how to create a mandatory profile and also how to customize a default profile.
All profiles are created from a "default profile." Each RD Session Host—actually, every computer—has a local default user profile (located at C:\Users\Default in Windows Vista and later) for this purpose. Depending on which type of profile will be used and how you have implemented the profile strategy, the process of making user profiles varies slightly.
If your users will use local profiles (for instance, if you have only one RD Session Host), new user profiles will be created by making a copy of the local default profile located on the computer that the user logs on to. This copy will go into a new folder labeled by the login name of the user.
If your users will use roaming profiles, when a new user logs on to a server for the first time, a new profile is created for him by making a copy of a default user profile. Domain-joined computers will first look for a network default user profile (stored in the netlogon share on a domain controller and replicated to other domain controllers). If it does not find one in the network share, then it will use the local default profile located on the computer to which the user logged on.

User Profile and the Registry
The registry is organized into sections called keys, which align with a particular configuration option. For example, computer-wide settings are stored in HKEY_LOCAL_MACHINE (HKLM), whereas user-specific settings are stored in HKEY_CURRENT_USER (HKCU). As with all versions of Microsoft Windows NT since it was first released, Windows Server 2008 R2 and Windows 7 maintain user-specific settings in HKCU for each user logged on to the computer.
You can see how HKCU works and reflects changes to the user environment by following the process outlined in the following How It Works sidebar, "Observe How Changes to the Environment Are Reflected in the Registry."

HOW IT WORKS

Observe How Changes to the Environment Are Reflected in the Registry

One easy way to watch how HKCU changes as you customize your environment is to make a change and watch the contents of the registry, as follows.

1. Run Regedit.exe and confirm that you want to run it when prompted.

2. Navigate to HKCU\Control Panel\Colors\ and look at the value of the Window key. If you're using the default Windows 7 color scheme, the value of this entry
should be 255 255 255. (Full saturation of red, blue, and green values show up as
white on a monitor. Values of 0 for all three show up as black. If you ever studied
color theory, this is a demonstration that black is the absence of color.)

3. Right-click the Desktop and choose Personalize from the context menu to open
the Personalization window.

4. Click Window Color And Appearance. In the Appearance Settings dialog box,
click Advanced to open the aptly named Advanced Appearance dialog box. From
here, select Window from the Item drop-down list. Change Color 1 to light gray
and click OK.

5. Click OK in the Appearance Settings dialog box. The screen will adjust for a mo-
ment, and then the background color of windows will turn light gray.

6. If you examine the value of HKCU\Control Panel\Colors\Window, you'll see that it's now 192 192 192.

In Windows Server 2008 R2 and Windows 7, HKCU contains the subkeys described in Table 5-1. Even if you're logging on to a Windows Server 2008 R2 RD Session Host server from an earlier operating system such as Windows XP, the profile in the RD Session Host session corresponds to the server platform. These are still the registry keys that apply to the session, not the client computer operating system. There might be additional subkeys in this section; it depends on which applications you have installed. For example, if you install Microsoft Outlook, you'll see an Identities key.

TABLE 5-1  Subkeys of HKCU in Windows 7 and Windows Server 2008 R2

SUBKEY | DESCRIPTION | MAPS TO
AppEvents | Sounds played on system events | Control Panel\Sounds
Console | Command window settings such as window size, colors, and buffer size | Command Prompt\Properties
Control Panel | User desktop appearance settings, mouse and keyboard settings, power policy, and accessibility | Control Panel
Environment | Environment variable definitions | Control Panel\System\Advanced
EUDC | Customized characters that users install for viewing and printing documents when standard fonts don't support them. Applies to East Asian font sets. | Control Panel\Fonts
Keyboard Layout | Edits the keyboard layout. Useful if your operating system is displaying in one language but you want to use the keyboard layout of another one (for example, displaying in English but arranging the keyboard as though you were in Germany). | Control Panel\Regional and Language Options
Network | Network drive mappings and settings | Control Panel\Networks
Printers | Printer connection settings | Control Panel\Printers
Remote (Remote Access in Windows 7) | Contains settings to be applied to remote sessions (for example, ClearType or wallpaper) for each session. The subkey corresponds to the Session ID. | 
Session Information | Information about the current session, such as how many applications are open | Not stored—populated during the session
Software | Personal settings for all software installed for that user | Individual applications
System | Contains the current control set for that user (drivers and services to run at startup) | Not stored—populated on startup
Volatile Environment | Environment variables for the current logon session | Not stored—populated for each session

Data is stored in HKCU only for the duration of the session, while data stored in HKLM persists until the reboot. Most pieces of the registry are saved in files called hives and are loaded as necessary. When a hive file is opened, it's reloaded into the registry. Therefore, HKCU is stored as a hive in a file called NTUSER.DAT that is loaded at user logon. Each user logged on to an RD Session Host server sees his or her own version of HKCU.
How does this data get loaded? When you log on to a computer, the User Profile Service loads the hive file from the location specified in your user account properties and populates HKCU for that session. When you log off the computer, the hive file is written back to its storage location as NTUSER.DAT. If you happen to be logged on to more than one computer at a time, two copies of your profile will be open, populating the contents of HKCU on each computer.

NOTE  Profiles can be cached on the server to speed up logons if you set the correspond-
ing Group Policy. However, even if you enable caching, when a user logs off the RD Session
Host server, the corresponding branch of HKCU is cleared. You’ll find out more about cach-
ing user profiles in the section entitled “Caching Roaming Profiles” later in this chapter.

In addition to loading HKCU with the contents of your profile, logging on to an RD Session Host server updates two parts of HKLM, the computer-wide section of the registry. HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList (Figure 5-2) contains a list of all profiles cached on the computer. It also lists the profiles used by the System account, Network Service account, and the Local Service account. As you can see, machine accounts have profiles just like user accounts do.
The users are identified by security identifiers (SIDs), but you can distinguish them by browsing the keys. The values show the path to both the local cache (the ProfileImagePath key value shown in Figure 5-2) and to the roaming profile folder share (the CentralProfile key value shown in Figure 5-2), so it's not hard to map user names to profiles.

FIGURE 5-2  Loading a profile into a remote desktop session updates the ProfileList key for the entire RD Session Host server.
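Browsing ProfileList by hand works for a handful of SIDs; on a busy RD Session Host it is quicker to enumerate the key and let Windows translate each SID. This is an added example, not the book's code: the key path and the ProfileImagePath and CentralProfile value names are the ones the text describes, while the function name, the SID translation and the check against HKEY_USERS are this example's own.

```powershell
# Added example (not from the book): list every profile cached in
# HKLM\...\ProfileList, resolve its SID to an account, show its local cache and
# roaming share, and report whether its hive is currently loaded under HKEY_USERS.
function Get-CachedProfile {
    $listKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $listKey) {
        $sidString = $key.PSChildName          # each subkey is named after the SID
        $props = Get-ItemProperty -Path $key.PSPath

        # Translate the SID to DOMAIN\user; service SIDs (System, Local Service,
        # Network Service) translate too. Accounts from a trust that is down do not.
        $account = '(unresolved)'
        try {
            $sid = [System.Security.Principal.SecurityIdentifier] $sidString
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Sid            = $sidString
            Account        = $account
            LocalCache     = $props.ProfileImagePath
            CentralProfile = $props.CentralProfile
            # A loaded hive means HKCU for that user is currently populated on this server.
            HiveLoaded     = Test-Path -Path "Registry::HKEY_USERS\$sidString"
        }
    }
}

# Usage: a hive that is loaded for a user with no active session, or a cache path
# outside the usual profiles folder, is worth a closer look before deleting anything.
Get-CachedProfile | Sort-Object Account | Format-Table -AutoSize
```

Because the listing is read-only it is safe to run at any time; removal of a profile still belongs to the proper tools, as the next paragraphs explain.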

When you log off an RD Session Host server, the two keys with your SID are locked. They don't actually go away, but if you attempt to open the key associated with a user who is currently logged off, you'll get an error message telling you that the system cannot find the file specified. Log on again, and the key with the same SID will be repopulated.
Although loading a profile adds two keys to the registry that never go away, most of the time it doesn't matter. As discussed in the section entitled "The Consequences of Deleting a Profile Folder from Windows Explorer" later in this chapter, it does matter should you choose to delete a profile. Deleting the profile folder doesn't delete the registry keys associated with it. Therefore, always use the correct tools to delete profiles; otherwise those users won't be able to load their profiles properly when they log on again.
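As an added example (this script is not from the book), the following PowerShell lists the ProfileList entries on an RD Session Host server, resolves each SID to an account name so you can see who the local cache and CentralProfile values belong to, and then removes a cached profile the supported way, through the Win32_UserProfile WMI class, instead of deleting the folder. The account adam and the path C:\Users\adam are assumptions for illustration; run it in an elevated PowerShell on the RD Session Host server.

```powershell
# Added example, not from the book: map ProfileList entries to accounts and
# delete a cached profile without leaving an orphaned registry key behind.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $sid     = $_.PSChildName                    # subkey name is the SID (or SID.bak)
        $values  = Get-ItemProperty -Path $_.PSPath
        $account = '<unresolved>'                    # deleted account, or domain unreachable
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier ($sid -replace '\.bak$', '')).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch { }
        New-Object PSObject -Property @{
            Sid              = $sid
            Account          = $account
            ProfileImagePath = $values.ProfileImagePath   # local cache of the profile
            CentralProfile   = $values.CentralProfile     # roaming share; empty for local profiles
        }
    }
}

Get-ProfileListEntry |
    Sort-Object Account |
    Format-Table Account, Sid, ProfileImagePath, CentralProfile -AutoSize

# Wrong way: removing only the folder leaves the ProfileList subkey pointing at a path
# that no longer exists, and the user's next logon gets a temporary profile.
#   Remove-Item -Path 'C:\Users\adam' -Recurse -Force

# Right way: let the profile service remove the folder and the registry entry together.
# Win32_UserProfile exists on Windows Vista / Windows Server 2008 and later.
$stale = Get-WmiObject -Class Win32_UserProfile |
         Where-Object { $_.LocalPath -eq 'C:\Users\adam' -and -not $_.Loaded }
if ($stale) {
    $stale.Delete()      # throws if the profile is still loaded (the user is logged on)
} else {
    Write-Warning 'Profile not found or still loaded; nothing deleted.'
}
```

The Loaded check matters: a profile that is in use cannot be deleted, and the SYSTEM, LOCAL SERVICE and NETWORK SERVICE entries (S-1-5-18, S-1-5-19, S-1-5-20) that the listing shows should never be removed.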

How Profile Changes Are (Not) Merged


The operating system loads the contents of NTUSER.DAT into HKCU at logon and saves back to NTUSER.DAT at logoff, in the same way that you might open a Microsoft Word document when you log on, type in it for a while, and then save the document when you log off. This has some important implications for a remote environment.
As an example, imagine this scenario. You are logged on to two different computers and you open a new Word document in each session. In Session 1, you type "Every Good Boy Does Fine." In Session 2, you type "All Cows Eat Grass." You save the file in Session 1 as Myfile.docx. Next you save the file in Session 2 as Myfile.docx in the same location, confirming that you want to overwrite the old file when prompted.
The next time you open Myfile.docx, the file will say only "All Cows Eat Grass." The phrase "Every Good Boy Does Fine" has been overwritten. In short, the files are not merged; they're written back to the save location, and the version last written to that location is the only one you'll see.
So it is with profiles, which are just another type of file. If you log on to two sessions, each of which is using the same roaming profile, you will have two copies of your profile open. If you make changes to the open profile, you'll see them at the time, but they won't be saved into NTUSER.DAT until you log off. As in the previous example, if you have a profile open in Session 1 and in Session 2, log off Session 1 and then log off Session 2, only the changes made to the Session 2 copy of the profile will appear when you log on again and reload that profile. The only difference from the document scenario is that the operating system won't ask you if you want to overwrite the previous version.

CAUTION  One implication of the way profiles work is that you shouldn’t use the
same profile for local sessions and remote sessions. If you do, then by definition, ev-
ery time you log on to your computer and then log on to an RD Session Host server,
you will be opening two copies of your profile. You will almost certainly lose profile
data this way.

232 Chapter 5  Managing User Data in a Remote Desktop Services Deployment

You might be wondering whether opening two RemoteApp programs from a single RD Session Host server opens one or two copies of your profile. The answer depends on the version of Windows Server hosting the session, and how you're starting the applications. On a terminal server running Windows Server 2003, you could create a Remote Desktop Protocol (RDP) session that would open a single application instead of displaying the entire desktop. (As noted in Chapter 1, "Introducing Remote Desktop Services," not many people did this because the experience wasn't very user-friendly, but it was possible.) If you presented individual applications this way, then each time a user opened an application on the same server, he would open a separate session and therefore a separate copy of the profile.
Windows Server 2008 improved on this design in two ways. First, it introduced RemoteApp programs. All RemoteApp programs started from the same server by the same user account run in the same session, so they open only a single copy of your profile. Second, when deciding where to route incoming connections to an RD Session Host server farm, the RD Connection Broker will check to see if a user already has an open session on an RD Session Host server in the farm. If so, then the user will be routed to the same session to start the application. So, what is the result? You have preference to the server where you already have an open connection, and, so long as you're connecting to only a single server, only one copy of the profile will be open because all RemoteApp programs will run in the same session.

Profile Contents External to the Registry


Not all parts of a profile are stored in HKCU. The same folder that contains the NTUSER.DAT file also contains other folders that contain user data as well as application-specific data. Beginning in Windows Vista and Windows Server 2008, the profile includes the folders listed in Table 5-2. (More folders might be available, depending on which applications you have installed.)

TABLE 5-2  Folders Associated with a Windows 7 or Windows Server 2008 R2 Profile

FOLDER        DESCRIPTION
AppData       Default root location for user application data and binaries
Contacts      Used to store contact information and is also the address book for Windows Mail, the successor to Microsoft Outlook Express (Windows Mail is not included in Windows 7 or Windows Server 2008 R2)
Desktop       All items stored on the desktop, including files and shortcuts
Documents     Default root location for all user-created files (spreadsheets, text documents, and so on)
Downloads     Default location for all files downloaded using Windows Internet Explorer
Favorites     Bookmarked Uniform Resource Locators (URLs) in Internet Explorer
Links         File and folder shortcuts; these show up under the Favorites menu on the left side of an Explorer window
Music         Default root location for all music files
Pictures      Default root location for all image files
Saved Games   Default location for saved games
Searches      Default location for saved searches performed from the Search Programs And Files input box on the Start menu
Videos        Default root location for all video files

Beginning in Windows Vista and Windows Server 2008, the profile structure changed from Windows XP and Windows Server 2003. (Windows 7 and Windows Server 2008 R2 retain this new profile structure.) The new structure uses more folders to organize the data.
Notice that Windows XP and Windows Server 2003 were not mentioned in Table 5-2. This is because profiles have evolved over time and the structure of profiles has changed. Windows XP and Windows Server 2003 profiles are called version 1 (V1) profiles; profiles using the structure of Windows Vista and Windows Server 2008 and later are called version 2 (V2) profiles. A V2 user profile folder is distinguished from its predecessors by an added .V2 extension.
Version 2 profiles generally use more folders than those of Windows XP, but V1 top-level folders such as NetHood and PrintHood were moved inside the AppData folder beginning in Windows Vista. Table 5-3 (adapted from the Microsoft document "Managing Roaming User Data Deployment Guide" located at http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx) shows the differences in the default root profile folder structure between V1 and V2 profiles.

TABLE 5-3  Profile Folder Structures of V1 and V2 Profiles

V2 PROFILE FOLDERS (WINDOWS VISTA AND LATER)   V1 PROFILE FOLDERS (WINDOWS XP AND WINDOWS SERVER 2003)
Now AppData\Roaming                            Application Data
Contacts                                       Not Applicable
Desktop                                        Desktop
Downloads                                      Not Applicable
Favorites                                      Favorites
Links                                          Not Applicable
Documents                                      My Documents
Music                                          In My Documents
Pictures                                       In My Documents
Videos                                         Not Applicable
Saved Games                                    Not Applicable
Searches                                       Not Applicable
Tracing                                        Not Applicable
Now in AppData folder                          My Recent Documents
Now in AppData folder                          NetHood
Now in AppData folder                          PrintHood
Now in AppData folder                          Send To
Now in AppData folder                          Start Menu
Now in AppData folder                          Templates
Now in AppData folder                          Local Settings
Now in AppData folder                          Cookies

As you might have noticed in Table 5-3, the Local Settings folder from V1 profiles does not exist in V2 profiles, and many V1 profile folders are now consolidated under the AppData folder in V2 profiles. Why does this reorganization of data matter?
One big accomplishment of the V2 profile reorganization is that machine-specific data is now separated from user-specific data. V1 profiles kept machine-specific and user-specific data scattered through the profile. V2 profiles sort this data and do a better job of separating user-specific data from data that is either too large to roam with the user or is specific to a particular machine and therefore should not roam.
In V2 profiles, the AppData folder now has three subfolders that separate this kind of data:
■ AppData\Roaming  Data that is user-specific and should roam with the user profile.
■ AppData\Local  Data that is either machine-specific or too large to roam with a user's profile folder, for example, an Outlook OST file.
■ AppData\LocalLow  Data for "low-integrity" apps to store data, meaning processes that run at low integrity level (such as Internet Explorer in Protected Mode) and are therefore denied write access to the rest of the profile.
Table 5-4 (which was adapted from the Microsoft "Managing Roaming User Data Deployment Guide") shows where certain V1 profile data is stored in the V2 profile structure.

TABLE 5-4  Data Storage Reorganization from V1 to V2 Profiles

V2 PROFILE DATA LOCATIONS                                      V1 PROFILE DATA LOCATIONS
…\AppData\Local                                                Local Settings\Application Data
…\AppData\Local\Microsoft\Windows\History                      Local Settings\History
…\AppData\Local\Temp                                           Local Settings\Temp
…\AppData\Local\Microsoft\Windows\Temporary Internet Files     Local Settings\Temporary Internet Files
…\AppData\Roaming\Microsoft\Windows\Cookies                    Cookies
…\AppData\Roaming\Microsoft\Windows\Network Shortcuts          NetHood
…\AppData\Roaming\Microsoft\Windows\Printer Shortcuts          PrintHood
…\AppData\Roaming\Microsoft\Windows\Recent                     Recent
…\AppData\Roaming\Microsoft\Windows\SendTo                     Send To
…\AppData\Roaming\Microsoft\Windows\Start Menu                 Start Menu
…\AppData\Roaming\Microsoft\Windows\Templates                  Templates

NOTE  The "Managing Roaming User Data Deployment Guide" is available at
http://technet.microsoft.com/en-us/library/cc766489%28WS.10%29.aspx.

Because V1 profiles and V2 profiles are so different, you can't use the same profiles for Windows Server 2008 R2 RD Session Host servers that you did for terminal servers running Windows Server 2003 or Windows XP VMs. The structures of the profiles don't match.
You'll learn later in this chapter how to allow Windows Server 2003 and Windows Server 2008 profiles to coexist. (See the section entitled "Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles" later in this chapter.) This is important both for supporting mixed deployments of terminal servers running Windows Server 2003 and Windows Server 2008 R2 RD Session Hosts, and for supporting Windows 7 VM pools and Windows XP VM pools. (The changes to the profile structure between the operating systems are one reason why you should not combine Windows 7 and Windows XP VMs in the same pool.)

Introduction to Folder Redirection


Although these data folders are stored by default in the user's profile folder, they don't have to be. In fact, in most cases, it's best if some of them aren't. Here's why.
First, keeping user data within the profile folder increases the profile size. Assuming that you're storing profiles on a central share instead of on individual RD Session Host servers (and, for reasons you'll see shortly, this is a good assumption), this can slow logons. A large profile increases the time that it takes for users to log on and log off (because the data in the profile must be cached on the RD Session Host server). In Windows Server 2008 R2, if the profile cache on a server exceeds the quota allocated to the profile cache, it will delete the least recently used profiles, but there's still no reason to fill the cache with user data.
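As an added example that is not part of the book, the following PowerShell walks a roaming profile share, tells V1 from V2 profiles by the .V2 suffix described above, and reports each profile's total size alongside the size of its NTUSER.DAT, the one part that Folder Redirection cannot move and that is copied in full at every logon and logoff. The share name \\fileserver\Profiles$ and the 30 MB threshold are assumptions. The account running it needs access to the profile folders; by default only the owning user has that unless the Group Policy setting that adds the Administrators group to roaming user profiles was enabled before the profiles were created.

```powershell
# Added example, not from the book: inventory a roaming profile share so oversized
# profiles (slow logon/logoff) and mixed V1/V2 folders can be spotted.
function Get-RoamingProfileInventory {
    param(
        [string]$Share = '\\fileserver\Profiles$',   # assumed share name
        [int]$WarnAboveMB = 30                        # arbitrary threshold for illustration
    )

    Get-ChildItem -Path $Share -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder  = $_
        $version = 'V1'
        if ($folder.Name -match '\.V2$') { $version = 'V2' }   # Vista/2008 and later append .V2

        # Total bytes in the profile, hidden files included (NTUSER.DAT is hidden).
        $total = (Get-ChildItem -Path $folder.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.PSIsContainer } |
                  Measure-Object -Property Length -Sum).Sum
        if (-not $total) { $total = 0 }

        # The registry hive is what cannot be redirected; it travels whole every time.
        $hive      = Join-Path -Path $folder.FullName -ChildPath 'NTUSER.DAT'
        $hiveBytes = 0
        if (Test-Path -Path $hive) { $hiveBytes = (Get-Item -Path $hive -Force).Length }

        $sizeMB = [math]::Round($total / 1MB, 1)
        New-Object PSObject -Property @{
            Profile  = $folder.Name -replace '\.V2$', ''
            Version  = $version
            SizeMB   = $sizeMB
            NtuserMB = [math]::Round($hiveBytes / 1MB, 2)
            TooLarge = ($sizeMB -gt $WarnAboveMB)
            Path     = $folder.FullName
        }
    }
}

Get-RoamingProfileInventory |
    Sort-Object SizeMB -Descending |
    Format-Table Profile, Version, SizeMB, NtuserMB, TooLarge -AutoSize
```

Two things to read from the output: the same Profile name appearing once as V1 and once as V2 means that user reaches both Windows Server 2003 terminal servers (or Windows XP VMs) and Windows Server 2008 R2 hosts, so the coexistence section later in this chapter applies; and a large SizeMB next to a small NtuserMB means most of the bulk is data that Folder Redirection could move out of the profile.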


Second, if you're using mandatory profiles and you don't redirect folders outside the profile folder, users will not be able to save files to the standard personal folders such as Documents. The files will look like they're saving, but they won't be retained after logoff. This will cause users a great deal of grief and bring you many unsolvable calls to the Help desk.

NOTE  The Recycle Bin is a hidden file in the root of the profile folder. You can’t redi-
rect it, and even if you’re using mandatory profiles, you will still be able to send files to
the Recycle Bin.

The third reason applies to VMs, whether pooled or personal. In the case of a personal desktop, saving files locally preserves them, but it complicates file restore because the files are stored in the VM. To restore the files saved on the local VM, you'd need to restore the VM from backup. Saving the files separately makes it easier to restore them, and the easiest way to do that is to enable Folder Redirection. In the case of pooled VMs, Folder Redirection is essential. As with mandatory profiles, saving files to local folders on a pooled VM can lead to lost data. As discussed in Chapter 4, "Deploying a Single Remote Desktop Virtualization Host Server," the most common configuration for pooled VMs is to roll back changes at user logout so the VM remains pristine. That rollback means that any documents saved to the VM would be lost. (Some ISV solutions actually delete the VM on each use and re-create it, which has the same effect.)
For these reasons, it's good practice to use Folder Redirection with RDS, whether connecting to VMs or sessions. You'll learn how to do this in the section entitled "Centralizing Personal Data with Folder Redirection" later in this chapter. For now, just know that redirecting profile folders means just that: storing profile subfolders, and the data within them, outside the main root profile folder.

How Virtualization Complicates Storing User Configuration and Files


This topic will be discussed a lot in this chapter, but to begin, you need to be very clear about why virtualization complicates user profiles and the way users store data. Fundamentally, it's because profiles were originally designed for logging into one place at a time, and when using RDS, you might be logged into more than one remote session.
RDS supports five remoting work scenarios:
■ RemoteApp programs running from an RD Session Host server and displayed alongside locally running applications
■ RemoteApp programs running from a VM (most often a Windows XP VM)
■ A full desktop session on an RD Session Host server
■ A pooled VM, which might be running any version of a Windows client operating system
■ A personal VM, which might be running any version of a Windows client operating system


Figure 5-3 shows the intricate matrix of user profiles and redirected folders for users who access multiple desktop and RDS environments.

[Figure 5-3: a file server holding Personal VM Roaming Profiles, Windows 7 Pool Roaming Profiles, Windows XP Pool Roaming Profiles (V1), an RDS Mandatory Profile, RD Session Desktop Roaming Profiles and Redirected Folders, serving Personal VMs, Windows 7 Virtual Desktop Pools, Windows XP Virtual Desktop Pools, an RD Session Host Farm and physical Desktops.]

FIGURE 5-3  Providing a consistent environment for RDS environments becomes more complicated with virtualization.


So what does it mean to have all these virtualization environments available?
Using more than one or two types of virtualization can lead to profile proliferation. It's relatively simple if you use one type of virtualization. For example, if you normally work from a desktop running Windows 7 and use RemoteApp for Hyper-V to run a couple of Windows XP applications as RemoteApp programs, then you will have two profiles: one for the RemoteApp session and one for local use. Add a session to that and you could potentially have three profiles to manage. Similarly, the more server farms that a person will need to access to run RemoteApp programs, the more likely that she will have multiple copies of her profile open at once. This is a good argument against farm proliferation.
Operating systems that use V1 profiles can technically use the same V1 profile (and the same goes for operating systems that use V2 profiles). Whether this is a good idea depends on whether the settings in the profiles are appropriate to both local and remote sessions. Also, keep in mind that if you have a copy of your profile open in two sessions, then you might lose changes if you edit both copies.

Storing Profiles
By default, when you log on to a computer running Windows 7 for the first time (unless you've set up roaming profiles), you'll create a new profile in its local profile directory (%SystemDrive%\Users). This profile directory will have your name as a logon alias; it will contain your folders and NTUSER.DAT (which is a hidden file, so you won't see it unless you've enabled viewing hidden files). If left alone, thereafter you'll store everything in that location. Documents will default to Documents, images will default to Pictures, and where music is stored by default is left as an exercise for the reader. All will be well so long as that's the only computer you use. If it's not the only computer you use, however, life gets somewhat more complicated.
Thus far, you have learned how to set up only a single RD Session Host server. However, to provide redundancy and better scale, you'll need to have multiple RD Session Host servers organized into a farm. When a user logs on to an RD Session Host server farm, the connection is passed from an RD Session Host server to the RD Connection Broker. If the user trying to connect has no current sessions, the RD Connection Broker picks the RD Session Host server with the lowest number of active sessions and sends the user there, as shown in Figure 5-4. Each time a user connects, the RD Connection Broker decides anew which server the user should connect to, based on the number of connections that each server is actively supporting and whether the user already has a session open somewhere. The user connects to the server with the fewest active connections or the one where the user already has an open session. It is likely (and highly recommended) that users will log off when not using their RD Session Host server session, so if you use local profiles for RD Session Host server sessions, then over time, a user will have a local profile on all the servers in the farm.


[Figure 5-4: a user connecting to an RD Session Host farm through the RD Connection Broker on Monday, Tuesday and Wednesday lands on RD Session Host Server 3, Server 2 and Server 1 respectively, and a local profile is created on each server in turn.]

FIGURE 5-4  If you use local profiles with RD Session Host or pooled VMs, a user could eventually have local profiles on every server in the farm or every VM.

This might not sound so bad. The user's logons will occur quickly because the profile isn't loaded from the network but rather from the local computer. But when the user makes a change here and there, over time, her desktop will look completely different depending on which RD Session Host server (or pooled VM) she logs on to. (If user data is part of the profile, that is, if you haven't redirected profile folders, the user will be even more confused because the data that she saved in one local My Documents folder won't be in another one.) If she makes a bad change, that change could well lead to a Help desk call that can be tricky to figure out until you determine to which RD Session Host server she is connected. This is especially true because the problem might vanish if the user logs off and then logs back on and the RD Connection Broker sends her to a different RD Session Host server.
To avoid this scenario, all the RD Session Host servers should use the same copy of the profile, which means that you need to use roaming (or mandatory) profiles stored on a network share. When a user logs on, the User Profile Service looks at the user account properties to see where the profile reserved for RD Session Host server sessions is kept and loads it from there.


When a user logs off, the profile is either deleted from the RD Session Host server or retained in the local cache, depending on the Group Policy settings applied to the RD Session Host servers. For faster logons, cache the profile. Just ensure that there's enough space on the hard disk holding the cache to support everyone who might need to cache their profile there.

Providing a Consistent Environment


The ways in which you can provide applications to users have grown, and keeping the user experience consistent across these different environments has become even more complicated. Now you must design and implement a profile strategy that takes into account the following:
■ Users can use more than one endpoint type at the same time.
■ Microsoft VDI can include both V1 (in Windows XP) and V2 profiles (in Windows Vista and later).
■ One user can have multiple profiles.

Expect Multiple Profiles


As you offer more ways to present applications to users, delivering user configuration data in the profile gets more complicated. For example, instead of having users logging onto a single desktop and doing all of their work on that local machine, you can now offer full desktops in a session, RemoteApp programs, personal VMs, pooled VMs, and even RemoteApp programs from VMs. Each of these application delivery solutions has a unique environment, and therefore, when using RDS, we recommend implementing different user profiles for each of these unique environments. The problem with this is that users expect to have the same experience wherever they log on. This is not really possible when users have multiple unique environments.

The Last Write Wins


The benefits of having multiple profiles far outweigh the drawbacks. Implementing a unique profile for each environment helps to overcome the "Last Write Wins" problem. This is exactly what it sounds like. If a user logs on to multiple places (multiple RDS farms, for example) and those farms have all been set up so that the user utilizes a single roaming profile, then that single roaming profile gets overwritten each time the user logs off each farm. Each time the profile used in a session is copied back to the roaming profile share, it overwrites what was previously there.
The user profile is made of both folder data and registry data. You might not experience much data getting overwritten in the folder areas because you can open only certain files in certain environments (as shown in Figure 5-5). However, the user profile stored in HKCU is all contained in one file: NTUSER.DAT. As Figure 5-5 shows, if the user has a profile open in two different sessions, the second logoff will overwrite any changes saved to the profile at the first logoff.


[Figure 5-5: Adam Barr's roaming profile on the file server holds Documents (Document X and Document Y), ..\AppData\Application X, ..\AppData\Application Y and NTUSER.DAT. The profile is cached in each logged-on location. Adam logs off the RDS farm session running Application Y first and the whole NTUSER.DAT is overwritten; he then logs off the session running Application X second and NTUSER.DAT is overwritten again: Last Write Wins.]

FIGURE 5-5  The Last Write Wins.

For this reason, we recommend creating multiple farms only when necessary.
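The two-session scenario in "How Profile Changes Are (Not) Merged" and the Last Write Wins description above are the same condition seen from two sides: one account with the same roaming profile open in more than one session. As an added example (not from the book), the following PowerShell runs quser against every RD Session Host server in a farm and flags any account with more than one active or disconnected session across the farm, which is exactly the situation in which one logoff will overwrite the other's NTUSER.DAT. The server names are assumptions; quser /server needs the Remote Desktop Services RPC interface reachable on each host and an account permitted to query sessions there.

```powershell
# Added example, not from the book: find users who have a session open on more
# than one RD Session Host server (the Last Write Wins precondition).
$farmServers = 'RDSH01', 'RDSH02', 'RDSH03'     # assumed server names

function Get-FarmSession {
    param([string[]]$Servers)
    foreach ($server in $Servers) {
        # quser prints a header line, then one line per session. A disconnected
        # session has no SESSIONNAME column, so parse by regex rather than by position.
        $lines = quser /server:$server 2>$null
        if (-not $lines) { continue }               # unreachable host, or no sessions
        foreach ($line in ($lines | Select-Object -Skip 1)) {
            if ($line -match '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>Active|Disc)') {
                New-Object PSObject -Property @{
                    User    = $matches['user'].ToLower()
                    Server  = $server
                    Id      = [int]$matches['id']
                    State   = $matches['state']
                    Session = $matches['session']
                }
            }
        }
    }
}

$sessions = Get-FarmSession -Servers $farmServers

# Group by user: anyone with two or more sessions across the farm has two copies of
# the same roaming profile open, and the later logoff will win.
$sessions | Group-Object User | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("{0} has {1} sessions: {2}" -f $_.Name, $_.Count,
        (($_.Group | ForEach-Object { "$($_.Server)/$($_.Id) ($($_.State))" }) -join ', '))
}
```

Disconnected sessions are counted on purpose: a disconnected session still holds its copy of the profile in memory and will write it back whenever it is finally logged off, so it overwrites the share just as an active one does.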

Design Guidelines for User Profiles


Each of the following affects how you save user-specific configuration settings and data for use with RDS:
■ Local profiles generally aren't suited to deployments of more than one RD Session Host server because the user experience will be different on every RD Session Host server.
■ Large roaming profiles can increase logon and logoff times. The User Profile Service must copy the files to the endpoint and then copy them back to the profile share at logoff.
■ Storing files on a personal VM can complicate backups and restoring data.
■ Rollback reverts all changes to a pooled VM to the state when you took the snapshot.
■ Profile settings are stored as a flat file written back to the profile storage location at logoff.
The following sections explain how these facts affect your design.

Balance Flexibility and Lockdown


Local profiles aren't a good fit for RDS deployments larger than a single server. Storing local profiles on RD Session Host servers in a multi-server environment will cause the following problems:
■ It leads to an inconsistent user experience and can create problems that are hard to troubleshoot because they're linked to logging onto a specific RD Session Host server.
■ It fills up an RD Session Host server hard disk with duplicate copies of a profile (that is, the profile will be stored on each RD Session Host server that a user logs on to).
■ It requires that you back up the RD Session Host server because it now holds user data.
You have two remaining choices: roaming profiles and mandatory profiles. Neither choice is always appropriate. The option that you pick depends on the amount of control you want and have authority to implement.
Roaming profiles can be freely edited by their owners within the limits defined by Group Policy (discussed in Chapter 6, "Customizing the User Experience"). That is, if you've defined the wallpaper for a user group via Group Policy, that will be the wallpaper every time anyone in that user group logs on. If you haven't specified the wallpaper using Group Policy, anyone is welcome to change the wallpaper when connecting to the RD Session Host server. Like local profiles, roaming profiles store user configuration data in NTUSER.DAT.
Mandatory profiles differ from roaming profiles in that their owners can edit them, but any changes that they make will not be saved to the profile. This can speed up logoff times because nothing is written back to the network share where you've stored the mandatory profiles. More insidiously, mandatory profiles don't save any data to folders stored within the profile folder. You must use Folder Redirection if using mandatory profiles, if you want users to be able to save data to their personal folders. In fact, that's worth highlighting in a cautionary note.

CAUTION  If you use mandatory profiles or pooled VMs with rollback enabled, you
must configure Folder Redirection to allow users to save files to their personal fold-
ers that are part of their profiles.


The core choice between mandatory and roaming profiles is the tradeoff of flexibility versus control. Mandatory profiles eliminate the chance of a user making a bad change that can't be fixed by logging off and logging back on again. Mandatory profiles also speed logoff times because they don't need to be written back to the share.
However, mandatory profiles don't allow users the degree of personalization that many people have come to expect from Windows. In addition, mandatory profiles don't allow other applications to save data to the profile either. This means that some security applications that require giving users a private key, such as Encrypting File System (EFS), don't work with mandatory profiles: the user's EFS certificate and private key live inside the profile (under AppData\Roaming\Microsoft), so a key generated during a session is discarded at logoff and files encrypted in that session cannot be opened in the next one. The choice will depend on your corporate culture, your need to use applications that require private keys, and the ability of the IT department to control the desktop.

ON THE COMPANION MEDIA  One solution to the choice between roaming pro-
files and mandatory profiles is not to choose. Use mandatory profiles and combine
them with a mechanism that allows users to save selected settings and have them
applied at logon. Windows Server 2008 does not include this functionality, but
several RDS ISVs or consulting partners do. You can find an example of this function-
ality—a tool named Flex Profiles—from the following link on the companion media:
http://www.immidio.com/flexprofiles.

Use Folder Redirection


Whether you're using roaming profiles or mandatory profiles, it's best practice to use Folder Redirection with sessions or pooled or personal VMs.
If you're using roaming profiles, Folder Redirection will ensure that the profile stays small. A large profile will slow both logon and logoff times. The fastest approach is to use local profiles, but for reasons already discussed, you don't want to combine local profiles with RD Session Host servers.
If you're using mandatory profiles, then use Folder Redirection selectively. Any folders stored in the profile folder will effectively become read-only: changes are accepted during the session and discarded at logoff. For some folders, this is very bad news because people won't be able to save their documents or pictures in their personal folders. But for some folders, this is exactly what you want. For example, if you don't want people to remove icons from the Start menu permanently, leave the Start Menu folder in the profile folder. See the section entitled "Centralizing Personal Data with Folder Redirection" later in this chapter for how to implement Folder Redirection.

Compartmentalize When Necessary


It is generally best practice to maintain different profiles for different environments because different types of virtualization can have different user configuration requirements. Don't go crazy creating different profiles for every possible occasion, but make sure your profile plan supports the various ways people use RDS. Compartmentalizing can also help avoid accidental overwrites.
■ You might need V1 profiles to access terminal servers running versions of Windows earlier than Windows Server 2008, and V2 profiles to access RD Session Host servers.
■ Implement roaming profiles for use with VM pools to keep the user experience consistent and avoid losing profile changes to rollback.
■ Personal VMs can use a local profile for faster logons.
■ To avoid the Last Write Wins problem, avoid users opening the same profile on multiple machines at the same time.

Prevent Users from Losing Files on the Desktop


There are a couple of cases where it's really important to prevent users from saving files to the desktop.
Users can lose, or misplace, data when using RemoteApp programs if you're not careful about Folder Redirection. Here's why. The Desktop folder contains everything that you can see on the desktop: files and shortcut icons. Many users are used to saving documents to the desktop. This is acceptable if you're actually seeing the full desktop, but if you're using RemoteApp programs, users don't see their desktop in the RD Session Host server session. Users could save data to the desktop and then not know where that data actually is because they can't see it. (They could open a document if they moved to the Desktop path when opening a file, but just double-clicking a document on the session desktop is not possible in this scenario.) To prevent users from saving files to the desktop, you can make the desktop read-only and trigger an error message if the user tries to save files to the desktop. To do this, you'll need to do the following:
■ Redirect the Desktop folder to an external share.
■ Set the permissions on this external share to read-only.

NOTE  For instructions on how to create a read-only desktop, read the section entitled
”Creating a Safe Read-Only Desktop” later in this chapter.
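As an added example (not the book's own procedure), the following PowerShell pre-creates one user's redirected Desktop folder on the share and sets its NTFS permissions so that the user can read and run what is there but cannot create, change or delete anything, which is what makes a save to the desktop fail with an error instead of silently hiding the file. The share \\fileserver\Desktops$, the domain CONTOSO and the user adam are assumptions. For this to hold, the Folder Redirection policy for Desktop must have "Grant the user exclusive rights" cleared (otherwise the redirection extension expects the user to own the folder and will not accept your ACL), and the share root must still let users traverse to their own folder.

```powershell
# Added example, not from the book: pre-create a user's redirected Desktop folder
# and make it read-only for that user, so "Save to Desktop" fails loudly instead of
# silently dropping the file where a RemoteApp user cannot see it.
$root   = '\\fileserver\Desktops$'    # assumed share; Folder Redirection targets <root>\<username>
$domain = 'CONTOSO'                   # assumed domain
$user   = 'adam'                      # assumed user

$folder = Join-Path -Path $root -ChildPath $user
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Break inheritance from the share root so the user does not inherit Modify from there,
# then grant: user read/execute only; SYSTEM and Administrators full control.
# (OI)(CI) make each entry apply to files and subfolders created later.
icacls $folder /inheritance:r
icacls $folder /grant "${domain}\${user}:(OI)(CI)RX"
icacls $folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F'

# Check: the user's entry should show (OI)(CI)(RX) and nothing else.
icacls $folder
```

Test it as the user after the next logon: right-click the session desktop (or save from a RemoteApp program to Desktop) and confirm Windows reports access denied rather than creating the file. If you later want shortcuts on that desktop, place them as an administrator; the user will see them but cannot remove them.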

If you keep the Desktop folder in the profile folder and use mandatory profiles, then people can save files to the desktop as long as they are logged on. When the user logs off, however, no changes are saved, including saved files on the desktop. The same thing will happen to users of VM pools with rollback enabled; anything saved by the user to the VM during each session will be discarded once the VM snapshot is invoked.
In both cases, redirect the desktop to a folder so users can save data there without it being discarded at logoff.

NOTE  For instructions on implementing Folder Redirection, see the section “Centralizing
Personal Data with Folder Redirection” later in this chapter.


Upload Profile Registry Settings in the Background
NTUSER.DAT is updated only when a user logs off. A user who does not log off isn’t saving
changes. This can lead to data loss. A new policy in Windows Server 2008 R2 enables this file
to be uploaded while the user is logged on, as follows:

Computer Configuration\Administrative Templates\System\User Profiles\Background
upload of a roaming user profile’s registry file while user is logged on

Configure the setting to upload NTUSER.DAT on a set schedule (at a certain time of day) or
at a set interval, designated in hours.

NOTE  This setting does not upload any other profile data, just the contents of HKCU.

Speed Up Logons
People are sensitive to the amount of time it takes to log on to a session. If it takes too long,
you’ll have problems with people leaving their sessions open rather than logging off. This is
a security risk, has the potential to lock files that more than one person might need to edit,
and keeps processes open on the RD Session Host server. You can disconnect and terminate
sessions forcibly using Group Policy, but this has other drawbacks.
To encourage people to log off, make the logon process as painless as possible. You’ve
already learned about using Folder Redirection to minimize the size of a profile. To speed
things up, you can also employ Group Policies to do the following:
■ Cache roaming profiles
■ Limit the amount of time an RD Session Host server or VM will try to load the user
profile before using a temporary profile
■ Set an upper limit on the size of a user profile
■ Process group policies asynchronously

New to Windows Server 2008: Speeding Up Logoffs

Speeding up logons is important, but when it’s Friday afternoon and you want to
get out of the office, logoffs are just as important. There are two ways in which
Windows Server 2008 and later help logoffs take less time.

You can limit the size of a profile using Group Policy (and help this limit by redirect-
ing the folders out of the profile). This policy, Limit Profile Size, is set per user and
is located in User Configuration\Policies\Administrative Templates\System\User
Profiles.

Prior to Windows Server 2008, there was a nasty catch when it came to profile
quotas: Windows was serious about enforcing this limit. If you made your roaming

profile larger than Group Policy allowed, Windows would prevent you from logging
off until you made the profile smaller. In Windows Vista and later, you can log
off, but if the profile is larger than the size permitted by Group Policy, the profile
changes won’t get written back to the roaming profile storage area.

Before Windows Server 2008, another issue that could delay logoffs (or prevent you
from unloading your roaming profile altogether) was applications or drivers that
left handles to the registry open (in other words, they started to use it but never
broke the connection). Microsoft had a separate tool called the User Profile Hive
Cleanup Service (in an application called UPHClean) that checked for these open
handles and closed them so users could log off. In Windows Server 2008 and later,
UPHClean functionality is handled by the User Profile Service.

Caching Roaming Profiles


To reduce the time that it takes to log on to an RD Session Host server, the server will cache
the roaming profiles. Ordinarily, RD Session Host servers attempt to retrieve the roaming
profile from its central location. In cases when the network connection to the profile server
is too slow or not working, however, being able to log on with a locally cached copy of your
profile can at least speed things up. Caching stores a copy of the profile on the RD Session
Host server. This profile cache isn’t used if the original roaming profile is available, but it can
speed up logons in the case of slow or absent network connections.
Caching profiles is not without its drawbacks. It consumes hard disk space on the RD
Session Host server. It can also prevent new users from logging on if the space allocated to
cached profiles gets filled up. If you do cache profiles, make sure that you’ve got sufficient
space for your user base and use Group Policy to delete profiles that aren’t being used.

CAUTION  Don’t delete user profiles from the RD Session Host server using
Windows Explorer or the delete command-line tools, because this does not clean
up the registry entries associated with the profile and can affect the user’s ability to
log on again. Configure the RD Session Host servers with Group Policy to delete any
profiles unused for a given period.

Process Group Policy Asynchronously


Caching user profiles also means that you can use asynchronous processing of Group Policy, a
policy processing mode introduced in Windows Server 2008. You can apply Group Policy
synchronously or asynchronously. If you apply it synchronously (the default mode for a server),
logon doesn’t complete until the Group Policy settings that apply to that user are applied. If

you apply Group Policy asynchronously (the default action for a desktop), the user can log on
while Group Policy is being applied. Asynchronous processing can lead to changes in the user
environment after users have logged on but will speed up logon times if Group Policy
processing is slowing things down. For a review of the connection process, see Chapter 3, “Deploying
a Single Remote Desktop Session Host Server.”
Allow asynchronous Group Policy processing by enabling the following Group Policy
setting:

Computer Configuration\Policies\Administrative Templates\System\Group Policy\
Allow Asynchronous User Group Policy Processing When Logging On Through Remote
Desktop Services

This policy works only when logging on to an RDS session host. It’s not needed when
logging on to desktop pools, because a desktop operating system already processes Group
Policy asynchronously by default.

Deploying Roaming Profiles with Remote Desktop Services

This section discusses managing roaming profiles in an RDS environment, including the
following:
■ Creating roaming profiles
■ Converting an existing local profile to a roaming profile
■ Creating a default network profile
■ Using Group Policy to set up the roaming profile storage area automatically
■ Implementing a Group Policy infrastructure that supports these policies, including
security filtering and loopback policy
■ Managing roaming profiles cached on the RD Session Host servers

Creating a New Roaming Profile

To implement roaming profiles, you will need to:
1. Create a network share in which to store the roaming profiles.
2. Configure the user accounts (through Active Directory Users And Computers or Group
Policy) to use roaming profiles.
3. Have each user log on and create the roaming profile.
First, create a shared network location to store the roaming profiles. On the file server,
create a new folder and set the appropriate NTFS and share permissions, using the guidelines
in Table 5-5.

TABLE 5-5  Recommended Share and NTFS Permissions for an RDS Roaming Profiles Storage Folder

USER ACCOUNT                        PERMISSION TYPE   NTFS PERMISSIONS
Authenticated Users group           Share             Full Control
Creator Owner                       NTFS              Full Control, subfolders and files only
Local System                        NTFS              Full Control on this folder, subfolders, files
User/Group whose profiles will be   NTFS              List Folder Content/Read, Create Folders/Append Data,
stored in the folder                                  all on this folder only
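The permissions in Table 5-5 applied with PowerShell, as an added example that is not the book’s own script: the folder path, the share name and the group CONTOSO\RDS Profile Users are placeholders, and the table’s List Folder Content/Read and Create Folders/Append Data entries are mapped to the advanced NTFS rights ListDirectory and CreateDirectories.

```powershell
# Added example (not from the book): create the roaming profile storage folder on the
# file server and apply the share and NTFS permissions recommended in Table 5-5.
# Placeholders, change for your environment:
$ProfileRoot       = 'D:\RDS-Roaming-Profiles'      # folder that will hold the profiles
$ShareName         = 'RDS-Roaming-Profiles$'        # share name (hidden share)
$ProfileUsersGroup = 'CONTOSO\RDS Profile Users'    # users whose profiles live here

New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null

function New-Ace {
    # Builds one NTFS Allow ACE; the strings are converted to the .NET flag enums.
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    $rights  = [System.Security.AccessControl.FileSystemRights]$Rights
    $inhFlag = [System.Security.AccessControl.InheritanceFlags]$Inherit
    $prpFlag = [System.Security.AccessControl.PropagationFlags]$Propagate
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $rights, $inhFlag, $prpFlag, 'Allow'
}

$acl = Get-Acl -Path $ProfileRoot
# Stop inheriting ACEs from the parent folder and drop the inherited ones, then remove
# any remaining explicit ACEs, so that only the Table 5-5 entries remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

# Creator Owner: Full Control on subfolders and files only (InheritOnly keeps it off the root),
# so each user ends up with full control of the profile folder the service creates for them.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Local System: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Profile users: List Folder/Read Data plus Create Folders/Append Data on this folder only,
# which is enough to create their own profile folder but not to read anyone else's.
$acl.AddAccessRule((New-Ace $ProfileUsersGroup 'ListDirectory, CreateDirectories' 'None' 'None'))
Set-Acl -Path $ProfileRoot -AclObject $acl

# Share permissions: Authenticated Users get Full Control on the share; the NTFS ACL above
# is what actually limits what each user can see and do.
if (Get-Command New-SmbShare -ErrorAction SilentlyContinue) {
    New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess 'Authenticated Users' | Out-Null
} else {
    # Windows Server 2008 R2 has no SmbShare module; net share does the same job.
    & net share "$ShareName=$ProfileRoot" "/grant:Authenticated Users,FULL" | Out-Null
}

# Verify: the listing should show exactly the three NTFS entries from Table 5-5, none inherited.
(Get-Acl -Path $ProfileRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Run it once on the file server as an administrator; the Domain Admins entry discussed later in this section can be added with another New-Ace call if you want administrators to be able to clean up profiles.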

DIRECT FROM THE SOURCE

How Profile Folders Are Named


Sergey Kuzin
Software Development Engineer II

The way that a user’s profile folder is named depends on the circumstances in
which it’s created. The user My Name (with user name Myname) with an ac-
count in Domain1 will store his profile in one of two places: \RDS-Roaming-Profiles\
Myname or \RDS-Roaming-Profiles\Myname.Domain1.

The best case is to add the domain name to the profile path; this disambiguates
the path when there are two (or more) users with the same name living in different
domains. For example, in a large corporate network, you might have Domain1\
Myname (that’s me) and Domain2\Myname (some other user). When Domain1\
Myname logs on to a legacy terminal server the profile created for him will be
…\Myname. If Domain2\Myname later wants to store his profile on the same server,
he will have a problem. That’s why you add .domain to the profile path, so that users
with the same name but from different domains would have different profiles. So
ideally, you always want to add .domain to the profile path.

But then, what do you do with profiles that were created before you made this
change and don’t have .domain in the name? Leave them as is. But in this case, how
do you know which user this particular profile belongs to? You use permissions to
determine that. When the User Profile Service creates a new profile, it gives full
control to the user whom this profile is created for. So, if Domain1\Myname has
explicit full control permission to the …\Myname folder, then this profile belongs
to me and not to Domain2\Myname. That’s why you have this logic when creating
profile names.

Here is the logic you use to create the profile path.

1. Attempt to locate the …\username.domain path. If it exists and the user has
explicit permissions to it, then use it.

2. If the user does not have explicit Full Control access to …\username.domain or
this folder does not exist, then try to access …\username.

3. If …\username exists and the user has explicit permissions to it, then use it.

4. If the user does not have explicit Full Control access to …\username or the folder
does not exist, then use …\username.domain.

As you can see, by default you always create the folder with …\username.domain.
Only when the …\username folder exists and the user has explicit Full Control ac-
cess to it do you use it. Again, it’s always best to include the domain name in the
profile path so that two people with the same user name with accounts in different
domains can store their profiles in the same central share.
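The four-step lookup above modelled in PowerShell, as an added example that is neither Sergey Kuzin’s code nor the User Profile Service’s implementation: it assumes the profile root path and a DOMAIN\user account name as inputs (the NetBIOS domain name, which is what the ACL reports), and it ignores the .V2 suffix that Windows Server 2008 profiles carry.

```powershell
# Added example: models the profile folder selection logic from the sidebar against a share.
# Not the User Profile Service's code. Assumptions: $ProfileRoot is a path you can read,
# $Domain is the NetBIOS domain name, and the .V2 suffix is left out for clarity.

function Test-ExplicitFullControl {
    param([string]$Path, [string]$Account)
    # "Explicit" means a non-inherited Allow ACE for exactly this account granting Full Control;
    # an inherited entry (for example from a Domain Admins ACE on the root) does not count.
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }   # -ne is case-insensitive
        if ((([int]$ace.FileSystemRights) -band $full) -eq $full) { return $true }
    }
    return $false
}

function Resolve-ProfileFolder {
    param(
        [Parameter(Mandatory=$true)][string]$ProfileRoot,  # e.g. \\fileserver\RDS-Roaming-Profiles
        [Parameter(Mandatory=$true)][string]$UserName,     # e.g. Myname
        [Parameter(Mandatory=$true)][string]$Domain        # e.g. Domain1
    )
    $account    = "$Domain\$UserName"
    $withDomain = Join-Path $ProfileRoot "$UserName.$Domain"
    $legacy     = Join-Path $ProfileRoot $UserName

    # Steps 1-2: username.domain wins when it exists and is provably this user's folder.
    if ((Test-Path -LiteralPath $withDomain) -and (Test-ExplicitFullControl $withDomain $account)) {
        return $withDomain
    }
    # Step 3: a pre-existing legacy username folder is reused only if this user holds explicit
    # Full Control on it; that is what tells Domain1\Myname's folder apart from Domain2\Myname's.
    if ((Test-Path -LiteralPath $legacy) -and (Test-ExplicitFullControl $legacy $account)) {
        return $legacy
    }
    # Step 4: otherwise the disambiguated name is used (and created at first logon).
    return $withDomain
}

# Usage (paths are placeholders):
# Resolve-ProfileFolder -ProfileRoot '\\fileserver\RDS-Roaming-Profiles' -UserName 'Myname' -Domain 'Domain1'
```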

When you’ve set up the profile location, configure the user account to use roaming
profiles. This process varies slightly for profiles used with RD Session Host servers and for profiles
used with pooled and personal VMs. You will see these differences as you step through this
process. It’s easiest if you configure this via Group Policy, but you will also see how to do it on
a per-user basis.

Remote Desktop Session Host

To configure a user account to use roaming profiles, perform the following steps:
1. Open Active Directory Users And Computers, right-click a user’s account, and choose
Properties.
2. For Remote Desktop Session Host situations, navigate to the Remote Desktop Services
Profile tab and type the Profile Path location using the format \\servername\share
name\%username%.DomainName, as shown in Figure 5-6.
The variable %username% inserts the user account name into the profile path, so you
don’t have to customize the path for each person when adding new accounts manually or
through a script. You don’t need to add the V2 extension to this path, either; it will be added
automatically because the profile will be a 2008 version profile. The next time the user logs
on to the RD Session Host server, he will use the roaming RDS profile.

FIGURE 5-6  Enter the Remote Desktop Services profile path.

NOTE  Windows Server 2008 and later and Windows Vista profiles have a .V2 extension.
Older operating systems use V1 profiles, which have no extension associated with the
profile folder name.

Virtual Machines
Pooled and personal VMs do not use Remote Desktop Services profiles. A pooled or personal
VM is really a virtualized client desktop and acts accordingly—that is, it uses regular profiles.
For these VM scenarios, enter the profile share’s UNC path on the Profile tab of the user
account Properties dialog box, shown in Figure 5-7.

FIGURE 5-7  Specify the profile used for pooled and personal VMs on the Profile tab, not the Remote
Desktop Services Profile tab.

When the user is configured to use roaming profiles, it’s time to create the profile. This
happens when the user first logs on to the RD Session Host server (or the pooled/personal
VM). When the user first logs on, the following happens:
1. The User Profile Service creates a profile folder for the user in the specified path.
2. The User Profile Service copies the default profile on the RD Session Host server or VM
to give the user a profile.
3. When the user logs off, the User Profile Service copies the profile to its storage
location in the specified network share. The user will be the owner of the folder and
therefore will be the only one to have access to the folder and its contents.
Although a user profile folder is for the user, if Administrators also have permissions they
can delete a corrupted profile or perform other maintenance easily. To permit this, give the
Domain Admins group Full Control NTFS rights to the parent folder, and pre-create roaming
profile folders for each user in the roaming profiles share. Make sure that the user has full
control of his profile folder, subfolders, and files and that the user is also the owner of the
folder. The simplest way to do this is to use Group Policy; if you keep your RD Session Host
servers or pooled VMs in their own organizational unit (OU), you can also create a computer
Group Policy object (GPO) with Loopback Processing enabled and give administrators access
to profile contents by enabling the following GPO setting:

Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add
The Administrators Security Group To The Roaming User Profile Share

For more information on Loopback Processing and using Group Policy to create and
manage RDS roaming profiles, see the section entitled “Using Group Policy to Manage Roaming
Profiles” later in this chapter.

DIRECT FROM THE FIELD

Managing Roaming Profiles Without Admin Access to the File Server
Bohdan Velushchak
Operations Engineer, MSIT

To use roaming profiles, you need a file server to store them on. In a smaller
deployment, you can have administrative rights to the file server as well as the
terminal servers, but enterprise deployments often segregate ownership. If you
aren’t an administrator of the file server, you can’t manage the folders directly—
you’ll need to ask the file server administrator. Even the Group Policy setting Add
The Administrators Security Group To Roaming User Profiles will not help if the RDS
administrator is not a member of the Administrators group on the file server. You
could lobby to become a member of the Administrators group on the file server,
but this is counter to Least Privilege Access principles.

You can resolve this situation with a logoff script. Use Icacls.exe to add the RDS
administrators to the user profile’s permissions during logoff, from the user’s security
context. This works because the user has full access permissions to her profile, so
she can add the necessary permissions for RDS Administrators. For example, the logoff
script might look like this.

Icacls.exe \\<profile root>\%username%.%userdomain%.v2 /grant <RDS Admins group>:F /T /Q

Add this script to each user through Group Policy: User Configuration\Windows
Settings\Scripts\Logoff Script. Now you can manage that profile folder.

There are two reasons to do this at logoff, not logon. First, if the user is logging
on for the first time, the profile folder might not yet exist, so the settings wouldn’t
apply until the second time. If the user never logged in again, you couldn’t delete
her profile without the help of the file server administrators. Second, if the profile
is large, it takes some time for Icacls.exe to go through the whole tree. Users do not
like long logon times, so why make them wait to start working? Let the script pro-
cess permissions when they’re done working and are less concerned about time.

Converting an Existing Local Profile to a Roaming Profile
Sometimes you will want to convert existing local profiles to roaming profiles. This can apply
if you are converting a traditional desktop deployment to an all-RDS deployment, and you are
willing to risk that the local profile settings are appropriate for the remote work environment.

NOTE  It’s often unwise to convert a local profile that a user has been using on a personal
desktop to a Remote Desktop Services roaming profile. The user might have administrative
access to her personal computer and could have installed numerous applications and made
many customizations that don’t apply to the shared (and more locked-down) world of RD
Session Host servers.

Converting local profiles to roaming profiles is really simple. Configure all user accounts to
use roaming profiles as described earlier, and specify that cached copies of the profile should
be deleted. When users log on to the server where their local profile resides and then log off,
their local profile will be copied to the network share that you specified. The cache on the
server will be deleted and only the roaming profile in the network share will remain.
You might have done this conversion in Windows Server 2008 using the Copy To button in
the User Profile Properties dialog box. This is no longer possible on a server running Windows
2008 R2 or a client running Windows 7—the button has been disabled.

DIRECT FROM THE SOURCE

Why the Copy To Button Is Disabled


Kyle Beck
Program Manager, Microsoft

The Copy To button is now disabled, because even though this button was used to
overwrite a profile with another profile, it was unsupported to use it to edit the
default profile. It was unsupported because the source profile was just copied whole-
sale into the default profile—the Copy To button performed a complete copy of ev-
erything in the source profile over the default profile. This could lead to errors in the
registry because references to the source user would persist on any new user created
from the new default profile. Because it was an unsupported method, its behavior was
updated; the default profile is now the only one that is copyable using this button.

The removal of this functionality doesn’t prevent you from converting local profiles to
roaming profiles or even overwriting one user’s profile with another’s. Removing the
functionality prevents you from overwriting the default user profile with another user profile. People
often overwrote the default user profile with a customized one from another user to deploy
customized profiles to new users. As described in the Direct from the Source sidebar entitled
“Why the Copy To Button Is Disabled,” doing this was unsupported (although popular) as far

back as Windows XP, because although this “worked” for many people, it actually was not a
clean process. It could lead to problems if that profile had been used at all, and it would also
“tattoo” the profile with inappropriate settings and naming, such as the following:
■ A list of that user’s frequently run programs
■ The user’s documents folders will be incorrectly called Administrator’s Documents
■ The user might have access to Administrative Tools (this is incorrect for regular users)
■ Windows 7 libraries will be broken

ON THE COMPANION MEDIA  There are other implications to overwriting the
default user profile with a user profile by way of the Copy To button. See this article
(also on the companion media) for more information: http://blogs.technet.com/deploymentguys/archive/2009/10/29/configuring-default-user-settings-full-update-for-windows-7-and-windows-server-2008-r2.aspx.
This article also discusses some options for customizing the default profile in Windows 7.

Customizing a Default Profile

Customizing the default profile is one way to ensure that all new RDS users start with the
same settings. The only supported method for customizing the default profile is to use the
Sysprep.exe tool (built into Windows 7 and Windows Server 2008 R2) to overwrite the default
profile with the profile that you are logged onto when you run Sysprep.exe. Here are the steps:
1. Log on as an administrator and customize the profile as needed. This is the profile that
will be copied over the default user profile.
2. Create an Unattend.xml file and add a line of code to it to tell it to copy the profile of the
user logged on over the default profile when the system reboots. The line you add is
<CopyProfile>true</CopyProfile>

The following is example code for a 64-bit version Unattend.xml file with the extra line
of code added:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
                   publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
                   xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <CopyProfile>true</CopyProfile>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="catalog:e:/clg files/64-bit/install_windows 7 ultimate.clg" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

3. Save this Unattend.xml file to C:\Windows\System32\Sysprep.
4. After you have the Unattend.xml file in place, open a command prompt and type the
following command:

sysprep.exe /oobe /reboot /generalize /unattend:unattend.xml

NOTE  The article at http://support.microsoft.com/kb/973289 explains how to do this,
but at the time of this writing, the syntax is incorrect. Use the one provided here.

After you run this command, the server will reboot. When it comes back up, the default
profile will be overwritten with the one that was logged in when you ran Sysprep. Now you
can highlight the default profile and use the Copy To button to copy the profile to a network
share to be used for roaming profiles.

CAUTION  Don’t run Sysprep on a production machine. The Sysprep command
resets the computer SID as well as eliminating system-specific data like the computer
name and the domain affiliation. It can also remove unique hardware drivers and
can reset the Windows activation key. If you are using VMs, then one workaround
is to take a snapshot of the VM before running Sysprep. After you are done running
Sysprep, rebooting, and copying the default profile to another location, apply the
snapshot and the VM will be rolled back to its prior state.

Creating a Default Network Profile

You have already learned (in the section titled “How Profiles Are Created” earlier in this
chapter) when a network default user profile would be used to create new user profiles. Using
a default network profile to create new roaming profiles might benefit your roaming profiles
implementation because it ensures that when new profiles are created, they all stem from the
same source.

Reasons Not to Create a Network Default Profile

Creating a network default profile can work well to deploy customized profiles in a
low-complexity environment. But it’s not always the best solution.

First, there is no way to distinguish when a network default profile should be used
to create a new roaming user profile. As discussed earlier in this chapter, in complex
remoting scenarios, it’s possible for people to have more than one remoting profile,
and if you point them to the same starting point, they will start with the same pro-
file in all scenarios. For example, a new profile created when the user logs on to a
Windows 7 pooled VM would stem from the same network default user profile that
is used to create a new user roaming user profile for use in an RD session host server

environment. Depending on how you implement profiles, this might or might not
be acceptable.

In short, Windows doesn’t allow you to specify more than one default profile loca-
tion. So unless it’s okay to use the same default profile to build all roaming profiles,
we recommend applying customizations through Group Policy or scripting.

Assuming that you can use a network default profile for all your scenarios, on Windows
2008 (and Windows 7) you can copy a local default profile to the NETLOGON share on a
domain controller, following these steps:
1. Log on to the server with an admin account.
2. From the Run box, browse to the domain controller: \\DOMAIN CONTROLLER\
NETLOGON.
3. Create a folder in the NETLOGON share and name it Default User.v2.
4. From Server Manager, click Change System Properties, navigate to the Advanced tab,
and then click the Settings button in the User Profiles section.
5. Select the Default Profile from the list of profiles stored on the server and click Copy To.
6. Browse to or type the network path \\DOMAIN CONTROLLER\NETLOGON\Default
User.v2.

BEST PRACTICE  Ensure that the profile doesn’t contain any unnecessary data. A large
default network profile will slow down the initial profile creation process because new
profiles have to pull this large amount of data across the network.

Using Group Policy to Manage Roaming Profiles

You’ve seen how to dictate who uses roaming profiles by setting this up on a per-user basis
in Active Directory Users And Computers. If you have more than a few users, it’s easiest to
create a GPO that dictates the RDS roaming profile location for everyone who logs on to a
farm. This section explains how to do this and how to set up the Group Policy infrastructure
that you’ll need.
The single most important part of successfully using roaming profiles with RD Session Host
servers is to set up the RD Session Host server environment OU and create the GPOs correctly.
Group Policy has many different uses, but it all comes down to making changes to many
computers or many users all at once.
There are two broad categories of Group Policy: computer settings and user settings.
Computer settings are applied at boot time, or on an RD Session Host server (see Chapter 2,
“Key Architectural Concepts for Remote Desktop Services,” for more details), when a session
starts (to apply the settings to the session). User settings are applied when the user logs on

to the session. Because settings are applied to users at logon, they don’t have to be saved as
part of a user’s account properties. Because they’re applied second, settings applied to a user
will control when there’s a conflict.
Because of the order in which user and computer Group Policy is applied, when
managing RD Session Host server settings, you’ll almost always use an additional GPO to enforce
loopback policy processing. In short, loopback policy reapplies the user-specific settings that
are placed on the OU where Loopback Processing is enabled after the normal user GPOs are
applied. The result is that settings placed on the RD Session Host server OU will always take
precedence in case of a conflict. If you have blocked GPO inheritance on the RDS OU, then
only the user policies that you place on the OU will be implemented for your users. You’ll find
out more about loopback policies in the section entitled “The Ins and Outs and Ins of
Loopback Policy Processing” later in this chapter.
There’s some overlap between the computer- and user-specific settings in Group Policy, but
you’ll generally find that you’ll need both to configure the users’ working environment. When
setting up an RD Session Host server environment, where it’s important not just that you are
logging on but that you’re using an RD Session Host server, you’ll definitely need both.

ON THE COMPANION MEDIA  The following explanations assume that you have
permission to manage Group Policy for your RD Session Host servers. If this is not
the case, you’ll need to provide the instructions to the administrator controlling
Group Policy for your organization and let him or her fit them into corporate
management policy. This is one way to organize your RD Session Host server GPOs,
but it is not the only possible model. GPO architecture is unique to the particular
situation. For example, for some organizations, blocking inheritance might not be an
option for business policy reasons. For more information on Group Policy modeling,
see “Design Considerations for Organizational Unit Structure and Use of Group
Policy Objects,” located at http://technet2.microsoft.com/windowsserver/en/library/2f8f18cf-a685-48db-a7be-c6401a8fb6341033.mspx?mfr=true. (This article
was written for Windows Server 2003, but it still applies.) You can also find the link
on this book’s companion media.

Controlling Group Policy Processing for an RDS Environment

When you have multiple users working on one computer, you need to control the
environment as much as possible. The easiest way to do this is to perform the following steps:
1. Put RD Session Host server farms and all VM pools into their own OUs.
2. Block inheritance of all GPOs that are not specifically enforced. (You might not have
this option, depending on company policy.)
3. Place computer and user GPOs on these OUs to specify the settings to be implemented
for each pool and farm.
Here’s how to do all this.

ORGANIZE FARMS AND POOLS INTO OUS
First, create an OU for each RD Session Host farm or VM pool. (Because all members of a farm
or pool are homogenous, they should all be in the same OU.) Open Active Directory Users
And Computers, right-click the domain, and choose New, Organizational Unit. Name it after
the farm (for example, RDSH Farm1) and then drag all computer objects in the farm or pool
into the OU (see Figure 5-8).

FIGURE 5-8  Create OUs for your RD Session Host server farms and VM pools.

BLOCK GPO INHERITANCE

Next, if possible in your organization, block GPO inheritance for this OU. This ensures that
only computer settings set by GPOs linked to this OU will apply to the computers in this OU. It
also ensures that with Loopback Processing enabled, only user settings set by GPOs linked to
this OU will be applied to users logging on to the computers in this OU; other GPOs set at the
domain or site level will not be applied.
To block inheritance for a farm or pool OU, open the Group Policy Management console
(GPMC; do this by clicking Start, Programs, Administrative Tools, and Group Policy
Management), right-click the RD Session Host server’s OU, and choose Block Inheritance. If possible,
also do this for your pooled VM OUs. Personal VMs can be controlled like this, but more likely
they will act as regular desktops in your environment and will be treated as such in the case of
Group Policy processing.

IMPORTANT  Company policy might prevent you from blocking inheritance. You can
still know exactly what policies are going to be applied to the users and computers in your
OUs; it will just take more effort because you will have to know about all Group Policies
applied at higher levels.

CREATE GPOS FOR USER AND COMPUTER SETTINGS

There are multiple ways to set up policies, but it is usually easiest if you separate computer-
and user-specific settings into different policies. Although one policy might contain both
user- and computer-specific settings, it’s simplest to isolate the two types of settings unless
your environment is very small or your user base is very homogenous. This allows you to
create a consistent model of RD Session Host server management while still allowing you the
flexibility to apply different policies to different groups of users and computers (that is, using
a GPO on multiple OUs if the functionality is needed in multiple places). Create two different
types of GPOs: a computer GPO and user GPOs, as shown in Figure 5-9.

(Figure 5-9 diagram contents)
Computer Policy, which affects all users who log on to any RD Session Host server or VM in the OU:
• Disable User portion of policy
• Enable Loopback Processing
• Set security filtering for computers in the group
User Group 1 Policy, User Group 2 Policy, ... User Group n Policy (create a different GPO for each terminal server user group, based on group needs); each one:
• Disable Computer portion of policy
• Set security filtering for that user group (User Group 1, User Group 2, ... User Group n)

FIGURE 5-9  Create separate user and computer GPOs for the RDS environment.

260  Chapter 5  Managing User Data in a Remote Desktop Services Deployment

To create the GPOs, open the GPMC (by clicking Start, Programs, and Administrative Tools). Right-click the Group Policy Objects folder in the left pane, found under your domain folder, and choose New to open the dialog box shown in Figure 5-10. Name the computer policy something descriptive, such as RDS Computer GPO, and then click OK.

FIGURE 5-10  Create an RD Session Host server computer policy.

Next, create another policy that will hold user-specific settings, naming it something like RDS User GPO. Click OK, and you will be back in the GPMC, with a list of available policy objects that includes the ones you just created, as shown in Figure 5-11.

FIGURE 5-11  Create computer- and user-specific GPOs.

Next, ensure that each GPO is specific to one type of settings: computer or user. This is optional, but it will give you more control over your RDS environment, and it also makes the GPO cheaper to process, because the Group Policy engine skips a disabled half entirely.
Click the Details tab in the upper portion of the right pane. Here, there's a GPO Status drop-down list with four options: All Settings Disabled, Computer Configuration Settings Disabled, Enabled, and User Configuration Settings Disabled. For your computer-specific GPOs, make sure that no user-specific settings will be applied by setting the Status to User Configuration Settings Disabled. Do the same for the user-specific GPO you just created: on its Details tab, set the GPO Status to Computer Configuration Settings Disabled.

Updating Group Policy

Active Directory Domain Services (AD DS) does not immediately send user
Group Policy changes down to the computers to which they apply. The Group
Policy engine on the computer actually pulls the GPO changes from AD DS at
specific intervals, called the refresh interval. By default, the refresh interval is 90
minutes (plus a random time ranging from 0 to 30 minutes). To immediately see
the effects of changes that you make to GPOs, you can force this refresh. Open a
command prompt on your RD Session Host server and type gpupdate /force. Most
computer policies can be updated just by doing this; a few (like Folder Redirection)
will require a reboot.

The Ins and Outs and Ins of Loopback Policy Processing


Outside an RD Session Host server environment, you often apply Group Policy based on the persona of the user logging on. If you don't want Adam Barr to open Control Panel, for example, you probably feel much the same way about this whether Adam Barr is logged on to his desktop computer or his laptop. Similarly, if you don't care whether he is running Control Panel, then you continue not to care whether he's logged on to his desktop or his laptop. It's his space—let him mess it up. (The Help desk might feel differently about this, but that's another matter.)
As discussed in "Using Group Policy to Manage Roaming Profiles" earlier in this chapter, the computer policy will always be applied first, then the user policy. Any Group Policy stored locally on the computer is applied first. Next, policies placed at these levels are applied in order (local, Site, Domain, OU), as shown in Figure 5-12.
In case of conflicts, the policy applied last wins. For example, computer policies set on a computer OU will override conflicting policies set at the domain level. User policies are applied after computer policies, so where the same setting has been configured in both halves of a GPO, the user value is the one written last. Do not rely on that for settings that exist in both the Computer Configuration and User Configuration nodes, though: check the setting's Explain text, because for most such settings the computer value takes precedence regardless of processing order.

Figure 5-12 (diagram, reconstructed as text; the number is the order of application):
1  Local        Computer policies   Applied when the computer starts
2  Site         Computer policies   Applied when the computer starts
3  Domain       Computer policies   Applied when the computer starts
4  Computer OU  Computer policies   Applied when the computer starts
5  Local        User policies       Applied when a user logs on
6  Site         User policies       Applied when a user logs on
7  Domain       User policies       Applied when a user logs on
8  User OU      User policies       Applied when a user logs on

FIGURE 5-12  Group Policies get applied from the top down.

On a personal computer, it's perfectly acceptable to have the identity of the person logging on define the final settings for Group Policy. But RD Session Host server farms and pooled VMs are location-specific or context-specific situations in which where you are matters even more than who you are. For example, you might decide that it's acceptable for users to use clipboard redirection when connecting to personal VMs, but for security reasons, you don't want them using clipboard redirection when connecting to an RDS server farm hosting sensitive data. You need policies applied based on which computer you are logged on to. In this case, you will apply loopback policy processing to tell the Group Policy engine to apply the user GPOs that are linked to a computer OU (for example, to an RDS farm OU) after applying the user GPOs that are normally applied during logon. With loopback policy processing enabled, GPO processing will now work as shown in Figure 5-13.

Figure 5-13 (diagram, reconstructed as text; the number is the order of application):
1  Local                                           Computer policies   Applied when the computer starts
2  Site                                            Computer policies   Applied when the computer starts
3  Domain                                          Computer policies   Applied when the computer starts
4  RDS Computer OU (Loopback Processing enabled)   Computer policies   Applied when the computer starts
5  Local                                           User policies       Applied when a user logs on
6  Site                                            User policies       Applied when a user logs on
7  Domain                                          User policies       Applied when a user logs on
8  User OU                                         User policies       Applied when a user logs on
9  RDS Computer OU (Loopback Processing enabled)   User policies       Applied when a user logs on, after step 8

FIGURE 5-13  Loopback Processing changes the effective Group Policy results.

When the RD Session Host server starts, computer GPOs are applied. When the user logs on to the RD Session Host server, the User GPOs are applied to the session. Then, because loopback policy processing is enabled, User GPOs that are linked to the RD Session Host server OU are applied last. In addition, if you have blocked inheritance, it's possible that the only GPOs that will be applied are computer and user GPOs that are placed specifically on the OU.
To enable Loopback Processing, right-click the Computer GPO applied to the RD Session Host server OU and choose Edit. The Group Policy Management Editor opens the GPO. Go to Computer Configuration, Policies, Administrative Templates, System, and Group Policy and find the User Group Policy Loopback Policy Processing Mode node in the pane on the right. Double-click it and you will see the dialog box shown in Figure 5-14.

FIGURE 5-14  Enable loopback policy processing from the User Group Policy Loopback Processing Mode Properties dialog box.
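The whole procedure from "Create GPOs for User and Computer Settings" through enabling loopback (create the two GPOs, restrict each to one kind of settings, link them to the farm OU, block inheritance, and set the loopback mode) can be scripted with the GroupPolicy module that ships with the Windows Server 2008 R2 GPMC. The following is an added example, not code from the book: the OU distinguished name, the domain, and the GPO names are assumptions, and it selects Replace mode (use a value of 1 for Merge).

```powershell
# Added example, not from the book. Run as a domain admin on a machine with the GPMC
# installed. OU path, domain and GPO names below are assumptions; adjust them.
Import-Module GroupPolicy

$FarmOU      = "OU=RDS Farm,OU=Servers,DC=contoso,DC=com"   # assumed OU holding the RD Session Host servers
$ComputerGpo = "RDS Computer GPO"
$UserGpo     = "RDS User GPO"

# 1. Create the two GPOs (skip any that already exist; New-GPO fails on a duplicate name).
foreach ($name in $ComputerGpo, $UserGpo) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name -Comment "RDS farm policy; see chapter 5" | Out-Null
    }
}

# 2. Make each GPO carry only one kind of settings. GpoStatus is a writable property of the
#    GPO object; assigning it is the same as changing the Details tab in the GPMC.
(Get-GPO -Name $ComputerGpo).GpoStatus = "UserSettingsDisabled"
(Get-GPO -Name $UserGpo).GpoStatus     = "ComputerSettingsDisabled"

# 3. Enable loopback processing in the computer GPO. "User Group Policy loopback processing
#    mode" is stored as the UserPolicyMode value under the policies key: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $ComputerGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# 4. Link both GPOs to the farm OU and block inheritance from the site and domain levels,
#    so only GPOs linked here (plus any higher-level GPO marked Enforced) reach the farm.
foreach ($name in $ComputerGpo, $UserGpo) {
    $linked = (Get-GPInheritance -Target $FarmOU).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) { New-GPLink -Name $name -Target $FarmOU -LinkEnabled Yes | Out-Null }
}
Set-GPInheritance -Target $FarmOU -IsBlocked Yes | Out-Null

# 5. Show what will actually be processed by a farm member: the GPOs linked to the OU in
#    precedence order, and any GPO enforced above it, which Block Inheritance cannot stop.
$inh = Get-GPInheritance -Target $FarmOU
$inh.GpoLinks          | Select-Object Order, DisplayName, Enabled, Enforced
$inh.InheritedGpoLinks | Where-Object { $_.Enforced } | Select-Object DisplayName, Target
```

Step 5 is the check to keep around for the situation the IMPORTANT note above describes: an enforced GPO at the domain level still applies after Block Inheritance, and a user GPO linked higher up still reaches the session through loopback unless the link is blocked or filtered, so listing the enforced inherited links is how you find out what you cannot override from the OU.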

HOW IT WORKS

Applying Loopback Policy

Loopback policy can apply to users in one of two ways: Merge Mode and Replace
Mode.

■ In Merge Mode, loopback policy processing will apply the user GPOs placed
on the RD Session Host server OU along with the other normal user GPOs
applied from the OU where the user account resides. If there is a conflict,
then the user GPOs applied to the RD Session Host server OU will prevail.
■ In Replace Mode, the Group Policy engine ignores all other user GPOs from
the User OU and applies only the user GPOs applied to the RD Session Host
server OU.
Merge Mode and Replace Mode affect only GPOs placed on the OU where the user
account resides. User GPOs placed at higher levels (for example, at the domain
level) will still be applied unless you have specifically blocked inheritance on the OU
where the computers reside.

Whether you choose Merge Mode or Replace Mode depends on your goals and
how you’ve set up the rest of your environment. If users are using the same GPOs to
log on to the RD Session Host servers and to their local desktops, their user settings
might not mesh well with a shared environment. If that’s the case, then you’d pick
Replace Mode. If you want the user experience to be as similar as possible for both
local and remote logons, then Merge Mode might be more appropriate because
it will preserve user-specific policies. The main thing you’ll need to watch out for
is that GPO settings from the GPOs applied to the user do not cause problems for
your user when she is logged on to an RD Session Host server (or pooled VM). Using
Merge Mode is more work because it requires a lot of considering of individual
policies and their effect on a remote workspace.

Fine-Tuning GPOs with Security Filtering


A GPO applies to everyone because, by default, the Authenticated Users group holds both the Read and the Apply Group Policy permissions on it, and Authenticated Users means "anyone who is logged on to the domain." (Computers also log on to the domain, so they're also members of Authenticated Users.)
If you have groups of users with specific needs controlled by Group Policy, you can create a User Policy for each user group and then use Security Filtering to apply each User GPO to a specific user group. For example, this technique could come in handy if you give access to multiple applications in one farm but only have enough licensing for a subset of users. You could block certain users from running that application, thus meeting software licensing compliance requirements. To narrow the scope of to whom (or to what) these policies will apply, double-click the GPO in the Group Policy Objects folder and navigate to the Scope tab in the right pane. In the Security Filtering section on this tab, modify Security Filtering to include the specific user group to which you want the settings in the GPO to apply, as shown in Figure 5-15.

FIGURE 5-15  Add users to the GPO Security Filtering section of the ASH TS Users Policy.
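Security filtering is nothing more than a change to the permissions on the GPO (Read plus Apply Group Policy for the trustee), so the same change can be made and verified with Set-GPPermission and Get-GPPermission. The following is an added example, not from the book; the GPO name, group name, server name and user name are assumptions. The caveat a practitioner should carry over from the GUI: reduce Authenticated Users to Read only rather than removing it, because the RD Session Host's computer account must still be able to read a user GPO to apply it through loopback, and on current patch levels that read fails when Authenticated Users is removed entirely.

```powershell
# Added example, not from the book. Requires the GroupPolicy module (GPMC on Server 2008 R2).
Import-Module GroupPolicy

$UserGpo  = "RDS User Group 1 Policy"   # assumed name of one of the user GPOs from Figure 5-9
$AppGroup = "RDS App1 Licensed Users"   # assumed domain group holding the licensed users

# Authenticated Users starts with Read + Apply Group Policy. Lower it to Read only; -Replace
# is required because Set-GPPermission otherwise refuses to reduce an existing level.
Set-GPPermission -Name $UserGpo -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Grant Apply Group Policy (which includes Read) only to the group that should receive it.
Set-GPPermission -Name $UserGpo -TargetName $AppGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: exactly one trustee should now hold GpoApply on this GPO.
Get-GPPermission -Name $UserGpo -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission

# Confirm the outcome for a real user on a farm member instead of guessing. The RSoP report
# lists the GPOs that were applied and the ones denied by security filtering. The user must
# have logged on to that server at least once; computer and user names are assumptions.
Get-GPResultantSetOfPolicy -Computer "RDSH01" -User "contoso\adam.barr" `
    -ReportType Html -Path "C:\Temp\rsop-adam.barr.html" | Out-Null
```

The same report is available on the server itself as gpresult /h report.html; either way, read the "Denied GPOs" part of the report, because a GPO that is filtered out silently is indistinguishable from one that was never linked until you look there.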

Using Group Policy to Define the Roaming Profile Share
After you have a Group Policy infrastructure set up, you can create a policy to create roaming profile folders in the proper folder share location automatically.
The Group Policy setting to set the path for RDS roaming profiles is a computer setting. Right-click your Computer Policy GPO and choose Edit. Expand the GPO to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles. In the pane at right, double-click Set Path For Remote Desktop Services Roaming User Profile, shown in Figure 5-16.

FIGURE 5-16  Set the path for Remote Desktop Services Roaming User Profile storage.

Select the Enabled option and type the RDS roaming profile share location in the Profile Path text box. If you use Group Policy to set the RDS roaming profile path, then the profile folders that are created take the form of username.domainname.V2; you do not need to add the %username% variable, the domain name, or the V2 extension. This is in contrast to defining the path to the Remote Desktop Services profile folder by editing the user account properties through scripting or through Active Directory Users And Computers, where you must specify the username and domainname variables to create the folder properly.

NOTE  If you already have profiles stored in the profile path and the profile folders do not
include the domain name (perhaps they take the form of username.V2), change the names
to include the domain name. Otherwise, the server will not see the existing profile, and the
service will create a new one in the format username.domainname.V2.

If the profile folders are created automatically when the user logs on, then the user gets sole access to the profile and is also set as the owner of the profile folder. To permit administrators to access the profile, enable the following GPO setting: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add The Administrators Security Group To Roaming User Profiles. With this GPO setting enabled, the following permissions are placed on newly created user folders:
■ User  Full Control, owner of folder
■ SYSTEM  Full Control
■ Administrators  Full Control (This is the local Administrators group of the server where the profiles are stored, which also contains the Domain Admins group.)
Note that the setting changes only the ACL written when a profile folder is first created; folders that already exist keep their permissions, so enable it before users log on for the first time or fix the existing folders by hand. You can also pre-create user profile folders and set permissions as required. For more information about profile folder permissions, see the section entitled "Converting an Existing Local Profile to a Roaming Profile" earlier in this chapter.
With this GPO setting configured, users accessing the RD Session Host servers in this OU now have a roaming profile created and stored in the designated share.

Configuring Roaming Profile Paths for VMs


Pooled and personal VMs will run client operating systems. Setting an RDS roaming profile path on these machines simply won't work. They are client machines, and for the most part, they should be treated as such. To configure the roaming profile path for client machines, use this GPO setting: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Set Roaming Profile Path For All Users Logging On To This Computer.
Enter the share name where your profiles are stored and add the %username% variable to the end of the path so that each user gets a unique profile folder, as follows:

\\servername\sharename\%username%
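The three computer-side settings from the last two sections ("Using Group Policy to Define the Roaming Profile Share" and "Configuring Roaming Profile Paths for VMs") are plain registry-backed Administrative Template policies, so they can be written into the GPOs with Set-GPRegistryValue, which also documents exactly which value each GUI setting maps to. The following is an added example, not from the book; the server, share, folder and GPO names are assumptions, and the share-root ACL at the end is the usual least-privilege layout for a profile root rather than the contents of the book's Table 5-5.

```powershell
# Added example, not from the book. Requires the GroupPolicy module; names are assumptions.
Import-Module GroupPolicy

$ComputerGpo  = "RDS Computer GPO"      # GPO linked to the RD Session Host farm OU
$VmGpo        = "VDI Computer GPO"      # assumed GPO linked to the pooled-VM OU
$ProfileShare = "\\FS01\RDSProfiles$"   # assumed hidden share for the RDS roaming profiles

# "Set path for Remote Desktop Services Roaming User Profile" (RD Session Host\Profiles).
# The profile service appends username.domainname.V2 itself, so the value is the bare share.
Set-GPRegistryValue -Name $ComputerGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" `
    -ValueName "WFProfilePath" -Type String -Value $ProfileShare | Out-Null

# "Add the Administrators security group to roaming user profiles" (System\User Profiles).
# Affects only profile folders created after the setting applies.
Set-GPRegistryValue -Name $ComputerGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "AddAdminGroupToRUP" -Type DWord -Value 1 | Out-Null

# Pooled/personal VMs ignore the RDS setting; use "Set roaming profile path for all users
# logging onto this computer" there, which needs %username% on the end of the path.
Set-GPRegistryValue -Name $VmGpo `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "MachineProfilePath" -Type String -Value "$ProfileShare\%username%" | Out-Null

# Share root on the file server (run there). Users may create their own folder under the root
# but cannot list or read anyone else's; CREATOR OWNER gives each user full control of the
# folder the profile service creates for them. (Assumed local path for the share.)
$Root = "D:\RDSProfiles"
New-Item -ItemType Directory -Path $Root -Force | Out-Null
icacls $Root /inheritance:r `
    /grant "SYSTEM:(OI)(CI)F" `
    /grant "Administrators:(OI)(CI)F" `
    /grant "CREATOR OWNER:(OI)(CI)(IO)F" `
    /grant "Authenticated Users:(RD,AD,RA,REA,X,RC,S)"   # this folder only: list and create subfolder
```

After the next policy refresh and a test logon, confirm the result from the share side: a new folder named username.domainname.V2 should appear under the root, owned by the user, and with Administrators present in its ACL only if the AddAdminGroupToRUP setting was in force before that first logon.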

Speeding Up Logons
One of the biggest challenges that IT professionals face in an RDS environment is to provide a user experience that feels as much like a local computer as possible. Users want to log on quickly, work steadily, get their job done, and get out. If they find that they have to wait longer to log on than they like, the Help desk will hear about it, or people will look for ways to circumvent the data center.

Roaming profiles are usually the best choice for RDS. Centralizing the profile on a network share makes it possible to always have the same experience no matter what RD Session Host server or VM a user is logged into—even new ones that were just added. Centralizing also simplifies backups. However, if you don't take steps to avoid it, profiles grow over time. By default, a profile contains not only configuration data but also user documents. Assuming that a user saves files to the folders there for that purpose, the profile will grow. Big profiles slow down logons and logoffs due to the massive amounts of data that must be copied to and from the remote location.
There are several things you can do to speed logons:
■ Take advantage of the new behavior of Group Policy caching among servers in a farm to reduce the time needed for the first logon.
■ Enable Folder Redirection.
■ Limit profile size.
■ Manage the profile cache on the RD Session Host servers.
Let's start with the one that requires no configuration.

Roam Group Policy Cache Between RD Session Host Farm Servers


Group Policy is cached on a computer to speed up logon times. The first time someone logs on to an RD Session Host server, her Group Policy settings won't be cached there. A new feature of Windows Server 2008 R2 copies the Group Policy cache to all servers in a farm. That way, once a user has logged on to one member of the farm, her GP cache will be available on all servers in the same farm.

Enable Folder Redirection


When a user logs on to an RD Session Host server, his roaming profile has to be copied to that RD Session Host server. When the user logs off, the changed profile must be copied back to the roaming profile storage location. Note that synchronization works per file, not per byte: every file that changed since logon is copied back in its entirety, and at logon every file that is newer on the share is copied down. Imagine if one of your users saved 30 GB of data in his Documents folder. He would log on to the RD Session Host server and then go get a cup of coffee (or even go to lunch) while waiting for the profile to copy itself to the server. Now imagine if all your users had that much data stored in their Documents folder. If they all come in at 9 A.M. and try to log on to the RD Session Host server, logons could quickly consume all your network bandwidth. Soon the water cooler or break room would be very popular, and no one would get any work done.
Profile caching also suffers if you experience profile bloat. Profile caching saves a copy of the user profile on the RD Session Host server so that, if the network is slow to retrieve the saved profile from its file share, the user can still log on using the cached copy. (When you log on to an RD Session Host server, a copy of your profile is saved there as a matter of course. If you enable profile caching, the profile isn't deleted when you log off.) However, if the profiles in the cache are too large, the space allocated for them will fill up, and people won't be allowed to log on because there's no room to store their profiles. There are Group Policies to remove older data in the cache if room runs out, but it's better if you can avoid this problem entirely.
The simplest step that you can take to avoid profile bloat is to enable Folder Redirection. Folder Redirection has two advantages: it keeps user data out of the profile to keep the profile smaller, and it allows differential syncing (so that if only part of a file is changed, that part will be saved to the central location, rather than copying the entire file). You'll learn how to set up Folder Redirection in the section "Centralizing Personal Data with Folder Redirection" later in this chapter.

Limit Profile Size


One way to reduce the impact of caching profiles on the RD Session Host servers is to limit the size of the profiles. Although too many profiles can still fill up the hard disk, smaller cached profiles have less impact. To limit profile size, open your RDS User GPO and browse to User Configuration\Policies\Administrative Templates\System\User Profiles. Locate the policy Limit Profile Size and enable it.
If you're redirecting folders, the size of the profile shouldn't be a major concern. NTUSER.DAT is a fairly small file. The exact size depends on the profile, but it's not much; check the size of some representative NTUSER.DAT files to gauge the space needed to allocate for profiles.

Manage the Profile Cache on RD Session Host Servers


Another way to keep the size of the cache on the RD Session Host servers from getting too large is to delete old copies of the user roaming profiles. You can also limit the profile cache size if you're concerned about running out of room on the servers.

PROGRAMMATICALLY MANAGING THE CACHE


You can use two computer Group Policy settings to delete unused cached profiles on RD Session Host servers in the RD Session Host Farm OU automatically. The first is located in Computer Configuration\Policies\Administrative Templates\System\User Profiles; the second is under the Remote Desktop Session Host node, as noted below.
■ Delete Cached Copies Of Roaming Profiles  Enabling this setting deletes a user's cached profile when the user logs off. This setting ensures that the loaded profile is always the most recent, and on a shared server it also means that a user's files and registry hive do not stay on the local disk after the session ends. However, the cached profile provides a fallback configuration to load if the actual profile isn't available for some reason. If you delete cached profiles, then if the actual profile can't be loaded, the user will get a temporary profile and any changes he makes to it will be discarded when the user logs off.
■ Delete Unused Profiles  Windows Server 2008 R2 has a new Group Policy setting that limits the size of the overall roaming profile cache (located in the %SystemDrive%\Users directory). If the size of the profile cache exceeds the configured size, RDS deletes the least recently used copies of roaming profiles until the overall cache goes below the quota. The policy setting is found in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Limit The Size Of The Entire Roaming User Profile Cache.

NOTE  Although you can apply the Delete Cached Copies Of Roaming Profiles GPO set-
ting to pooled and personal VMs, it doesn’t accomplish anything useful. Pooled VMs get
rolled back (if set up to do so) when a user logs off, so the user profile cache is cleared
as part of the rollback function. And personal VMs are, well, personal. They will have one
profile cached on the machine. You will have enough room for one user profile cache in
this instance. Deleting the profile cache on a personal desktop will just increase logon time
and has no advantages.

Another way to make sure that your servers do not run out of disk space due to an overgrown profile cache is to put a cap on the cache size. If the size of the entire cache exceeds the limit set by this policy, the server will delete the oldest profile in the cache until the overall size drops below the threshold you set. The GPO setting is located at Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Limit The Size Of The Entire Roaming User Profile Cache.
Enable this setting and enter the following numbers:
■ Monitoring interval (in minutes)  The interval at which the profile cache size is checked.
■ Maximum cache size (in GB)  This is the threshold. If the cache grows beyond this number, the oldest profiles start getting deleted.

DELETING CACHED PROFILES MANUALLY


Deleting cached profiles manually sounds too simple to bother explaining, but it's more subtle than it might appear. Cached profiles are kept in the %SystemDrive%\Users directory. However, the obvious approach doesn't work. If you do the obvious—look at the profiles, check the dates, note that some profiles haven't been used in a while, and delete them—you will prevent the owners of those deleted profiles from being able to log on to the RD Session Host server and load their roaming profiles, at least without some help from you. See the section entitled "The Consequences of Deleting a Profile Folder from Windows Explorer" later in this chapter for more information. For now, let's see how you can avoid extra work.
The problem is that cleaning up old profiles isn't just a matter of deleting some old directories. The registry maintains a list of profiles in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. Sort through that key (see Figure 5-17), and you'll see entries for everyone who currently has a profile cached on the server. Although the keys themselves are identified by the SIDs of the user accounts, you can see the names of the profile paths by examining the contents of the keys.

FIGURE 5-17  When you cache a profile on a server, it automatically creates a corresponding registry entry.

NOTE  Examining this key can also help you troubleshoot profile problems. If a user seems
to be getting his standard profile to log on to the RD Session Host server, check the con-
tents of CentralProfile (see Figure 5-17). If this entry is blank, that person is using a local
profile.

If you just delete the profile from Windows Explorer, the entries in the registry remain, which confuses the server, as explained in the next section.
The cleanest way to delete unused profiles is to let Group Policy delete the old and unused profiles. You can also delete cached roaming user profiles from the User Profiles section of System Properties on the RD Session Host server. Log on to the RD Session Host server as an administrator. Go to Start, Control Panel, System, and click Change Settings. The System Properties dialog box will appear. Select the Advanced tab. In the User Profiles section, click Settings... to open the User Profiles dialog box, shown in Figure 5-18.

FIGURE 5-18  The User Profiles dialog box displays the profiles stored on the computer.

Highlight the roaming profile that you want to delete and then click Delete. When you see a dialog box confirming that you want to delete the profile, click Yes and the roaming profile cache is deleted. Click OK.

THE CONSEQUENCES OF DELETING A PROFILE FOLDER FROM WINDOWS EXPLORER


Just in case you decide to try deleting a profile folder from Windows Explorer, here's what will happen. If you delete an unused profile folder from Windows Explorer, the next time that the user with that folder logs on, he will be unable to load his roaming profile. A temporary profile will be created for him, profile changes that he makes will be discarded at logoff, and Event ID 1511 is logged in the Windows Application event log stating that Windows cannot find the local profile and is logging him on with a temporary profile.
Deleting that directory caused a problem because you didn't clean up the cached profile completely. For each cached profile stored in %SystemDrive%\Users\%UserName%, the User Profile Service creates a registry entry for this profile at HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList, shown in Figure 5-19. This registry key is named according to the user SID.

FIGURE 5-19  The RDS roaming profile cache registry entry for user Adam Barr

The ProfileImagePath value in this key indicates the cache location, which by default is %SystemDrive%\Users\%UserName%. (The network location where the roaming profile is stored is in the CentralProfile value.)
If you delete the user's locally cached profile folder and that user starts a session on that RD Session Host server, he will get a temporary profile. The registry entry corresponding to the user's cached profile is renamed. The SID part stays the same, but it is given an extension of .bak, as shown in Figure 5-20.

FIGURE 5-20  The old registry key for the profile that was deleted incorrectly now has a .bak extension.

In addition, a new key is created in its place. The newly created registry entry is named after the user SID just as before. However, the ProfileImagePath value inside the new key now points to %SystemDrive%\Users\TEMP, as shown in Figure 5-21.

FIGURE 5-21  A new registry entry is created, but the ProfileImagePath value points to %SystemDrive%\Users\TEMP.

Therefore, the entry that used to work now has a .bak extension and is not usable, and the profile actually being used is a temporary profile. When the user logs off, his temporary profile is not copied back to the central profile storage location on the file server.
Deleting the profile from the User Profiles section of the System Properties dialog box no longer works either. Most likely, the profile will not even be listed in the dialog box. If it is, it most likely means that the user has not logged off completely. If you do manage to select it and click Delete, you get an error message: "Profile not deleted completely. Error – The system cannot find the file specified."

To rectify this, you must manually delete the abandoned registry entry that has the .bak extension. You might also need to reboot the server. Only then can the user log on to the RD Session Host server and have his roaming profile correctly cached once again on the server.
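The three preceding topics ("Limit Profile Size", which asks you to measure representative NTUSER.DAT files; "Deleting Cached Profiles Manually", which turns on the ProfileList key; and the .bak/TEMP breakage described in this section) come together in one audit of the profile cache on an RD Session Host. The following is an added example, not code from the book. It reports every ProfileList entry with its folder, central profile path and sizes, flags the orphaned .bak keys and keys whose folder no longer exists, lists recent Event ID 1511 temporary-profile logons, and deletes stale cached roaming profiles through the Win32_UserProfile WMI class, which removes the folder and the registry entry together, as the User Profiles dialog does. The function names, the 30-day threshold and the dry-run default are assumptions.

```powershell
# Added example, not from the book. Run elevated on the RD Session Host.
$ProfileList = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

function Get-CachedProfileReport {
    # One row per ProfileList key: SID (or SID.bak), cache folder, central roaming path,
    # whether the folder is still on disk, size of NTUSER.DAT and of the whole folder.
    Get-ChildItem $ProfileList | ForEach-Object {
        $p   = Get-ItemProperty $_.PSPath
        $dir = ""
        if ($p.ProfileImagePath) { $dir = [Environment]::ExpandEnvironmentVariables($p.ProfileImagePath) }
        $exists = ($dir -ne "") -and (Test-Path -LiteralPath $dir)
        $ntuserKB = 0; $totalMB = 0
        if ($exists) {
            $nt = Get-Item -LiteralPath (Join-Path $dir "NTUSER.DAT") -Force -ErrorAction SilentlyContinue
            if ($nt) { $ntuserKB = [int]($nt.Length / 1KB) }
            $sum = (Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.PSIsContainer } | Measure-Object Length -Sum).Sum
            $totalMB = [int]($sum / 1MB)
        }
        New-Object PSObject -Property @{
            Key            = $_.PSChildName
            IsBak          = ($_.PSChildName -like "*.bak")   # orphan left by deleting the folder
            DirExists      = $exists
            ProfileDir     = $dir
            CentralProfile = $p.CentralProfile                 # blank means a local, not roaming, profile
            NtUserKB       = $ntuserKB
            TotalMB        = $totalMB
        }
    }
}

function Remove-StaleCachedProfile {
    # Deletes cached roaming profiles that are not loaded and have not been used for $Days.
    # Win32_UserProfile.Delete() removes folder and ProfileList key in one step; deleting
    # the folder alone produces the .bak/TEMP state from Figures 5-20 and 5-21.
    param([int]$Days = 30, [switch]$WhatIf)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-WmiObject Win32_UserProfile |
        Where-Object { -not $_.Special -and -not $_.Loaded -and $_.RoamingConfigured } |
        ForEach-Object {
            $last = [Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
            if ($last -lt $cutoff) {
                if ($WhatIf) { "Would delete $($_.LocalPath) (last used $last)" }
                else { $_.Delete(); "Deleted $($_.LocalPath)" }
            }
        }
}

# Report. IsBak or DirExists=False is the broken state; large TotalMB values with a
# CentralProfile are the users whose data belongs in redirected folders instead.
Get-CachedProfileReport | Sort-Object TotalMB -Descending |
    Format-Table Key, IsBak, DirExists, NtUserKB, TotalMB, CentralProfile -AutoSize

# Temporary-profile logons in the last day (Event ID 1511 from the User Profile Service).
Get-WinEvent -FilterHashtable @{ LogName = "Application"; Id = 1511; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# Dry run first; drop -WhatIf once the list looks right.
Remove-StaleCachedProfile -Days 30 -WhatIf
```

Run the report before and after a cleanup: a healthy server has no .bak keys, every key's folder exists, and the only entries without a CentralProfile are the built-in service accounts and any local administrators.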

Centralizing Personal Data with Folder Redirection


The single biggest thing that you can do to affect profile size, simplify backups, and speed logons and logoffs is to redirect user-specific storage out of the user profile. By default, user data folders such as Documents are in the profile, but they don't have to be. Instead you can create a pointer to a network share where the data actually lives. Users will still store files in their personal folders, but the user data won't be roamed, so it will not affect the time required to load the profiles at logon.
Folder redirection is fundamentally very simple. If you go to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, you'll see every folder in your profile and the current location of that folder. If Folder Redirection is not turned on, then all entries will look like this: %USERPROFILE%\Music. The goal is to get rid of the %USERPROFILE% variable and replace it with a new location.
You can't redirect all folders, but you can redirect the ones with the biggest impact on profile size. These folders are:
■ AppData(Roaming)  Contains a user's application settings that are not computer-specific and therefore can roam with the user
■ Desktop  Contains any items a user places on his desktop
■ Start Menu  Contains a user's Start menu
■ Documents  Contains documents saved to the default location
■ Favorites  Contains a user's Internet Explorer favorites
■ Music  Contains a user's music files saved to the default location
■ Pictures  Contains a user's pictures saved to the default location
■ Video  Contains a user's video files saved to the default location
■ Contacts  Contains a user's contacts saved to the default location
■ Downloads  Contains a user's downloads saved to the default location
■ Links  Contains a user's Favorite links from Internet Explorer
■ Searches  Contains a user's saved searches
■ Saved Games  Contains a user's saved games
Before you redirect these folders, you need a place to redirect them to. Create a shared folder on the server where you want to store the redirected folders and set permissions on this folder according to the user profile folder permissions that were described in Table 5-5.
To redirect the folders to this share, open the GPMC, create or select an existing user GPO, right-click it, and choose Edit. Go to User Configuration\Policies\Windows Settings\Folder Redirection, as shown in Figure 5-22.

FIGURE 5-22  Set the Folder Redirection policy.

Right-click the AppData(Roaming) folder and choose Properties to open the dialog box shown in Figure 5-23.

FIGURE 5-23  AppData(Roaming) Folder Redirection properties dialog box

To specify the location of the AppData(Roaming) folder, choose between two options in the Setting drop-down menu:
■ Basic - Redirect Everyone's Folder To The Same Location  This means just what it says; all AppData(Roaming) folder data for every user will go to the same location.
■ Advanced - Specify Locations For Various User Groups  To store user data in different locations based on user group membership, choose this option.
The menu contents will vary depending on the type of folder redirection you choose. If you choose Basic, then you get a Target folder location drop-down menu with three choices:
■ Create A Folder For Each User Under The Root Path  Choose this option to put each user's profile data into a folder under the root path named according to the user name. In the Root Path text box, specify the location of your designated Folder Redirection share. In most cases, this is the best option.
■ Redirect To The Following Location  Choose this option to redirect all user data to the same location. You'd do this if you wanted all users to use the same Desktop or Start Menu folder. Choose this option only if you want everyone to write to the same user-specific folders.
■ Redirect To The Local Profile Location  Don't choose this option. Your profiles roam, and you want your profile folders redirected to the network share.
Click the Settings tab, as shown in Figure 5-24.

FIGURE 5-24  Grant The User Exclusive Rights To AppData(Roaming) is enabled by default. Clear this check box to let administrators manage the redirected folder.

By default, Grant The User Exclusive Rights To AppData(Roaming) is enabled. If you leave it this way, then the user will own this folder, and only she will be able to access this data. To enable managing this folder, clear this box so that the rights from the parent folder will be inherited. For example, if you give Domain Admins full control of the parent folder, then this group will have access to the redirected user folders as well.
If your users already have these folders before you set up Folder Redirection, then you must set up the existing folders in one of two ways (otherwise, Folder Redirection will fail):
■ The user needs to be the owner of the folder and can be granted exclusive rights to the folder.
■ If the user does not need to be the owner of the folder, clear this box.
All the folders listed in this GPO section have the same choices to pick from, except for the Pictures, Music, and Video folders. These folders have an extra setting that you can choose for the location of the folder: Follow The Documents Folder. This means that these folders will be stored in the user's Documents folder, wherever that folder is redirected.
To move the contents of the existing folder to the new folder outside the profile, select the Move The Contents Of "The Name Of The Folder Being Redirected" To The New Location check box.
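The two ownership rules above are easy to get wrong on folders that users created before the policy existed, and the failure shows up only at the next logon. The following PowerShell audit is an added example written for this page, not code from the book: it walks the per-user folders under a redirection root, assuming the Create A Folder For Each User Under The Root Path layout, and reports folders whose NTFS owner does not match the user name or that carry explicit Allow entries for anyone other than the user. The share path, the domain name ASH, and the assumption that a policy-created "exclusive rights" folder also carries a SYSTEM entry are placeholders and assumptions of the example.

```powershell
# Added example (not from the book): audit per-user folders under a Folder
# Redirection root before enabling the policy. Layout assumed: <root>\<username>.
function Test-RedirectedFolderOwnership {
    param(
        [Parameter(Mandatory = $true)][string]$RootPath,   # e.g. \\Colfax\FolderRedirection (placeholder)
        [Parameter(Mandatory = $true)][string]$Domain      # NetBIOS domain name, e.g. ASH (placeholder)
    )

    # Identities assumed to be acceptable in an "exclusive rights" ACL besides the user.
    $allowedExtras = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    foreach ($dir in Get-ChildItem -Path $RootPath | Where-Object { $_.PSIsContainer }) {
        $expectedOwner = "$Domain\$($dir.Name)"
        $acl = Get-Acl -Path $dir.FullName

        # Explicit (non-inherited) Allow entries granted to anyone other than the
        # user or the identities listed above. Any such entry means the folder is
        # not "exclusive" and the policy will refuse to use it as-is.
        $extraAllow = @($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $expectedOwner -and
            $allowedExtras -notcontains $_.IdentityReference.Value
        })

        New-Object PSObject -Property @{
            Folder          = $dir.FullName
            ExpectedOwner   = $expectedOwner
            ActualOwner     = $acl.Owner
            OwnerMatches    = ($acl.Owner -eq $expectedOwner)
            ExclusiveRights = ($extraAllow.Count -eq 0)
            InheritanceOn   = (-not $acl.AreAccessRulesProtected)
        }
    }
}

# Usage: list only the folders that would make Folder Redirection fail.
Test-RedirectedFolderOwnership -RootPath '\\Colfax\FolderRedirection' -Domain 'ASH' |
    Where-Object { -not $_.OwnerMatches -or -not $_.ExclusiveRights } |
    Format-Table Folder, ExpectedOwner, ActualOwner, OwnerMatches, ExclusiveRights -AutoSize
```

Run it from an account that can read the ACLs on the share (an administrator, not a user with exclusive rights only). A folder that reports OwnerMatches = False needs its owner fixed or the Grant The User Exclusive Rights box cleared before the GPO is applied; InheritanceOn = True on an existing folder is the normal state when the box is cleared.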

ON THE COMPANION MEDIA  When redirecting a folder using Group Policy, one
of the options is Move The Contents. Unless you select this option, a duplicate link
will be left behind, even when that folder is completely empty, meaning that users
will see two Documents folders, two Music folders, and so forth. For tips on how to
avoid the “duplicate link” problem, see http://blogs.technet.com/deploymentguys
/archive/2008/05/01/dealing-with-duplicate-user-profile-links-in-windows-vista.aspx.
You can also find the link on this book’s companion media.

Sharing Personal Folders Between Local and Remote Environments
Because the RemoteApp programs are designed to blur the line between the remote computer and the local computer, it might make sense for you to help this along by using the same folder to store user-specific documents. This eliminates the problem of having to remember whether you were saving a file from a local or a remote application to know where the file would be stored.

Sharing Folders Between Windows Server 2003 and Windows Server 2008 R2 Roaming Profiles
The easiest profile environment to manage is homogenous: All users work only in RD Session Host servers, and all session servers are running Windows Server 2008 R2. However, there are good reasons why you might need to support both the V1 and V2 profile structures at the same time:
■ Some users work both on the RD Session Host server and on VMs running Windows XP (perhaps because they're using RemoteApp on Hyper-V).
■ You're migrating to Windows Server 2008 R2 RDS from Windows Server 2003 Terminal Services, and some of the older servers are still in use as you convert.
V1 profiles and V2 profiles are not compatible. Therefore, if you have some active 2003 RD Session Host servers, you will need to keep two sets of profiles for your users: one to log on to the 2003 servers and one to log on to the 2008 servers. And you might need even more profiles if users are also using pooled and personal VMs, and/or RemoteApp programs on Hyper-V. However, Folder Redirection can be used to bridge the gap.
Not all 13 folders that can be redirected in Windows Server 2008 R2 can be redirected in Windows Server 2003, but some can. You can share the data in these folders between the 2003 profiles and the 2008 profiles. On the Settings tab of each folder in the Folder Redirection container is an option called Also Apply Redirection Policy To Windows 2000, Windows 2000 Server, Windows XP And Windows Server 2003 Operating Systems. For some folders, this option is available, but on others (the ones that will not redirect for down-level operating systems), it appears dimmed and is unavailable. Table 5-6 shows which of the folders can be redirected for Windows 2000, Windows XP, and Windows Server 2003.

TABLE 5-6  Profile Folder Redirection Capabilities for Various Versions of Windows

FOLDER            CAN THE FOLDER BE REDIRECTED   DETAILS
                  FOR EARLIER OPERATING SYSTEMS?

AppData(Roaming)  Yes                            If you enable the setting Also Apply Redirection
                                                 Policy To Windows 2000, Windows 2000 Server,
                                                 Windows XP, And Windows Server 2003 Operating
                                                 Systems, the following folders within
                                                 AppData(Roaming) are not redirected: Start Menu,
                                                 Network Shortcuts, Printer Shortcuts, Templates,
                                                 Cookies, and SendTo. These folders are redirected
                                                 if you do not enable this setting.
Desktop           Yes
Start Menu        Yes                            In Windows Server 2003, the contents of the Start
                                                 Menu folder are not copied to the redirected
                                                 location. It is assumed that the Start Menu folder
                                                 has been pre-created. Therefore, if you do not
                                                 pre-create the Start Menu folder and place it in
                                                 the redirected location, the default Start Menu
                                                 folder located in the user's Windows Server 2003
                                                 roaming profile location is used instead.
Documents         Yes
Pictures          Depends                        If the check box for Documents is selected, this
                                                 folder will follow the Documents folder for earlier
                                                 operating system profiles. If Documents is not
                                                 redirected, however, then this folder cannot be
                                                 redirected.
Music             Depends                        If the check box for Documents is selected, this
                                                 folder will follow the Documents folder for earlier
                                                 operating system profiles. If Documents is not
                                                 redirected, then this folder cannot be redirected.
Video             Depends                        If the check box for Documents is selected, this
                                                 folder will follow the Documents folder for earlier
                                                 operating system profiles. If Documents is not
                                                 redirected, then this folder cannot be redirected.
Favorites         No                             NA
Contacts          No                             NA
Downloads         No                             NA
Links             No                             NA
Searches          No                             NA
Saved Games       No                             NA

ON THE COMPANION MEDIA  For more information on Windows Server 2003 and
Windows XP Profiles and Folder Redirection, see http://technet2.microsoft.com
/windowsserver/en/library/06f7eebc-2ebb-47c5-8361-1958b58078cc1033.mspx?mfr=true.
You can also find the link on this book’s companion media.

NOTE  Some custom applications might not respond well to having the AppData folder
redirected. But not redirecting AppData could lead to profile bloat, especially if your ap-
plications write a lot of data to this location. For situations like this, consider using App-V
to deploy the problem application. For technical resources on sequencing with App-V, see
http://www.microsoft.com/systemcenter/appv/dynamic.mspx.

Setting Standards with Mandatory Profiles
One issue with roaming profiles is that users can change them. On the one hand, that's the point. On the other hand, changes can cause problems. If users can change their profiles, they can delete icons, accidentally resize their toolbar so that it disappears, add wallpaper that slows their logon time, and so on.
One way to avoid this is to set policies controlling what users can and cannot do, and Chapter 7, "Molding and Securing the User Environment," explains how to do this. Another way to prevent users from making permanent changes to their profile is to make the user profile read-only. A user can change settings, but those settings will not be saved when the user logs off the RD Session Host server.
Profiles that don't change are called mandatory profiles. Mandatory profiles on a central store are copied to the RD Session Host server at logon, but they are not copied back at logoff. Any profile changes that occur are discarded at the end of the user session. Many companies will not implement mandatory profiles because users find them too constricting, but combined with Folder Redirection, they might give your users enough flexibility. Some third-party profile solutions also require the use of mandatory profiles; it depends on how the products are implemented.
Although it's possible to give every user a unique mandatory profile, it's not ideal. One of the best things about mandatory profiles is that because the profile will never be changed, all users can use a single mandatory profile, creating much less maintenance work for administrators. If a change needs to happen to the profile, there is only one place to make the change, instead of many if every user had his or her own individual profile.
Mandatory profiles are great in many respects, but you need to be careful when implementing them to make sure each user who logs on will not be susceptible to registry changes from other users. See the Direct from the Field sidebar that follows for more details.

DIRECT FROM THE FIELD

Mandatory Profiles: Insecure By Default?


Helge Klein
IT Architect, sepago

Mandatory profiles are generally considered fast and secure because they
usually are small in size and cannot be modified by the user. Although that is
true—mandatory profiles stay pristine indefinitely—there is more to security than
read-only access.

Mandatory profiles are a variant of roaming profiles: A master copy on a file server
is copied to the RDS session host during logon. The resulting local copy is secured
with file system ACLs that grant full access to the user, but to no one else (except
administrators and SYSTEM). All is safe and secure—except in the case of manda-
tory profiles.

A user profile consists not only of file system data, but also of a registry hive (stored
in the file NTUSER.MAN) that is mounted to HKU\<SID> and accessible from within
a session via the well-known name HKCU. In contrast to the file system, registry
permissions are not changed during logon because that is not necessary—at least
with roaming profiles where the master copy of each hive already has the correct
permissions.

Not so with mandatory profiles. The creation of a mandatory profile involves
changing registry permissions on the master copy to full access for “Everyone.” And
because many users are logged on simultaneously to an RDS session host, each
server’s registry consists of many users’ hives that are readable and writeable by
everyone, not just the owner of the individual user profile.

So on an RD Session Host server where mandatory profiles are used, a user can
simply open Regedit (if not blocked from doing so), navigate to HKU\<Some other
user’s SID>, and read/write at will.

Consequences
Users being able to read/write somebody else’s HKCU hive poses a potentially grave
security problem. At least two types of attacks can be envisioned: eavesdropping
and damaging. Here are some simple examples.

Many applications store a list of most recently used (MRU) files in HKCU (for exam-
ple, Word: HKCU\Software\Microsoft\Office\12.0\Word\File MRU). By reading such
lists, attackers can gain information about which documents another user is editing.

Applications and the operating system itself need and expect write access to HKCU.
Because a user always has write access to HKCU, programs do not handle
the absence of such permissions well. By changing permissions on another user’s
hive (for example, removing write access), an attacker could effectively break
another user’s session, making it impossible to start and use even the most trivial
programs—most applications that store their settings in HKCU would be affected.

How to Fix
The following workarounds can help fix this security vulnerability.

1. Make sure that remote registry editing is limited to administrators.

2. Block access to the registry via software restriction policies. This includes, but is
not limited to, Regedit.exe, Cmd.exe, Reg.exe, scripts and batch files, and other
custom (downloaded) tools. In essence, in order to avoid this problem exclusive
white-listing is required.

3. Re-ACL (change the security permissions on) each registry hive after it is loaded
and replace “Everyone” with the current user.
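The third workaround, re-ACLing each hive after it loads, can be scripted and also doubles as a check that the first two are still needed. The following PowerShell is an added example written for this page, not code from the book or from sepago: it enumerates the per-user hives under HKEY_USERS on the RD Session Host, reports any hive that grants Everyone an Allow entry, and with -Repair removes those entries and grants Full Control to the hive's own SID instead. It assumes an elevated session on the RD Session Host and that the SIDs resolve against the domain.

```powershell
# Added example (not from the book or from sepago): find and fix user hives whose
# ACL grants "Everyone" access, the condition described for mandatory profiles.
function Get-LoadedUserHive {
    # Only per-user hives (S-1-5-21-...); skips the *_Classes hives and the
    # built-in service account hives S-1-5-18/19/20.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
}

function Repair-UserHiveAcl {
    param([switch]$Repair)   # without -Repair the function only reports

    foreach ($hive in Get-LoadedUserHive) {
        $sid  = $hive.PSChildName
        $path = "Registry::HKEY_USERS\$sid"
        $acl  = Get-Acl -Path $path

        # Allow entries for the well-known Everyone group, inherited or not.
        $everyoneRules = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow'
        })

        $sidObject = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
        try {
            $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid   # unresolvable SID (e.g. domain unreachable): report by SID
        }

        $result = New-Object PSObject -Property @{
            Hive          = $sid
            Account       = $account
            EveryoneAllow = $everyoneRules.Count
            Repaired      = $false
        }

        if ($Repair -and $everyoneRules.Count -gt 0) {
            foreach ($rule in $everyoneRules) { $acl.RemoveAccessRuleAll($rule) }
            # Full Control for the hive owner only, inherited by all subkeys.
            $userRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                -ArgumentList $sidObject, 'FullControl', 'ContainerInherit', 'None', 'Allow'
            $acl.AddAccessRule($userRule)
            Set-Acl -Path $path -AclObject $acl
            $result.Repaired = $true
        }
        $result
    }
}

# Usage: audit first; run with -Repair once the report looks right.
Repair-UserHiveAcl | Format-Table Hive, Account, EveryoneAllow, Repaired -AutoSize
# Repair-UserHiveAcl -Repair
```

The audit output is the useful part on a production host: a non-zero EveryoneAllow count on any S-1-5-21 hive confirms the exposure the sidebar describes, and the count dropping to zero after -Repair confirms the fix took. Because the master copy is not touched, the repair has to run after each logon (a logon script or scheduled task is the usual vehicle), which is why the first two workarounds remain worthwhile.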

Converting Existing Roaming Profiles to Mandatory Profiles
Setting up mandatory profiles is very similar to setting up roaming profiles using Group Policy. To convert a roaming profile to a mandatory profile, you first need to have roaming profiles working, either by setting the RDS Roaming Profile path in the user's account properties in Active Directory Users and Computers, or by using Group Policy. For information on how to set up roaming profiles, see the section entitled "Using Group Policy to Manage Roaming Profiles," earlier in this chapter.
Assuming you have roaming profiles implemented, when a user logs on, her profile is stored in a subdirectory of the designated roaming profile share. To make the user's profile mandatory, in the user's profile folder, locate NTUSER.DAT and change its extension to .man (see Figure 5-25). Then change the NTFS permissions for the user from Full Control to Read & Execute (so she can't change the extension back). The next time the user logs on, she will be using a mandatory profile.

FIGURE 5-25  To convert a roaming profile to a mandatory profile, change its extension.

No changes that the user makes to the profile will be saved. But combining mandatory profiles with Folder Redirection will give users some control over their session and allow them to change their Favorites, Documents, Desktop, and other settings without compromising the configuration data loaded in HKCU.

Creating a Single Mandatory Profile
If you have many users, you probably won't want to convert each roaming profile to a mandatory one; that would negate one of the main reasons to implement mandatory profiles: less configuration and maintenance. To give everyone the same experience, you can create one mandatory profile for everyone to use. Here are the steps to do so:
1. Create a network share to store the mandatory profile (for example, \\Colfax\ASH-Mandatory-Profile). Make sure to configure the permissions on this folder correctly. Table 5-7 and Table 5-8 outline the necessary share and NTFS permissions that need to be set on this folder.

TABLE 5-7  Share Permissions for a Mandatory Profile Storage Folder

USER ACCOUNT          SHARE PERMISSIONS

Administrators        Full Control
Authenticated Users   Read

TABLE 5-8  NTFS Permissions for User Accounts for a Mandatory Profile Storage Folder

USER ACCOUNT          NTFS PERMISSIONS

SYSTEM                Full Control, this folder, subfolders, files
Administrators        Full Control, this folder, subfolders, files, Owner
Authenticated Users   Read & Execute, this folder, subfolders, files

2. Create a folder within the folder created in Step 1, name it something appropriate to indicate it is a mandatory profile, and append the .V2 extension (for example, ASH.RDS.MAN.V2).
3. Because using the Copy To button now works only for the Default user profile, this is the profile you will copy to the share you created in Step 1. On the RD Session Host server, from Server Manager, click Change System Properties and select the Advanced tab. In the User Profiles section, click Settings. Highlight the Default User, and click Copy To. In the Copy To dialog box, type or browse to the shared folder location that you created in Step 1. Click Permitted To Use, add Everyone, and click OK.

NOTE  If you choose to create a customized mandatory profile, use Sysprep to over-
write the Default User profile on the machine that you will copy from. For more on
customizing the default user profile and using the Copy To button, and how to use
Sysprep to customize the Default User Profile, see the sections earlier in this chapter
entitled “Converting an Existing Local Profile to a Roaming Profile” and “Customizing a
Default Profile.”

4. Rename NTUSER.DAT in the resulting profile (in the file share created in Step 1) to NTUSER.MAN. You will need to change the folder options to show hidden files and folders to see this file.
5. Create appropriate GPOs by doing the following:
■ Edit the Computer GPO setting as follows: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Set Path For Remote Desktop Services Roaming User Profile to point to the share created in Step 2, for example, \\colfax\ash-rds-mandatory-profile\ASH.RDS.MAN. Do not include the .V2 extension.
■ Enable the Computer GPO policy setting as follows: Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Use Mandatory Profiles On The RD Session Host Server.
■ Enable the Computer GPO setting as follows: Computer Configuration\Policies\Administrative Templates\System\User Profiles\Add The Administrators Security Group To Roaming User Profiles.

6. Apply the GPOs to the RD Session Host Server OU (in Group Policy Manager on a domain controller).
7. Reboot the RD Session Host servers and test by logging in as a regular user.
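The file-side parts of the two procedures above (converting one user's roaming profile, and preparing the shared folder for a single mandatory profile) are the steps most often done by hand and therefore most often done with the wrong permissions. The following PowerShell is an added example written for this page, not code from the book: Convert-RoamingProfileToMandatory renames NTUSER.DAT to NTUSER.MAN in one user's profile folder and replaces that user's Full Control with Read & Execute; New-MandatoryProfileShare creates the storage folder with the NTFS permissions of Table 5-8, shares it with the share permissions of Table 5-7 using net share, and creates the empty .V2 profile folder from Step 2. The Copy To step and the GPO settings are still done as described in the text. All paths, share names, and account names are placeholders; the script assumes an elevated session with rights on the file server.

```powershell
# Added example (not from the book): file-side steps for mandatory profiles.

function New-NtfsRule {
    param([string]$Identity, [string]$Rights)
    # "ContainerInherit, ObjectInherit" is what the UI calls "this folder, subfolders, files".
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

function Convert-RoamingProfileToMandatory {
    param(
        [Parameter(Mandatory = $true)][string]$ProfilePath,  # e.g. \\Colfax\Profiles\jsmith.V2 (placeholder)
        [Parameter(Mandatory = $true)][string]$UserAccount   # e.g. ASH\jsmith (placeholder)
    )
    $dat = Join-Path $ProfilePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $dat)) { throw "NTUSER.DAT not found in $ProfilePath" }

    # Changing the extension is what makes the profile mandatory at the next logon.
    Rename-Item -LiteralPath $dat -NewName 'NTUSER.MAN' -Force

    # Replace the user's Full Control with Read & Execute so the rename cannot be undone.
    $acl = Get-Acl -Path $ProfilePath
    $userRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $UserAccount })
    if ($userRules | Where-Object { $_.IsInherited }) {
        # Rights come from the share root: stop inheriting and keep copies we can edit.
        $acl.SetAccessRuleProtection($true, $true)
    }
    foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $UserAccount })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $acl.AddAccessRule((New-NtfsRule -Identity $UserAccount -Rights 'ReadAndExecute'))
    Set-Acl -Path $ProfilePath -AclObject $acl
}

function New-MandatoryProfileShare {
    param(
        [Parameter(Mandatory = $true)][string]$LocalPath,    # e.g. D:\ASH-Mandatory-Profile (placeholder)
        [Parameter(Mandatory = $true)][string]$ShareName,    # e.g. ASH-Mandatory-Profile (placeholder)
        [Parameter(Mandatory = $true)][string]$ProfileName   # e.g. ASH.RDS.MAN, without .V2 (placeholder)
    )
    $root = New-Item -ItemType Directory -Path $LocalPath -Force

    # Table 5-8: SYSTEM and Administrators Full Control, Authenticated Users Read & Execute,
    # Administrators as owner. Inherited entries from the volume root are dropped.
    $acl = Get-Acl -Path $root.FullName
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-NtfsRule -Identity 'NT AUTHORITY\SYSTEM' -Rights 'FullControl'))
    $acl.AddAccessRule((New-NtfsRule -Identity 'BUILTIN\Administrators' -Rights 'FullControl'))
    $acl.AddAccessRule((New-NtfsRule -Identity 'NT AUTHORITY\Authenticated Users' -Rights 'ReadAndExecute'))
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $root.FullName -AclObject $acl

    # Table 5-7: share permissions. The arguments are quoted so PowerShell does not
    # split them on the commas before net.exe sees them.
    net share "$ShareName=$($root.FullName)" '/GRANT:Administrators,FULL' '/GRANT:Authenticated Users,READ' | Out-Null

    # Step 2: the profile folder carries the .V2 suffix; the GPO path omits it.
    New-Item -ItemType Directory -Path (Join-Path $root.FullName "$ProfileName.V2") -Force
}

# Usage (placeholders):
# New-MandatoryProfileShare -LocalPath 'D:\ASH-Mandatory-Profile' -ShareName 'ASH-Mandatory-Profile' -ProfileName 'ASH.RDS.MAN'
# Convert-RoamingProfileToMandatory -ProfilePath '\\Colfax\Profiles\jsmith.V2' -UserAccount 'ASH\jsmith'
```

Setting the ACL on the storage folder before running Copy To matters because Copy To writes the profile contents with the Permitted To Use setting you choose; the Authenticated Users entry on the parent is what lets everyone read the shared NTUSER.MAN without being able to alter it. The same New-NtfsRule entries apply to a local mandatory profile folder, which uses Table 5-8 as well.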

Creating a Safe Read-Only Desktop
One curious side effect to not being able to save anything to a mandatory profile is that any folders remaining in the profile (that is, not redirected) will not save changes either. For example, if you do not redirect the Desktop folder and if users save files to the desktop, those files will be discarded when they log off. There won't be any error, and the file will be on the desktop during the session, but the files won't be there when the users log on again. To put it mildly, this could be confusing. However, if you're using RemoteApp programs, you don't really want people saving files to the desktop because not being able to see the desktop will make those files hard to find.
To keep the desktop read-only but make sure people know it is read-only, redirect the desktop to a read-only folder as described in the section entitled "Centralizing Personal Data with Folder Redirection" earlier in this chapter. This will both prevent users from saving files to the desktop (which you want) and alert them to the fact that they can't save files to the desktop (which you also want). If they try, they will get an error. They still can't save anything to the desktop, but at least they will know that they can't.

Decrease Logon Times with Local Mandatory Profiles
The main reason to house a mandatory profile on a network share is to make it easier to update when you have a farm environment. But it's also worth noting that logon times can be decreased significantly by keeping a mandatory profile local to the server because the profile doesn't get pulled down from the network share when the user logs on.
Maintaining local mandatory profiles is more work, because any changes to the mandatory profiles will need to be made to the mandatory profile on each server. But the increase in logon speed might make this worthwhile to you, especially if you have only a few RD Session Host servers in a farm or you don't often need to change the profile. Again, testing this fully in your environment will tell you if it makes sense for your setup.
To use local mandatory profiles, perform the following steps:
1. Create a folder on each machine called something like "Mandatory Profile.V2" and set the appropriate NTFS profile folder permissions as specified in Table 5-8.
2. Copy a default profile to the new Mandatory Profile folder, giving Everyone permission to use it when you perform the copy.
3. Convert this local profile to a mandatory profile by changing the extension of NTUSER.DAT to make it NTUSER.MAN.

4. Enable the GPO setting as follows: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Use Mandatory Profiles On The RD Session Host Server.
5. Enable the Computer GPO setting as follows: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles\Set Path For Remote Desktop Services Roaming User Profile. Point to the local mandatory profile location, such as C:\Mandatory Profile. Do not include the .V2 extension.
6. Do this on each machine in the farm or pool.

Profile and Folder Redirection Troubleshooting Tips
Many people find the combination of RD Session Host servers and profiles daunting. And it's true: things don't always work the way you expect them to. Table 5-9 describes some common errors, possible solutions, and the sections in the chapter where you'll learn how to fix each problem.

TABLE 5-9  Profiles and Folder Redirection Troubleshooting Tips

PROBLEM: Policies appear to be set correctly, but aren't being applied.
SOLUTION: Force a policy update by using Gpupdate or by rebooting.
ADDITIONAL INFORMATION IN THIS CHAPTER: See the sidebar entitled "Updating Group Policy."

PROBLEM: Folders are not being redirected to the proper location or roaming profiles are not being loaded.
SOLUTION: Check event logs to make sure that the share is available on the network and has appropriate permissions.
ADDITIONAL INFORMATION IN THIS CHAPTER: See the sections entitled "The Consequences of Deleting a Profile Folder from Windows Explorer" and "Centralizing Personal Data with Folder Redirection."

PROBLEM: Group Policy settings aren't being applied to the right computers, groups, or users.
SOLUTION: Check the security filters and make sure that you've included the correct groups.
ADDITIONAL INFORMATION IN THIS CHAPTER: See the section entitled "Fine-Tuning GPOs with Security Filtering."

PROBLEM: Folders from profiles from earlier operating systems aren't redirecting properly, but Windows 7 and Windows Server 2008 R2 profile folders are redirecting.
SOLUTION: Make sure you've enabled earlier Folder Redirection for that GPO.
ADDITIONAL INFORMATION IN THIS CHAPTER: See the section entitled "Sharing Folders Between Windows Server 2003 and Windows Server 2008 Roaming Profiles."

PROBLEM: Users cannot load their roaming profiles when they log on, and they see a message that they will be logged on with a temporary profile.
SOLUTION: You might have deleted the cached profile manually using Windows Explorer. Delete the old registry keys and use tools such as the profile management utility or Delprof to delete profiles.
ADDITIONAL INFORMATION IN THIS CHAPTER: See the section entitled "Deleting Cached Profiles Manually."

PROBLEM: Testing Mandatory Profiles returns the error "Access is denied."
SOLUTION: Make sure you set the Everyone group to be permitted to use the profile when you use the Copy To button to create the mandatory profile. If necessary, delete the profile that is not working and redo it.
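The first two rows of Table 5-9 (force a policy refresh, then check that the shares are reachable and that the event logs are clean) are worth turning into a repeatable check that runs on the RD Session Host itself. The following PowerShell is an added example written for this page, not code from the book: it runs Gpupdate, confirms that each profile or redirection share can be reached and that Authenticated Users hold at least Read on it, and pulls the most recent errors and warnings from the User Profile Service and Folder Redirection operational logs, which is where a missing share or bad permissions are reported. The share paths are placeholders; the log channel names are the ones present on Windows Vista and Windows Server 2008 and later.

```powershell
# Added example (not from the book): quick checks for Table 5-9, rows 1 and 2.

function Test-ProfileShare {
    param([Parameter(Mandatory = $true)][string[]]$SharePath)
    foreach ($p in $SharePath) {
        $reachable = Test-Path -Path $p
        $readers = @()
        if ($reachable) {
            # Identities whose Allow entry on the share root includes ReadData
            # (the NTFS side of "has appropriate permissions").
            $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
            $readers = @((Get-Acl -Path $p).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               (([int]$_.FileSystemRights -band $readData) -ne 0) } |
                ForEach-Object { $_.IdentityReference.Value })
        }
        New-Object PSObject -Property @{
            Share            = $p
            Reachable        = $reachable
            Readers          = ($readers -join ', ')
            AuthUsersCanRead = ($readers -contains 'NT AUTHORITY\Authenticated Users')
        }
    }
}

function Get-ProfileServiceIssues {
    param([int]$MaxEvents = 20)
    # Level 2 = Error, 3 = Warning. Missing shares, ACL problems and temporary-profile
    # logons are all logged in these two channels.
    $logs = 'Microsoft-Windows-User Profile Service/Operational',
            'Microsoft-Windows-Folder Redirection/Operational'
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3 } `
                     -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

# Usage: refresh policy first (row 1), then check shares and logs (row 2). Paths are placeholders.
gpupdate /force | Out-Null
Test-ProfileShare -SharePath '\\Colfax\Profiles', '\\Colfax\FolderRedirection' |
    Format-Table Share, Reachable, AuthUsersCanRead, Readers -AutoSize
Get-ProfileServiceIssues | Format-Table TimeCreated, Id, Message -Wrap
```

A share that reports Reachable = False from the RD Session Host but opens fine from your workstation usually points at the computer account or the firewall rather than the share itself, and the event messages name the exact path the service tried, which is the quickest way to spot a typo in the GPO path.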

Summary
Although roaming profiles (read-write or read-only) are often the best model for storing user profiles in an RDS environment, the complications involved in making them work well can be daunting. This chapter has explained how profiles work, including how the User Profile Service loads and saves configuration data. You've learned about best practices, including how to keep profiles manageable in size to speed user logons and how Folder Redirection and profile caching also contribute to faster logons. You've seen how to set up Group Policy to enable automatic profile creation and how to use security filtering and loopback policy processing to ensure that the policies are applied correctly with RDS. Finally, you've learned how to set up and use mandatory profiles with RDS and how to prevent users from losing files when using mandatory profiles.
■ There are three types of profiles: local, roaming, and mandatory (including super-mandatory).
■ Combining roaming profiles with Folder Redirection is generally the best way to store user data in remote environments. Folder Redirection is very important for keeping logon times short and profile sizes small.
■ Mandatory profiles work best when you don't want to save any changes to the profile and have prevented users from writing files to profile folders.
■ Profiles don't merge; they overwrite. For best results, open only one copy of the user profile at a time. For this reason, you should generally not use the same roaming profile for both local logons and RD Session Host server logons.

■ Implementing Group Policy correctly from the beginning is key to making roaming profiles work.
■ Folder Redirection is very important to making profiles work properly, as follows:
• Folder Redirection keeps profiles small.
• Folder Redirection reduces the data that must be written back to a file stored in a profile folder.
• Using Folder Redirection, you can share folders between two profiles for better integration of local and remote user experiences.
• If using mandatory profiles, you must use Folder Redirection to allow users to save files to any of their normal document storage locations (for example, Documents and Favorites).

Additional Resources
The following resources will extend your knowledge of topics addressed in this chapter. All links are available to you on this book's companion media.
■ For more information on user profile management (with or without RDS), read the following:
• "Managing Roaming User Data Deployment Guide," available online at http://technet.microsoft.com/en-us/library/cc766489%28WS.10%29.aspx and for download from http://go.microsoft.com/fwlink/?LinkId=73760
• "Using User Profiles in Windows Server 2003," located at http://technet2.microsoft.com/windowsserver/en/library/23ee2a30-5883-4ffa-b4cf-4cfff3ff8cb71033.mspx?mfr=true
■ For more information about how to configure device redirection, see Chapter 6, "Customizing the User Experience."
■ To learn how to lock down the server, see Chapter 7, "Molding and Securing the User Environment."
■ For more information about publishing RemoteApp programs, see Chapter 9, "Multi-Server Deployments."
■ For more information about enabling RD Session Host server farms with RD Connection Broker and multi-server management, see Chapter 9.

CHAPTER 6

Customizing the User Experience
■ How Remoting Works  291
■ Moving the Client Experience to the Remote Session  307
■ Printing with RDP  334

If you're reading this book sequentially, by this point you have the basic virtual machine (VM) or session delivery system enabled, and you've configured profiles and folder redirection for your environment. At this stage, you're ready to move on to what most users would consider the critical part of remoting: the user experience. After reading this chapter, you'll know more about the following points:
■ How the core features of Remote Desktop Protocol (RDP) 7.0 work
■ How the remote experience will vary depending on the version of RDP a user employs to get to Windows 7 or Windows Server 2008 R2
■ How RDP 7.0 and RemoteFX differ in their approaches to remoting
■ How to configure the remote experience so that client-side devices work in remote sessions
■ How to configure printing with and without RD Easy Print

How Remoting Works
Remote Desktop Services (RDS) is all about the RDP. Without RDP, RDS just isn't very exciting. In this section, you'll examine how RDP works. You'll start with the basics of how static virtual channels, dynamic virtual channels, and protocol data units cooperate to send data, and then move on to a deeper look at how the individual features use virtual channels and Protocol Data Units (PDUs).

New Features in RDP 7.0

Each version of RDP adds new features to improve the user experience. RDP 7.0
introduces a number of changes to the remoting protocol that are designed to
make the remote session feel more like working on the local computer.

● Multimedia remoting
● True multi-monitor support
● Audio recording from the local session to the remote session
● Desktop composition (Aero Glass) remoting from a session
● Language bar redirection
All these features require having Windows 7 or Windows Server 2008 R2 on the
endpoint, and they are not available for /admin connections to a server running
Windows Server 2008 R2.

Multimedia Remoting
Using Remote Desktop Connection (RDC) 7 with Windows 7 and Windows Server
2008 R2, audio and video content, played back by using Windows Media Player, is
redirected from the RD Session Host server to the client in its original format and
rendered by using the client’s resources. Other multimedia content, such as Silverlight
and Windows Presentation Foundation (WPF), is rendered as bitmaps on the
server. The bitmaps are then compressed and sent over to the client.

Multiple Monitor Support
Remote Desktop Connection (RDC) 7, with Windows 7 or Windows Server 2008
R2, enables support for up to 16 monitors. This feature supports connecting to
a remote session with any monitor configuration that is supported on the client.
Programs function just as they do when they are running on the client. All monitors
connected to the client will show the remote session; you can’t choose to exclude a
monitor to show only local programs.

Audio Recording Redirection
RDC 7, with Windows 7 and Windows Server 2008 R2, redirects audio recording
devices, such as microphones, from the client to the remote desktop session. This can
be useful for organizations that use voice chat or Windows Speech Recognition.

Desktop Composition
RDC 7, with Windows 7 and Windows Server 2008 R2, supports Aero Glass remoting
and display of other advanced graphics features within an RD Session Host session.
Desktop composition works only with a single monitor.

Language Bar Redirection
Using RDC 7 with Windows 7 and Windows Server 2008 R2, you can use the language
bar on the client to control the language settings within your RemoteApp programs.

292 CHAPTER 6  Customizing the User Experience
What Defines the Remote Client Experience?
Distinguishing RDP 7.0, RDC 7, and the actual user experience can be confusing. There are three pieces that facilitate remoting (shown in Figure 6-1):
■ The RDC application on the client  This application comes native to an operating system, but can be upgraded. You don't have to upgrade the operating system.
■ The RDP listener on the endpoint  The Winstation driver on the endpoint listens for incoming RDP connections and sends data to the client computer. The listener is built into the operating system, so to upgrade it, you have to upgrade the operating system.
■ The RDP  The protocol that the RDC and the listener use to pass data between the local and remote computer.

[Figure 6-1 illustration: RDC Clients (an application; can be upgraded without upgrading the operating system) connect over the RDP Protocol to RDP Listeners (part of the operating system; to be able to support more features, you upgrade the operating system) on the RD Session Host Farm and on VM 1, VM 2 ... VM n on the VM Host.]

FIGURE 6-1  The RDP client, listener, and protocol work together to facilitate remoting.

The three of these combined define the client experience. The protocol itself passes data, the RDC sends data from the client and handles it when received, and the Winstation driver on the remote computer sends data from the server and receives it.
The listener and the RDC client support versions of the RDP protocol. Table 6-1 describes the remoting experience attainable given different combinations of RDC and the RDP listener. (Although the user interface in the RD Session Host Configuration tool says RDP 6.1, the experience is RDP 7.0.) There is no user interface to display the version of the RDP listener on client operating systems, but this is the version built in to the operating system. (To see the version on client SKUs, go to HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Wds\Rdpwd.)

NOTE  It’s a bit confusing that the RDP listener name in RD Session Host Configuration says “6.1” when the protocol experience is 7. It does this because, as you can see in HKLM\SYSTEM\ControlSet001\Control\Terminal Server\Wds\Rdpwd, the name of the Winstation driver (the session driver, stored in WdName) is “Microsoft RDP 6.1.” It could just as easily have been “Fred.” Regardless of the name of the driver, the experience you will get when connecting to a Windows Server 2008 R2 or Windows 7 endpoint with RDC 7 is that of RDP 7.0.

RDC 7.0 will appear in the Windows XP and Windows Vista RDC About dialog box as version 6.1.7600. “7600” is the RTM version number of the Windows 7 build. It will also say that RDP 7.0 is supported.

TABLE 6-1  RDP Protocol and Listener Support Matrix

OPERATING SYSTEM                 RDC CAN SUPPORT UP TO    RDP LISTENER SUPPORTS
Windows XP SP3                   RDP 7.0                  RDP 5.1
Windows Vista SP1, SP2           RDP 7.0                  RDP 6.1
Windows 7                        RDP 7.0                  RDP 7.0
Windows Server 2003 SP1, SP2     RDP 6                    RDP 5.2
Windows Server 2008 SP1, SP2     RDP 6.1                  RDP 6.1
Windows Server 2008 R2           RDP 7.0                  RDP 7.0

NOTE  Table 6-3 in the section entitled “How the RDC Version Affects the User Experience—or Doesn’t” later in this chapter further defines this matrix.

When connecting from a client to an endpoint, the remoting experience will be the lowest common denominator of what the RDC can support and what the RDP listener on the endpoint can support. For example, if you connect from a machine running Windows XP to another machine running Windows XP, even if you have installed RDC 7, the experience will be that of RDP 5.1, because the RDP listener on Windows XP supports only up to RDP 5.1. Another example: If you connect from a machine running Windows 7 to a machine running Windows Server 2008 R2, RDP 7.0 is supported by both the client and the listener, so that is the experience you will get.

294 CHAPTER 6  Customizing the User Experience
The RDP protocol connecting the RDC and the endpoint is split into virtual channels. Virtual channels are dedicated paths that carry particular kinds of data. For example, different channels support print jobs, clipboard sharing, drive redirection, and so forth. In Windows Server 2008 R2, virtual channels operate in both user mode and kernel mode (see Chapter 2, “Key Architectural Concepts for Remote Desktop Services,” for a description of user mode and kernel mode). Remote audio and the clipboard redirector both have virtual channels in user mode, whereas plug and play devices communicate via kernel-mode virtual channels.
To pass data between client and server, both ends of the channel must exist and be enabled. That’s why it’s possible to turn off drive redirection on an RD Session Host server without having to override this setting on the client—the server just isn’t listening on that channel. It’s also why it’s not possible to use a given virtual channel unless it is supported by both client and server. You can’t, for example, use the RDP 7.0 client to enable Plug and Play (PnP) Device Redirection on a terminal server running Windows Server 2003. The client supports that channel, but the server does not.

HOW IT WORKS

Why Don’t I Get Language Bar Redirection When Connecting to Windows XP from Windows 7?

When the product group blogged about RDP 7.0 on the RDS Team Blog, some people wanted to know if the new protocol would enable new features on earlier versions of Windows. For example, would someone using RDP 7.0 on the client get language bar support when connecting to Windows XP? Would they get any new functionality?

The short answer is “Not really.” This is because of the way that virtual channels work. Almost all features available with RDS rely on virtual channels. (One exception to this rule is the integration of RemoteApp and Desktop Connections in the Start menu of Windows 7. That feature actually depends on the client operating system itself.) If the virtual channel isn’t on both ends of the connection, then the feature doesn’t work.

Because remoting functionality requires support on both ends of the connection, the new features of RDP 7.0 are available only if you’re connecting to an endpoint that supports them. The Windows XP listener supports RDP 5.1, and Windows Vista SP1 supports RDP 6.1, so the user experience will fall back to whatever that version can handle.

Until Windows Server 2008, all virtual channels were created at the beginning of the session and severed when the session was ended by the client or the server—these are static channels. Windows Server 2008 introduced a new kind of virtual channel called a dynamic virtual channel (DVC) that an application can create after the session has begun, and which it can sever before the session ends. DVCs make it possible to add new redirected devices to a session after it’s started. If you relied on static channels entirely, then it would not be possible to plug in a camera (for example) to the client and have it show up in an active remote session. Instead, you’d have to plug the camera into the universal serial bus (USB) port before beginning the session.

ON THE COMPANION MEDIA  Although it’s possible to connect to an RD Session Host server using RDP 5.2 or later, applications using DVCs require RDP 6.1 or later; the IWTSVirtualChannelManager interface that manages the connections has a minimum requirement of RDP 6.1. You can get RDP 6.1 in Windows XP SP3 and Windows Vista SP1, or download RDC 7 for both these operating systems from http://support.microsoft.com/kb/969084.

Separating data into virtual channels is how this architecture allows you to selectively disable client-side redirection. It’s possible to enable printing but disable drive redirection, or to enable clipboard redirection but disable PnP devices. The following section explores in detail how virtual channels work.

The Foundation of RDP: Virtual Channels and PDUs

With a very few exceptions, the communication between the endpoint and the client—and therefore the remoting experience—is enabled through virtual channels and Protocol Data Units (PDUs). RDP describes the general guidelines for how data gets from point A to point B, but the actual data is passed along the virtual channels, and the negotiation of how the data is sent is done through PDUs.

Static Virtual Channels

RDP has been passing data through static virtual channels from its inception. Static virtual channels are created at the beginning of a session and remain in place until the session is disconnected. RDP can have a maximum of 31 static virtual channels, which is one reason why DVCs are useful. They’re the basis for all remoting; even the features that use DVCs (see the section entitled “Dynamic Virtual Channels” later in this chapter) depend on static virtual channels, because DVCs run in a static virtual channel.
RDP goes through eight steps to set up static virtual channels for a connection:
1. The client initiates the connection and the endpoint responds. Notice that the client always initiates.

2. The server and client exchange some basic information about the connection, including the following:
• Whether they can both support multiple monitors
• The client display height and width
• The color depth requested
• The type of keyboard
• The client operating system build number and RDP version
• What kind of security the client will use
• How the client will provide credentials (for example, whether it’s using CredUI)
• The number of virtual channels requested


NOTE  For more details on the security negotiations, see Chapter 8, “Securing Remote
Desktop Protocol Connections.”

3. The client and server hook up the virtual channels.
4. If the client is using standard RDP security, the client and server set up session keys for the connection (again, you’ll cover this in more detail in Chapter 8). After this point, all subsequent RDP traffic will be encrypted using the session keys, according to the level of security set on the client and enforced by the server.
5. The client sends the user name and password to the server.
6. The server and client negotiate whether the client has or needs a license, and then the server arranges to allocate the client a license if the client doesn’t already have one.

NOTE  For details on licensing, see Chapter 12, “Licensing Remote Desktop Services.”

7. The server tells the client what capabilities it supports, and the client acknowledges this information. The server capabilities sent during this step include features such as the following:
• RemoteApp support
• Desktop composition support
• The level of compression supported
8. Finally, the client and server finalize the connection details. After the client has received this, it can start sending keyboard and mouse input to the session, and the server can begin sending graphical updates to the client.

The following features of RDP use static virtual channels:
■ Clipboard redirection
■ DVCs
■ RemoteApp programs
■ Audio output
■ Smart card redirection
■ File system redirection
■ Serial port redirection
■ Legacy printer redirection (not RD Easy Print)
■ Session shadowing
An RDP connection might not have all these static virtual channels in place. During the capability negotiations between client and server, policies applied to the endpoint (and client) will be taken into consideration. Therefore, even if the operating system could technically support, say, file system redirection, if file system redirection is turned off due to Group Policy or turned off on the RDC, then the feature won’t be supported and the static virtual channel won’t be created.

Dynamic Virtual Channels

Dynamic virtual channels (DVCs), introduced with Windows Server 2008, are virtual channels that connect the client to an application running on the server (for example, Windows Media Player). Because they’re linked to applications, they can be created after a session begins and destroyed before it ends. DVCs allow you to add remote support for a device (such as a camera) during a session without having to plug the camera into the client’s USB port before beginning the session.
DVCs leverage the static virtual channel architecture. At the beginning of the connection, when the static virtual channels are created, a DVC Server Manager negotiates capabilities with the DVC Client Manager (including the version of DVC supported) and initializes the DVC path. Then, when an application wants to open one or more DVCs, the path is already prepared. The DVC Manager on the server keeps all the DVCs straight (and avoids confusing data between applications) by assigning each DVC an identifier. All traffic for a particular DVC is marked with its channel’s identifier. Either the client or the server can initiate a DVC request, and any data sent between client and endpoint using DVCs is not acknowledged by the recipient.
There are two versions of the DVCs. Version 1 allows an application to communicate with the other end of the connection. Version 2 adds the ability to prioritize the data within the DVCs in case some data is more time-sensitive than other data. For example, multimedia remoting is very time-sensitive, or else the user will detect a lag. Printing using RD Easy Print is less so.

The following features of RDP use DVCs:
■ RD Easy Print
■ PnP Remoting
■ Multimedia Remoting
■ Audio Recording from client to session
■ Composited Remoting (required to enable effects like Aero Glass remoting)

Protocol Data Units

PDUs are not specific to RDP by any means, but their role within RDP is often to help negotiate the respective capabilities of client and endpoint to help RDP transport data as required. (PDUs can also transport data if required.) Throughout this section, when describing how the client and endpoint negotiate how they can communicate, that negotiation uses PDUs.

Basic Graphics Remoting

The most obvious thing that RDP does is update the client display with the graphical updates in the session. Without that, there isn’t much to the experience. In this section, you’ll learn about the basic graphics remoting that RDP does and how it draws the desktop to look better.
Basic graphics remoting does what it sounds like. It gets the graphical data from the server to the client. As basic graphics remoting uses static virtual channels, it does not require a very advanced RDP client to support it. (Windows Server 2008 R2 and Windows 7 both support connections from RDP 5.2, even though you might not get a full complement of features.) It is also the basis for more advanced graphics capabilities like composited remoting and multimedia redirection.
Basic graphics remoting has to be able to do the following things:
■ Distinguish between multiple endpoints when sending graphical updates to the client
■ Make the session as responsive as possible
■ Stop sending graphics updates to the client when the session is disconnected or the remote window is hidden
Basic graphic remoting is enabled when the client and the server establish a connection, as described in the connection sequence in the section entitled “Static Virtual Channels” earlier in this chapter. After the connection is there, the two ends can work out how to handle the other aspects of graphics remoting, such as multimedia remoting or desktop composition.

Distinguishing Between Sessions

When the connection is established, the server keeps track of which session a process is running in and associates that process with the session ID for each session. Because the operating system has to know which process generated keyboard or mouse input, it will associate the process with the session. (Although a client operating system endpoint can support only a single interactive session at a time, Fast User Switching means that it might have more than one session logged on at once.)

Minimizing Data Sent

One way to send graphical updates is commonly known as “screen scraping”—sending bitmap images of the display on the endpoint to the client for display. This method is simple, makes it possible to support a wide array of client devices, and allows for high-fidelity rendering of all graphical updates, but over lower-bandwidth connections, it’s inefficient and leads to a very choppy display. Therefore, RDP does primitive remoting whenever possible, not bitmap remoting. In primitive remoting, the endpoint sends the instructions for how and where to draw, say, a rectangle to the client, rather than sending the picture of the rectangle and its precise position. RDP will send bitmaps when it needs to—when remoting Silverlight applications, for example—but when it does, the display speed is reduced because it has to send more data.
Another way that RDP can minimize the data sent is by using a codec on the endpoint to communicate with a codec on the client. When this option is available (see the section entitled “Advanced Graphics Remoting” later in this chapter), then the codecs can send the data to the client for rendering; this might not reduce the amount of bandwidth required because the data still has to get to the client computer somehow, but to the user, it will appear to be updated more quickly and will generally look better.
Finally, RDP can use a cache for graphical data sent to the client. With the exception of bitmaps, caches are stored in memory, not on disk, and are wiped clean when the session is disconnected. Client and server negotiate their caching capabilities when the connection is being established, but the cache might contain the following:
■ Bitmap images
■ Colors used in drawing the screen updates
■ Glyphs (characters) that the client types, both singly and in groups
■ Fill areas (for example, those needed to paint the desktop color)
■ Graphics device interface (GDI) primitives, cached by both client and server
Each piece of the cache has an ID. When the endpoint is going to send a graphical update that might be cached, the server will tell the client what it plans to send, and the client can look to see if it’s already got it. If it does, then it will use the bitmap, or glyph, in the cache. If it does not, the server can send the update. If the server wants to use the GDI primitives cache, it will tell the client exactly where to look in its own cache for that instruction.

DIRECT FROM THE SOURCE

Why Microsoft RemoteFX?

Tad Brockway
Principal Product Unit Manager, Remote Desktop Virtualization

I have been passionate about desktop centralization for many years, even before I
joined the Microsoft Remote Desktop Virtualization team in 1998. Prior to joining
Microsoft, I was a UNIX developer. (We didn’t call the scenario “desktop centraliza-
tion” at that time. We called it “X Windows.”)

The promise of Virtual Desktop Infrastructure (VDI) is that user desktops can be
centralized in such a way as to move complexity and state from the desktop into the
datacenter. To execute on this promise, we needed to allow people to use a broad
range of endpoint devices without compromising on the user experience. To this
end, we are developing a remoting approach that complements traditional graphics
remoting capabilities and works for endpoint devices ranging from PCs to the most
lightweight of thin clients.

Up to now, graphics remoting protocols like RDP have approached remoting in a client-centric way. Client-centric remoting intercepts graphics on the host device
and then efficiently forwards the intercepted graphics “primitives” (for example,
“Draw Rectangle” or “Draw Line”) to the client device. The client endpoint renders
the primitives using a client-side counterpart for each graphics intercept point on
the host. Client-centric remoting originated when there was limited bandwidth
from the datacenter to the user desktop and when the vast majority of applications
were developed on top of the same Windows graphics API: GDI.

Client-centric remoting relies heavily on the rendering capabilities of the client software and hardware. The chief benefit to client-centric remoting is that it’s a very
bandwidth-efficient way of remoting graphics types that can be intercepted high in
the software stack and sent as primitives. But when the client and host don’t both
support a particular graphics type, either the application fails to run properly or the
two sides negotiate down to a least common denominator graphics construct: a bit-
map. Bitmaps require more bandwidth than primitives because they have to detail
how to remote everything. For example, the primitive representation of “Draw Line”
would simply include the X and Y coordinates for the line start and the line finish.
The bitmap representation of the line would have to describe at least the X and Y
coordinates for every single point on the line.

If you have a powerful client device with a rich software stack and your host has all the right graphics intercept points, a client-centric graphics remoting can give you a great user experience over a relatively low-bandwidth connection. But if you have a less complex client device, are missing some important graphics intercept points on the host, or both, client-centric remoting will result in gaps in the experience, such as choppy video or missing graphics.

Today, bandwidth is less expensive and more widely available, and Windows users
want a wide array of graphics types (for example, Silverlight, Adobe Flash, DirectX,
Aero Glass, Windows Media, and so on). These changing conditions call for the ad-
dition of a new model that can support all graphics types, including 3-D, by sending
highly compressed bitmaps to the endpoint device in an adaptive manner. We call
this host-centric remoting.

You can ensure a consistent user experience for a wide array of devices if you follow
the VDI model and move a large portion of the client software and hardware into
the datacenter. With host-centric remoting, all the graphics can be intercepted on
the host at a very low layer in the software stack. All graphics are rendered on the
host into a single frame buffer (a temporary holding station for graphical updates)
that represents the user’s display. Changes to the frame buffer are sent to the client
at a frame rate that dynamically adapts to network conditions and the client’s abil-
ity to consume the changes. The changes are sent to the client endpoint as highly
compressed bitmaps by using an encoding scheme optimized for Windows desktop
content. The basic graphics requirement for the client endpoint is that it supports
the ability to decode and display the highly compressed bitmaps that it receives
from the host. At a minimum, the client needs the decoder counterpart to the en-
coder that was used on the host, as well as a basic graphics display capability.

Host-centric remoting requires more bandwidth than client-centric remoting. However, it delivers a consistent experience for every aspect of the modern Windows desktop regardless of the capability of the client-side device.

If you’re wondering which remoting model to choose, you don’t have to. If you
have a client device with a rich software stack and advanced processing capabilities,
client-centric remoting makes sense. But to deliver completely on the promise
of VDI for less powerful client devices, you also need host-centric remoting. We
are adding RemoteFX as a new capability or “payload” to the RDP platform, while
continuing to support and enhance our existing client-centric model. Whichever
remoting model you use, the fundamentals of RDP are unchanged. RDP includes
the same authentication, encryption, device redirection, and transport capabilities,
independent of the remoting model being used.

Compressing RDP Data

RDP supports two kinds of bulk compression (compression done on all virtual channels, as opposed to compressing individual channels). Both compress only when sent from server to client, not from client to server. Standard bulk compression compresses all the data going through RDP channels using a lossless technique known as Huffman compression. (Lossless compression doesn’t lose any data during the compression/decompression process.)

NOTE  Huffman compression encodes data based on the frequency of symbols in the
data stream. If a symbol appears more often, its representative code is shorter than a
character that appears only once. For more information on Huffman compression, see
http://www.huffmancoding.com/my-family/my-uncle/huffman-algorithm.
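The frequency-based coding the note describes, as an added worked example (this is illustration code written for this edit, not RDP’s bulk compressor or any Microsoft implementation): it builds a Huffman codebook from the symbol frequencies of a constructed byte string, shows that the most frequent symbol receives the shortest code, and decodes back to the identical bytes, which is what “lossless” means above.

```python
"""Huffman coding as an illustration of lossless bulk compression.

Example code for this chapter edit, not RDP's own compressor. Symbols that
appear more often in the input receive shorter codes, and decoding
reproduces the input byte-for-byte.
"""
import heapq
from collections import Counter
from itertools import count


def build_codebook(data: bytes) -> dict[int, str]:
    """Map each byte value in data to its Huffman code (a string of bits)."""
    if not data:
        return {}
    freq = Counter(data)
    if len(freq) == 1:
        # A single distinct symbol still needs a one-bit code to be decodable.
        return {next(iter(freq)): "0"}
    # Heap entries: (frequency, tie-breaker, tree). A tree is either a symbol
    # (int) or a (left, right) tuple. The unique tie-breaker means the heap
    # never has to compare two tree objects directly.
    tiebreak = count()
    heap = [(n, next(tiebreak), sym) for sym, n in freq.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        # Merge the two least frequent subtrees; rarer symbols sink deeper
        # into the tree and therefore end up with longer codes.
        n1, _, left = heapq.heappop(heap)
        n2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (n1 + n2, next(tiebreak), (left, right)))
    _, _, root = heap[0]

    codebook: dict[int, str] = {}

    def walk(node, prefix: str) -> None:
        if isinstance(node, int):
            codebook[node] = prefix
        else:
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")

    walk(root, "")
    return codebook


def encode(data: bytes, codebook: dict[int, str]) -> str:
    """Concatenate the code for each input byte into one bit string."""
    return "".join(codebook[b] for b in data)


def decode(bits: str, codebook: dict[int, str]) -> bytes:
    """Walk the bit string, emitting a byte each time a full code is matched.

    Huffman codes are prefix-free (no code is a prefix of another), so the
    first match is always the right one and no separators are needed.
    """
    reverse = {code: sym for sym, code in codebook.items()}
    out = bytearray()
    cur = ""
    for bit in bits:
        cur += bit
        if cur in reverse:
            out.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a complete code")
    return bytes(out)


def compression_ratio(data: bytes) -> float:
    """Encoded size as a fraction of the raw 8-bits-per-byte size."""
    bits = encode(data, build_codebook(data))
    return len(bits) / (8 * len(data))


if __name__ == "__main__":
    # Constructed sample: a screen row dominated by one background colour
    # value, the kind of skewed distribution that frequency coding rewards.
    sample = b"\x00" * 60 + b"\x10" * 20 + b"\xff" * 10 + bytes(range(1, 11))
    book = build_codebook(sample)
    print("code lengths:", {k: len(v) for k, v in sorted(book.items())})
    bits = encode(sample, book)
    assert decode(bits, book) == sample  # lossless round trip
    print(f"{len(sample) * 8} bits raw -> {len(bits)} bits encoded "
          f"({compression_ratio(sample):.2f} of original)")
```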

Windows Server 2008 added a new codec, called NSCodec, for improving graphics compression over the wide area network (WAN) for 32-bit and 24-bit graphics (used only with RDC 5.1). This lossy compression algorithm is controlled by the following Group Policy object (GPO):

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Remote Session Environment\Set Compression Algorithm For RDP Data

This compression mode is off by default because it is more memory-intensive on the endpoint (which can reduce the number of sessions that an RD Session Host server can support). However, it allows RDP to perform better over slower networks. To the user, the images still look fine—your eye puts the images together in the same way it does for a newspaper image. The more data that is lost in the compression process—which generally correlates to a higher degree of compression—the grainier the connection will look.
NSCodec works by degrading the graphics slightly (almost imperceptibly to the user), using the following techniques:
■ Splitting and combining color planes, which basically means sending all the color information at once instead of treating two types of colors as different “layers” in the image and sending them separately
■ Color space conversion (required for chroma subsampling)
■ Chroma subsampling and super-sampling, which reduces the variation in colors between adjoining pixels (which the human eye is less sensitive to) while maintaining the intensity. Reducing the color fidelity significantly reduces the amount of data that needs to be sent.
■ Color loss reduction
When the client and endpoint are negotiating their mutual capabilities (see the section entitled “Static Virtual Channels” earlier in this chapter), they determine whether the client supports both lossy compression (and how much color loss the client will tolerate) and chroma subsampling. Both require at least RDP 6.1 on the client.

received data. If it can’t, then it will need the endpoint to send the character again.
ClearType remoting is off by default and isn’t recommended for wide area network
(WAN) connections.

As you can see, the choices you could make depend on the amount of bandwidth
available and are computer-wide. If you need to support both local and remote
users, one option would be to define a parallel farm for use via RD Gateway only.
(For more about RD Gateway, see Chapter 10, “Making Remote Desktop Services
Available from the Internet.”) If you did this, then you could use the compression
algorithm optimized for low-bandwidth scenarios and limit the color depth, then
provide greater color depth and a memory-optimized compression algorithm on
the endpoints for local use.

Sending Updates Only When the Session Is Active

There’s no point in sending frequent graphical updates when the user isn’t interacting with the session. When the session doesn’t need updates—when the user has minimized the window or disconnected from the session—the session on the endpoint remains active, but the client doesn’t get updates.
When the client sends a request to disconnect, the server will first refuse the request and then reply with an error to prompt that disconnecting will end the connection, but the session will remain active. If the user on the client confirms the request, the connection will be disconnected and the endpoint will stop sending graphical updates.

Advanced Graphics Remoting

Basic RDP displays the desktop and applications on the endpoint in a window on the client. Composited remoting, introduced with Windows Server 2008 R2 and Windows 7, improves the remote display by drawing all windows separately from each other to achieve a 3-D effect, which is required for Aero Glass remoting, window previews, and other advanced graphics remoting features. To make this work, RDP must be able to send the contents of each application layer separately and then send them to the Desktop Window Manager on the client to reassemble them appropriately.
Advanced graphics remoting is available only when the client has a single monitor. If the client uses more than one monitor in a remote session, this feature is disabled even if it is enabled on the endpoint.
To enable advanced graphics remoting, open Server Manager on the host. In the Client Experience section, make sure that you’ve selected the box for Desktop Composition. Windows 7 Enterprise and Ultimate don’t require additional configuration to support this feature.

The RDP 7.0 FAQ

When the product group posted the RDS Team Blog entry announcing RDP 7.0 for Windows XP SP3 and Windows Vista SP1, we got a lot of questions. For easy reference, we’ve organized and answered them here.

What Operating Systems Is RDC 7 Available For?

All versions of Windows 7 and Windows Server 2008 R2 come with RDC 7. You can install RDP 7.0 on 32-bit Windows XP SP3 and 32-bit Windows Vista SP1 and SP2. (The RDC upgrade is not available for 64-bit versions of Windows XP and Vista because the code base for 64-bit XP is different and there wasn’t enough user demand to justify the huge increase in test cost.) For thin clients, RDP 7.0 is available for Windows Embedded Standard 2009 and Windows Embedded POSReady 2009.

NOTE  Windows 7 Premium allows outbound RDP connections. It does not permit incoming RDP connections.

A separate installation of RDP 7.0 is not supported on earlier server operating systems as a client, and if you hack the install to install RDP7 on a server SKU (there are instructions floating around the web for this, but none are supported or endorsed by Microsoft), then this will not enable the new features of RDP7 on the endpoint.

As of this writing, there is no RDP 7.0 for Apple Macintosh operating systems, just a basic connectivity. Microsoft does not make or support an RDP client for Linux.

Which Endpoints Will Give Me All the Features of RDP 7.0?

To get all the features of RDP 7.0, you’ll need to connect to Windows 7 Enterprise or Ultimate edition, or Windows Server 2008 R2 with the RD Session Host role service installed. Administrative connections to RD Session Host servers or connections to other Windows 7 SKUs will get a limited set of features. Windows 7 Premium cannot be an RDP endpoint.

Does RDP 7.0 Support Tablet Input?

No.

If Using Windows Server 2008 R2 as a Client and Connecting to Windows 7, Will You Get All Features of RDP 7.0?

Yes, as long as you’re connecting to Windows 7 Enterprise or Ultimate edition.
Whe