
Windows NT Server 4.0, Terminal Server Edition Domain Issues

Thomas Martin, Support Professional, Microsoft Corporation

Domain Issues for Terminal Server Edition

Terminal Server as a Domain Controller or Member Server
Home Directories
Terminal Server Profiles
System Policies
Permissions
Terminal Server Licensing
User Manager for Domains - Changes
Citrix MetaFrame Add-On
Terminal Server Clients
Service Pack 4 Effects and Hotfixes
Service Pack 5
Terminal Server and Year 2000 (Y2K)
Additional Information on the Web

Terminal Server as a Domain Controller or Member Server

Terminal Server Edition (TSE) is a new kernel and operating system; you cannot install it as a service in version 4.0. Windows 2000 Terminal Services is a service that you can install after server installation.

Domain Controller Installations: When you log on locally to the TSE domain controllers, you can log on locally to the console of any domain controller.

Member Server Installations: File Server, Application Server

Home Directories

Stores information for a multiple-user environment.

Microsoft Knowledge Base article Q186521, Why Terminal Server Users Should Have New Home Directories. The default home directory location is the user's profile. This may not be efficient if the user stores a large amount of data in the home directory.

Microsoft Knowledge Base article Q230165, Terminal Server User's Home Directory Is Not Set Correctly. Home directories are not mapped correctly for users with existing profiles.

Microsoft Knowledge Base article Q195934, Incorrect Permissions Applied to Terminal Server Home Folders. Incorrect default permissions are assigned when you create a unique TSE home directory for multiple users using the following format: \\server\share\%username%

Microsoft Knowledge Base article Q192164, Home Directories Are Created with Incorrect Permissions.

Terminal Server Home Directory

User Manager for Domains Changes

Terminal Server Profile Path

Used for profiles while in TSE. User profile path is for non-TSE profiles. Stores multiple-user environment information.

Terminal Server Home Directory

User Configuration Dialog Box

Security Accounts Manager (SAM) database changes to include the new fields being used.

Microsoft Knowledge Base article Q248474, Windows NT Server Tools Overwrites Terminal Server Information. When you attempt to modify TSE user accounts from a Windows 98/95-based computer using a version of Windows NT Server tools earlier than version 4.0, the information in the TSE profile path and the Terminal Server Home Folder Universal Naming Convention (UNC) boxes is overwritten. Also, you are unable to view the information in these boxes using any version of Windows NT Server tools.

Terminal Server Profiles (Local and Roaming)

Local Profiles

Created in the Wtsrv\Profiles\Username folder of the TSE computer.

Not good for clustered TSE with the Citrix MetaFrame add-on, which is described later in this presentation.

Local profiles can also fill up the small system partition and not use the large data partitions.

Moving the local profiles is a delicate process with which Microsoft Product Support Services can provide assistance.

Local profiles are a fix to a current capacity problem. A long-term solution is to implement roaming profiles to a large data drive and implement a system policy to delete locally cached profiles.

Terminal Server Profiles (Local and Roaming)

Local Profiles

Implement roaming profiles and system policy. Microsoft Knowledge Base article Q245176, Cached Terminal Server Roaming Profiles Use Too Much Disk Space.

[Figure: system partition C:\wtsrv, 100 MB, filled up; data partition D:\, 900 MB, largely unused space]


Terminal Server Profiles (Local and Roaming)

Roaming Profiles

The TSE profile path is for roaming profiles only while in TSE.

This is good for clustered TSE computers with Citrix MetaFrame.

Select a server to house roaming profiles that can be accessed by any TSE computer.

Higher bandwidth than traditional roaming profiles from server to the client's desktop computer.

Implement TSE profile path to create roaming profiles for your TSE users.

[Figure: roaming profiles stored on member server; TS2; clients]



Terminal Server Profiles (Local and Roaming)

Roaming Profiles

If roaming profiles do not work, often the Security ID (SID) never left the registry. Therefore, it never wrote to the local profile, which in turn could not be written to the roaming profile (which is performed last). The SID can be put in the registry by some programs that lock open the Ntuser.dat file in the profile.

Microsoft Knowledge Base article Q187453, User's SID Remains in Registry After Logoff. This article describes things that hold a SID in the registry and prevent roaming profiles from working.

User Profile Path vs. Terminal Server Profile Path

User Profile Path: Good for both Terminal Server and Microsoft Windows NT Server

Suitable for Microsoft Windows NT Workstation desktops that have or want the same desktop settings, whether they are using a TSE session or standard Windows NT Server logon.

Terminal Server Profile Path: The roaming profile for TSE use only.

Good for Microsoft Windows 98, Microsoft Windows 95, or other desktops that need a roaming profile with their virtual Windows NT Workstation user settings stored in it.


User Profile Path vs. Terminal Server Profile Path

Which path is used?

If only the User Profile Path is filled in, it is used inside the TSE session and from the regular desktop domain logon.

Microsoft Knowledge Base article Q243535, Terminal Services Client Roaming Profile Is Overwritten.

If both the User Profile Path and Terminal Server Profile Path are filled in, the User Profile Path is used for the regular desktop domain logon like Windows 95/98 clients.

If only the Terminal Server Profile Path is filled in, the desktop domain logon does not roam but the TSE session profile is roaming.

If neither path is filled in, the desktop domain logon is local on the Windows 95/98 client and the TSE profile is local only. This fills up the small system partition.
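The "Which path is used?" rules above, applied to an account export so that risky combinations stand out. This is an added example, not part of the original presentation; the CSV layout, account names, server names and finding codes are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export of account settings (names and servers are made up).
SAMPLE_ACCOUNTS = r"""username,user_profile_path,ts_profile_path
alice,\\FS1\profiles\alice,\\FS1\tsprofiles\alice
bob,\\FS1\profiles\bob,
carol,,\\FS1\tsprofiles\carol
dave,,
"""

def resolve_profiles(user_profile_path, ts_profile_path):
    """Return (desktop_logon_profile, tse_session_profile) for one account.

    "local" means no roaming profile is used for that kind of logon.
    """
    upp = (user_profile_path or "").strip()
    tspp = (ts_profile_path or "").strip()
    if upp and tspp:
        return (upp, tspp)        # each logon type gets its own roaming profile
    if upp:
        return (upp, upp)         # User Profile Path is used for both logon types
    if tspp:
        return ("local", tspp)    # desktop logon does not roam, TSE session does
    return ("local", "local")     # nothing roams

def audit(accounts_csv):
    """Flag accounts whose path combination leads to a problem named on the slide."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        desktop, tse = resolve_profiles(row["user_profile_path"],
                                        row["ts_profile_path"])
        if tse == "local":
            # TSE profile is local only: it lands on the small system partition.
            findings.append((row["username"], "LOCAL_TSE_PROFILE"))
        elif desktop == tse:
            # One roaming profile shared by both logon types; the slide cites
            # Q243535 next to this case.
            findings.append((row["username"], "SHARED_PROFILE"))
    return findings

if __name__ == "__main__":
    for user, code in audit(SAMPLE_ACCOUNTS):
        print(user, code)
```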


System Policies - Local TSE vs. Domain Policies

Local Policies - Applied when working only on a specific TSE computer.

Microsoft Knowledge Base article Q186529, Local Policy Does Not Permit You to Log On Interactively. If you want to limit this right, create a group specifically for your TSE clients, and grant this group the Log on Locally right. You can then remove the Everyone group, which limits console logon rights to the client group and the administrator.

Domain Policies - Applied whenever the user logs on, and stored in the Netlogon share on the Windows NT domain controllers.

Microsoft Knowledge Base article Q192794, How to Apply System Policies to Terminal Server. Save the Ntconfig.pol file to the C:\Ntconfig.pol folder, and then point to the local version instead of the Netlogon share that is used for all domain users instead of just TSE users.

System Policies - Changes

Changes to System Policies

There are new settings that apply only to TSE sessions and not standard domain logons.

Microsoft Knowledge Base article Q186618, New System Policy Options in Terminal Server. There are four new settings to be implemented under Default User or specific users or groups. TSE includes the following new user policy options:

Remove Windows NT Security Item from Start Menu
Remove Disconnect Item from Start Menu
Remove Logoff Item from Start Menu
Prevent users from creating global file associations



Permissions

NTFS permissions: file system requirements for a multiple-user environment. Everyone needs to have Change permissions to the Wtsrv folder; TSE has Read permissions by default (apply only to the subfolders and not the existing files to protect system .exe and .dll files).

Microsoft Knowledge Base article Q186569, Security Configuration in Terminal Server. This article discusses the Terminal Server Administration tool, Security Configuration. This tool is a modified version of the C2 Security Configuration tool in the Microsoft Windows NT Server 4.0 Resource Kit.

Microsoft Knowledge Base article Q186616, Terminal Server Client Error 13D at Logon. This error message means that you do not have permission to log on. The administrator has limited or denied your access in Terminal Server Connection Configuration.

Permissions (cont'd)

Terminal Server Connection Configuration

This is the system-wide graphical user interface (GUI) setting for rdp-tcp and ica-tcp. The Security tab has permissions; these permissions can override what User Manager for Domains has listed in its connection permissions. This issue is often overlooked because of standard Windows NT Server troubleshooting on User Manager for Domains.


User Rights

Access Computer from Network

Disable for a TSE computer that is a member server or standalone server.

Enable for a TSE computer that is a domain controller because it affects every domain controller, and the standard Windows NT Server-based computers need this right for users to be able to gain access to file/print services.

Not required from a thin client.

Microsoft Knowledge Base article Q186490, Terminal Server's Use of Access This Computer From Network. The right to access the computer from the network is not required to log on to a Terminal Server computer across the network from a client. Every user has to have the Log on Locally right to the TSE computer.

Microsoft Knowledge Base article Q186627, How to Temporarily Disable Terminal Server Client Logons. For when you need to disable connectivity to the Terminal Server computer for maintenance issues.

Log on Locally TSE as Member Server or Domain Controller

Account Management


Terminal Server Licensing

License Manager

Tracks domain licenses as other Windows NT Server-based computers do.

Microsoft Knowledge Base article Q187629, Terminal Server Licensing. Terminal Server License Manager reports but does not enforce licensing. Enforcement comes from the License Manager in Windows NT.

Profile issues if not completed: if no licenses are available, the user can log on to the domain, but the TSE local profiles are not loaded.

Licensing errors:

Microsoft Knowledge Base article Q190233, Terminal Licensing Failed with the Specific Error 322148762. This replaces the Hydra.mdb file from the CD-ROM.

Microsoft Knowledge Base article Q216843, Clients Receive "Error 1000 No Licenses Are Available". The errors are caused by a MetaFrame feature known as License Pooling. License Pooling allows MetaFrame servers to share installed licenses.

Terminal Server License Manager


Terminal Server License Manager

Terminal Server Licensing Service

Existing Windows NT Workstation 4.0 License: For clients that already have Windows NT Workstation 4.0 on their desktops.

Windows NT Workstation 4.0 Full License: For clients that have a non-Windows NT Workstation client platform so they can license the virtual Windows NT Workstation desktop. This is modified with the TSE Client Access License (CAL).

Windows NT Workstation 4.0 Version Upgrade: For clients that have Windows NT Workstation 3.5x on their desktop and only need a version upgrade (less expensive than the full license option).

Temporary License for Windows NT Workstation 4.0 Full License: For clients that do not have a license; grants them 90 days to work while licenses are being purchased.

Citrix MetaFrame Add-On

Citrix MetaFrame 1.8

Next generation from WinFrame thin-client solutions for Windows NT Server 3.5x.
Server clustering for load balancing of the TSE computer.
Installs on top of TSE.
Citrix Licensing Services used instead of Terminal Server License Manager.
Published programs for users to find and start.


Client Options: Remote Desktop Protocol

Remote Desktop Protocol (RDP)

Microsoft client program that allows connection to TSE computer with or without Citrix MetaFrame.

Clients: Windows NT Workstation, Windows 95/98, Windows 3.x, Windows thin-client devices with RDP embedded


Client Options: Independent Computing Architecture

Independent Computing Architecture (ICA)

Citrix's client program for TSE computers with Citrix MetaFrame.

Clients: Windows clients as RDP, Macintosh, UNIX, Novell, OS/2, Windows CE, ICA thin-client devices

Features:
Support for several client platforms
Shadowing
Remote printer attachment
Sound through the channel
Remote HDD attachment

Service Pack 4 Fixes to TSE

Service Pack 4 (SP4) was the first service pack for Terminal Server. Terminal Server Edition 4.0 was built with SP3 integrated into the code.

Microsoft Knowledge Base article Q222970, List of Bugs Fixed in Terminal Server Edition. This article is a list of the article numbers for bugs that were fixed in the latest Windows NT Server 4.0, Terminal Server Edition Service Pack.


Service Pack 4 Effects and Hotfixes

SP4 fixed many issues and generated some issues. Improper (dirty) shutdown criteria changed in SP4.

A dirty shutdown used to refer only to a sudden power outage. This term now includes scheduled shutdowns, session-initiated reboots, software-installed reboots, and at command reboots (typically, anything other than pressing CTRL-ALT-DEL at the server console). This causes the orphaned temporary folders problem.

Microsoft Knowledge Base article Q230449, Service Control Handler May Not Receive SERVICE_CONTROL_SHUTDOWN. This behavior can occur if a user is not logged on locally to the computer and the computer is shut down programmatically (by a program).


Service Pack 4 Effects and Hotfixes (cont'd)

Temp Directory Hotfix

Microsoft Knowledge Base article Q234029, Err Msg: "Temp Directory Not Accessible" After Applying TSE SP4. This behavior occurs because Terminal Server SP4 does not reset the permissions or delete existing temporary folders that are orphaned after a dirty shutdown. This behavior change was added in SP4 to improve security by preventing new users from viewing work that may have been abandoned by previous sessions because of a dirty shutdown.

The scope of this hotfix: when starting a new TSE session, the hotfix checks the C:\Temp folder for an existing subfolder with the same session ID. If a similar session ID exists, it is deleted and re-created by the system account. It does not remove all orphaned temporary folders, which is the expected behavior.
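A small model of the hotfix scope described above, showing that only the folder matching the new session ID is reset while other orphaned folders stay behind and can be listed for separate cleanup. This is an added example, not code from the hotfix or the original presentation; it runs against a scratch directory, the function names are hypothetical, and POSIX-style mode 0o700 stands in for re-creation by the system account.

```python
import os
import shutil
import tempfile

def start_session(temp_root, session_id):
    """Reset only the per-session temp folder that matches this session ID."""
    path = os.path.join(temp_root, str(session_id))
    if os.path.isdir(path):
        shutil.rmtree(path)      # drop whatever an earlier session left behind
    os.mkdir(path, 0o700)        # re-create it empty (stand-in for the system account)
    return path

def orphaned_folders(temp_root, active_session_ids):
    """List per-session folders with no live session; the hotfix leaves these alone."""
    active = {str(s) for s in active_session_ids}
    return sorted(
        name for name in os.listdir(temp_root)
        if os.path.isdir(os.path.join(temp_root, name)) and name not in active
    )

def demo():
    root = tempfile.mkdtemp(prefix="tse_temp_")
    try:
        # Constructed state after a dirty shutdown: sessions 1, 2 and 3
        # each left a file behind in their temp folder.
        for sid in (1, 2, 3):
            os.mkdir(os.path.join(root, str(sid)))
            with open(os.path.join(root, str(sid), "draft.doc"), "w") as f:
                f.write("abandoned work")
        new_path = start_session(root, 2)   # a new session reuses ID 2
        return os.listdir(new_path), orphaned_folders(root, [2])
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```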

Service Pack 4 Effects and Hotfixes (cont'd)

Profiles Stuck in the Registry

Microsoft Knowledge Base article Q234606, Terminal Server User Profiles Do Not Unload. The logged-on user's profile is held in the user's SID key under the HKEY_USERS registry hive. This registry key is not unloaded when the user logs off. The user profile is not being updated correctly because of this.

The scope of this hotfix is to have CSRSS send out a query for all processes that are running in the user's session, and then send out a request for the processes to stop. After the specified wait time expires, Winlogon starts the session shutdown. The shutdown process should not work if there are session ID processes still running.

Service Pack 4 Effects and Hotfixes (cont'd)

RestrictAnonymous Setting Is Broken in SP4

Microsoft Knowledge Base article Q236185, Terminal Server User Profiles and Home Folder Paths Are Ignored.

This article describes how Service Pack 4 changed the behavior of the RestrictAnonymous registry security setting compared with Service Pack 3 (SP3). SP4 broke the RestrictAnonymous setting, which was designed to stop the enumeration of shares and user account information by anonymous users. SP3 logged the user on to the domain, and then the authenticated user would verify the paths for user profile, Netlogon share, and so on. Service Pack 4 changed the order so that the shares were tried before the user was logged on to the system, so the user was anonymous. Winlogon had to be rewritten to process the user logon first, and then validate the profiles and shares.

Service Pack 4 Effects and Hotfixes (cont'd)

Application Security

Microsoft Knowledge Base article Q239873, Application Security May Not Work After Improper Shutdown. After an improper system shutdown, this list may not be read correctly from the registry and memory may contain an incomplete list of programs. Therefore, users who could log on or run certain programs earlier may not be able to because the list is incomplete.

Microsoft Knowledge Base article Q230279, Corrupted User Profiles Can Cause New Local Default to Be Lost. When you download a corrupted profile from the central server, error 1009 is logged in the Event System log. A new local profile is then created from the local default setting. However, after you restart your computer, the computer does not reference the new local profile and begins the cycle of loading the corrupted profile from the server again. The following error message is then displayed: 27 The system cannot find the drive specified.

Profile Corruption and the Effects on New Sessions

Service Pack 5

Service Pack 5 Updates

Microsoft Knowledge Base article Q240331, List of Bugs Fixed in Terminal Server Edition, Service Pack 5. This article contains a current listing of the article numbers for bugs that are fixed in Service Pack 5 for Windows NT 4.0, Terminal Server Edition.

SP5 Is Currently on the Web


Terminal Server and Y2K

For compliance information refer to the following Web page:

Terminal Server Licensing Service

Microsoft Knowledge Base article Q236405, Terminal Server License Service May Not Start on 2/29/2000. When you attempt to start the Licensing service on your computer running Windows NT 4.0, Terminal Server Edition, on February 29, 2000, the service may not start.

Date      Time    Size     File name    Platform
--------------------------------------------------
07/01/99  06:27p  165,648  Lserver.exe  x86
07/01/99  06:32p  205,584  Lserver.exe  Alpha


TSE Domains Issues Article

This presentation is based on the following Microsoft Knowledge Base article:

Microsoft Knowledge Base article Q245607, Terminal Server Edition 4.0 Issues in a Domain Environment. Windows NT Server 4.0 Terminal Server Edition (TSE) has provided an increased capability for Windows NT domain environments. TSE has affected all aspects of the domain environment. This article describes the various domain areas that have been affected and provides links to other articles that have specific troubleshooting steps for those issues.


Additional Information

Terminal Server Web site:
Technical white papers:
For information about Windows 2000 Terminal Services: