Thursday, March 22, 2012

Terminal server role: Configuring a terminal server


Configure this computer as a terminal server by installing the Terminal Server component, which provides centralized deployment of applications.

Using a terminal server, users in remote locations can run programs, save files, and use network resources as though those resources were installed on the users' own computers. By installing programs on a terminal server, you can ensure that all users are using the same version of a program. If you plan to use this computer to allow multiple users to access a program at the same time from a single point of installation, configure this computer as a terminal server.

However, if you plan to use this computer for remote administration on Windows Server 2003 operating systems, you do not need to install Terminal Server. Instead, you can use Remote Desktop for Administration (formerly Terminal Services in Remote Administration mode), which is installed by default on computers running one of the Windows Server 2003 operating systems. After you enable remote connections, Remote Desktop for Administration allows you to remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two remote sessions, plus the console session, can be accessed at the same time, without requiring Terminal Server Licensing. For more information about Remote Desktop for Administration, see Remote Administration using Terminal Services.

This topic explains how to use the Configure Your Server Wizard to install and configure a terminal server. After you have completed the Configure Your Server Wizard, you must perform the following additional steps in order to have a basic terminal server.
  • Confirm Internet Explorer Enhanced Security Configuration settings.
  • Configure a Terminal Server License Server. For small deployments, it is acceptable to install both the Terminal Server and Terminal Server Licensing service on the same physical computer. However, for larger deployments, it is recommended that Terminal Server Licensing be installed on a separate server. Install client access licenses (CALs) on the Terminal Server License Server.

    Important
  • You must configure Terminal Server Licensing correctly in order for your terminal server to continue to accept connections from clients. To allow ample time for you to deploy a license server, Terminal Server provides a licensing grace period, during which no license server is required. During this grace period, a terminal server can accept connections from unlicensed clients without contacting a license server. The grace period begins the first time the terminal server accepts a client connection. It ends after you deploy a license server and that license server issues its first permanent CAL, or after 120 days, whichever comes first. For more information, see Terminal Server Licensing grace period.
  • Install programs on the terminal server.
  • Distribute the latest version of Remote Desktop Connection to clients running earlier versions of Remote Desktop Connection for Windows.
  • Specify which users have permission to connect to the terminal server.
After you have completed both the Configure Your Server Wizard and these additional required tasks, you will have a basic terminal server.
This topic covers:
  • Before you begin
  • Configuring your terminal server
  • Next steps: Completing additional tasks

Before you begin

Before you configure your computer as a terminal server, verify that:
  • The operating system is configured correctly. In the Windows Server 2003 family, a terminal server depends on the appropriate configuration of the operating system and its services. If you have a new installation of a Windows Server 2003 operating system, you can use the default service settings. No further action is necessary. If you upgraded to a Windows Server 2003 operating system or you want to confirm that your services are configured correctly for best performance and security, verify your service settings with the table in Default settings for services.
  • The computer is a server on a network or in a domain, but is not a domain controller. Installing Terminal Server on a domain controller affects performance because of the additional memory, network traffic, and processor time required to perform the tasks of a domain controller in a domain.
  • The computer meets processor and memory requirements for supporting multiple concurrent sessions where different users are logged on. A terminal server requires a minimum of 128 MB RAM, plus additional RAM for each user to support running each user's programs on the server. An additional 10 MB RAM is recommended for each light user, who typically runs one program at a time, and up to 21 MB RAM for each power user, who typically runs three or more programs at the same time. In addition, if you plan to install 16-bit applications on the terminal server, be aware that they consume additional resources when they run in 32-bit environments such as Windows Server 2003 operating systems.
  • There are no programs installed on the computer. You should add the Terminal Server role before you install the programs that you want users to access. If there are programs already installed on the computer, you might have to reinstall them to ensure that they work correctly in the Terminal Server environment.
  • No users are able to log on remotely to the computer. You should allow users to access the terminal server only after you have installed programs, tested their installation, and performed any tuning necessary for the programs to work in a multisession environment. For information on disabling terminal services connections temporarily, see Disable Terminal Services connections.
  • All existing disk volumes use the NTFS file system. FAT32 volumes do not provide either the required level of security for users in a multisession environment or the ability to set file permissions.
  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.

    Note

    Later, you will need to configure Windows Firewall to allow an exception, to ensure that clients running Remote Desktop can connect remotely to the terminal server. Additional exceptions might also be needed, depending on your terminal server deployment and network configuration. For more information, see Windows Firewall Settings.
  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

Configuring your terminal server

To configure a terminal server, start the Configure Your Server Wizard by doing either of the following:
  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.
  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.
On the Server Role page, click Terminal server, and then click Next.
This section covers:
  • Summary of Selections
  • Completing the Configure Your Server Wizard
  • Confirming Internet Explorer Enhanced Security Configuration Settings
  • Configuring a Terminal Server License Server
  • Installing client access licenses on the Terminal Server License Server
  • Installing programs on the terminal server
  • Deploying client software
  • Giving users permission to access the terminal server
  • Removing the terminal server role

Summary of Selections

On the Summary of Selections page, view and confirm the options that you have selected. If you selected Terminal server on the Server Role page, the following appears:
  • Install Terminal Server
To apply the selections shown on the Summary of Selections page, click Next. The following message appears: "During this process, the Configure Your Server Wizard restarts your computer. Before continuing, close any open programs." If you need to close open programs and you want to cancel the configuration of the terminal server role at this time, you must click Cancel now. When you click Cancel, the Configure Your Server Wizard displays the Cannot Complete page. To close the Configure Your Server Wizard, click Finish. Otherwise, if you click OK, the Configure Your Server Wizard begins the configuration process.
Next, the Configure Your Server Wizard displays the message "Installing Terminal Server." The Configuring Components page of the Windows Components Wizard appears, and then closes automatically. You cannot click Back or Next on this page. Then, the Configure Your Server Wizard shuts down the computer and restarts it to accept the configuration changes that make the computer a terminal server.
During the restart process, a dialog box displays progress messages, for example, "Windows is starting up" and "Preparing network connections." Depending on the size of your network, preparing network connections could take some time. When the Welcome to Windows dialog box appears, press CTRL+ALT+DEL. In the Log on to Windows dialog box, in Password, type your password. To complete the process, wait for the Configure Your Server Wizard to appear on the screen.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Terminal Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.
To verify that your server is secure and has the most recent updates, do the following:
  1. Run Windows Update. For more information, see Windows Update.
  2. Run the Security Configuration Wizard. For more information, see Security Configuration Wizard Overview.
Next, you must complete the following steps so that your server is ready to function as a basic terminal server:
  • Confirm Internet Explorer Enhanced Security Configuration settings.
  • Configure a Terminal Server License Server.
  • Install client access licenses (CALs) on the Terminal Server License Server.
  • Install programs on the terminal server.
  • Deploy the Remote Desktop Connection .msi file to clients not running Windows XP or Windows Server 2003 operating systems.
  • Give users permission to access the terminal server.
A separate window displays checklists that provide information about these additional requirements. The same information is covered in this document.
To run a terminal server, you need to configure Terminal Server Licensing. For small deployments, you can configure Terminal Server Licensing on the same physical computer as the terminal server. For larger deployments, you should install Terminal Server Licensing on a separate server. If a Terminal Server License Server is already installed, you can skip the steps for configuring a Terminal Server License Server and installing CALs, and begin Installing programs on the terminal server. Otherwise, if the Manage Your Server page displays a message indicating that a Terminal Server License Server was not found, you must configure a Terminal Server License Server before you can use your terminal server.

Confirming Internet Explorer Enhanced Security Configuration settings

After you complete the Configure Your Server Wizard and install Terminal Server, you can configure Internet Explorer Enhanced Security Configuration settings.
If you activate these settings, Internet Explorer applies the following security settings to a user who logs on as an administrator:
  • High security settings to the Internet and Local intranet security zones
  • Medium security settings to the Trusted sites zone
By applying high security settings to the Internet and Local intranet security zones, you disable scripts, Microsoft ActiveX® controls, and the Microsoft virtual machine (Microsoft VM) for HTML content in these zones. You also prevent users from downloading files in these zones.
By applying medium security settings to the Trusted sites zone, you set standard browsing functionality. If you use sites for administrative tasks and Web-based applications that an administrator cannot access after you apply these settings, you can add the site addresses to the list of sites in the Trusted sites zone.
To review or change the Internet Explorer Enhanced Security Configuration settings, in Manage Your Server, click Internet Explorer Enhanced Security Configuration.
In the Windows Server 2003 family, you can implement enhanced security settings for Internet Explorer for all users and reduce the exposure of your server to Web sites that might pose a security risk. For more information, see Internet Explorer Enhanced Security Configuration.

Configuring a Terminal Server License Server

Configure a Terminal Server License Server, either on the same computer for which you have just configured the terminal server role (for small deployments), or on another computer (recommended for larger deployments). A Terminal Server License Server manages licenses for Terminal Services client connections. You are required to activate a Terminal Server License Server only once, after which the Terminal Server License Server becomes the repository for terminal server client licenses. Until the registration process is completed, your Terminal Server License Server can issue temporary licenses for clients.
Important
  • You must configure Terminal Server Licensing correctly in order for your terminal server to continue to accept connections from clients. To allow ample time for you to deploy a license server, Terminal Server provides a licensing grace period, during which no license server is required. During this grace period, a terminal server can accept connections from unlicensed clients without contacting a license server. The grace period begins the first time the terminal server accepts a client connection. It ends after you deploy a license server and that license server issues its first permanent CAL, or after 120 days, whichever comes first. For more information, see Terminal Server Licensing grace period.
The easiest and quickest way to activate a Terminal Server License Server is by using the Automatic method. To use this method, the computer running the Terminal Services Licensing service must have a direct connection to the Internet. For information on activation methods for computers that are not connected to the Internet, see Activate a Terminal Server license server by using a Web browser and Activate a Terminal Server license server by using the telephone.
The following table shows the steps you must take to configure and activate a Terminal Server License Server by using the Automatic method.

 

Task
Comments
Install the Terminal Server Licensing service. Open Add or Remove Programs in Control Panel, and then click Add/Remove Windows Components. In the Windows Components Wizard, select the Terminal Server Licensing check box, and then click Next. If your network includes several domains, or if you are installing the Terminal Server Licensing service on a member server, choose Your entire enterprise. If you want to maintain a separate Terminal Server License Server for each domain, or if your network includes workgroups or Windows NT 4.0 domains, choose Your domain or workgroup. If you want to change the location of the license server database, specify a new location, and then click Next. The Configuring Components page displays the progress of configuration changes. On the Completing the Windows Components Wizard page, click Finish, and then click Close.
To open Add or Remove Programs, click Start, click Control Panel, and then double-click Add or Remove Programs.
Activate the Terminal Server License Server. Open Terminal Server Licensing, right-click the Terminal Server License Server that you want to activate, and then click Activate Server. The Terminal Server License Server Activation Wizard starts. On the Connection method page, under Activation method, click Automatic connection, and then click Next. On the Company Information page, provide the following required information:
  • First name
  • Last name
  • Company name
  • Country or region
Confirm that the information you typed is correct, and then click Next. On the next Company Information page, you can provide the following optional information:
  • Email address
  • Organizational unit
  • Company address
  • City
  • State or province
  • Postal code
Confirm that the information you typed is correct, and then click Next. On the Completing the Terminal Server License Server Activation Wizard page, under Status, the following message appears: "Your license server has been successfully activated." If you want to install client licenses now, click Next. If you want to postpone the installation of client licenses, clear the Start Terminal Server Client Licensing Wizard now check box, and then click Finish.
Note
  • To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

Installing client access licenses on the Terminal Server License Server

After you activate a Terminal Server License Server, the next step is to install client access licenses (CALs) on the Terminal Server License Server.
Important
  • Your Terminal Server License Server can issue temporary licenses. Temporary licenses are designed to allow you ample time to deploy a license server, and they allow clients to connect to the terminal server for 90 days. There is no limit to the number of temporary licenses that a license server can issue, but a single client is only issued a temporary license once. After the temporary license expires, the client can only connect to the terminal server if the license server can issue a permanent CAL, or if the terminal server is still within its licensing grace period. The grace period begins the first time the terminal server accepts a client connection. It ends after you deploy a license server and that license server issues its first permanent CAL, or after 120 days, whichever comes first. For more information, see Terminal Server Licensing grace period.
CALs are digitally signed certificates that each client stores locally. All CALs are installed on a Terminal Server License Server. When a client attempts to log on to a terminal server for the first time, the terminal server recognizes that the client has not been issued a CAL and locates a Terminal Server License Server to issue a new CAL to the client. For information about specific license requirements, see the Microsoft Web Site.
Before you install CALs, you must have your licensing agreement numbers ready, and know which method you used to purchase them.
The easiest and quickest way to install CALs on a Terminal Server License Server is by using the Automatic method. To use this method, the computer running the Terminal Services Licensing service must have a direct connection to the Internet. For information on installing CALs for computers that are not connected to the Internet, see Install client access licenses by using a Web browser and Install client access licenses by using the telephone.
The following table shows the steps you must take to install CALs on a Terminal Server License Server by using the Automatic method.

 

Task
Comments
Install CALs on the Terminal Server License Server. On the Terminal Server License Server, open Terminal Server Licensing. Verify that the installation method for the Terminal Server License Server is set to Automatic by right-clicking the Terminal Server License Server for which you want to install CALs, and then clicking Properties. If necessary, on the Installation Method tab, change the installation method to Automatic connection, and then click OK.
In the Terminal Server Licensing console tree, right-click the Terminal Server License Server on which you want to install CALs, click Install Licenses, and then click Next. The Terminal Server CAL Installation Wizard starts. On the Licensing program page, choose the license program under which you purchased your licenses, and then click Next. On the License Code page, type the license code for each license you have purchased, and then click Add after each entry. After you have typed all of the license codes, click Next. The Completing the Terminal Server CAL Installation Wizard page displays a message that the CALs were successfully installed. To close the wizard, click Finish.
Note
  • To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

Installing programs on the terminal server

At this stage, you have accomplished the following tasks:
  • Completed the Configure Your Server Wizard and configured the terminal server role on your server.
  • Installed Terminal Server Licensing.
  • Activated the Terminal Server License Server.
  • Installed CALs on the Terminal Server License Server.
Now you are ready to install programs on the terminal server. Add or Remove Programs in Control Panel is the preferred method for program installation, and you should use this method whenever possible. This section describes how to use Add or Remove Programs to install programs on a terminal server.
There are other program installation methods, such as the change user command, Windows Installer packages (.msi files), and Group Policy Software Installation. For more information about the change user command, see Install a program using the change user command. For more information about using Windows Installer, see Assigned and published programs. For more information about Group Policy, see Group Policy.

For improved performance and reduced network traffic, install programs on the local drive of the terminal server instead of on a file server. Ensure that you have enough space to install programs on NTFS file system drives instead of on FAT32 drives. NTFS drives allow you to set file permissions, which you cannot do on FAT32 drives.
If you are installing published programs, you must use another installation method, such as Group Policy Software Installation.

For performance and security reasons, you should use 32-bit programs whenever possible. Most 32-bit programs use the registry to read and write program settings and need to write only to specific registry values. Running 16-bit programs can reduce the number of users a processor supports by 40 percent and increase the memory required for each user by 50 percent. In addition, some 16-bit programs must be able to write to the directory where the program's .ini file is stored.
RAM and CPU requirements increase approximately linearly with the number of sessions running. To reduce RAM and CPU requirements, consider restricting user or group access to certain program types, disabling unnecessary program features, or installing programs on separate terminal servers.
Some programs have known installation issues in a multisession environment. For information about programs that require installation scripts in order to work correctly in a multisession environment, see Optimizing Applications for Windows 2000 Terminal Services and Windows NT Server 4.0, Terminal Server Edition at the Microsoft Web site.
Application compatibility considerations
You should install programs from the console session of the terminal server. You can install programs from a remote console session, but this is not the preferred method for installing programs.
Some programs require an application compatibility script to be run after the program is installed. The scripts are stored in the systemroot\Application Compatibility Scripts\Install directory on the terminal server.
You should be aware of the implications of the security mode in which the terminal server operates. There are two security modes:
  • Full security provides the most secure environment for users connecting to a terminal server. To run in this mode, applications must be written to run in the security context of an ordinary user. For Windows Server 2003 operating systems and Windows 2000, full security is the default.
  • Relaxed security enables you to run programs that otherwise might not work at all in the more rigorous Full security mode. However, in Relaxed security mode (also known as Windows NT 4.0/Terminal Server Edition permissions compatibility mode), any user on the system can change files and registry settings in many places throughout the system, although other users' data files might not be visible. A malicious user could exploit this situation by replacing a known and trusted program with a program of the same name but some harmful intent. If the operating system on your terminal server was installed using the Upgrade method, the security mode might be set to Relaxed security. When in doubt, you should choose Full security, test your applications in that mode, and change the security mode only if your test results indicate the need to do so.
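The risk described for Relaxed security depends on ordinary users holding write access to program locations. As an added example (not part of the original page), the following Windows PowerShell function lists the Allow entries under Program Files that give write, delete, or permission-change rights to principals outside a trusted set. It assumes Windows PowerShell 2.0 or later has been installed on the server; the function name and the trusted-SID list are choices made for this example.

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 2.0 or later.
# Lists Allow ACEs that let a non-trusted principal change program directories or binaries.
function Get-WritableProgramAce {
    param(
        [string]$Root = $env:ProgramFiles,
        # SYSTEM, BUILTIN\Administrators, CREATOR OWNER (well-known SIDs, so the
        # check does not depend on localized account names).
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0')
    )

    # Rights that allow replacing, deleting, or re-permissioning a file or folder.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # ACLs can also carry raw generic bits that the enum does not name:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $ntType      = [System.Security.Principal.NTAccount]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # The root itself, every subdirectory, and every .exe/.dll beneath it.
    $items = @(Get-Item -LiteralPath $Root -Force)
    $items += @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or $_.Extension -match '^\.(exe|dll)$' })

    foreach ($item in $items) {
        try { $acl = $item.GetAccessControl('Access') }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only entries do not apply to this object; its children are
            # examined in their own right.
            if ($ace.PropagationFlags -band $inheritOnly) { continue }
            if ($TrustedSid -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            # Show a readable account name when the SID resolves, the SID otherwise.
            $name = $ace.IdentityReference.Value
            try { $name = $ace.IdentityReference.Translate($ntType).Value } catch { }

            New-Object PSObject -Property @{
                Path      = $item.FullName
                Principal = $name
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-WritableProgramAce | Sort-Object Path |
    Format-Table Path, Principal, Rights, Inherited -AutoSize
```

Run it from an administrator session after program installation and again after any change to the Permission Compatibility setting, and compare the two listings.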
The following table shows the steps you must take to install programs on a terminal server, using Add or Remove Programs.

 

Task
Comments
Ensure that no users are logged on to the terminal server. Send a message to all users who are logged on to the terminal server. Program installation often requires restarting the computer, and their sessions will be disconnected. You should not allow users to access the terminal server until programs have been installed and tested.
Disable Terminal Services connections temporarily. Right-click My Computer, click Properties, click the Remote tab, and then clear the Allow users to connect remotely to this computer check box.
Specify Full Security as the security mode. Open Terminal Services Configuration. In the console tree, click Server Settings, right-click Permission Compatibility, and then click Properties. In the Permission Compatibility dialog box, click Full Security, and then click OK.
Note
  • To open Terminal Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Configuration.
Install programs from a CD or floppy disk. Ensure that you are logged on as a member of the Administrators group on the terminal server. Open Add or Remove Programs in Control Panel, and then click Add New Programs. Click CD or Floppy. Insert the CD or floppy disk into the appropriate drive, and then click Next. Verify that the installation file is specified correctly in the Open box on the Run Installation Program page, and then click Finish. Follow the instructions in the program's installation wizard. After the program is installed, edit and run any applicable scripts to tailor the program for a multisession environment.
Note
  • To open Add or Remove Programs, click Start, click Control Panel, and then double-click Add or Remove Programs.
Test the installation. Ensure that event logging is enabled by opening Services in Administrative Tools. Create a temporary user account that mimics the settings of the user or users who will access the program, and use the account to log on to the terminal server. Start the program and step through some basic tasks. Then, use Event Viewer to determine which files or directories need Write access and which registry keys require Read access by the user for correct operation. Note that this process might not find all files, directories, and registry keys for which the application requires access in all user scenarios. The only way to ensure that you have accounted for all access requirements is to perform tasks manually.
Some programs enable users to start other programs. For example, Microsoft Access has a toolbar that can be used to start other Microsoft Office programs. If you want users to have access only to specified programs when they log on to the terminal server, you should disable toolbar access from within programs that you install on the terminal server.
Note
  • To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.
Tune programs for multisession use. Use a text editor such as Notepad to modify any scripts, and then run the scripts to tune any programs that require it. To obtain the scripts, see Optimizing Applications for Windows 2000 Terminal Services and Windows NT Server 4.0, Terminal Server Edition at the Microsoft Web site (http://www.microsoft.com/).
Run application compatibility scripts. Navigate to the systemroot\Application Compatibility Scripts\Install directory on the terminal server and run scripts for any programs that require them.
Enable remote connections on the terminal server. Right-click My Computer, click Properties, click the Remote tab, and then check the Allow users to connect remotely to your computer check box.
Note
  • Depending on your desktop settings, My Computer might not appear on your desktop. To show or hide desktop icons, right-click somewhere on the desktop, click Properties, click the Desktop tab, click Customize Desktop, and then, under Desktop icons, select the check box next to the icon you want to display, or clear the check box next to the icon you want to hide.

Deploying Client Software

Remote Desktop Connection, formerly known as the Terminal Services Client, is installed automatically on computers running Windows XP and Windows Server 2003 operating systems. For performance and security reasons, computers running earlier versions of Microsoft Windows, including Windows 2000 Server, Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, should have the latest version of Remote Desktop Connection installed.
There are several ways to deploy the client software:
  • Share the Msrdpcli.msi file and use Microsoft IntelliMirror to distribute it to workstations running Windows 2000.
  • Download Remote Desktop Connection directly from the Microsoft Web site.
  • Place the .msi file in a shared folder residing on a server on the network.
This topic describes how to install the client software from a shared folder residing on a server on the network.
Before you deploy the client software, decide whether you want the software to be installed for the use of a single user or for anyone who uses the client computer. You will make this choice during the deployment process.
The following table shows the steps you must take to deploy the latest version of Remote Desktop Connection to clients running earlier versions of either Windows or Remote Desktop Connection.

 

Task
Comments
Share the client setup folder. On the computer running a Windows Server 2003 operating system, open Windows Explorer. Navigate to the systemroot\System32\Clients\Tsclient\win32 folder, right-click the win32 folder, click Sharing and Security. On the Sharing tab, click Share this folder, and then click OK.
Note
  • To open Windows Explorer, click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
Install Remote Desktop Connection. On the client computer, click Start, click Run, and then, in Open, type \\ServerName\win32, where ServerName is the name of the computer where the shared folder is located. Double-click the msrdpcli.msi file to start the InstallShield Wizard for Remote Desktop Connection, and then click Next. Read the License Agreement, click I accept the terms in the license agreement, and then click Next. Type your name and organization in the Customer Information page, click Anyone who uses this computer (all users), and then click Next. On the Ready to Install the Program page, either click Back to review or change any of your installation settings, or click Install to begin the installation. To complete the installation, click Finish.

Giving users permission to access the terminal server

By default, on Windows Server 2003 operating systems, members of the Administrators and Remote Desktop Users groups can use Terminal Services connections to connect to a remote computer. The Remote Desktop Users group is not populated by default, so you must decide which users and groups should have permission to log on remotely, and then manually add them to this group.
Important
  • You must use the Remote Desktop Users group to grant selected users and groups the necessary permission to make Terminal Services connections to remote computers.

    Membership in the Remote Desktop Users group does not also put the user into the local Users group. Depending on the contents of your local Users group, you might need to add the user to that group also.
Before you give users permission to access the terminal server, you must:
  • Check the membership of the Administrators group to ensure that you know who has access to the terminal server.
  • Decide which users should have permission to access the terminal server.
  • Determine which users must also be added to the local Users group.
The following table shows the steps you must take to give users permission to access the terminal server.

 

Task: Add users to the Remote Desktop Users group.
Comments: Open Computer Management (Local), and in the console tree, click Local Users and Groups. In the details pane, double-click the Groups folder, double-click Remote Desktop Users, and then click Add. In the Select Users dialog box, click Locations to specify the search location. To specify the types of objects that you want to search for, click Object Types. In this case, you want to search for Users or Groups. Type the name that you want to add in the Enter the object names to select (examples) box, and then click Check Names. When the name is located, click OK.
Note
  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.
Task: Add users to the local Users group, if they are not already members.
Comments: Open Computer Management (Local), and in the console tree, click Local Users and Groups. In the details pane, double-click the Groups folder, double-click Users, and then click Add. In the Select Users dialog box, click Locations to specify the search location. To specify the types of objects that you want to search for, click Object Types. In this case, you want to search for Users or Groups. Type the name that you want to add in the Enter the object names to select (examples) box, and then click Check Names. When the name is located, click OK.
Note
  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.
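The same review-then-grant procedure can be scripted. The following PowerShell sketch is an added example, not part of the original topic: it lists the direct members of the Administrators, Remote Desktop Users, and Users groups, then adds accounts to Remote Desktop Users through the ADSI WinNT provider. It assumes PowerShell is installed (it is not part of a default Windows Server 2003 installation) and that you run it as a local administrator; the account names are placeholders.

```powershell
# Added example, not from the original topic.
# Assumptions: PowerShell is installed, the session runs as a local
# administrator on the terminal server, and the accounts below are placeholders.

# Placeholder accounts in DOMAIN\name form; replace with your own.
$AccountsToGrant = @('EXAMPLE\jsmith', 'EXAMPLE\TS-Accounting')

# Leave $false for a dry run that only reports; set $true to change membership.
$Apply = $false

function Get-LocalGroupMemberPath {
    # Returns the ADsPath (for example WinNT://DOMAIN/name) of every DIRECT
    # member of a local group. Nested group membership is not expanded.
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are late-bound COM objects, so read the property by reflection.
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Add-LocalGroupMember {
    # Adds $Account to $GroupName unless it is already a direct member.
    param([string]$GroupName, [string]$Account, [bool]$Apply)
    $path = 'WinNT://' + $Account.Replace('\', '/')
    $current = @(Get-LocalGroupMemberPath $GroupName)
    if ($current -contains $path) {          # -contains ignores case
        "{0}: {1} is already a direct member." -f $GroupName, $Account
    }
    elseif ($Apply) {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
        $group.psbase.Invoke('Add', $path)
        "{0}: added {1}." -f $GroupName, $Account
    }
    else {
        "{0}: would add {1} (dry run)." -f $GroupName, $Account
    }
}

# Step 1: know who already has access before granting more.
foreach ($g in 'Administrators', 'Remote Desktop Users', 'Users') {
    "Direct members of ${g}:"
    Get-LocalGroupMemberPath $g | ForEach-Object { '  ' + $_ }
}

# Step 2: grant logon through Remote Desktop Users only.
foreach ($account in $AccountsToGrant) {
    Add-LocalGroupMember 'Remote Desktop Users' $account $Apply

    # Step 3: report, but do not change, membership in the local Users group.
    # An account can also belong to Users through a nested group, which this
    # direct-membership check does not resolve, so the decision stays manual.
    $usersPath = 'WinNT://' + $account.Replace('\', '/')
    if (@(Get-LocalGroupMemberPath 'Users') -contains $usersPath) {
        "Users: {0} is a direct member." -f $account
    }
    else {
        "Users: {0} is not a direct member; review the list above." -f $account
    }
}
```

Keep the output of the first step with your change records so that later reviews can compare group membership against what was approved.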

Removing the terminal server role

If you need to reconfigure your server for a different role, you can remove existing server roles. If you remove the terminal server role, you will need to reinstall all software, review and update any file or registry permissions for which you changed default values, and review and update any software restriction policies that were used to control programs running on the terminal server.
To remove the terminal server role, restart the Configure Your Server Wizard by doing either of the following:
  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.
  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.
On the Server Role page, click Terminal server, and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the terminal server role check box, and then click Next. The following message appears: "During this process, the Configure Your Server Wizard restarts your computer. Before continuing, close any open programs." If you need to close open programs and you want to cancel the removal of the Terminal Server role at this time, you must click Cancel now. When you click Cancel, the Configure Your Server Wizard displays the Cannot Complete page. To close the Configure Your Server Wizard, click Finish. Otherwise, if you click OK, the Configure Your Server Wizard begins the removal process.
Next, the Configure Your Server Wizard displays the "Removing Terminal Server" message. The Configuring Components page of the Windows Components Wizard appears, displays messages about the configuration changes being made to the computer, and then closes. The Configure Your Server Wizard shuts down the computer and restarts it to accept the configuration changes that remove this role.
During the restart process, a dialog box displays progress messages, for example, "Windows is starting up" and "Preparing network connections." Depending on the size of your network, preparing network connections could take some time. When the Welcome to Windows dialog box appears, press CTRL+ALT+DEL. In the Log on to Windows dialog box, in Password, type your password. To complete the process, wait for the Configure Your Server Wizard to appear on the screen. On the Terminal Server Role Removed page, click Configure Your Server log to see a record of your changes, and then click Finish.
After you remove the terminal server role, you should:
  • Reinstall all software.
  • Review any file or registry permissions for which you changed default values and, if necessary, make changes.
  • Review any software restriction policies used to control programs running on the terminal server and, if necessary, make changes.

Next steps: Completing additional tasks

After you complete the Configure Your Server Wizard and associated tasks, the computer is ready for use as a basic terminal server that can accept multiple connections from remote clients. Up to this point, you have completed the following tasks:
  • Run the Configure Your Server Wizard.
  • Activated a Terminal Server License Server.
  • Installed CALs on the Terminal Server License Server.
  • Installed applications on the terminal server.
  • Deployed the Remote Desktop Connection .msi file to clients not running Windows XP or Windows Server 2003 operating systems.
  • Configured user permissions for user access to the terminal server.
The following table lists some additional tasks you might want to perform on your terminal server.

 

Task: Manage Terminal Services connections.
Purpose of task: To enable, disable, rename, or delete a connection.
Reference: Manage Terminal Services Connections
Task: Specify connection permissions.
Purpose of task: To grant terminal server access only to selected users and groups. To identify which users and groups are permitted to perform a given task or tasks on the terminal server.
Reference: Managing Terminal Services users; Managing Permissions on Connections
Task: Configure terminal server settings using either Group Policy or Terminal Services Configuration.
Purpose of task: To configure settings such as Active Desktop, temporary folders, and session limits for individual users.
Reference: Configure Server Settings
Task: Deploy Remote Desktop Web Connection.
Purpose of task: To allow users to create a Remote Desktop connection within Internet Explorer, even though the Remote Desktop Connection client is not installed on their computers.
Reference: About Remote Desktop Web Connection
Task: Control programs running in a terminal server session.
Purpose of task: To protect terminal servers and users from unknown, or possibly malicious, programs.
Reference: Using Software Restriction Policies in Windows XP and the Windows Server 2003 family to Protect Against Unauthorized Software at the Microsoft Web site
Task: Configure Session Directory settings.
Purpose of task: To ensure that users are transparently reconnected to the original server hosting their disconnected Terminal Server sessions. This task applies to terminal servers that are part of a cluster of terminal servers, and requires that a server running either Windows Server 2003, Enterprise Edition, or a Windows Server 2003, Datacenter Edition, is visible on the network, and has the Session Directory service enabled. This session directory server should not be the server on which the Terminal Server role is configured.
Reference: Load balancing and terminal servers
Task: Configure ports to allow incoming connections to terminal servers.
Purpose of task:
  • To ensure that clients running Remote Desktop Connection can connect remotely to terminal servers.
  • Additional port configuration might also be required, if Remote Desktop Web connection is deployed, SSL is enabled on the Web server, and if the terminal server license server and terminal server are on opposite sides of a firewall.
Reference: Windows Firewall Settings

Print server role: Configuring a print server



If you plan to use this computer to manage and share printers, configure this computer as a print server.
Note
This document explains how to use the Configure Your Server Wizard to quickly meet the most basic requirements of a print server. When you are done setting up a basic print server, you can complete additional configuration tasks, depending on how you want to use this print server.

Before you begin

Before you configure your server as a print server, verify whether or not:
  • The operating system is configured correctly. In the Windows Server 2003 family, print services depend on the appropriate configuration of the operating system and its services. If you have a new installation of a Windows Server 2003 operating system, you can use the default service settings. No further action is necessary. If you upgraded to a Windows Server 2003 operating system or you want to confirm that your services are configured correctly for best performance and security, verify your service settings by comparing them to the table in Default settings for services.
  • The computer is joined to an Active Directory domain as a member server. If you want to restrict access to a printer, so that some domain users can print to it and other users cannot, or you want the print server to publish shared printers to Active Directory so that domain users can easily search for those printers, the print server must be joined to a domain. If you do not need to perform either of these tasks, the print server does not need to be joined to a domain.
  • All existing disk volumes use the NTFS file system. FAT32 volumes are less secure. For more information about encrypting data stored on NTFS volumes, including spooled print jobs, see Storing Data Securely.
  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.
  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.
The following table lists the information that you need to know before you add a print server role.

 

Before adding a print server role: Determine the operating system version of the clients that will send jobs to this printer.
Comments: You must have this information to select the correct client printer drivers for your client and server computers. After you add this role, the print server can automatically distribute these drivers to the clients. Additionally, the set of client operating systems determines which of these drivers you need to install on the server during the print server role installation.
Before adding a print server role: At the printer, print a configuration or test page that includes manufacturer, model, language, and installed options.
Comments: You need this information to choose the correct printer driver. The manufacturer and model are usually enough to uniquely identify the printer and its language. However, some printers support multiple languages, and the configuration printout usually lists them. Also, the configuration printout often lists installed options, such as extra memory, paper trays, envelope feeders, and duplex units.
Before adding a print server role: Determine how the print server connects to the printer.
Comments: If the printer supports Plug and Play and connects to the print server using infrared technology, a universal serial bus (USB) port, or an IEEE 1394 port, the print server will configure itself automatically. You do not need to follow the remaining steps.
    Otherwise, if the printer is connected to the print server with a cable, note which server port is used. For printers, LPT1 is the most commonly used port.
    If the printer is located away from the print server and uses its own network adapter to receive print jobs, determine the IP address of the network adapter on the printer.
Before adding a print server role: (Optional) Determine whether you need a new or updated printer driver.
Comments: Most printers are supported by drivers on the installation CD for the Windows Server 2003 operating system. To save time, you can often skip this step because the wizard that you will use to configure your print server provides compatibility information. If the wizard does not list a driver for your printer, you can look for an update from the printer manufacturer or Windows Update.
Before adding a print server role: Choose a printer name.
Comments: Users running Windows-based client computers choose a printer by using the printer name. The wizard that you will use to configure your print server provides a default name, consisting of the printer manufacturer and model. The printer name is usually less than 31 characters in length.
Before adding a print server role: Choose a share name.
Comments: A user can connect to a shared printer by typing this name, or by selecting it from a list of share names. The share name is usually less than 8 characters in length for compatibility with MS-DOS and Windows 3.x clients.
Before adding a print server role: (Optional) Choose a location description and a comment.
Comments: These can help identify the location of the printer and provide additional information. For example, the location could be "Second floor, copy room" and the comment could be "Additional toner cartridges are available in the supply room on floor 1."

Configuring your print server

To set up a print server, start the Configure Your Server Wizard by doing either of the following:
  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.
  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.
On the Server Role page, click Print server, and then click Next.

Printers and Printer Drivers

On the Printers and Printer Drivers page, do one of the following:
  • If all of the clients on your network run Windows XP Home Edition, Windows XP Professional, or Windows 2000, click Windows 2000 and Windows XP clients only.
  • If any of the clients run Windows XP 64-bit Edition (Itanium), Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, click All Windows clients.
After you finish, click Next.

Summary of Selections

On the Summary of Selections page, view and confirm the options that you have selected. If you selected Windows 2000 and Windows XP clients only on the previous page, the following appears:
  • Add printers to this server using the Add Printer Wizard.
If you selected All Windows clients on the previous page, the following appears:
  • Add printers to this server using the Add Printer Wizard.
  • Add printer drivers to this server using the Add Printer Driver Wizard.
To apply the selections shown on the Summary of Selections page, click Next.

Using the Add Printer Wizard

After you click Next, the Configure Your Server Wizard runs the Add Printer Wizard once for each printer that you want to add. If the wizard finishes and you choose to share at least one printer, your server can be used as a print server. If you cancel the Add Printer Wizard, the Print Spooler service remains installed. If you cancel the Add Printer Wizard and no printers are shared, the server does not add the print server role.
Important
  • If the printer you want to share supports Plug and Play, do not run the Add Printer Wizard. Plug and Play printers complete the configuration steps in the Add Printer Wizard automatically. If the printer you want to share supports Plug and Play, click Cancel.
This section describes the following steps in the Add Printer Wizard:
Local or Network Printer
On the Local or Network Printer page of the Add Printer Wizard, choose one of the following options:
  • To configure this print server to send print jobs directly to the printer, click Local printer attached to this computer. Typically, print servers send print jobs directly to the printer. A printer with its own network adapter is considered to be a local printer. If you want to send print jobs directly to a printer with its own network adapter, click this option.
  • To configure this print server to forward print jobs to a second print server, click A network printer, or a printer attached to another computer. For example, you can configure a print server at a branch office to forward print jobs to a print server in the main office. You might do this if regulations require you to create printouts of daily transaction logs and store them at the main office. If you want to do this, click this option.
Note
  • The A network printer, or a printer attached to another computer option is included here because this dialog box is used on all computers running a Windows Server 2003 operating system so that users can connect to a network printer. If you need to print from a computer that is not a print server, click A network printer, or a printer attached to another computer.
After you finish, click Next.
After you click Next, one of the following wizard pages appears:
New Printer Detection
If you selected the Automatically detect and install my Plug and Play printer check box and the wizard is unable to detect any Plug and Play printers, this page appears. Click Next.
To complete the steps on the Select a Printer Port page, see Select a Printer Port.
Select a Printer Port
If you selected Local printer attached to this computer, this page appears.
On the Select a Printer Port page, choose one of the following options:
  • If a cable connects the printer directly to a port on the print server, under Use the following port, click the name of that port. LPT1 is the most commonly used port for this type of printer.
  • If the printer has its own network adapter and you want to send print jobs to the printer through the network, click Create a new port, and then click the type of port that you want to create. If you do not know what type of port to create, Standard TCP/IP Port is recommended.

    If you click Standard TCP/IP Port, and then click Next, the Add Standard TCP/IP Printer Port Wizard starts. In the Add Standard TCP/IP Printer Port Wizard, click Next. On the Add Port page, type the name or IP address of the printer. The IP address is usually listed on the printer configuration page. As you type the name or IP address, the wizard completes the Port Name field for you. Click Next.

    The wizard attempts to connect to the printer. If the wizard is able to connect, the Completing the Add Standard TCP/IP Printer Port Wizard page appears, and you can click Finish. If the wizard is not able to connect, the Additional Port Information Required page appears. If you think that the address or name you entered is not correct, click Back, retype the name or address, and then click Next.

    If you are sure the address or name is correct, select one of the following device types to identify the printer network adapter:
    • Standard is the default. If you click Standard, click the manufacturer and model of network adapter from the Standard list.
    • If the printer network adapter uses nonstandard settings, click Custom and then click Settings. The Configure Standard TCP/IP Port Monitor page appears. Specify the settings that are recommended by the manufacturer of the printer network adapter, and then click OK.
After you finish, click Next.
Specify a Printer
If you selected A network printer, or a printer attached to another computer, this page appears.
On the Specify a Printer page, choose one of the following options to configure your print server to forward print jobs to another print server:
  • If the print server that you want to connect to is available on the network, click Browse for a printer, click Next, and then, under Shared printers, click the server and printer from the list.
  • If the print server that you want to connect to is temporarily unavailable on the network, click Connect to this printer (or to browse for a printer, select this option and click Next), and then, in Name, type the server and printer names.
  • If the print server that you want to connect to belongs to another organization and is available on the Internet, click Connect to a printer on the Internet or on a home or office network.
Important
  • Use the options on this page only if you want your print server to forward print jobs to another print server. If this is not what you want, click Back, click Local printer attached to this computer, click Next, and then follow the steps in Select a Printer Port.
After you finish, click Next.
For this configuration path, you can skip some of the following steps in this document. To continue the instructions for this configuration path, see Completing the Add Printer Wizard.
Install Printer Software
On the Install Printer Software page of the Add Printer Wizard, under Manufacturer, click the printer manufacturer, and then, under Printers, click the printer model.
Note
  • Write down the manufacturer and model that you select, because you will need this information later if you use the Add Printer Driver wizard to install printer drivers for other Windows-based clients.
If the manufacturer or model is not listed, try each of the steps outlined in the following table, in sequence, to install the correct printer software.

 

Step: Check the configuration printout to confirm the exact spelling of the name of your printer manufacturer and model.
Comments: The Manufacturer and Printers lists show the official product names, which might be different from the names that you normally use.
Step: Click Have Disk, locate the driver files, and then click OK.
Comments: If you have printer driver files stored somewhere else, follow these steps. For example, the printer manufacturer might include a CD-ROM containing driver files in the packaging of the printer.
Step: Click Windows Update.
Comments: If you want to look for new or updated drivers that are available from Microsoft as part of Windows Update, click this option. When you click Windows Update, the Manufacturer and Printers lists change to show only the drivers that are available from Windows Update. If the printer is not listed, return to the original list by clicking Back, and then clicking Next.
Step: Select the manufacturer and model of a compatible printer, and then click Next.
Comments: To determine which printers are compatible, consult the user guide for your printer. Also, some manufacturers list compatibility information on their Web sites.
After you finish, click Next.
Use Existing Driver
If you add an additional printer that is the same manufacturer and model as one previously installed, the Use Existing Driver page appears. Decide whether to keep the same driver or replace it with a new one. If you select Replace existing driver, the wizard reinstalls the driver files.
After you finish, click Next.
Name Your Printer
On the Name Your Printer page of the Add Printer Wizard, the default name is the manufacturer and model of the printer. You can change this name so that the printer is easier to use and administer. When using applications, users often select a printer from a list that displays the names of the available printers. To help users decide which printer to select, the application might also list the location or a comment.
Under Do you want to use this printer as the default printer?, click Yes or No. Your response applies only when you print from an application that is running on this print server. Your response does not set this printer as the one that clients use by default.
After you finish, click Next.
Printer Sharing
Important
  • You must share at least one printer for this server to act as a print server.
On the Printer Sharing page of the Add Printer Wizard, Share name is selected by default so that the printer is shared. The default share name is the first 8 letters of the printer manufacturer and model, without spaces. You can change this name so that the printer is easier to use and administer.
For compatibility with clients that run MS-DOS or earlier versions of Windows, type a share name that follows these rules:
  • The share name contains only letters, digits, and the period (.).
  • The share name contains no more than eight letters and digits, optionally followed by a period and no more than 3 letters and digits.
After you finish, click Next.
Location and Comment
On the Location and Comment page of the Add Printer Wizard, in Location, type a description of the print server location, and then, in Comment, type a comment. This step is optional, but recommended because this information makes it easier to use and administer your print server. Many applications display the comment or the location when the user prints a document, so that the user can choose the most appropriate printer.
After you finish, click Next.
Print Test Page
On the Print Test Page page of the Add Printer Wizard, choose whether to print a test page to confirm that the printer is ready to use.
Note
  • The test page does not print immediately when you click Next. Instead, it prints when you finish the wizard.
After you finish, click Next.
Completing the Add Printer Wizard
On the Completing the Add Printer Wizard page, the Restart the wizard to add another printer check box is selected by default. If you leave it selected and click Finish, the wizard restarts to add another printer. If you have finished adding all of the printers that you want to share on this server, clear this check box, and then click Finish.
When you click Finish, the wizard installs the printer driver files. Then, if you chose to print a test page, the wizard attempts to print that page. If the printer does not receive the test page, you might have selected an incorrect port. However, if the printer receives the test page and prints it incorrectly, you might have selected an incompatible manufacturer and model.
When you started the Configure Your Server Wizard to configure this server as a print server, you selected one of the following options on the Printers and Printer Drivers page:
  • Windows 2000 and Windows XP clients only
  • All Windows clients
If you selected All Windows clients, the Add Printer Driver Wizard starts after you click Finish in the Add Printer Wizard. You can use the Add Printer Driver Wizard to install client printer drivers onto the print server, which can then automatically distribute them to clients.
Note
  • The Add Printer Driver Wizard does not communicate with the Add Printer Wizard. Therefore, the Add Printer Driver Wizard does not automatically run once for each printer that you add, and it does not automatically install drivers for the same manufacturer and model of printer. Instead, you must decide how many times to run the Add Printer Driver Wizard, and each time it runs you must decide which manufacturer and model of drivers to install.

Using the Add Printer Driver Wizard

If you selected All Windows clients on the Printers and Printer Drivers page of the Configure Your Server Wizard, the Add Printer Driver Wizard starts after the Add Printer Wizard. If you cancel the Add Printer Driver Wizard, the Print Spooler service remains installed, and any printers you have added remain, but the additional client driver files are not installed on the server, and therefore the server cannot distribute those drivers to clients.
This section describes the following steps in the Add Printer Driver Wizard:
Printer Driver Selection
On the Printer Driver Selection page of the Add Printer Driver Wizard, select the manufacturer and model of a printer that is shared on this print server, and then click Next.
Important
  • The Add Printer Driver Wizard does not automatically select a manufacturer and model for a printer that you have already added. Instead, it selects the first manufacturer in the list, and the name of the first printer model (in alphabetical order) made by that manufacturer. If possible, select the manufacturer and model of a printer that you have added. If you select a different manufacturer or model, the wizard installs drivers that might not work correctly with your printer.
Processor and Operating System Selection
On the Processor and Operating System Selection page of the Add Printer Driver Wizard, select the client operating systems and processors.
Drivers for your server operating system are installed automatically when you add a printer. As a result, one of the following is selected automatically and you cannot remove it: Windows 2000, Windows XP and Windows Server 2003 for x86-based processors, Windows XP and Windows Server 2003 for Itanium-based processors, or Windows XP and Windows Server 2003 for x64-based processors.
After you finish, click Next.
Completing the Add Printer Driver Wizard
On the Completing the Add Printer Driver Wizard page, the Restart the wizard to add another printer driver check box is selected by default. If you leave it selected and click Finish, the wizard restarts to add another printer driver. If you have finished adding all of the printer drivers for all of the printers that you want to share on this server, clear this check box, and then click Finish.

Completing the Configure Your Server Wizard

After you complete the Add Printer Wizard and, if necessary, the Add Printer Driver Wizard, the Configure Your Server Wizard displays the This Server is Now a Print Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.
Before you start to use your print server, we recommend the following steps:

Removing the print server role

If you need to reconfigure your server for a different role, you can remove existing server roles. If you remove the print server role, each client that sent print jobs only to this print server will be unable to print until you reconfigure the client to send print jobs to a different server. Also, each printer managed only by this print server will be unable to receive print jobs until you reconfigure another print server to send print jobs to that printer.
To remove the print server role, restart the Configure Your Server Wizard by doing either of the following:
  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.
  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.
On the Server Role page, click Print server, and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the print server role check box, and then click Next. On the Print Server Role Removed page, click Finish.

Next steps: Completing additional tasks

After you complete the Configure Your Server Wizard, the server is ready for use as a print server. By following the steps in this document, you have:
  • Added one or more printers.
  • Shared printers so that clients can send print jobs to the printers.
  • If necessary, added client print drivers.
You can use the Add Printer Wizard and Add Printer Driver Wizard to add more printers and client printer drivers. These wizards are available through Manage Your Server.
The following table lists some of the additional tasks that you can perform on your print server.

Task | Purpose of task | Reference
Set the configuration to match installed options. | To provide user access to installed printer options, such as an envelope feeder or extra memory, that are available on some printers. If your printer provides additional features, you must update the configuration so that users can use these features. | Set installable options for a printer
Set printing defaults. | To set the default configuration for clients when they connect to the printer. For example, you can set the default layout or paper source. | Set printing defaults
Assign printer permissions. | To change the permissions that users have for a printer. | Set or remove permissions for a printer
Choose a separator page. | To define a page that appears at the beginning of each printout. | Choose a separator page
Configure network clients to use the printer. | To configure clients to connect to the printers that are shared on this print server. | Connect clients to a printer
Set advanced printer tasks. | To manage your print server more efficiently and effectively. For example, to schedule alternate printing times, to enable printer location tracking, or to set different priority for different groups. | Use Advanced Options
Publish a printer in Active Directory. | To help domain users find printers shared by this print server quickly. For this task, the print server must be a member server. | Publish a printer in Active Directory
Configure ports to allow remote administration. | To manage the print server from other computers on the network. | Windows Firewall Settings