Freigeben über


Terminal server role: Configuring a terminal server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Terminal server role: Configuring a terminal server

Configure this computer as a terminal server by installing the Terminal Server component, which provides centralized deployment of applications.

Using a terminal server, users in remote locations can run programs, save files, and use network resources as though those resources were installed on the users' own computers. By installing programs on a terminal server, you can ensure that all users are using the same version of a program. If you plan to use this computer to allow multiple users to access a program at the same time from a single point of installation, configure this computer as a terminal server.

However, if you plan to use this computer for remote administration on Windows Server 2003 operating systems, you do not need to install Terminal Server. Instead, you can use Remote Desktop for Administration (formerly Terminal Services in Remote Administration mode), which is installed by default on computers running one of the Windows Server 2003 operating systems. After you enable remote connections, Remote Desktop for Administration allows you to remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two remote sessions, plus the console session, can be accessed at the same time, without requiring Terminal Server Licensing. For more information about Remote Desktop for Administration, see Remote Administration using Terminal Services.

This topic explains how to use the Configure Your Server Wizard to install and configure a terminal server. After you have completed the Configure Your Server Wizard, you must perform the following additional steps in order to have a basic terminal server.

  • Confirm Internet Explorer Enhanced Security Configuration settings.

  • Configure a Terminal Server License Server. For small deployments, it is acceptable to install both the Terminal Server and Terminal Server Licensing service on the same physical computer. However, for larger deployments, it is recommended that Terminal Server Licensing be installed on a separate server. Install client access licenses (CALs) on the Terminal Server License Server.

    Important

  • You must configure Terminal Server Licensing correctly in order for your terminal server to continue to accept connections from clients. To allow ample time for you to deploy a license server, Terminal Server provides a licensing grace period, during which no license server is required. During this grace period, a terminal server can accept connections from unlicensed clients without contacting a license server. The grace period begins the first time the terminal server accepts a client connection. It ends after you deploy a license server and that license server issues its first permanent CAL, or after 120 days, whichever comes first. For more information, see Terminal Server Licensing grace period.

  • Install programs on the terminal server.

  • Distribute the latest version of Remote Desktop Connection to clients running earlier versions of Remote Desktop Connection for Windows.

  • Specify which users have permission to connect to the terminal server.

After you have completed both the Configure Your Server Wizard and these additional required tasks, you will have a basic terminal server.

This topic covers:

Before you begin

Configuring your terminal server

Next steps: Completing additional tasks

Before you begin

Before you configure your computer as a terminal server, verify whether or not:

  • The operating system is configured correctly. In the Windows Server 2003 family, a terminal server depends on the appropriate configuration of the operating system and its services. If you have a new installation of a Windows Server 2003 operating system, you can use the default service settings. No further action is necessary. If you upgraded to a Windows Server 2003 operating system or you want to confirm that your services are configured correctly for best performance and security, verify your service settings with the table in Default settings for services.

  • The computer is a server on a network or in a domain, but is not a domain controller. Installing Terminal Server on a domain controller affects performance because of the additional memory, network traffic, and processor time required to perform the tasks of a domain controller in a domain.

  • The computer meets processor and memory requirements for supporting multiple concurrent sessions where different users are logged on. A terminal server requires a minimum of 128 MB RAM, plus additional RAM for each user to support running each user's programs on the server. An additional 10 MB RAM is recommended for each light user, who typically runs one program at a time, and up to 21 MB RAM for each power user, who typically runs three or more programs at the same time. In addition, if you plan to install 16-bit applications on the terminal server, be aware that they consume additional resources when they run in 32-bit environments such as Windows Server 2003 operating systems.

  • There are no programs installed on the computer. You should add the Terminal Server role before you install the programs that you want users to access. If there are programs already installed on the computer, you might have to reinstall them to ensure that they work correctly in the Terminal Server environment.

  • No users are able to log on remotely to the computer. You should allow users to access the terminal server only after you have installed programs, tested their installation, and performed any tuning necessary for the programs to work in a multisession environment. For information on disabling terminal services connections temporarily, see Disable Terminal Services connections.

  • All existing disk volumes use the NTFS file system. FAT32 volumes do not provide either the required level of security for users in a multisession environment or the ability to set file permissions.

  • Windows Firewall is enabled. For more information, see Enable Windows Firewall with no exceptions.

    Note

    Later, you will need to configure Windows Firewall to allow an exception, to ensure that clients running Remote Desktop can connect remotely to the terminal server. Additional exceptions might also be needed, depending on your terminal server deployment and network configuration. For more information, see Windows Firewall Settings.

  • The Security Configuration Wizard is installed and enabled. For information about the Security Configuration wizard, see Security Configuration Wizard Overview.

Configuring your terminal server

To configure a terminal server, start the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Terminal server, and then click Next.

This section covers:

Summary of Selections

Completing the Configure Your Server Wizard

Confirming Internet Explorer Enhanced Security Configuration Settings

Configuring a Terminal Server License Server

Installing client access licenses on the Terminal Server License Server

Installing programs on the terminal server

Deploying client software

Giving users permission to access the terminal server

Removing the terminal server role

Summary of Selections

On the Summary of Selections page, view and confirm the options that you have selected. If you selected Terminal server on the Server Role page, the following appears:

  • Install Terminal Server

To apply the selections shown on the Summary of Selections page, click Next. The following message appears: "During this process, the Configure Your Server Wizard restarts your computer. Before continuing, close any open programs." If you need to close open programs and you want to cancel the configuration of the terminal server role at this time, you must click Cancel now. When you click Cancel, the Configure Your Server Wizard displays the Cannot Complete page. To close the Configure Your Server Wizard, click Finish. Otherwise, if you click OK, the Configure Your Server Wizard begins the configuration process.

Next, the Configure Your Server Wizard displays the message "Installing Terminal Server." The Configuring Components page of the Windows Components Wizard appears, and then closes automatically. You cannot click Back or Next on this page. Then, the Configure Your Server Wizard shuts down the computer and restarts it to accept the configuration changes that make the computer a terminal server.

During the restart process, a dialog box displays progress messages, for example, "Windows is starting up" and "Preparing network connections." Depending on the size of your network, preparing network connections could take some time. When the Welcome to Windows dialog box appears, press CTRL+ALT+DEL. In the Log on to Windows dialog box, in Password, type your password. To complete the process, wait for the Configure Your Server Wizard to appear on the screen.

Completing the Configure Your Server Wizard

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Terminal Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server Wizard, click Finish.

To verify that your server is secure and has the most recent updates, do the following:

  1. Run Windows Update. For more information, see Windows Update.

  2. Run the Security Configuration Wizard. For more information, see Security Configuration Wizard Overview.

Next, you must complete the following steps so that your server is ready to function as a basic terminal server:

  • Confirm Internet Explorer Enhanced Security Configuration settings.

  • Configure a Terminal Server License Server.

  • Install client access licenses (CALs) on the Terminal Server License Server.

  • Install programs on the terminal server.

  • Deploy the Remote Desktop Connection .msi file to clients not running Windows XP or Windows Server 2003 operating systems.

  • Give users permission to access the terminal server.

A separate window displays checklists that provide information about these additional requirements. The same information is covered in this document.

To run a terminal server, you need to configure Terminal Server Licensing. For small deployments, you can configure Terminal Server Licensing on the same physical computer as the terminal server. For larger deployments, you should install Terminal Server Licensing on a separate server. If a Terminal Server License Server is already installed, you can skip the steps for configuring a Terminal Server License Server and installing CALs, and begin Installing programs on the terminal server. Otherwise, if the Manage Your Server page displays a message indicating that a Terminal Server License Server was not found, you must configure a Terminal Server License Server before you can use your terminal server.

Confirming Internet Explorer Enhanced Security Configuration settings

After you complete the Configure Your Server Wizard and install Terminal Server, you can configure Internet Explorer Enhanced Security Configuration settings.

If you activate these settings, Internet Explorer applies the following security settings to a user who logs on as an administrator:

  • High security settings to the Internet and Local intranet security zones

  • Medium security settings to the Trusted sites zone

By applying high security settings to the Internet and Local intranet security zones, you disable scripts, Microsoft ActiveX® controls, and the Microsoft virtual machine (Microsoft VM) for HTML content in these zones. You also prevent users from downloading files in these zones.

By applying medium security settings to the Trusted sites zone, you set standard browsing functionality. If you use sites for administrative tasks and Web-based applications that an administrator cannot access after you apply these settings, you can add the site addresses to the list of sites in the Trusted sites zone.

To review or change the Internet Explorer Enhanced Security Configuration settings, in Manage Your Server, click Internet Explorer Enhanced Security Configuration.

In the Windows Server 2003 family, you can implement enhanced security settings for Internet Explorer for all users and reduce the exposure of your server to Web sites that might pose a security risk. For more information, see Internet Explorer Enhanced Security Configuration.

Configuring a Terminal Server License Server

Configure a Terminal Server License Server, either on the same computer for which you have just configured the terminal server role (for small deployments), or on another computer (recommended for larger deployments). A Terminal Server License Server manages licenses for Terminal Services client connections. You are required to activate a Terminal Server License Server only once, after which the Terminal Server License Server becomes the repository for terminal server client licenses. Until the registration process is completed, your Terminal Server License Server can issue temporary licenses for clients.

Important

  • You must configure Terminal Server Licensing correctly in order for your terminal server to continue to accept connections from clients. To allow ample time for you to deploy a license server, Terminal Server provides a licensing grace period, during which no license server is required. During this grace period, a terminal server can accept connections from unlicensed clients without contacting a license server. The grace period begins the first time the terminal server accepts a client connection. It ends after you deploy a license server and that license server issues its first permanent CAL, or after 120 days, whichever comes first. For more information, see Terminal Server Licensing grace period.

The easiest and quickest way to activate a Terminal Server License Server is by using the Automatic method. To use this method, the computer running the Terminal Services Licensing service must have a direct connection to the Internet. For information on activation methods for computers that are not connected to the Internet, see Activate a Terminal Server license server by using a Web browser and Activate a Terminal Server license server by using the telephone.

The following table shows the steps you must take to configure and activate a Terminal Server License Server by using the Automatic method.

Task Comments

Install the Terminal Server Licensing service.

Open Add or Remove Programs in Control Panel, and then click Add/Remove Windows Components. In the Windows Components Wizard, select the Terminal Server Licensing check box, and then click Next. If your network includes several domains, or if you are installing the Terminal Server Licensing service on a member server, choose Your entire enterprise. If you want to maintain a separate Terminal Server License Server for each domain, or if your network includes workgroups or Windows NT 4.0 domains, choose Your domain or workgroup. If you want to change the location of the license server database, specify a new location, and then click Next. The Configuring Components page displays the progress of configuration changes. On the Completing the Windows Components Wizard page, click Finish, and then click Close.

To open Add or Remove programs, click Start, click Control Panel, and then double-click Add or Remove programs.

Activate the Terminal Server License Server.

Open Terminal Server Licensing, right-click the Terminal Server License Server that you want to activate, and then click Activate Server. The Terminal Server License Server Activation Wizard starts. On the Connection method page, under Activation method, click Automatic connection, and then click Next. On the Company Information page, provide the following required information:

  • First name

  • Last name

  • Company name

  • Country or region

Confirm that the information you typed is correct, and then click Next. On the next Company Information page, you can provide the following optional information:

  • Email address

  • Organizational unit

  • Company address

  • City

  • State or province

  • Postal code

Confirm that the information you typed is correct, and then click Next. On the Completing the Terminal Server License Server Activation Wizard page, under Status, the following message appears: "Your license server has been successfully activated." If you want to install client licenses now, click Next. If you want to postpone the installation of client licenses, clear the Start Terminal Server Client Licensing Wizard now check box, and then click Finish.

Note

  • To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

Installing client access licenses on the Terminal Server License Server

After you activate a Terminal Server License Server, the next step is to install client access licenses (CALs) on the Terminal Server License Server.

Important

  • Your Terminal Server License Server can issue temporary licenses. Temporary licenses are designed to allow you ample time to deploy a license server, and they allow clients to connect to the terminal server for 90 days. There is no limit to the number of temporary licenses that a license server can issue, but a single client is only issued a temporary license once. After the temporary license expires, the client can only connect to the terminal server if the license server can issue a permanent CAL, or if the terminal server is still within its licensing grace period. The grace period begins the first time the terminal server accepts a client connection. It ends after you deploy a license server and that license server issues its first permanent CAL, or after 120 days, whichever comes first. For more information, see Terminal Server Licensing grace period.

CALs are digitally-signed certificates that each client stores locally. All CALs are installed on a Terminal Server License Server. When a client attempts to log on to a terminal server for the first time, the terminal server recognizes that the client has not been issued a CAL and locates a Terminal Server License Server to issue a new CAL to the client. For information about specific license requirements, see the Microsoft Web Site.

Before you install CALs, you must have your licensing agreement numbers ready, and know which method you used to purchase them.

The easiest and quickest way to install CALs on a Terminal Server License Server is by using the Automatic method. To use this method, the computer running the Terminal Services Licensing service must have a direct connection to the Internet. For information on installing CALs for computers that are not connected to the Internet, see Install client access licenses by using a Web browser and Install client access licenses by using the telephone.

The following table shows the steps you must take to install CALs on a Terminal Server License Server by using the Automatic method.

Task Comments

Install CALs on the Terminal Server License Server.

On the Terminal Server License Server, open Terminal Server Licensing. Verify that the installation method for the Terminal Server License Server is set to Automatic by right-clicking the Terminal Server License Server for which you want to install CALs, and then clicking Properties. If necessary, on the Installation Method tab, change the installation method to Automatic connection, and then click OK.

In the Terminal Server Licensing console tree, right-click the Terminal Server License Server on which you want to install CALs, click Install Licenses, and then click Next. The Terminal Server CAL Installation Wizard starts. On the Licensing program page, choose the license program under which you purchased your licenses, and then click Next. On the License Code page, type the license code for each license you have purchased, and then click Add after each entry. After you have typed all of the license codes, click Next. The Completing the Terminal Server CAL Installation Wizard page displays a message that the CALs were successfully installed. To close the wizard, click Finish.

Note

  • To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

Installing programs on the terminal server

At this stage, you have accomplished the following tasks:

  • Completed the Configure Your Server Wizard and configured the terminal server role on your server.

  • Installed Terminal Server Licensing.

  • Activated the Terminal Server License Server.

  • Installed CALs on the Terminal Server License Server.

Now you are ready to install programs on the terminal server. Add or Remove Programs in Control Panel is the preferred method for program installation, and you should use this method whenever possible. This section describes how to use Add or Remove Programs to install programs on a terminal server.

There are other program installation methods, such as the change user command, Windows Installer packages (.msi files), and Group Policy Software Installation. For more information about the change user command, see Install a program using the change user command. For more information about using Windows Installer, see Assigned and published programs. For more information about Group Policy, see Group Policy.

For improved performance and reduced network traffic, install programs on the local drive of the terminal server instead of on a file server. Ensure that you have enough space to install programs on NTFS file system drives instead of on FAT32 drives. NTFS drives allow you to set file permissions, which you cannot do on FAT32 drives.

If you are installing published programs, you must use another installation method, such as Group Policy Software Installation.

For performance and security reasons, you should use 32-bit programs whenever possible. Most 32-bit programs use the registry to read and write program settings and need to write only to specific registry values. Running 16-bit programs can reduce the number of users a processor supports by 40 percent and increase the memory required for each user by 50 percent. In addition, some 16-bit programs must be able to write to the directory where the program's .ini file is stored.

RAM and CPU requirements increase approximately linearly with the number of sessions running. To reduce RAM and CPU requirements, consider restricting user or group access to certain program types, disabling unnecessary program features, or installing programs on separate terminal servers.

Some programs have known installation issues in a multisession environment. For information about programs that require installation scripts in order to work correctly in a multisession environment, see Optimizing Applications for Windows 2000 Terminal Services and Windows NT Server 4.0, Terminal Server Edition at the Microsoft Web site.

Application compatibility considerations

You should install programs from the console session of the terminal server. You can install programs from a remote console session, but this is not the preferred method for installing programs.

Some programs require an application compatibility script to be run after the program is installed. The scripts are stored in the systemroot\Application Compatibility Scripts\Install directory on the terminal server.

You should be aware of the implications of the security mode in which the terminal server operates. There are two security modes:

  • Full security provides the most secure environment for users connecting to a terminal server. To run in this mode, applications must be written to run in the security context of an ordinary user. For Windows Server 2003 operating systems and Windows 2000, full security is the default.

  • Relaxed security enables you to run programs that otherwise might not work at all in the more rigorous Full security mode. However, in Relaxed security mode (also known as Windows NT 4.0/Terminal Server Edition permissions compatibility mode), any user on the system can change files and registry settings in many places throughout the system, although others users' data files might not be visible. A malicious user could exploit this situation by replacing a known and trusted program with a program of the same name but some harmful intent. If the operating system on your terminal server was installed using the Upgrade method, the security mode might be set to Relaxed security. When in doubt, you should choose Full security, test your applications in that mode, and change the security mode only if your test results indicate the need to do so.

The following table shows the steps you must take to install programs on a terminal server, using Add or Remove Programs.

Task Comments

Ensure that no users are logged on to the terminal server.

Send a message to all users who are logged on to the terminal server. Program installation often requires restarting the computer, and their sessions will be disconnected. You should not allow users to access the terminal server until programs have been installed and tested.

Disable Terminal Services connections temporarily.

Right-click My Computer, click Properties, click the Remote tab, and then clear the Allow users to connect remotely to this computer check box.

Specify Full Security as the security mode.

Open Terminal Services Configuration. In the console tree, click Server Settings, right-click Permission Compatibility, and then click Properties. In the Permission Compatibility dialog box, click Full Security, and then click OK.

Note

  • To open Terminal Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Configuration.

Install programs from a CD or floppy disk.

Ensure that you are logged on as a member of the Administrators group on the terminal server. Open Add or Remove Programs in Control Panel, and then click Add New Programs. Click CD or Floppy. Insert the CD or floppy disk into the appropriate drive, and then click Next. Verify that the installation file is specified correctly in the Open box on the Run Installation Program page, and then click Finish. Follow the instructions in the program's installation wizard. After the program is installed, edit and run any applicable scripts to tailor the program for a multisession environment.

Note

  • To open Add or Remove programs, click Start, click Control Panel, and then double-click Add or Remove programs.

Test the installation.

Ensure that event logging is enabled by opening Services in Administrative Tools. Create a temporary user account that mimics the settings of the user or users who will access the program, and use the account to log on to the terminal server. Start the program and step through some basic tasks. Then, use Event Viewer to determine which files or directories need Write access and which registry keys require Read access by the user for correct operation. Note that this process might not find all files, directories, and registry keys for which the application requires access in all user scenarios. The only way to ensure that you have accounted for all access requirements is to perform tasks manually.

Some programs enable users to start other programs. For example, Microsoft Access has a toolbar that can be used to start other Microsoft Office programs. If you want users to have access only to specified programs when they log on to the terminal server, you should disable toolbar access from within programs that you install on the terminal server.

Note

  • To open Event Viewer, click Start, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

Tune programs for multisession use.

Use a text editor such as Notepad to modify any scripts, and then run the scripts to tune any programs that require it. To obtain the scripts, see Optimizing Applications for Windows 2000 Terminal Services and Windows NT Server 4.0, Terminal Server Edition at the Microsoft Web site (https://www.microsoft.com/).

Run application compatibility scripts.

Navigate to the systemroot\Application Compatibility Scripts\Install directory on the terminal server and run scripts for any programs that require them.

Enable remote connections on the terminal server.

Right-click My Computer, click Properties, click the Remote tab, and then check the Allow users to connect remotely to your computer check box.

Note

  • Depending on your desktop settings, My Computer might not appear on your desktop. To show or hide desktop icons, right-click somewhere on the desktop, click properties, click the Desktop tab, click Customize Desktop, and then, under Desktop icons, select the check box next to the icon you want to display, or clear the check box next to the icon you want to hide.

Deploying Client Software

Remote Desktop Connection, formerly known as the Terminal Services Client, is installed automatically on computers running Windows XP and Windows Server 2003 operating systems. For performance and security reasons, computers running earlier versions of Microsoft Windows, including Windows 2000 Server, Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, should have the latest version of Remote Desktop Connection installed.

There are several ways to deploy the client software:

  • Share the Msrdpcli.msi file and use Microsoft IntelliMirror to distribute it to workstations running Windows 2000.

  • Download Remote Desktop Connection directly from the Microsoft Web site.

  • Place the .msi file in a shared folder residing on a server on the network.

This topic describes how to install the client software from a shared folder residing on a server on the network.

Before you deploy the client software, decide whether you want the software to be installed for the use of a single user or for anyone who uses the client computer. You will make this choice during the deployment process.

The following table shows the steps you must take to deploy the latest version of Remote Desktop Connection to clients running earlier versions of either Windows or Remote Desktop Connection.

Task Comments

Share the client setup folder.

On the computer running a Windows Server 2003 operating system, open Windows Explorer. Navigate to the systemroot\System32\Clients\Tsclient\win32 folder, right-click the win32 folder, click Sharing and Security. On the Sharing tab, click Share this folder, and then click OK.

Note

  • To open Windows Explorer, click Start, point to All programs, point to Accessories, and then click Windows Explorer.

Install Remote Desktop Connection.

On the client computer, click Start, click Run, and then, in Open, type \\ServerName\win32, where ServerName is the name of the computer where the shared folder is located. Double-click the msrdpcli.msi file to start the InstallShield Wizard for Remote Desktop Connection, and then click Next. Read the License Agreement, click I accept the terms in the license agreement, and then click Next. Type your name and organization in the Customer Information page, click Anyone who uses this computer (all users), and then click Next. On the Ready to Install the Program page, either click Back to review or change any of your installation settings, or click Install to begin the installation. To complete the installation, click Finish.

Giving users permission to access the terminal server

By default, on Windows Server 2003 operating systems, members of the Administrators and Remote Desktop Users groups can use Terminal Services connections to connect to a remote computer. The Remote Desktop Users group is not populated by default, so you must decide which users and groups should have permission to log on remotely, and then manually add them to this group.

Important

  • You must use the Remote Desktop Users group to grant selected users and groups the necessary permission to make Terminal Services connections to remote computers.

    Membership in the Remote Desktop Users group does not also put the user into the local Users group. Depending on the contents of your local Users group, you might need to add the user to that group also.

Before you give users permission to access the terminal server, you must:

  • Check the membership of the Administrators group to ensure that you know who has access to the terminal server.

  • Decide which users should have permission to access the terminal server.

  • Determine which users must also be added to the local Users group.

The following table shows the steps you must take to give users permission to access the terminal server.

Task Comments

Add users to the Remote Desktop Users group.

Open Computer Management (Local), and in the console tree, click Local Users and Groups. In the details pane, double-click the Groups folder, double-click Remote Desktop Users, and then click Add. In the Select Users dialog box, click Locations to specify the search location. To specify the types of objects that you want to search for, click Object Types. In this case, you want to search for Users or Groups. Type the name that you want to add in the Enter the object names to select (examples) box, and then click Check Names. When the name is located, click OK.

Note

  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

Add users to the local Users group, if they are not already members.

Open Computer Management (Local), and in the console tree, click Local Users and Groups. In the details pane, double-click the Groups folder, double-click Users, and then click Add. In the Select Users dialog box, click Locations to specify the search location. To specify the types of objects that you want to search for, click Object Types. In this case, you want to search for Users or Groups. Type the name that you want to add in the Enter the object names to select (examples) box, and then click Check Names. When the name is located, click OK.

Note

  • To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

Removing the terminal server role

If you need to reconfigure your server for a different role, you can remove existing server roles. If you remove the terminal server role, you will need to reinstall all software, review and update any file or registry permissions for which you changed default values, and review and update any software restriction policies that were used to control programs running on the terminal server.

To remove the terminal server role, restart the Configure Your Server Wizard by doing either of the following:

  • From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then double-click Manage Your Server.

  • To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative Tools, and then double-click Configure Your Server Wizard.

On the Server Role page, click Terminal server, and then click Next. On the Role Removal Confirmation page, review the items listed under Summary, select the Remove the terminal server role check box, and then click Next. The following message appears: "During this process, the Configure Your Server Wizard restarts your computer. Before continuing, close any open programs." If you need to close open programs and you want to cancel the removal of the Terminal Server role at this time, you must click Cancel now. When you click Cancel, the Configure Your Server Wizard displays the Cannot Complete page. To close the Configure Your Server Wizard, click Finish. Otherwise, if you click OK, the Configure Your Server Wizard begins the removal process.

Next, the Configure Your Server Wizard displays the "Removing Terminal Server" message. The Configuring Components page of the Windows Components Wizard appears, displays messages about the configuration changes being made to the computer, and then closes. The Configure Your Server Wizard shuts down the computer and restarts it to accept the configuration changes that remove this role.

During the restart process, a dialog box displays progress messages, for example, "Windows is starting up" and "Preparing network connections." Depending on the size of your network, preparing network connections could take some time. When the Welcome to Windows dialog box appears, press CTRL+ALT+DEL. In the Log on to Windows dialog box, in Password, type your password. To complete the process, wait for the Configure Your Server Wizard to appear on the screen. On the Terminal Server Role Removed page, click Configure Your Server log to see a record of your changes, and then click Finish.

After you remove the terminal server role, you should:

  • Reinstall all software.

  • Review any file or registry permissions for which you changed default values and, if necessary, make changes.

  • Review any software restriction policies used to control programs running on the terminal server and, if necessary, make changes.

Next steps: Completing additional tasks

After you complete the Configure Your Server Wizard and associated tasks, the computer is ready for use as a basic terminal server that can accept multiple connections from remote clients. Up to this point, you have completed the following tasks:

  • Run the Configure Your Server Wizard.

  • Activated a Terminal Server License Server.

  • Installed CALs on the Terminal Server License Server.

  • Installed applications on the terminal server.

  • Deployed the Remote Desktop Connection .msi file to clients not running Windows XP or Windows Server 2003 operating systems.

  • Configured user permissions for user access to the terminal server.

The following table lists some additional tasks you might want to perform on your terminal server.

Task Purpose of task Reference

Manage Terminal Services connections.

To enable, disable, rename, or delete a connection.

Manage Terminal Services Connections

Specify connection permissions.

To grant terminal server access only to selected users and groups.

To identify which users and groups are permitted to perform a given task or tasks on the terminal server.

Managing Terminal Services users; Managing Permissions on Connections

Configure terminal server settings using either Group Policy or Terminal Services Configuration.

To configure settings such as Active Desktop, temporary folders, and session limits for individual users.

Configure Server Settings

Deploy Remote Desktop Web Connection.

To allow users to create a Remote Desktop connection within Internet Explorer, even though the Remote Desktop Connection client is not installed on their computers.

About Remote Desktop Web Connection

Control programs running in a terminal server session.

To protect terminal servers and users from unknown, or possibly malicious, programs.

Using Software Restriction Policies in Windows XP and the Windows Server 2003 family to Protect Against Unauthorized Software at the Microsoft Web site

Configure Session Directory settings.

To ensure that users are transparently reconnected to the original server hosting their disconnected Terminal Server sessions. This task applies to terminal servers that are part of a cluster of terminal servers, and requires that a server running either Windows Server 2003, Enterprise Edition, or a Windows Server 2003, Datacenter Edition, is visible on the network, and has the Session Directory service enabled. This session directory server should not be the server on which the Terminal Server role is configured.

Load balancing and terminal servers

Configure ports to allow incoming connections to terminal servers.

  • To ensure that clients running Remote Desktop Connection can connect remotely to terminal servers.

  • Additional port configuration might also be required, if Remote Desktop Web connection is deployed, SSL is enabled on the Web server, and if the terminal server license server and terminal server are on opposite sides of a firewall.

Windows Firewall Settings