Windows Server 2003 – Administering Remotely

There are several methods by which system administrators can manage the IT environment's [gs server] resources. Though it is possible to manage each server locally, managing these resources remotely can greatly improve productivity. Remote administration reduces the administrative overhead required to manage servers in any size IT organization because it provides the flexibility for administrators to be centrally located while managing distributed server resources.

Windows Server 2003 provides the tools necessary for administrators to perform a vast array of management [gs function]s on remotely located servers. Server application and operating system upgrades can be performed remotely, as well as [gs domain controller] promotion/demotion and disk defragmentation.

This chapter describes the tools available for administrators to manage Windows Server 2003 servers remotely and provides best practices for leveraging remote administration features.

Using Remote Desktop for Administration

Remote Desktop for Administration is one mode of the Terminal Services built into Windows Server 2003. Terminal Services can be enabled in one of two ways:

  • Terminal Server mode. This is the Application Server mode that was available in Windows 2000 Server.

  • Remote Desktop for Administration. This is an enhancement of the Remote Administration mode of Windows 2000 Server.

This second Terminal Services mode is used to administer Windows Server 2003 servers remotely. Remote Desktop for Administration provides remote access to the graphical interface–based tools available in the Windows environment. Remotely managing servers with Remote Desktop for Administration does not affect server performance or application compatibility.

Unlike the other terminal service mode, no terminal server Client Access Licenses (CALs) are required to use Remote Desktop for Administration. Windows Server 2003 provides two remote administrative sessions, for collaborative purposes, and a console session.

Enhancements to Remote Administration with Remote Desktop Connection

By taking advantage of the new Terminal Services [gs client], known as the Remote Desktop Connection (RDC), remote administration is enhanced in Windows Server 2003 in several ways.

The RDC supports a wide selection of hardware devices, so servers can be managed remotely from several different types of client hardware. The RDC is supported on the following hardware types:

  • 16-bit Windows-based computers running Windows for Workgroups with TCP/IP.

  • 32-bit Windows-based computers running every Windows OS from Windows 95 to Windows Server 2003.

  • Windows CE-based [gs handheld] devices.

  • Windows CE-based [gs terminal]s, or thin clients.

The RDC allows for automatic restoration of interrupted [gs network] connections. This is key for remote administration. In the event that an administrator is disconnected in the middle of a mission-critical operation, the RDC will reconnect the session without losing the administrator's place in the operation.

The RDC supports a great deal of customization for the look and feel of a remote session. Providing high color, audio, and full screen sessions, the RDC allows you to control the graphic options and connection speed. This is an important feature because as you connect remotely to servers over a slow [gs WAN] link you will want to throttle the bandwidth usage for those particular sessions.

One of the biggest improvements to the RDC involves client resource redirection, which is available to Windows Server 2003 and Windows XP. You now have the capability to access local drives, network drives, and [gs printer]s through the remote connection. Cut and paste, as well as large file transfers, can be accomplished between the client and server in a remote administration session.

Finally, in addition to the two remote sessions available for remote administration, Windows Server 2003 allows a console mode that enables you to connect to the "real" [gs console] of the server. Now administrative functions, such as some [gs software] installations that previously required local interaction, can be performed remotely.

Enabling Remote Desktop for Administration

Enabling Remote Desktop for Administration is a simple procedure. Unlike Windows 2000, the Remote Desktop for Administration feature is now a separately configurable component from Terminal Services and has some new flexibility options previously unavailable.

The default level of encryption for remote sessions

The default level of encryption for remote sessions is bidirectional 128-bit. Some older terminal service clients might not support 128-bit encryption.

The Remote Desktop for Administration feature is actually installed by [gs default] in Windows Server 2003, but it is installed in a disabled status for security reasons. To enable the feature with a default Start menu configuration, perform the following steps:

  1. From the Control Panel, double-click the System [gs icon].

  2. Choose the Remote tab.

  3. On the bottom of the screen, click the check box to Allow Users to Connect Remotely to your computer, as shown in the figure below.

  4. Click OK to complete the configuration.


Enabling Remote Desktop for Administration

If the Windows Server 2003 will be accessed remotely from a terminal server [gs client] that does not support high encryption, the encryption level of the remote session can be set to Client Compatible. This encryption level will provide the highest level of encryption to the remote session supported by the [gs client]. To change the default encryption level on the server to Client Compatible, follow these steps:

  1. Open Terminal Services Configuration from All Programs\Administrative Tools.

  2. In the right pane, under the Connection column, right-click RDP-Tcp, and choose Properties.

  3. Set the encryption level to Client Compatible, as shown in the following figure, and click OK to complete the configuration.


Setting the encryption level for Remote Administration.
Best Practices for Remote Desktop for Administration

Understanding the following aspects of remote administration will enable [gs system administrator]s to make the best use of the new Remote Desktop for Administration features in Windows Server 2003:

Use the Console Mode

With the new console mode of connection available in Windows Server 2003, you can interact with the remote server as if you are directly at the physical server. This enables you to see pop-ups and messages that might only appear at the [gs console].

Configure Disconnect and Reset Timeouts

By default, disconnect and reset timeouts are not set. This has the potential to lock you out of remote sessions if there are two remote sessions that are active but in a disconnected state. On the flip side, when configuring the timeouts, allow enough time so that accidental disconnections can be resumed without [gs reset]ting the session. By default, when a connection is broken, the session goes into a disconnected state and continues to execute whatever process it is running at that time.

If the session is configured to reset when the connection breaks, all processes running in that session will be abruptly stopped.

Disconnect and reset [gs timeout]s can be configured using the Terminal Services Configuration Administrative tool.

Preventing Eavesdropping

For security purposes, when you are using the console mode of remote administration, the physical console of the server is automatically locked to prevent eavesdropping.

Coordinate Remote Administration

With Windows Server 2003, administrators are able to collaborate through multiple remote sessions. This feature has potential problems, though, if two administrators are unknowingly connected remotely to the same server. For instance, server data might be lost if two administrators attempt to perform disk [gs defragmentation] from two remote sessions at the same time.

Distinguish Terminal Services from Remote Administration

Although administrators have the capability to install software through a Remote Desktop for Administration session, Terminal Services running in Terminal Server mode provides better installation and environment settings for office applications. For general desktop and remote application access functionality, use a dedicated Terminal Server solution.