Remote support is an important part of administration. Although
Server Manager and related MMCs allow you to perform remote
management, sometimes you might prefer to connect and work with remote
systems as if you were logged on locally, and Remote Desktop allows you to do this.
8.1 Remote Desktop essentials
Using Remote Desktop, you can use a local area network (LAN),
wide area network (WAN), or Internet connection to manage computers
remotely with the Windows graphical interface. Because all the
application processing is performed on the remote system, only the
data from devices such as the display, keyboard, and mouse are
transmitted over the network.
Remote Desktop is part of Remote Desktop Services. Microsoft has separated
Remote Desktop Services into two operating modes:
-
Remote Desktop, which you enable and configure using the System utility in Control
Panel.
-
Remote Desktop Server, which you set up by installing and configuring
the appropriate role services for the Remote Desktop Services role.
To be operational, the Remote Desktop and Remote Desktop
Server modes both depend on the Remote Desktop Services service
being installed and running on the server. By default, the Remote
Desktop Services service is installed and configured to run
automatically. Both features use the same client, Remote Desktop
Connection (RDC), for connecting to remote systems.
Note
Remote Desktop isn’t designed for application serving. Most
productivity applications such as Microsoft Office Word, Outlook,
and Excel require specific environment settings that are not
available through this feature. If you want to work with these
types of applications (rather than server applications), you
should install and use the Remote Desktop Services role.
No Remote Desktop Client Access License (RD CAL) is required
to use Remote Desktop. Windows Server 2012 allows two active
administration sessions:
-
One administrator can be logged on locally, and another
administrator can be logged on remotely.
-
Or two administrators can be logged on remotely.
Most remote sessions run in admin mode. The reason for this is that the admin
session provides full functionality for administration. Standard
Remote Desktop Services connections are created as virtual sessions.
Why is this important? Using admin mode, you can interact with
the server just as if you were sitting at the keyboard. This means
all notification area messages directed to the console are visible
remotely. For security, only two sessions are allowed. If a third
administrator tries to log on, the administrator will be prompted to
end an existing session so that she can log on.
Although it is recommended that administrators use admin sessions, you can use virtual sessions—hey,
that’s what they’re there for. When working with a virtual session,
you can perform most administration tasks, and your key limitation
is in your ability to interact with the console session itself. This
means users logged on using a virtual session do not see console
messages or notifications, cannot install some programs, and cannot
perform tasks that require console access.
You’ll want to formalize a general policy on how Remote Desktop should be used in your organization.
You don’t want multiple administrators trying to perform
administration tasks on a system because this could cause serious
problems. For example, if two administrators are both working with
Disk Management, this could cause serious problems with the volumes
on the remote system. Because of this, you’ll want to coordinate
administration tasks with other administrators.
8.2 Configuring Remote Desktop
The two components of Remote Desktop you need to support and
configure are Remote Desktop Services for the server portion and the
Remote Desktop Connection (RDC) for the client portion.
Enabling Remote Desktop on servers
Enabling the Remote Desktop mode on all servers on your
network is recommended, especially for servers in remote sites
that have no local administrators. To view the current status of
Remote Desktop on the server, select Local Server in Server
Manager and then check the enabled or disabled status for the
Remote Desktop entry. Just because Remote Desktop is enabled
doesn’t mean the feature is fully configured. With that in mind,
tap or click the Enabled or Disabled link for the Remote Desktop
entry. This opens the System Properties dialog box to the Remote
tab, as shown in Figure 11.
You have two configuration options for enabling Remote
Desktop. You can do either of the following:
-
Select Allow Remote Connections To This Computer, which
allows connections from any version of Windows.
-
Select Allow Remote Connections To This Computer and also
select the Allow Connections Only From Computers Running
Remote Desktop With Network Level Authentication check box to allow connections
only from Windows Vista or later, as well as other computers
with secure network authentication.
Keep the following details about using Remote Desktop in mind:
-
All remote connections must be established using
accounts that have passwords. If a local account on the system
doesn’t have a password, you can’t use the account to connect
to the system remotely.
-
If the computer is running Windows Firewall, the
operating system automatically creates an exception that
allows Remote Desktop Protocol (RDP) connections to be
established. The default port used is TCP port 3389. The
registry value
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
controls the actual setting.
-
If you are running a different firewall on the computer,
you must open a port on the firewall to allow incoming Remote
Desktop Protocol (RDP) connections to be established. Again,
the default port used is TCP port 3389.
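The following PowerShell script is an added example, not from the book; it audits and applies on the local server the settings described in the two lists above (Remote Desktop enabled, the Network Level Authentication check box, the Windows Firewall exception, and the PortNumber value). The value names fDenyTSConnections and UserAuthentication, the Group Policy registry key under HKLM\SOFTWARE\Policies, and the "Remote Desktop" firewall rule group are well-known Windows settings assumed here rather than named on this page.

```powershell
# Added example (not from the book): audit and harden Remote Desktop locally.
# Group Policy writes its copy of these values under $Policy; when a policy value
# exists it takes precedence over the local value, so it is read first.
$Local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcp = "$Local\WinStations\RDP-Tcp"

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdpConfig {
    $deny = Get-RegValue $Policy 'fDenyTSConnections'
    if ($null -eq $deny) { $deny = Get-RegValue $Local 'fDenyTSConnections' }
    $nla = Get-RegValue $Policy 'UserAuthentication'
    if ($null -eq $nla) { $nla = Get-RegValue $RdpTcp 'UserAuthentication' }
    $port = Get-RegValue $RdpTcp 'PortNumber'
    if ($null -eq $port) { $port = 3389 }   # documented default

    # Inbound rules of the built-in "Remote Desktop" group in Windows Firewall
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
          Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -eq 1)   # the "Network Level Authentication" check box
        Port                 = $port
        FirewallRuleEnabled  = [bool]$fw
        Listening            = [bool]$listening
    }
}

function Enable-RdpWithNla {
    # Same effect as selecting Allow Remote Connections To This Computer and the
    # Network Level Authentication check box on the Remote tab
    Set-ItemProperty -Path $Local  -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

$cfg = Get-RdpConfig
$cfg | Format-List
if ($cfg.RemoteDesktopEnabled -and -not $cfg.NlaRequired) {
    Write-Warning 'RDP accepts connections without Network Level Authentication; run Enable-RdpWithNla.'
}
```

Run it in an elevated PowerShell session; the audit part is read-only, and only Enable-RdpWithNla changes the server.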
Permitting and restricting remote logon
By default, all members of the Administrators group can log
on remotely. The Remote Desktop Users group has been added to Active
Directory to ease managing Remote Desktop Services users. Members of
this group are allowed to log on remotely.
If you want to add a member to this group, select Local
Server in Server Manager and then tap or click the Enabled or
Disabled link for the Remote Desktop entry. This opens the System
Properties dialog box to the Remote tab. On the Remote tab, tap or
click Select Users. As shown in Figure 12, any current members
of the Remote Desktop Users group are listed in the
Remote Desktop Users dialog box. To add users or
groups to the list, tap or click Add. This opens the Select Users
Or Groups dialog box.
In the Select Users Or Groups dialog box, type the name of a
user in the selected or default domain, and then tap or click
Check Names. If multiple matches are found, select the name or
names you want to use and then tap or click OK. If no matches are
found, you either entered an incorrect name part or you’re working
with an incorrect location. Modify the name and try again, or tap
or click Locations to select a new location. To add additional
users or groups, type a semicolon (;) and then repeat this
process. When you tap or click OK, the users and groups are added
to the list in the Remote Desktop Users dialog box.
In Group Policy, members of the Administrators and Remote
Desktop Users groups have the user right Allow Log On Through Remote Desktop Services by
default. If you modified Group Policy, you might need to
double-check to ensure that this user right is still granted to
these groups. Typically, you will want to do this through local
policy on a per-machine basis. You can also do this through site,
domain, and organizational policy. Access the appropriate Group
Policy Object and select Computer Configuration, Windows Settings,
Security Settings, Local Policies, and User Rights Assignments.
Double-tap or double-click Allow Log On Through Remote Desktop
Services to see a list of users and groups currently granted this
right.
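As an added example (not from the book), the PowerShell script below performs the two checks this section describes from the command line: it adds a principal to the Remote Desktop Users group and then confirms which accounts currently hold the Allow Log On Through Remote Desktop Services user right, which is stored as SeRemoteInteractiveLogonRight in the local security policy. CONTOSO\ServerOps is a placeholder name.

```powershell
# Added example (not from the book): manage and verify remote logon permissions.
$Principal = 'CONTOSO\ServerOps'   # placeholder domain group

function Add-RemoteDesktopUser($Name) {
    # net.exe is available on every Windows Server version, unlike Add-LocalGroupMember
    net localgroup "Remote Desktop Users" $Name /add | Out-Null
}

function Get-RemoteDesktopUsers {
    # Drop the header and footer lines net.exe prints around the member list
    net localgroup "Remote Desktop Users" |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
}

function Get-RemoteInteractiveLogonRight {
    # Export the effective local security policy; the [Privilege Rights] section
    # contains e.g.  SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # right granted to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate them to account names
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else { $entry }                   # already an account name
    }
}

Add-RemoteDesktopUser $Principal
'Members of Remote Desktop Users:'
Get-RemoteDesktopUsers
'Accounts holding Allow Log On Through Remote Desktop Services:'
Get-RemoteInteractiveLogonRight
```

If the second list no longer contains Remote Desktop Users, Group Policy has removed the right and group membership alone will not permit a remote logon.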
Configuring Remote Desktop through Group Policy
Remote Desktop is part of Remote Desktop Services, and you
can use Group Policy to configure Remote Desktop Services.
Microsoft recommends using Group Policy as the first choice when
you are configuring Remote Desktop Services for use with
Remote Desktop. The precedence hierarchy for Remote Desktop
Services configuration is as follows:
-
Computer-level Group Policy
-
User-level Group Policy
-
Local computer policy using the Remote Desktop Services
Configuration tool
-
User policy on the Local User And Group level
-
Local client settings
You can configure local policy on individual computers or on
an organizational unit (OU) in a domain. You can use Group Policy
to configure Remote Desktop Services settings per connection, per
user, per computer, or for groups of computers in an OU of a
domain. The Group Policy settings for Remote Desktop Services are
modified using the Group Policy Object Editor and are located in
Computer Configuration\Administrative Templates\Windows
Components\Remote Desktop Services and in User
Configuration\Administrative Templates\Windows Components\Remote
Desktop Services.
Typically, Remote Desktop is used throughout an organization,
but Remote Desktop Services servers are isolated to a
particular group of servers operating in a separate OU. So, if
you plan to use Remote Desktop Services servers as well in the
organization, you should consider creating a separate OU for the
Remote Desktop Services servers. In this way, you can manage
Remote Desktop Services servers separately from Remote
Desktop.