Changes to Remote Administration in Windows Server 2008


This article describes the differences between Windows Server 2003 and Windows Server 2008 when you use the Remote Desktop Connection (RDC) client to remotely connect to the server for administrative purposes.

 

In Windows Server 2003, you can start the RDC client (mstsc.exe) with the /console switch to remotely connect to the physical console session on the server (also known as session 0). In Windows Server 2008, the /console switch has been deprecated. (For more information, see the “Why the /console switch is no longer needed” section of this article.) In Windows Server 2008, session 0 is a non-interactive session that is reserved for services.

 

You can use the new /admin switch to remotely connect to a Windows Server 2008-based server for administrative purposes. The /admin switch is introduced with RDC 6.1. RDC 6.1 is included with the following operating systems:

       Windows Server 2008

       Windows Vista Service Pack 1 (SP1) Beta and RC

       Windows XP Service Pack 3 (SP3) Beta and RC

 

Note   RDC 6.1 (6.0.6001) supports Remote Desktop Protocol (RDP) 6.1.

 

RDC 6.1 does not support the /console switch. However, for backward compatibility, you can use the /admin switch to connect to the physical console session on a Windows Server 2003-based server. For example, to connect from a Windows Vista SP1 RC-based client to the physical console session of a Windows Server 2003-based server, you can run the command mstsc.exe /admin.

 

If you try to use the /console switch with the RDC 6.1 client, the behavior is as follows.

 

 

Scenario: You type mstsc.exe /console at the command prompt, and then connect to a remote server that does not have Terminal Server installed.
Behavior: The /console switch is silently ignored. You will be connected to a session to remotely administer the server. (For more information about the Windows Server 2008 behavior, see the “Behavior when you connect to a server that does not have Terminal Server installed” section of this article.)

Scenario: You type mstsc.exe /console at the command prompt, and then connect to a remote server that has Terminal Server installed.
Behavior: The /console switch is silently ignored. You will be connected to a standard Remote Desktop session that requires a Terminal Services client access license (TS CAL).

Scenario: In the RDC client UI, you specify Computer_name /console in the Computer box (where Computer_name represents the name of the remote computer to which you want to connect), and then click Connect.
Behavior: You receive the following error message: “An unknown parameter was specified in computer name field.”

Scenario: In the .rdp file, you specify /console in the “full address” property, and then try to start the Remote Desktop connection.
Behavior: You receive the following error message: “An unknown parameter was specified in computer name field.”

Scenario: In the .rdp file, you specify the “connect to console” property, and then start the Remote Desktop connection.
Behavior: The property is silently ignored. You will be connected to a session that requires a TS CAL.

Scenario: As a developer, you programmatically call the put_ConnectToServerConsole function or the get_ConnectToServerConsole function of the IMsRdpClientAdvancedSettings interface.
Behavior: The function fails, and returns S_FALSE.
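
Because several of these cases are silently ignored, saved .rdp files and launcher command lines that still rely on /console can be checked ahead of a client upgrade. The following is an added example, not code from the original article or from Microsoft: the function names, messages and sample host name are hypothetical, and the sample inputs are constructed. It handles files saved as UTF-16 with a byte-order mark as well as UTF-8.

```python
import re

# Findings keyed to the scenarios described above for the RDC 6.1 client.
CMD_CONSOLE = "/console on the command line is silently ignored; use /admin"
ADDR_CONSOLE = ("/console in 'full address' fails with: An unknown parameter "
                "was specified in computer name field.")
PROP_CONSOLE = ("'connect to console' is silently ignored; the session "
                "requires a TS CAL. Launch with /admin instead")

def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes; handles UTF-16 with a BOM as well as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def audit_rdp(raw: bytes) -> list:
    """Return (line_number, finding) pairs for deprecated console settings."""
    findings = []
    for n, line in enumerate(decode_rdp(raw).splitlines(), 1):
        # .rdp settings have the form  name:type:value
        name, _, rest = line.strip().partition(":")
        kind, _, value = rest.partition(":")
        name = name.strip().lower()
        if name == "full address" and re.search(r"(?i)(^|\s)/console\b", value):
            findings.append((n, ADDR_CONSOLE))
        elif name == "connect to console" and kind.strip() == "i" and value.strip() == "1":
            findings.append((n, PROP_CONSOLE))
    return findings

def audit_command(cmd: str) -> list:
    """Flag an mstsc command line that still passes /console."""
    is_mstsc = re.search(r"(?i)\bmstsc(\.exe)?\b", cmd)
    has_console = re.search(r"(?i)(^|[\s\"])/console\b", cmd)
    return [CMD_CONSOLE] if is_mstsc and has_console else []

# Constructed sample inputs (not taken from a real environment).
SAMPLE_RDP = ("full address:s:srv01.example.test /console\r\n"
              "connect to console:i:1\r\n"
              "screen mode id:i:2\r\n").encode("utf-16")
SAMPLE_CMD = r'C:\WINDOWS\system32\mstsc.exe /console /v:srv01.example.test'

if __name__ == "__main__":
    for n, msg in audit_rdp(SAMPLE_RDP):
        print(f"line {n}: {msg}")
    for msg in audit_command(SAMPLE_CMD):
        print(f"command: {msg}")
```
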

 

 

Why the /console switch is no longer needed

 

In Windows Server 2003, you start a Remote Desktop session by running mstsc.exe with the /console switch for the following reasons:

       To connect to session 0. Some applications install and run only in session 0 because they need to communicate with services that run in session 0, or display UI that is displayed in session 0.

       To connect back to an existing session on the physical console. Because the physical console session in Windows Server 2003 is always session 0, the only way that you can reconnect to this session is by using the /console switch.

 

In Windows Server 2008, the /console switch functionality is no longer needed for the following reasons:

       Improved application compatibility ensures that legacy applications that need to communicate with services in session 0 will install and run in sessions other than session 0. Additionally, if the service that is associated with an application tries to display UI in session 0, a built-in capability in Windows Server 2008 and in Windows Vista enables the user to view and to interact with the session 0 UI from the user’s session. Windows Server 2008 session 0 is a non-interactive session that is reserved for services. Therefore, a user never needs to explicitly connect to this session.

 

Note   For more information about session 0 isolation in Windows Vista, see “Impact of Session 0 Isolation on Services and Drivers in Windows Vista” (http://go.microsoft.com/fwlink/?LinkId=106201).

 

       Because the physical console session is never session 0, you can always reconnect to your existing session on the physical console. Reconnecting to your existing physical console session is controlled by the "Restrict Terminal Services users to a single remote session" Group Policy setting, available in the Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Local Group Policy Editor. You can also configure this setting in the UI by using Terminal Services Configuration. (The Restrict each user to a single session setting appears under Edit settings, in the General section.)

 

Behavior of the /admin switch

 

You can start the RDC 6.1 client (mstsc.exe) with the /admin switch to remotely administer a Windows Server 2008-based server (with or without Terminal Server installed). However, if you are connecting to remotely administer a Windows Server 2008-based server that does not have the Terminal Server role service installed, you do not have to specify the /admin switch. (In this case, the same connection behavior occurs with or without the /admin switch.) At any point in time, there can be two active remote administration sessions. To start a remote administration session, you must be a member of the Administrators group on the server to which you are connecting.

 

Behavior when you connect to a server that does not have Terminal Server installed

 

If you (as a member of the Administrators group on the destination server) start a Remote Desktop session to a Windows Server 2008-based server that does not have the Terminal Server role service installed, the following behavior is true for the remote administration session:

       Time zone redirection is disabled.

       Terminal Services Session Broker (TS Session Broker) redirection is disabled.

       Plug and Play device redirection is disabled.

       The remote session theme is changed to Windows Classic.

       Terminal Services Easy Print is disabled.

 

Behavior when you connect to a server that has Terminal Server installed

 

If you (as a member of the Administrators group on the destination server) start a Remote Desktop session to a Windows Server 2008-based server that has the Terminal Server role service installed, you must specify the /admin switch to connect to a session to remotely administer the server. The following behavior is true for the session:

       You do not need a TS CAL to connect remotely to administer a terminal server.

       Time zone redirection is disabled.

       Terminal Services Session Broker (TS Session Broker) redirection is disabled.

       Plug and Play device redirection is disabled.

       The remote session theme is changed to Windows Classic.

       Terminal Services Easy Print is disabled.

 

Developer resources – Changes to APIs

If you are using RDC 6.1, you can no longer use the ConnectToServerConsole property of the IMsRdpClientAdvancedSettings interface to specify whether the Remote Desktop ActiveX control should attempt to connect to the server for administrative purposes. Instead, you must use the ConnectToAdministerServer property of the IMsRdpClientAdvancedSettings6 interface to connect to the physical console session on a Windows Server 2003-based server, or to the session that is used for administrative purposes on a Windows Server 2008-based server.

For more information about the ConnectToServerConsole property, see http://go.microsoft.com/fwlink/?LinkId=106203.

For more information about the ConnectToAdministerServer property, see http://go.microsoft.com/fwlink/?LinkId=106204.

Leave a Comment
  • For the people that don't want to remove Vista SP1 or XP SP3 just replace the new TS files with the old ones. The two needed files AFAIK are mstscax.dll and mstsc.exe, and you can find them on system32 dir (XP).

  • Can anyone help with the step-by-step to configure Win 2008 Terminal Server?

  • This was a poorly thought out plan.  The changes break most 3rd party RDP utilities.  Why not leave /console as a valid switch and just interpret as /admin where applicable?  Lame job by the MS team.

  • BTW, I have opened up a feedback item on MSFT Connect:

    https://connect.microsoft.com/WindowsServerFeedback/feedback/ViewFeedback.aspx?FeedbackID=341289

    This silly OVERSIGHT by the MSFT team has become one of the most requested "features" in my 3rd party application (Terminals):

    http://www.codeplex.com/Terminals/WorkItem/View.aspx?WorkItemId=14694

  • This was a bad decision. /console no longer works on XP SP3.

    Do you guys have any idea how much sysadmin time is going to be wasted because of this idiotic decision?

    Do you think those system admins will be happy or upset?

  • This seems to break the tsmmc.msc snap-in.  The snap-in version of RDP now ignores "Connect to console" check box in the individual server properties.  Now that I am running SP 3 on XP, I can no longer connect to server consoles using the snap-in.  Microsoft wants me to pay for a support call when I try to report it.

  • I am using the Remote Desktops snap-in from the Windows 2003 Server Admin Tools, just like many other Admins here, to connect to several servers to the console, Session 0.  I don't think that Microsoft realized what problem this will present, not to also issue an update for this tool at the same time when they issued Service Pack 3 for XP.  Millions of admins around the world will be really, really mad!

    I have to waste time to re-configure all my remote connections now using the Remote Desktop included with XP, which I don't like because it doesn't offer me the same efficiency and speed in my remote work on the servers.

  • @MS: When can we expect a separate install for the new RDP client for XP (without SP3!) and WinServer below 2008? We use RDP for administration throughout our company, and we do have lots of prepared .RDP files with the /console switch inside. When we change this to /admin we need to update all clients (and again, we do not want to upgrade to XPSP3 now).

  • So "/admin" replaces "/console", but what replaces the following .rdp-file argument:

    connect to console:i:1

    ?

    I've changed all my shortcuts from /console to /admin, but I don't know what to add to my rdp-files (which use no shortcuts, hence no command line arguments.)

  • I'm always connecting with the /console, but I will change it to /admin now. Why is this change only on the blogs?

  • This silent change cost me quite a bit of time trying to figure out why I could not connect to the console session on Windows Server 2003 servers.  In fact, in a few instances, I had to physically go to the servers to access the console session because I already had apps running in that session.  Unfortunately, one of these servers was over an hour away.

  • Quoted from above:

    -----------------------------------------

    BTW, i have opened up a feedback item on MSFT Connect:

    https://connect.microsoft.com/WindowsServerFeedback/feedback/ViewFeedback.aspx?FeedbackID=341289

    -----------------------------------------

    I read this and noted that MS closed this "by design".  

    You know, I pushed for MS software in my company where and when I could.  However, seeing how they've blatantly ignored user input such as this speaks volumes to me.  MS simply is not interested in what the user (or in this case admins) want and quite frankly if they've no interest in what we want and can make changes like this even with the backlash they're getting, I see no reason to continue pushing their software.  

    Mind you that doesn't mean I won't ever use anything MS; but I will definitely investigate any and all alternatives a bit more heavily before recommending the MS solution.  (And no, this is not the only issue that I've seen lately where MS has done this.)  It just seems to me overall that the culture at Microsoft just as interested in user feedback as they seem to claim.

  • Since installing XP SP3, the functionality of mstsc has changed. I used to be prompted for credentials before actually connecting to a server. Then, once the correct information was entered, the server gave me the warning dialog, and when accepted, logged me into the system.

    Since I use multiple servers in multiple environments (multiple domains, and standalone), and since I also use a password manager with automatically generated passwords with a high complexity level, this was a great setup. I could copy/paste my passwords from the manager without ever exposing them to anyone (including myself).

    I also use a management tool that allows me to have hot keys assigned to various functions. Selecting a server and executing a hot key against it will automatically launch the following command - "C:\WINDOWS\system32\mstsc.exe /console "C:\admintools\Default.rdp" /v:%E% /w:1024 /h:768"

    This would launch against the servername (%E%), and use my default.rdp. The bonus to this setup was that my name (domain or computer)\username was prepopulated correctly. I did not need multiple .rdp files.

    With 6.1, this is gone. How do I regain this functionality?

  • David,

    With RDP client 6.1, user name and domain are prepopulated from the registry. The RDP client remembers the last user name you used successfully for each server.

    Unfortunately, the Cred UI that the RDP client uses does not allow copy/paste of passwords.

    Have you considered saving your password in the credential store instead? You could enter your credentials once, check the "Remember my credentials" checkbox, and next time you connect to the same server, it will not prompt you.

  • This is such typical arrogant behavior by Microsoft.  I, too, like everyone on this blog just spent a TON of time trying to figure this out?!?  

    But Microsoft DOESN'T CARE!  In the past, they used to only ignore end users who they think don't know anything any way.  They used to pay attention to admins and techs.  But now, they really showed they don't care about us either?!?

    I'm SOOO glad I decided to use CentOS for my last 2 installs!  It JUST WORKS!  None of this CRAP!

    Sorry, Microsoft!  (NOT!)
