Changes to Remote Administration in Windows Server 2008

Changes to Remote Administration in Windows Server 2008

Rate This

This article describes the differences between Windows Server 2003 and Windows Server 2008 when you use the Remote Desktop Connection (RDC) client to remotely connect to the server for administrative purposes.

 

In Windows Server 2003, you can start the RDC client (mstsc.exe) with the /console switch to remotely connect to the physical console session on the server (also known as session 0). In Windows Server 2008, the /console switch has been deprecated. (For more information, see the “Why the /console switch is no longer needed” section of this article.) In Windows Server 2008, session 0 is a non-interactive session that is reserved for services.

 

You can use the new /admin switch to remotely connect to a Windows Server 2008-based server for administrative purposes. The /admin switch is introduced with RDC 6.1. RDC 6.1 is included with the following operating systems:

       Windows Server 2008

       Windows Vista Service Pack 1 (SP1) Beta and RC

       Windows XP Service Pack 3 (SP3) Beta and RC

 

Note   RDC 6.1 (6.0.6001) supports Remote Desktop Protocol (RDP) 6.1.

 

RDC 6.1 does not support the /console switch. However, for backward compatibility, you can use the /admin switch to connect to the physical console session on a Windows Server 2003-based server. For example, to connect from a Windows Vista SP1 RC-based client to the physical console session of a Windows Server 2003-based server, you can run the command mstsc.exe /admin.

 

If you try to use the /console switch with the RDC 6.1 client, the behavior is as follows.

 

 

Scenario

Behavior

You type mstsc.exe /console at the command prompt, and then connect to a remote server that does not have Terminal Server installed.

The /console switch is silently ignored. You will be connected to a session to remotely administer the server.

 

(For more information about the Windows Server 2008 behavior, see the “Behavior when you connect to a server that does not have Terminal Server installed” section of this article.)

You type mstsc.exe /console at the command prompt, and then connect to a remote server that has Terminal Server installed.

The /console switch is silently ignored. You will be connected to a standard Remote Desktop session that requires a Terminal Services client access license (TS CAL).

In the RDC client UI, you specify Computer_name /console in the Computer box (where Computer_name represents the name of the remote computer to which you want to connect), and then click Connect.

You receive the following error message:

 

“An unknown parameter was specified in computer name field.”

In the .rdp file, you specify /console in the “full address” property, and then try to start the Remote Desktop connection.

You receive the following error message:

 

“An unknown parameter was specified in computer name field.”

In the .rdp file, you specify the “connect to console” property, and then start the Remote Desktop connection.

The property is silently ignored. You will be connected to a session that requires a TS CAL.

As a developer, you programmatically call the put_ConnectToServerConsole function or the get_ConnectToServerConsole function of the IMsRdpClientAdvancedSettings interface.

The function fails, and returns S_FALSE.

 

 

Why the /console switch is no longer needed

 

In Windows Server 2003, starting a Remote Desktop session by running mstsc.exe with the /console switch is used for the following reasons:

       To connect to session 0. Some applications install and run only in session 0 because they need to communicate with services that run in session 0, or display UI that is displayed in session 0.

       To connect back to an existing session on the physical console. Because the physical console session in Windows Server 2003 is always session 0, the only way that you can reconnect to this session is by using the /console switch.

 

In Windows Server 2008, the /console switch functionality is no longer needed for the following reasons:

       Improved application compatibility ensures that legacy applications that need to communicate with services in session 0 will install and run in sessions other than session 0. Additionally, if the service that is associated with an application tries to display UI in session 0, a built-in capability in Windows Server 2008 and in Windows Vista enables the user to view and to interact with the session 0 UI from the user’s session. Windows Server 2008 session 0 is a non-interactive session that is reserved for services. Therefore, there is no need for a user to have to explicitly connect to this session.

 

Note   For more information about session 0 isolation in Windows Vista, see “Impact of Session 0 Isolation on Services and Drivers in Windows Vista” (http://go.microsoft.com/fwlink/?LinkId=106201).

 

       Because the physical console session is never session 0, you can always reconnect to your existing session on the physical console. Reconnecting to your existing physical console session is controlled by the "Restrict Terminal Services users to a single remote session" Group Policy setting, available in the Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Local Group Policy Editor. You can also configure this setting in the UI by using Terminal Services Configuration. (The Restrict each user to a single session setting appears under Edit settings, in the General section.)

 

Behavior of the /admin switch

 

You can start the RDC 6.1 client (mstsc.exe) with the /admin switch to remotely administer a Windows Server 2008-based server (with or without Terminal Server installed). However, if you are connecting to remotely administer a Windows Server 2008-based server that does not have the Terminal Server role service installed, you do not have to specify the /admin switch. (In this case, the same connection behavior occurs with or without the /admin switch.) At any point in time, there can be two active remote administration sessions. To start a remote administration session, you must be a member of the Administrators group on the server to which you are connecting.

 

Behavior when you connect to a server that does not have Terminal Server installed

 

If you (as a member of the Administrators group on the destination server) start a Remote Desktop session to a Windows Server 2008-based server that does not have the Terminal Server role service installed, the following behavior is true for the remote administration session:

       Time zone redirection is disabled.

       Terminal Services Session Broker (TS Session Broker) redirection is disabled.

       Plug and Play device redirection is disabled.

       The remote session theme is changed to Windows Classic.

       Terminal Services Easy Print is disabled.

 

Behavior when you connect to a server that has Terminal Server installed

 

If you (as a member of the Administrators group on the destination server) start a Remote Desktop session to a Windows Server 2008-based server that has the Terminal Server role service installed, you must specify the /admin switch to connect to a session to remotely administer the server. The following behavior is true for the session:

       You do not need a TS CAL to connect remotely to administer a terminal server.

       Time zone redirection is disabled.

       Terminal Services Session Broker (TS Session Broker) redirection is disabled.

       Plug and Play device redirection is disabled.

       The remote session theme is changed to Windows Classic.

       Terminal Services Easy Print is disabled.

 

Developer resources – Changes to APIs

If you are using RDC 6.1, you can no longer use the ConnectToServerConsole property of the IMsRdpClientAdvancedSettings interface to specify whether the Remote Desktop ActiveX control should attempt to connect to the server for administrative purposes. Instead, you must use the ConnectToAdministerServer property of the IMsRdpClientAdvancedSettings6 interface to connect to the physical console session on a Windows Server 2003-based server, or to the session that is used for administrative purposes on a Windows Server 2008-based server.

For more information about the ConnectToServerConsole property, see http://go.microsoft.com/fwlink/?LinkId=106203.

For more information about the ConnectToAdministerServer property, see http://go.microsoft.com/fwlink/?LinkId=106204.

Leave a Comment
  • Please add 8 and 8 and type the answer here:
  • Post
  • @Sergey:

    To get "Start program on connection" to work, you need to use RemoteApp Manager to either list the allowed programs, or allow users to start unlisted programs.

    For security purposes, the first one is recommended.

    Rob

  • Thanks for fast answer. As I understand the RemoteApp Manager is a part of Terminal Services Role. Does it mean that I cannot use "Start program on connection" without Terminal Services installed? On the Windows 2003 it works without Terminal Server – enabling Remote Desktop was enough.

  • @Sergey:

    If you don't have Terminal Service role installed, you can still use RemoteApp Manager, either installed locally or remotely.

    Alternately, you can use WMI: see the Win32_TSPublishedApplication and Win32_TSPublishedApplicationList classes.

    Rob

  • session 0 is not longer available in Windows 2008, this is very BAD. I have programs that require session 0 in order to run for troubleshooting. Freaking M$.

  • Trying to get multiple RDP admin sessions running on WindowServer 2008....via remote PC's running WinXP sp3.

    How can I get this working ?   (Right now..when the 2nd session initiates the first is getting terminated....unlike Win2003..where I'm having no issues.)

    Thanks.

    -Brian

  • Brian,

    Do you use the same user account?

    You might need to disable "Restrict each user to a single session" setting in tsconfig.msc

  • yes....we were using the same default Admin account.

    -Brian

  • This is ridiculous. Why has there been NO response from Microsoft on this issue? Not even anything in the kb, not that they've made it easy to find things there with their new fluffy web site.

    I couldn't care less about Remote Desktop Connections breaking or having to edit .rdp files, tho I feel your pain.

    What's really screwed up is breaking the Remote Desktops MMC snap-in that all real IT administrators use everyday.  As a work around, I've found that you can open up Terminal Services Manager in your crippled session and 'Connect' to the console 0 from there.  Of course you now have two running but you could kill the other one.  Problem is if you re-connect, it's back to the extra session. What a waste of time.

    On the plus side, it does keep one stupid admin around here from touching the console sessions. Maybe he'll someday learn you very rarely need to logon to the actual server if you have the admin tools on your own workstation. lol

  • Currently uninstalling XP SP3.  The fact that over a year has passed without restoring (or even addressing the issue!) the ability for Administrators to use the "Connect to Console" option in the MMC Snap-In to connect to 2003 servers is completely unacceptable.

    MS, you really dropped the ball on this one.  As with Vista, your assumption that everyone would immediately jump in and starting using Server 2008 was a pipe dream.

    Why would anyone, who's had stable applications running on 2003 server for years, even dream about a major server OS upgrade?  So we can waste even more hours on stupid undocumented "tweaks" like this mstsc.exe snafu?

  • Micro$oft,

    Your verbiage (above) includes dialog on "Why the /console switch is no longer needed", which in reality describes precisely why it ABSOLUTELY IS NEEDED, as follows:

    "In Windows Server 2003, starting a Remote Desktop session by running mstsc.exe with the /console switch is used for the following reasons:

    • To connect to session 0. Some applications install and run only in session 0 because they need to communicate with services that run in session 0, or display UI that is displayed in session 0.

    • To connect back to an existing session on the physical console. Because the physical console session in Windows Server 2003 is always session 0, the only way that you can reconnect to this session is by using the /console switch."

    Apparently, your Corporate goals include:

    1. Break existing, functional processes/tools to force worldwide upgrade purchases regardless of the current economic situation.

    2. Do this without notification or readily accessible documentation, thus inconveniencing and/or embarrasing your front-line representatives (Windows Admins, Engineers, etc.)

    3. Ignore all feedback, even when coming from these front-line representatives.

    Who do you think actually makes it possible for your software to survive in the marketplace? Do you really think it's OK to ignore the personnel who support your products? Would you survive if these representatives began jumping ship? Linux is becoming a more attractive option every day, and the seasoned veterans are not afraid to take the plunge...

    Maybe your Corporate goals should also include:

    * Increase the cost of training and certification, to ensure our representatives recommend competing technologies.

  • I've just run into this same problem with a recent XP SP3 upgrade, which is now no longer able to connect to the Windows 2003 server I've been connecting to from here for the last year+.  First, I waste a frustrated hour trying to figure out why /console stopped working, then it appears that the RDC/mstsc just doesn't work at all any more.

    I understand that things change with various upgrades, service packs, and the like.  But change without notification or warning -- and seemingly without reason or benefit -- is generally not an appreciated thing, and changes that outright break previously useful/vital functionality are a good way to drive your customers to other competing providers.

    Has there been any sort of MS response, explanation, or fix for any of these issues on XP SP3?

    This one issue alone may well be reason enough for some of us to uninstall XP's SP3...

  • Why?

    The decision to deprecate the /console switch is crap and completely incomprehensible.

    Not only there are only two (2) RDP-connections left to use; our main problem with this is that we can no longer use the SAME USER in two (2) different sessions (one console, on TS4A).

    It's very annoying to be persistently kicked from a system by a colleague in the middle of doing something...

    Hey M$, fix it!

  • This switch from /console to /admin doesn't really bug me.  What bugs me is that my 2008 server, twice in the last week, has gotten into a state where I cannot log-in and I have to open a support case with my hosting provider to reboot the machine.

    My "fix" is to set the machine to reboot every night so I have a chance in the morning to log-in.

    The machine pings fine.  Serves web-pages, etc... but MSTSC.EXE with or without /admin won't connect.  Bleh.

  • Is it possible to connect to the Console session running on a Windows 2008 server? The /admin switch appears to spawn a new session.

    I'm not talking about Session 0 - I'm talking about session #41 that the Console is running on.

    thanks,

    Keith

  • If "Restrict each user to a single session" setting is enabled in tsconfig.msc, you should be able to reconnect to your console session by simply connecting remotely as the same user.

    Thx,

    Sergey.

Page 6 of 8 (111 items) «45678