Full of I.T.

Kevin Remde's IT Pro WebLog

Windows Server 2003 Administration Webcast Series (Part 1) Q&A

Hi folks! 

Here is where I’m going to attempt to share many of your questions from part 1 of our webcast series, along with answers.  And hopefully the right ones. 

I’m also adding many of the questions and answers from the webcast Q&A. 
Thanks again to Bryan Von Axelson and Kelley DuBois for helping to answer questions!

And finally, here is the link to the Session Resources I posted for Part 1.  Expect to see resources for Part 2 very soon!

“Does remote assistance work with AOL dialup?”

It will work over a slow link, although certainly not as quick as broadband or LAN speeds.  Whether or not AOL or whatever provider you are using will allow the required TCP port 3389 over their connection should also be considered.

“Can I use your postal address for registering and then if I win the Portable Media Centre, you could post it to me here in New Zealand 😉

Great seminar btw.”

Can’t do it.  I’d be too tempted to keep it.  Sorry Kiwi.    Thanks!

“Where’s a good ‘Troubleshooting Remote Desktop’ document?”

How about one called “Troubleshooting Remote Desktop”.

“Are all the sessions in this series 100-level? Bit too simple for me today.”

I’m glad you asked that (several of you did, in fact).  Yes, we’re starting out with the basics, but we will be moving into more complexity as we progress.  My sincere hope is that even though the first few are “simple” for some of you, you’ll still find one or two gems in there.

Think of it like reading through a technical reference.  If you have some experience in the topic, you might have to read through a few boring chapters of what you mostly already know to be sure you’re not missing something that you don’t.  

“How do I find out about topics in future webcasts?”

We have the series completely mapped out, with descriptions and links to the registration pages, at the series home page.

“If you save [an mmc console] in user mode and can then open by right-clicking in author mode, what keeps the user from doing the same?”

Great question.  One of my Q&A helpers found the link to a page describing how to restrict access to author mode in the MMC.

“I disagree with his statement about the local and remote focus. I just create two snap-ins on one MMC, both for Computer Management, and pointed one at Local and one at a remote server. Can he please clarify?”

Ah yes… this had to do with the pop-quiz question that asked: “Can a snap-in have focus on both the local computer and a remote computer simultaneously?”

The answer given was “no”, mainly because it is somewhat of a trick question.  Yes, you can have multiple snap-ins of the same type pointing to different computers.  But no ONE snap-in can focus on two different computers at the same time.

The content team has discussed changing the wording of that question so that it won’t be so misleading.  Something like, “Can a single instance of a snap-in focus on both the local computer and a remote computer simultaneously?” would be better.

“What port number would the mmc need open?”

For remote administration, the ports that are required are TCP 135 and 445.  A good way to make sure these are available through the Windows Firewall is to use Group Policy: under Computer Configuration – Administrative Templates – Network – Network Connections – Windows Firewall – Domain Profile, enable the “Allow remote administration exception” policy.

Also – here’s a great resource for MMC information: MMC Reference

“If [a group policy] option is set to ‘not configured’, is it the same as being turned off?”

No – if a policy is not configured, then there is no setting for it in the Registry.pol file.  If it’s disabled, there is a setting in the Registry.pol file, but it is set to disabled.  So… “not configured” basically means “don’t change from the default” – whatever the particular policy might be.
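To see the difference in the file itself, here is an added example (not part of the original post and not Microsoft code) that parses the Registry.pol record layout and reports which of the three states a value is in. The key and value names are constructed, and treating a DWORD of 0 or a `**del.` entry as "disabled" is an assumption that depends on how the policy template defines its disabled value.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # file signature + format version 1
REG_SZ, REG_DWORD = 1, 4

def u16(text):
    return text.encode("utf-16-le")

def build_entry(key, value, reg_type, data):
    """Serialise one [key;value;type;size;data] record (used to build the sample)."""
    return (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
            + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

def parse_pol(blob):
    """Return {(key, value): (type, data)} for every record in a Registry.pol blob."""
    if blob[:8] != PREG_HEADER:
        raise ValueError("missing PReg header")
    pos, entries = 8, {}

    def read_string():
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":    # scan 16-bit units for the NUL
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 4  # skip NUL and ';'
        return text

    while pos < len(blob):
        pos += 2                               # skip '['
        key, value = read_string(), read_string()
        reg_type, size = struct.unpack_from("<I2xI", blob, pos)  # type ';' size
        pos += 12                              # type + ';' + size + ';'
        entries[(key, value)] = (reg_type, blob[pos:pos + size])
        pos += size + 2                        # data + ']'
    return entries

def policy_state(entries, key, value):
    """Classify a value as 'enabled', 'disabled' or 'not configured'."""
    if (key, "**del." + value) in entries:
        return "disabled"                      # explicit delete instruction
    reg_type, data = entries.get((key, value), (None, None))
    if reg_type is None:
        return "not configured"                # no record: the default is left alone
    zero = reg_type == REG_DWORD and data == struct.pack("<I", 0)
    return "disabled" if zero else "enabled"   # assumption: DWORD 0 means disabled

KEY = r"Software\Policies\Example\Firewall"    # constructed key and value names
SAMPLE = PREG_HEADER + b"".join(build_entry(KEY, *e) for e in [
    ("AllowRemoteAdmin", REG_DWORD, struct.pack("<I", 1)),
    ("AllowRemoteDesktop", REG_DWORD, struct.pack("<I", 0)),
    ("**del.AllowPing", REG_SZ, u16(" \0"))])
```

Calling `policy_state(parse_pol(SAMPLE), KEY, name)` for a name that has no record in the file returns "not configured", which is the case an audit script should report separately from "disabled".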

“Does MMC login as a service when being used remotely or is it tied to your domain creds?”

If, for example, you connect the Computer Manager to a remote machine, it will use the credentials of the context it is running in. You can use “Run as” to run it with different credentials.

“Remote Desktop sounds great. But is the port configurable?”

Here is a KB article on “How to change the listening port for Remote Desktop”.

“Does my machine need to be on or attached to the domain to add snap in for remote servers?”

No, but you will need credentials that work on that remote machine to perform any operations.

“Can you run remote desktop from XP pro?”

To enable your computer to accept remote connections, your computer must be running Windows NT4 Terminal Server Edition, Windows 2000 Server, Windows XP Professional, or a Windows Server 2003 operating system.

“Is it possible to connect to a Windows 2000 Pro workstation from a 2003 server to take control of the 2000 desktop?”

No, the Terminal Service feature wasn’t introduced into the desktop OS until XP.

“Will [remote assistance] invitations be sent with other e-mail programs? ie OE or Netscape?”

Yes.  When you choose MAPI, it will use whatever you have set up as your default email application.

“What is the difference in setting up a Terminal Service for sharing and a VPN connection? Where can I get information on setting up a VPN ? How do you Open and Close Ports ?”

This is a big question. First, Terminal Services are services that allow one machine to simulate and run applications in a “user context” instead of having a physical PC.  A VPN is what provides secure connectivity over a public network for private networks. VPNs are covered heavily on www.microsoft.com/technet. Just put VPN into the search box and you’ll get a wave of articles and how-to’s back.

“Where do you find Help and Support Center?”

Click the Start button.  You should see “Help and Support” available.  Click it.

“What happens if the user requesting assistance is behind a NAT router?”

It should still work.  Check out this portion of the “Step-by-Step Guide to Remote Assistance”:
Administering Remote Assistance in Corporate Environments

“Can the RDP file be launched by anyone regardless of their access rights?”

With Remote Desktop Connection, you can easily connect to a terminal server or to any computer running Remote Desktop.  All you need is network access and permissions to connect to the other computer.

“What if the user is using a VPN, can this still work?”

You should not have any issues.  During a VPN connection they are essentially just another computer on the local network – provided that this is how your network security and engineering folks have set things up.  

“Can Remote Desktop be run from WinXP desktop to WinXP desktop, or does a server have to be involved?”

In addition to Windows Server 2003 family operating systems, this feature can be used with Windows 2000 Server. The Remote Desktop feature must be enabled on the remote computer.

“Can I use Remote Assistance across the Internet, not over the LAN?”

Yes  (find some security related link about how you may want to secure it further to allow this.)

“Can you limit remote desktop and remote assistance connections to within a local IP address range?”

Yes you can!  You can either use Group Policy or local settings of the Windows Firewall for the Remote Assistance Exception.  Properties of an exception in the Windows Firewall include the ability to specify that you want to allow it only from the local subnet.

“Making a Remote Desktop connection from an XP Pro Box to an XP Pro box, is there only one connection allowed? When I make a connection, it logs off the current user on the remote machine.”

Yes.  Remote desktop to an XP machine essentially takes over the ONE login that is allowed to be running at a time. 

“How can I print the slides from this presentation? Can I print slides before a presentation (next time)? How long before?”

You can connect to the live event as early as 1/2 hour before the start time.  During that time, or anytime during the presentation, you can go to the File menu and “Print to PDF” to get a copy of the slides.

“Will there be followup chats on Thursdays?”

We haven’t yet scheduled them, but I’m hoping we can have chats set up and do them every two or three weeks during this series – probably on Fridays.

“What is Kevin’s blog address again?”

http://blogs.msdn.com/KevinRemde – but you knew that already.

“How can you limit who can provide Remote Assistance? We don’t want people going outside the organization for assistance.”

You can set Group Policy to permit or prohibit users from requesting help using Remote Assistance. You can also determine whether users can allow someone to remotely control their computer, or just view it. In addition, you can set Group Policy to permit or prohibit a remote assistant from offering Remote Assistance to the local computer.

“Can you initiate a Remote Assistance session within a Remote Desktop session?”

Yes, you can.  And you can launch a Remote Desktop session within a Remote Desktop session, too.  (I’ve done it.) 
However.. Please Please be careful.  You might accidentally discover time travel. 

“How can I limit the time of connections with remote desktop?”

Terminal Services configuration on the remote machine.

“Will the Remote Desktop and Remote Assistance features exist in future Windows workstation and server operating systems?”

Unknown at this time.  But I am sure there will be something similar if not the same.

“How can you add/connect to (2) different AD Users and Computers to your Console and have rights to both? Currently, the only way is via a “Runas” via a desktop shortcut.”

If you’re managing what the ADUC sees from the context of two separate servers, it’s simply that you are running the MMC with rights (run as or directly) to manage those. If you’ve used runas to launch MMC and you only have minimal rights to the domain or server you’re connecting to in the snap-in, then yes, you’ll be limited. I hope that answers your question.

“What’s the difference between Citrix application sharing and Terminal Services application sharing?”

Citrix is actually based on the built-in terminal services in Windows Server. It adds functionality to the services that are already there as the foundation.

“Can I get a copy of that picture?….That ruled!”

<heh> This one?


There you go!