
Remote Administration of Exchange Server 2010 Servers : RDP with Exchange Server 2010 (part 1) - Planning and Using Remote Desktop for Administration

3/25/2011 8:57:01 AM
RDP access to an Exchange server is one of the most common methods of remotely accessing a server. With most servers hosted in data centers that might be halfway around the world, RDP gives administrators a fast, easy, and secure method to get complete console access.

In this section, two methods of using RDP are discussed. The first is Remote Desktop for Administration, which enables a maximum of two connections and has no licensing implications. This is great for basic access to the Exchange Server 2010 server remotely. The second is Terminal Services, which enables many users to connect and has licensing costs associated with it. This is great for setting up a jump box to enable many administrators to use an SMC.

Planning and Using Remote Desktop for Administration

As mentioned earlier, Remote Desktop for Administration is included and installed with the Windows Server 2008 operating system and needs only to be enabled. This eases automated and unattended server deployment by enabling an administrator to deploy servers that can be managed remotely after the operating systems have completed installation. This enables Exchange Server administrators in central offices to manage servers in branch offices or Exchange Server administrators in one region (such as the America region) to manage servers in another region (such as the Asian region). This can reduce the required headcount to manage Exchange Server infrastructure and facilitate a follow-the-sun model of global support.

This model can also be used to manage a headless server, which can reduce the amount of space needed in any server rack. More space can be dedicated to servers instead of switch boxes, monitors, keyboards, and mouse devices.

This also provides an improved security model because Exchange Server administrators can administer the Exchange servers without having physical access to them. This is an effective security strategy for large data centers with various application servers that might be collocated in the same racks as the Exchange servers. It enables the Exchange Server administrators to perform their job functions without needing access to the data center.

Remote Desktop for Administration limits the number of terminal sessions to two, with only one remote administration connection (RDP or Secure Sockets Layer (SSL)) per network interface. Only administrators can connect to these sessions. No additional licenses are needed to run a server in this Terminal Services mode, which enables an administrator to perform almost all server management duties remotely.

Even though Remote Desktop for Administration is installed by default, this mode does need to be enabled. Some organizations might see Remote Desktop for Administration as an unneeded security risk and choose to keep it disabled. This function can easily be disabled throughout the entire Active Directory (AD) forest by using a Group Policy setting to disable administrators from connecting through Remote Desktop for Administration.

Planning for Remote Desktop for Administration Mode

Unless Remote Desktop for Administration is viewed as a security risk, you should enable it on all internal servers to allow remote administration. For servers that are on the Internet or for demilitarized zone (DMZ) networks, Remote Desktop for Administration can be used, but access should be even more restricted. For example, consider limiting access to a predefined IP address or set of IP addresses, using firewall access control lists (ACLs) to eliminate unauthorized attempts to log on to the server. Another option is to limit connections to the server based on protocol.
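The firewall ACL approach described above, as an added example that is not part of the original text: the script disables the broad built-in "Remote Desktop" rule group on a Windows Server 2008 server and replaces it with a single inbound rule that accepts TCP 3389 only from a management subnet and a jump host. The addresses are constructed sample values, and the script is meant to be run on the server itself (from the console or from a session that originates inside the allowed set, or you will disconnect yourself).

```powershell
# Added example (not from the original text): scope the Windows Firewall so the
# RDP listener answers only known management hosts, as the planning guidance
# above recommends for DMZ or Internet-facing servers. Run on the server itself.
# Assumptions: $ManagementSubnet and $JumpHost are constructed sample addresses;
# the server uses Windows Firewall with Advanced Security (Windows Server 2008).
$ManagementSubnet = '10.10.50.0/24'   # constructed: administrator workstation subnet
$JumpHost         = '10.10.60.15'     # constructed: jump server address
$RuleName         = 'RDP admin (scoped)'

function Restrict-RdpToSources {
    param([string[]]$AllowedSources, [int]$Port = 3389)

    # netsh takes a comma-separated list for remoteip (addresses and CIDR ranges).
    $remoteIp = $AllowedSources -join ','

    # Turn off the unscoped built-in rule group so it cannot widen access again.
    & netsh advfirewall firewall set rule group="Remote Desktop" new enable=No | Out-Null

    # Replace any previous copy of our rule, then add the scoped rule.
    & netsh advfirewall firewall delete rule name="$RuleName" 2>$null | Out-Null
    & netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        protocol=TCP localport=$Port remoteip=$remoteIp profile=any | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add the scoped RDP rule" }
}

function Show-RdpRule {
    # Print the rule back so the RemoteIP scope can be verified before logging off.
    & netsh advfirewall firewall show rule name="$RuleName"
}

Restrict-RdpToSources -AllowedSources @($ManagementSubnet, $JumpHost)
Show-RdpRule
```

Keep the rule scope in step with your list of administrator hosts: a stale address in the allowed set is a silent hole, while a missing one locks you out, so verify the RemoteIP line in the output before you close the console session you used to apply it.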

Note

The level of encryption for remote sessions by default is 128-bit (bidirectional). It is also important to note that some older Terminal Services clients might not support that level of encryption. See the section “Securing Remote Desktop for Administration” for more details and how to increase the security.


Enabling Remote Desktop for Administration

Remote Desktop for Administration mode is installed on all Windows Server 2008 servers by default and needs only to be enabled. To manually enable this feature, follow these steps:

1. Launch Server Manager.

2. In the Server Summary, Computer Information section, click the Configure Remote Desktop link.

3. In the Remote Desktop section, check Allow Connections from Computers Running Any Version of Remote Desktop (Less Secure), as shown in Figure 1 (or alternatively choose Allow Connections Only from Computers Running Remote Desktop with Network Level Authentication (More Secure) if you have a more current version of the RDP client that supports Network Level Authentication).

Figure 1. Enabling users to connect to the system remotely.

4. When the pop-up announces that the Remote Desktop firewall exception will be enabled, click OK to allow the firewall exception to be made.

5. Click OK on the System Properties page to complete this process.

The connection can be tested by launching the Remote Desktop Client from Start, All Programs, Accessories and selecting the Remote Desktop Connection icon. Enter in the name of the Exchange server to connect to.

Enabling Remote Desktop for Administration After the Fact

Sometimes, an Exchange server is built and deployed, but the Remote Desktop option is not enabled. This is a problem when subsequently attempting to remotely administer the server. The Terminal Services Client will behave as if the server could not be found.

Even though Remote Desktop is not enabled, the Exchange server can still be accessed administratively. In particular, the Registry can still be modified remotely and the Remote Desktop setting can be enabled using the RegEdit tool.

To enable Remote Desktop remotely on a Windows Server 2008-based Exchange Server 2010 server, complete the following steps:

1. From a domain member computer, log on as a user with Administrator privileges on the server.

2. Launch regedit.exe.

3. Click File and then select Connect Network Registry.

4. Enter the name of the server on which you want to enable Remote Desktop, and click OK.

5. Under the Exchange server tree, go to the key HKLM\System\CurrentControlSet\Control\Terminal Services\.

6. Change the value fDenyTSConnections from 1 to 0.

7. Close regedit.exe.

8. The change takes effect immediately.

The server now accepts Terminal Services connections.
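The same after-the-fact enablement, scripted, as an added example that is not part of the original text. It performs the regedit steps above over the remote registry from a domain member, then confirms that the listener answers on TCP 3389. Assumptions: the server name is a constructed placeholder, the caller is an administrator on the target, and the Remote Registry service is running there (the script checks that first, because that is the usual reason a remote registry connection fails). On Windows Server 2008 the fDenyTSConnections value lives under the "Terminal Server" key, which is the path the script opens.

```powershell
# Added example (not from the original text): enable Remote Desktop on a server
# whose RDP listener was never turned on, by flipping fDenyTSConnections over the
# remote registry, as the regedit steps above do. Assumptions: run from a domain
# member as an administrator of the target; Remote Registry is running there;
# $ServerName is a constructed placeholder.
param([string]$ServerName = 'EX2010-MB01')

function Enable-RemoteDesktopViaRegistry {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    # OpenRemoteBaseKey fails unless the Remote Registry service is running.
    $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        throw "Remote Registry service is not running on $ComputerName; start it first."
    }

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # Writable handle to the key that holds fDenyTSConnections.
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)
        $before = $key.GetValue('fDenyTSConnections')
        Write-Host "fDenyTSConnections on $ComputerName is currently $before"
        if ($before -ne 0) {
            $key.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        $after = $key.GetValue('fDenyTSConnections')
        $key.Close()
    } finally {
        $hklm.Close()
    }
    return $after
}

function Test-RdpListener {
    param([string]$ComputerName, [int]$Port = 3389, [int]$TimeoutMs = 3000)
    # The registry change takes effect immediately; prove it by opening TCP 3389.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($ok) { $client.EndConnect($async) }
        return $ok
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$value = Enable-RemoteDesktopViaRegistry -ComputerName $ServerName
if ($value -eq 0 -and (Test-RdpListener -ComputerName $ServerName)) {
    Write-Host "$ServerName now accepts Remote Desktop connections on TCP $(3389)."
} else {
    # The registry flag does not create the firewall exception that the Server
    # Manager wizard adds in step 4; on the server, run:
    #   netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    Write-Warning "fDenyTSConnections is $value but TCP 3389 did not answer; check the Windows Firewall 'Remote Desktop' rule group on $ServerName."
}
```

The port probe matters: flipping the registry value alone is exactly the case where the Terminal Services client "behaves as if the server could not be found", so a successful write that is still unreachable usually means the firewall exception was never made.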

Remote Desktop Client Command-line Options

The Remote Desktop Connection client (mstsc.exe) can be launched from the command line for additional control.

The command line for the Remote Desktop Client is as follows:

mstsc.exe {ConnectionFile | /v:ServerName[:Port]} [/console] [/f] [/w:Width/h:Height]


A handful of switch commands for the Remote Desktop Client can be used to choose specific servers and options. The commands are as follows:

  • /v:ServerName[:Port] — Specifies the remote computer and, optionally, the port number to which you want to connect.

  • /admin — Connects to the console session of the specified Windows Server 2008 family operating system.

  • /f — Starts the Remote Desktop connection in full-screen mode.

  • /w:Width /h:Height — Specifies the dimensions of the Remote Desktop screen.

In particular, the /admin switch setting is useful. It enables the Exchange Server administrator to connect directly to the console session on the Exchange server, which is the session used when logging on at the keyboard of the Exchange server. This, in effect, enables the Exchange Server administrator to assume control of the keyboard of the Exchange server.

Remote Desktop Administration Tips and Tricks

You should consider several key points before using Remote Desktop for Administration, including, but not limited to, the following:

  • Make sure resources are available— What information technology (IT) personnel resources, if any, are available at the remote location or at the Exchange server’s location? If a problem arises with the connection to the remote Exchange server or the server itself (for example, a disconnection), contingency plans should be available to recover and continue to remotely manage the system. Generally speaking, it is a good idea to have someone in the vicinity who can assist the administrator.

  • Use care when modifying network configurations— With any remote administration tool, you are dependent upon the connectivity between the client computer and the Exchange server that is remotely managed. If network configuration settings must be modified remotely, consider having alternative methods of access. For instance, dial-up or a separate network connection might minimize downtime or other issues stemming from loss of connectivity.

  • Use disconnect and reset timeout values— Anytime a connection is accidentally broken or an administrator disconnects, the remote session is placed into a disconnected state that can later be reconnected and used to manage a server remotely. Disconnect and reset timeouts are not configured by default for Remote Desktop administration tools. These values can be used to ensure that administrators are not unintentionally locked out (for example, when there are two remote sessions that are active but in a disconnected state). Generally speaking, using a five-minute timeout value allows enough time for administrators to reconnect if they were accidentally disconnected. Moreover, it helps minimize the number of sessions that are disconnected and not used.

  • Coordinate remote administration efforts— The number of remote administration connections is limited to a precious two. Therefore, plan and coordinate efforts to reduce the number of attempts to access Exchange servers remotely. This also helps ensure that remote administration activities do not conflict with other administrators and sessions or, in the worst of cases, corrupt information or data on the server.
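An added example, not part of the original text, that applies the disconnect and idle timeouts recommended in the tips above so that orphaned sessions do not consume both Remote Desktop for Administration slots. It writes the same machine-policy registry values that the "Session Time Limits" Group Policy settings set, and it assumes it is run on the server by an administrator and that no domain GPO already governs these values (a domain GPO would overwrite them at the next refresh). The five-minute disconnected-session value is the one the text suggests; the idle value is a constructed choice.

```powershell
# Added example (not from the original text): set disconnect and idle timeouts
# for Remote Desktop sessions by writing the machine-policy values behind the
# "Session Time Limits" GPO settings. Run on the server as an administrator.
# Assumption: no domain GPO already controls these values.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdpSessionTimeouts {
    param(
        [int]$DisconnectedMinutes = 5,    # the five-minute value suggested in the text
        [int]$IdleMinutes = 30            # constructed choice for idle-but-connected sessions
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Both limits are stored in milliseconds.
    Set-ItemProperty -Path $PolicyKey -Name MaxDisconnectionTime -Type DWord `
        -Value ($DisconnectedMinutes * 60 * 1000)
    Set-ItemProperty -Path $PolicyKey -Name MaxIdleTime -Type DWord `
        -Value ($IdleMinutes * 60 * 1000)

    # 1 = end the session when a limit is reached, rather than only disconnecting
    # it, so it actually frees one of the two administration slots.
    Set-ItemProperty -Path $PolicyKey -Name fResetBroken -Type DWord -Value 1
}

function Get-RdpSessionTimeouts {
    # Read the values back in minutes so the result is easy to eyeball.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $disc = 'not set'; $idle = 'not set'
    if ($p -and $p.MaxDisconnectionTime) { $disc = $p.MaxDisconnectionTime / 60000 }
    if ($p -and $p.MaxIdleTime)          { $idle = $p.MaxIdleTime / 60000 }
    New-Object PSObject -Property @{
        DisconnectedMinutes = $disc
        IdleMinutes         = $idle
        ResetBroken         = $(if ($p) { $p.fResetBroken } else { $null })
    }
}

Set-RdpSessionTimeouts
Get-RdpSessionTimeouts | Format-List
```

To see which of the two slots are in use right now, `query session /server:<servername>` lists every session and its state (Active or Disc), which is the quickest way to tell whether a colleague's abandoned session is what is refusing your connection.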

Remote Desktop Administration Keyboard Shortcuts

The keyboard shortcuts that work on the server have equivalents when running in Terminal Services. Table 1 lists the most common ones.

Table 1. Keyboard Shortcuts in a Remote Desktop Session

| Windows Keyboard Shortcut | Terminal Services Keyboard Shortcut                  | Description                                                                           |
|---------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------|
| Alt+Tab                   | Alt+Page Up                                          | Switches between programs from left to right                                          |
| Alt+Shift+Tab             | Alt+Page Down                                        | Switches between programs from right to left                                          |
| Alt+Esc                   | Alt+Insert                                           | Cycles through the programs in the order they were started                            |
|                           | Ctrl+Esc                                             | Switches the client between a window and full screen                                  |
| Ctrl+Esc                  | Alt+Home                                             | Displays the Start menu                                                               |
|                           | Alt+Delete                                           | Displays the Windows menu                                                             |
| Prnt Scrn                 | Ctrl+Alt+Minus (–) symbol on the numeric keypad      | Places a snapshot of the active window in the Remote Desktop session on the Clipboard |
| Ctrl+Alt+Del              | Ctrl+Alt+End                                         | Displays the Task Manager or Windows Security dialog box                              |
| Alt+Prnt Scrn             | Ctrl+Alt+Plus (+) symbol on the numeric keypad       | Places a snapshot of the entire Remote Desktop session window on the Clipboard        |

These keyboard shortcuts can be handy when working within Terminal Services sessions to capture a screen for documentation, check the performance in Task Manager, or quickly switch between windows in the session.

Planning and Preparing Terminal Services for Exchange Administration

Terminal Services mode is available in all editions of Windows Server 2008 (that is, Standard, Enterprise, and Datacenter) except the Web Edition. It enables any authorized user to connect to the server and run a single application or a complete desktop session from the client workstation.

Because the applications are loaded and running on the Terminal Services server, client desktop resources are barely used; all the application processing is performed by the Terminal Services server. This enables companies to extend the life of old, less-powerful workstations by running applications only from a Terminal Services server session.

Terminal Services is generally not considered a viable technology to manage Exchange Server remotely. Although it is possible to use Terminal Services to manage Exchange Server 2010, several planning considerations must be addressed to determine whether Terminal Services is suitable in your environment.

The narrow use for Terminal Services is in the case of a centralized tool platform where multiple administrators (more than two at a time) log on and use the administration tools. Terminal Services in this case allows the organization to set up a central server or set of servers with all the tools that the administrators use. This server is sometimes referred to as a Jump Server, as administrators establish a Remote Desktop to the system, and then they jump to other servers using console administration applications.

Planning Considerations for Using Terminal Services

Terminal Services can require a lot of planning, especially when you’re considering whether to use it to manage Exchange Server remotely. Because Terminal Services is intended to make applications available to end users rather than serve as a remote management service, security, server performance, and licensing are key components to consider before using it in a production environment.

Terminal Services Security

Terminal Services servers should be secured following standard security guidelines defined in company security policies and as recommended by hardware and software vendors. Some basic security configurations include removing all unnecessary services from the Terminal Services nodes and applying security patches for known vulnerabilities on services or applications that are running on the terminal server.

Terminal Services in Windows Server 2008 supports three different security levels. The main difference is in the support for Network Level Authentication, which uses certificates to authenticate the server identity to the client. This prevents man-in-the-middle attacks. The three security levels follow:

  • RDP Security— This is the native RDP encryption and does not support Network Level Authentication.

  • SSL (TLS 1.0)— Network Level Authentication is performed to verify the identity of the server to the client. Certificates are used to secure the transmission and to perform Network Level Authentication.

  • Negotiate— The most secure level that the client supports will be used. If the client supports SSL (TLS 1.0), that will be used. If not, then RDP security will be used. This is the default setting.

In addition to the security levels, Windows Server 2008 terminal services can be run in four different encryption levels to provide the transmission protection appropriate for the organization. The four levels of encryption follow:

  • Low— Encryption is performed at the highest level supported by the client, but only on the data sent from the client to the server. Data sent from the server to the client is not encrypted. This is insecure and not recommended.

  • Client Compatible— Encryption is performed at the highest level supported by the client, but all data between the client and server is encrypted.

  • High— 128-bit encryption is performed on all data between the client and the server. If the client cannot support 128-bit encryption, the connection is refused by the server.

  • FIPS Compliant— Federal Information Processing Standard (FIPS) 140-1 validated encryption is performed on all data between the client and the server. If the clients cannot support FIPS encryption, the connection is refused by the server.

An administrator can use Group Policy to limit client functionality as needed to enhance server security, and if increased network security is a requirement, can consider requiring clients to run sessions in 128-bit high-encryption mode.
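An added example, not part of the original text, that reads the RDP-Tcp listener's security layer, Network Level Authentication requirement, and minimum encryption level through the Terminal Services WMI provider (Win32_TSGeneralSetting in root\cimv2\terminalservices on Windows Server 2008), maps the numeric codes to the level names used in the two lists above, flags the weak combinations (Low encryption, RDP Security without NLA), and then raises anything weaker than Negotiate with High (128-bit) encryption. Assumptions: the server name is a constructed placeholder, the caller is a local administrator there, and WMI over DCOM is reachable; this namespace requires packet-privacy authentication for remote calls.

```powershell
# Added example (not from the original text): audit and harden the RDP-Tcp
# listener's security layer, NLA requirement and minimum encryption level via
# the Terminal Services WMI provider. Assumptions: $ServerName is a constructed
# placeholder; caller is an administrator on it; WMI (DCOM) is reachable.
$ServerName = 'EX2010-CAS01'

# Numeric codes used by the provider, mapped to the level names in the text above.
$SecurityLayerNames = @{ 0 = 'RDP Security'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$EncryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListenerSetting {
    param([string]$ComputerName)
    # Remote access to this namespace requires PacketPrivacy authentication.
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\terminalservices' `
        -Class Win32_TSGeneralSetting -Authentication PacketPrivacy |
        Where-Object { $_.TerminalName -eq 'RDP-Tcp' }
}

function Show-RdpSecurityPosture {
    param([string]$ComputerName)
    $s = Get-RdpListenerSetting -ComputerName $ComputerName
    $findings = @()
    if ($s.MinEncryptionLevel -eq 1) {
        $findings += 'Low encryption: server-to-client data is not encrypted'
    }
    if ($s.SecurityLayer -eq 0) {
        $findings += 'RDP Security layer: no Network Level Authentication, server identity is not verified'
    }
    if ($s.UserAuthenticationRequired -ne 1) {
        $findings += 'NLA not required: clients reach the logon screen before authenticating'
    }
    New-Object PSObject -Property @{
        Server        = $ComputerName
        SecurityLayer = $SecurityLayerNames[[int]$s.SecurityLayer]
        Encryption    = $EncryptionNames[[int]$s.MinEncryptionLevel]
        NLARequired   = ($s.UserAuthenticationRequired -eq 1)
        Findings      = $findings
    }
}

function Set-RdpHardening {
    param([string]$ComputerName)
    $s = Get-RdpListenerSetting -ComputerName $ComputerName
    # The provider's Set* methods take the same numeric codes as the maps above.
    if ($s.SecurityLayer -lt 1)      { [void]$s.SetSecurityLayer(1) }       # Negotiate
    if ($s.MinEncryptionLevel -lt 3) { [void]$s.SetEncryptionLevel(3) }     # High (128-bit)
    if ($s.UserAuthenticationRequired -ne 1) { [void]$s.SetUserAuthenticationRequired(1) }
}

Show-RdpSecurityPosture -ComputerName $ServerName | Format-List
Set-RdpHardening -ComputerName $ServerName
Show-RdpSecurityPosture -ComputerName $ServerName | Format-List
```

Run the audit half across your Exchange servers first and act on the findings second: requiring NLA and High encryption refuses the older Terminal Services clients mentioned in the Note earlier, so confirm the administrators' client versions before you harden a server you can only reach over RDP.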

In addition to the more common security precautions that are recommended for Terminal Services, you must also consider how running Terminal Services on an Exchange Server 2010 server affects security. Using a server with both Terminal Services and Exchange Server 2010 roles and responsibilities can be a dangerous combination and should be considered only in the smallest of environments with very relaxed security requirements. In any circumstance, the combination is not recommended.

Combining the two services and configuring Terminal Services to remotely manage Exchange Server can result in many security-related hazards, including the following:

  • A single misconfiguration or setting can enable users to change specific Exchange Server settings or parameters.

  • Users authorized to shut down or restart the system might inadvertently do so, causing messaging downtime.

  • Application-specific security might conflict or, in some cases, unintentionally allow or restrict access to messaging components on the server.

Terminal Server Licensing

Terminal Services requires the purchase of client access licenses (CALs) for each client device or session. A Terminal Services License Server also must be available on the network to allocate and manage these CALs. When a Terminal Services server is establishing a session with a client, it checks with the Terminal Services License Server to verify whether this client has a license. A license is allocated if the client does not already have one.

Note

Using Terminal Services to connect to and remotely manage an Exchange Server 2010 server does not exempt you from needing a Terminal Services CAL. This adds to the overall cost of supporting Exchange Server 2010.


To install licenses on the Terminal Services License Server, the Terminal Services License Server must first be installed and then activated online. The Terminal Services License Server requires Internet access or dial-up modem access to activate the CALs added to the server.

When a Terminal Services server cannot locate a Terminal Services License Server on the network, it still allows unlicensed clients to connect. This can go on for 120 days without contacting a license server, and then the server stops serving Terminal Services sessions. It is imperative to get a license server installed on the network as soon as possible—before Terminal Services servers are deployed to production.

Installing Terminal Services for Remote Administration

To install Terminal Services, a network administrator can use the Server Manager as follows:

1. Launch Server Manager. Right-click on Roles and select Add Roles.

2. Click Next.

3. Select the Terminal Services role and click Next.

4. Click Next at the Introduction page.

5. Select Terminal Server for the role services and click Next.

6. Click Next.

7. Select the Authentication Method for the Terminal Server and click Next.

8. Select the Licensing Mode and click Next.

9. Select the User Groups that can connect to the Terminal Server and click Next.

10. Click Install to complete the installation of Terminal Services.

11. Click Close to finish. A reboot might be required.

Terminal Services is now accessible.
