How to Configure Windows Server 2003 Remote Desktop - Remotely

Introduction to How to Configure Remote Desktop - Remotely

One of the most annoying situations is when you know that the Windows 2003 Server is up and running, but you cannot connect because Remote Desktop has not been setup.  However, if you have the knowledge, then there is a backdoor called fDenyTSConnections which will turn the key to that backdoor.

Of all the services on Windows Server 2003 or 2008, Remote Desktop is the one service where you most need to plan ahead.  The reason I say this is not because configuring Remote Desktop is difficult, quite the reverse; no my reason is to save you frustration.

Topics for Remotely Editing, Remote Desktop

• Enabling Remote Desktop Mission
• How to find fDenyTSConnections in the Registry
• Editing the Registry setting: fDenyTSConnections
• Shutdown Command - Remote switch

Enabling Remote Desktop Mission

Our goal is to use a backdoor registry hack to enable Remote Desktop on Windows Server 2003.  Fortunately, Microsoft's Windows Server 2003 has the Terminal Services installed and built-in.  So, our mission is merely to put a tick in Remote Desktop box, which you find in the System Icon, Remote tab.

Let us pretend that you wish to add another service such as RRAS or Certificate Server to a Windows Server 2003 machine.  Inconveniently, this machine is the other side of town, or the other side of the world.  The answer is regedit and fDenyTSConnections.

How to find fDenyTSConnections in the Registry

The technique of how I found the 'fDenyTSConnections' setting is instructive in its own right.

1. Launch Regedit.
2. Export the registry on the test machine.
3. Next manually place the tick in the box
4. Export the registry again.
5. Run WinDiff to find the single change in the registry.
6. What I found was that fDenyTSConnections had changed from 1, meaning deny Remote Desktop, to 0 meaning enable, permit that remote desktop connection.
7. To be quite certain of the double negative logic, find fDenyTSConnections and experiment with adding and removing the tick in the Remote Desktop box.

Note: For more instructions on using Windiff see here

Learn more about Terminal Services and VPN. As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands on training.  In particular, I like the way TrainSignal cover all learning methods, instructor lead, video and of course text material.  With TrainSignal you can either take one module, for example Terminal Services and VPN or go for a combination of modules.  See more about Terminal Services and VPN here

Registry Setting fDenyTSConnections

Now our mission is clear, on the Terminal Services machine, change fDenyTSConnections from =1 to =0.  In order to achieve our mission we need to connect to the registry of the target machine.  My first choice would be Remote Registry.  Open regedit, File Menu, Connect Network Registry.  Naturally, you have to connect to the correct registry hive,
HKLM\System\CurrentControlSet\Control\Terminal Server, now find the Reg_DWord called fDenyTSConnections and set the value = 0 (zero)

Note: You may have to Start the Remote Registry Service on the target machine.  See here for a WMI Script to start services.

Unfortunately, you have to restart the Windows Server 2003 before the fDenyTSConnections setting takes effect.  There must be service that you could start and stop but I have not found which one that is.  Instead I use the shutdown command with the restart switch.

Monitor Your Network with the Real-time Traffic Analyzer

The main reason to monitor your network is to check at a glance which of your servers are available.  If there is a network problem you want an interface to show the scope of the problem immediately.

Even when all servers and routers are available, sooner or later you will be curious to know who, or what, is hogging the precious network's bandwidth.  A GUI showing the top 10 users makes interesting reading.

Another reason to monitor network traffic is to learn more about your server's response times and the consumption of resources.  To take the pain out of capturing frames and analysing the raw data, Guy recommends that you download a copy of the SolarWinds free Real-time NetFlow Analyzer.

Shutdown Command - Remote switch

Shutdown /m \\targetserver /r

The /r means restart.  Mr Angry wrote in saying it should not be /m and /r but -m and -r.  Personally, I find that either a minus or slash works equally well.  With shutdown, beware shooting yourself in the foot and shutting down your own machine instead of the target Windows Server 2003, it sounds hilarious, but actually it's embarrassing.  Again knowledge is power there is a switch to abort a shutdown. See more about Shutdown here.

Another clever idea I have is using a .reg file.  One reason for adding fDenyTSConnections to the registry from a file is that the remote registry service is disabled on the target machine.  So you have a choice of strategies, start the Remote Registry service remotely with a script see here, or remotely execute a .reg file with a shell program.

Summary of Terminal Services and fDenyTSConnections

Here we have a precise, but tricky task.  We want to enable Remote Desktop on a distant Terminal Server even though Remote Desktop is specifically denied on that distant server.  Even if you have no need to configure fDenyTSConnections yet, you may like the challenge of testing the technique.  You never know that you may need the combination of Windiff and remote registry editing to solve a similar Microsoft problem.

 Related topics

• Terminal Services Home 
• Terminal Services Concepts 
• Terminal Services Configuration 
• Terminal Services Clients
• Group Policies for Terminal Services
• Audit with ObserveIT
• LANsurveyor - Create Network Maps
• Network Performance Monitor Tool
• Free Syslog Analyzer
• Free CatTools Device Backup Utility

 *