Installation Terminal servers
*Disclaimer for legalese stuff
This document is provided "as is", no rights blah blah etcetera...
Copyright me and if you claim it as your own I will place a curse on
all your servers, data and backup and may you end up working at the
helpdesk of AOL or Dell. (just kidding, any helpdesk will do)
This document describes the way I've been installing Microsoft Windows 2000 and 2003 terminal servers at work.
Inspired by the way the FreeBSD system is set up and by all the warnings and tips to keep a terminal server running smoothly on thethin.net (now msterminalservices.org), I have experimented with pulling the standard Windows setup apart and separating the main parts: the system, program files, and profiles directories. This has given me a way to keep the system partition purely for system files, and it prevents massive fragmentation or the partition filling up with user data.
*This may also not be up to date with the latest Windows versions; I'll update it when I have the time.
Software requirements:
Windows 2000/2003 (preferably with the latest integrated service pack)
Junction (download at Sysinternals) <- This is linked to Microsoft nowadays; I recommend getting a point release before the version on the Microsoft site, as that one is twice as large only to have a EULA added to the file.
A registry tool which can replace keys and values (for instance the registry toolkit from Funduc)
Start the server with the latest system configuration CD belonging to the brand of the server. If necessary, erase the previously installed configuration, then create a mirror RAID (or, in case of more than 2 disks, a RAID 5 array) with the following partitions (modify sizes as needed);
4 GiB (system partition)
4 GiB (swap partition)
4 GiB (profile partition)
4 GiB (application partition, optional)
* GiB (extra data partition if needed)
note: With Windows 2003 SP2 a drive letter needs to be defined when formatting a partition, otherwise it'll give an error stating that the format did not complete.
Save the configuration, then restart the server with a Windows 2000/2003 server CD with the latest integrated service pack.
note: In the case of Windows 2003 replace c:\winnt with c:\windows.
Install Windows with a minimum configuration as a member server of the domain. After installation format the second partition and create a temporary administrator account (tmpadmin).
Create the following directories;
c:\temp
c:\winnt\batch
c:\winnt\command
c:\winnt\log
d:\spool
d:\temp
Copy a registry tool, in this case regtkt.exe, to c:\winnt\command and restart the server in safe mode with command prompt.
Log in as tmpadmin and run the following commands;
xcopy "c:\documents and settings\*.*" "d:\documents and settings" /e /c /h /i /o
If Program Files won't be linked to a separate partition, skip all the steps involving Program Files.
xcopy "c:\program files\*.*" "d:\program files" /e /c /h /i /o
For Windows 2003 also remove the NetworkService user directory; Windows will recreate it at boot;
attrib -r -s -h "d:\documents and settings\networkservice"
rd /s /q "d:\documents and settings\networkservice"
Start regedt32, and load under HKEY_USERS the ntuser.dat hive from the default user in d:\documents and settings.
Start the registry tool, and replace the following;
C:\Docu with D:\Docu
%systemdrive%\Docu with D:\Docu
C:\Prog with D:\Prog
%systemdrive%\Prog with D:\Prog
Remove "^SetupICWDesktop : REG_SZ : C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop" in HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Runonce to disable the Internet connection wizard showing up after starting Internet Explorer for the first time.
Remove the "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Stubpath" value to disable the creation of an Outlook Express shortcut in the user's Start menu when logging in for the first time.
Do the same for {6BF52A52-349A-11D3-B153-00C04F79FAA6} and {7790769C-0471-11D2-AF11-00C04FA35D02} to prevent the shortcuts of Media Player and Windows Address Book.
Unload the default user hive and restart the server again in safe mode with command prompt. Log in as tmpadmin again.
Run the following commands;
rd /s /q "c:\documents and settings"
rd /s /q "c:\program files"
md "c:\Documents and Settings"
md "c:\Program Files"
diskmgmt.msc
In the disk management console format the profile partition and mount it in c:\documents and settings, and the application partition in c:\program files.
Next, run;
xcopy "d:\documents and settings\*.*" "c:\documents and settings" /e /c /h /i /o
xcopy "d:\program files\*.*" "c:\program files" /e /c /h /i /o
note: use the *.* as copying the directory itself will overwrite the junction point and you end up with a regular directory.
Again, remove the NetworkService directory;
attrib -r -s -h "c:\documents and settings\networkservice"
rd /s /q "c:\documents and settings\networkservice"
Start regedt32, and load under HKEY_USERS the ntuser.dat hive from the default user in c:\documents and settings (you'll have to type it specifically as the directory and file will be hidden).
Start the registry tool, and replace the following;
D:\Docu with C:\Docu
D:\Prog with C:\Prog
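A check for the replace step above, as an added example that is not part of the original procedure: a plain text search of an exported hive misses REG_EXPAND_SZ values, because regedit writes them as hex(2) byte lists, so this Python script decodes those too and lists every value still pointing at D:\Docu or D:\Prog. The hive mount name HKEY_USERS\tmp, the key and value names, and the sample export are constructed for illustration.

```python
import re

# Prefixes the second replace pass should have eliminated (from the list above).
STALE = ("d:\\docu", "d:\\prog")

def decode_value(raw, utf16):
    """Decode one .reg value to text; None for non-string data (dword, binary)."""
    if raw.startswith('"'):                      # REG_SZ, with \\ and \" escapes
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    m = re.match(r'hex\((?:2|7)\):(.*)', raw)    # REG_EXPAND_SZ / REG_MULTI_SZ
    if not m:
        return None
    data = bytes(int(b, 16) for b in re.findall(r'[0-9a-fA-F]{2}', m.group(1)))
    text = data.decode('utf-16-le' if utf16 else 'cp1252', errors='replace')
    return text.replace('\x00', ' ').strip()

def find_stale_paths(reg_text):
    """Return (key, value name, data) for values still under D:\\Docu or D:\\Prog."""
    reg_text = reg_text.lstrip('\ufeff')
    utf16 = reg_text.startswith('Windows Registry Editor Version 5')  # else REGEDIT4
    joined = re.sub(r'\\\r?\n[ \t]*', '', reg_text)   # join hex continuation lines
    key, hits = None, []
    for line in map(str.strip, joined.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m and key:
            value = decode_value(m.group(2), utf16)
            if value and any(p in value.lower() for p in STALE):
                hits.append((key, m.group(1).strip('"'), value))
    return hits

# Constructed sample export; key and value names are illustrative only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\tmp\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="C:\\Documents and Settings\\Default User\\Desktop"
"Programs"="D:\\Documents and Settings\\Default User\\Start Menu\\Programs"

[HKEY_USERS\tmp\Software\ExampleApp]
"Flags"=dword:00000001
"ToolDir"=hex(2):44,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,\
  00,46,00,69,00,6c,00,65,00,73,00,00,00
'''
if __name__ == "__main__":
    for key, name, data in find_stale_paths(SAMPLE):
        print(f"{key}\\{name} -> {data}")
```

For a real run, export the loaded hive with regedit /e and read a Version 5.00 file with open(path, encoding="utf-16") before passing its text to find_stale_paths.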
Change the registry setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\Print\Printers\DefaultSpoolDirectory to d:\spool (or change it under the server properties in the printers window).
Unload the default user hive, restart the server in normal mode and log
in as the local administrator.
Install terminal services (administrative mode) and only the useful utilities from Windows, move the pagefile to d: and set minimum and maximum size to 512 GiB, and change the machine tmp and temp variables to d:\temp. Set the Write Debugging Information option to (none).
Registry
Change HKEY_USERS\.DEFAULT\Control Panel\Desktop\AutoEndTasks from 0 to 1; this will prevent hanging processes from blocking the shutdown of Windows.
Services
Disable the following services;
Automatic Updates
Background Intelligent Transfer Service
Clipbook
Computer Browser
DHCP Client
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Tracking Coordinator
Fax Service
File Replication
Indexing Service
Internet Connection Sharing
IPSEC Policy Agent
Netmeeting Remote Desktop Sharing
QoS RSVP
Smart Card
Smart Card Helper
Telnet
Uninterruptible Power Supply
Wireless configuration
Start gpedit.msc and turn on the logoff option, remove the shutdown command in the start menu, and set loopback processing to replace.
Create the system variable tsprofilepath and set it to the network share that holds the terminal server profiles for the users. Change the terminal profile path for the users to %tsprofilepath%\%username%.
Install any necessary security fixes and restart the server.
In the disk management console, set the permissions for the profiles and the application partition to:
Local administrators: full
Local power users: change
system: full
Local users: read & execute
Change the permissions on c:\documents and settings\all users\start menu to full control for the local administrator and system, all others read only.
Set the permissions on C:\Program Files (if not set up as a linked partition) and the Windows directory to full control for administrators and system, and read & execute for the local users group.
Link C:\WINDOWS\temp to D:\Temp with Junction
Change RDP connection settings in the Terminal Services Configuration.
Automatic reboot
Let the terminal server reboot daily or weekly to give it a fresh start and keep up the performance.
A good way is to use a batch to clean up directories and give the shutdown command, and schedule it with the at command.
One in use by terminal servers at work;
rem log the date and time of this reboot
date /t > %systemroot%\log\reboot.log
time /t >> %systemroot%\log\reboot.log
rem stop the spooler so the spool files are no longer in use
net stop spooler /y
rem sleep.exe is not built in, it comes with the Windows Resource Kit
sleep 10
rem spoolfiles
del /q /f d:\spool\*.*
rem miscellaneous cache files
del /q /f /s "c:\documents and settings\*.asd"
del /q /f /s "c:\documents and settings\*.bmc"
rem ct directory (company software)
for /d %%a in ("c:\documents and settings\*") do rd /s /q "%%a\local settings\temp\ct"
rem internet explorer cache
for /d %%a in ("c:\documents and settings\*") do rd /s /q "%%a\local settings\temporary internet files"
rem axapta cache files
del /q /f /s "c:\documents and settings\*.aoc"
rem reboot the terminal server
%systemroot%\system32\tsshutdn /reboot
(20071106)