Setting Up Terminal Services

The tasks required to set up Terminal Services in single-server and multi-server environments are discussed in the sections that follow. As you read these sections, remember that if you want to use a multi-server environment with Session Directory service, all the servers involved must be running Windows Server 2003 Enterprise Edition or later.

Installing Terminal Services

Two components are required for Terminal Services to work:

  • Terminal Services service, which is installed by default and configured to run automatically on Windows Server 2003

  • Terminal Server service, which is installed using Add Or Remove Programs

To install Terminal Server service, open the Control Panel and double-click Add Or Remove Programs. In the Add Or Remove Programs dialog box, click Add/Remove Windows Components to start the Windows Components Wizard. On the Windows Components page, select Terminal Server. If Internet Explorer Enhanced Security is configured (which is the default on servers), you see the prompt shown in Figure 31-5.

Figure 31-5. Consider whether to continue with Internet Explorer Enhanced Security.

Note

By default, Internet Explorer Enhanced Security disables support for ActiveX controls and scripting. A user who visits a site that has these features is prompted to add the site to the Trusted sites security zone so that the content on the World Wide Web can run. For local intranet servers, servers must be added to the Local Intranet security zone so that users can run Web-based applications.

If you are prompted, you have two options:

  • If you want to continue and use Internet Explorer Enhanced Security, click Yes. Then click Next to begin the installation, and then click Finish.

  • If you want to stop using Internet Explorer Enhanced Security, click No, clear the Internet Explorer Enhanced Security option on the Windows Components page, and then select Terminal Server. Then click Next to begin the installation, and then click Finish.

Otherwise, click Next to display the Terminal Server Setup page. This page tells you the basic rules for using Terminal Services. After you read the information, click Next again.

On the next page of the wizard, as shown in Figure 31-6, you can select the default permissions for application compatibility as follows:

  • Full Security: Full Security restricts user access to certain areas of the Registry and to system files. This safeguards the terminal server so that remote users running a virtual session cannot modify system files or the Registry arbitrarily. Most applications designed for Windows XP can run under full security; most programs designed for earlier versions of Windows cannot.

  • Relaxed Security: Relaxed Security is the standard configuration for Windows 2000 Terminal Services. This mode doesn't restrict user access to the Registry or to system files. It is designed for maximum compatibility with applications, particularly those designed for Windows 2000 or earlier versions of Windows.

Figure 31-6. Review the details for using Terminal Services.

Note

If you are not sure which setting to use, you might try using Full Security, and then perform pre-deployment testing after configuring applications. Don't worry; the security mode can be changed using the Terminal Services Configuration tool. See the section entitled "Configuring Server Settings" later in this chapter.

After you make a selection, click Next to begin the installation. When the installation is complete, click Finish to exit the Windows Components Wizard. If you are prompted to restart the computer, click Yes to restart the computer so that the installation can take effect or click No to restart the computer later.

Installing Applications for Clients to Use

Once you install Terminal Services, there are decisions to make about the applications that you want to make available to users. Not all applications work well in multi-user environments. Some applications simply shouldn't be used; others can be used with some modifications or using a compatibility script. Regardless, all applications must be installed so that they are made available to users correctly.

Choosing Applications for Terminal Services Users

The best applications to run on a terminal server are those that can run multiple instances and perform well in a multi-user environment. The characteristics of applications that perform well in a multi-user environment include the following:

  • Storing global data separately from local data

  • Storing user data by user rather than by machine

  • Identifying users by user name rather than by computer name

Although Terminal Services can be used to run Win16, MS-DOS, and Win32 applications, Terminal Services works best with Win32 applications. With Win16 and MS-DOS applications, Windows Server 2003 creates a virtual MS-DOS machine and runs the 16-bit or MS-DOS application within that context. Because 16-bit and MS-DOS applications are run in a different context, there is additional overhead and the applications won't perform as well as Win32 applications.

If possible, you should limit the use of MS-DOS applications altogether as they are designed for single-user and non-multi-tasking environments and can cause serious performance problems. In addition, you should avoid using applications with known memory bugs or leaks; running multiple instances of such programs only multiplies the problem.

Application Licensing for Terminal Services Users

Unlike client access licensing, application licensing for Terminal Services users is pretty straightforward. Essentially, the licensing that is set for the product in a single-user environment is used in the Terminal Services environment. With Office, for example, licensing is per seat, so every computer that runs Office needs a license whether one user or several use the computer. Thus, a client computer connecting to a terminal server and using Office needs a license per seat. If the client computer already has a license for Office, another license is not needed.

Installing Applications for Terminal Services Users

Terminal Server has two operating modes:

  • Execute mode: Execute mode is used for working with clients. When a client connects to a terminal server, the client and server use Execute mode.

  • Install mode: Install mode is used to install applications on a terminal server. When you install an application, you use this mode to ensure that the application is configured for use with multiple users.

You really don't have to do anything complicated to ensure that you install applications in Install mode: Merely install the application through Add Or Remove Programs rather than using the application's normal setup program, as follows:

  1. In Control Panel, select or double-click Add Or Remove Programs.

  2. In Add Or Remove Programs, click Add New Programs, and then click CD or Floppy.

  3. Click Next. Add Or Remove Programs will then look for a Setup.exe program on the floppy disk first, and then on CD-ROM.

  4. If Add Or Remove Programs finds the appropriate Setup.exe program, click Next to begin installation. Otherwise, click Browse to find the appropriate Setup.exe program, and then click Next to begin the installation.

When you install an application on a terminal server using Add Or Remove Programs, Add Or Remove Programs uses a compatible configuration. Any configuration information that an application writes under HKCU or HKLM is written to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install as well. Any later changes to an application's configuration that affect HKCU or HKLM are also written to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install.

Any time a client using Terminal Services runs an application and that application attempts to read HKCU or HKLM, Terminal Services uses HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install instead and copies the necessary information to the appropriate location under HKCU. User-specific .ini files or DLLs are copied to the user's home directory. If a user doesn't have a designated home directory, the .ini files or DLLs are copied to the user's profile. All this works to ensure that the core settings for an application are machine specific and that users can customize applications to meet their needs.

Note

Some applications come with multi-user installation packages. An example is Office. If you try to install one of these programs on a terminal server, you will see a prompt telling you how to install the application in a multi-user environment. Typically, this involves copying over an initialization or transform file before using Add Or Remove Programs to install the application.

In addition to using Add Or Remove Programs to install applications in Install mode, you can explicitly put a session in Install mode using the CHANGE USER command. CHANGE USER accepts three parameters:

  • /QUERY Displays the current mode as either "Application EXECUTE mode is enabled" or "Application INSTALL mode is enabled"

  • /EXECUTE Changes Terminal Services to Execute mode

  • /INSTALL Changes Terminal Services to Install mode

If you want to install an application using its setup program, you can do this by typing change user /install at the command prompt and then running the setup program. Any changes you make to the application in Install mode will apply to all users who use the application for the first time.

When you use CHANGE USER, you may also want to use CHANGE LOGON. The CHANGE LOGON command is used to enable or disable user logon to the terminal server. It can also be used to query the logon state. CHANGE LOGON accepts three parameters:

  • /QUERY Displays the current logon status as either "Session logins are currently ENABLED" or "Session logins are currently DISABLED"

  • /ENABLE Enables user logon

  • /DISABLE Disables user logon
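
The two commands combine naturally into a maintenance wrapper for installing with an application's own setup program. The following batch script is an added example, not part of the original chapter; the script name and the setup path passed to it are hypothetical, and the mode checks rely on the /QUERY output strings quoted above.

```batch
@echo off
rem tsinstall.cmd (hypothetical name): run a setup program in Install mode
rem with new logons blocked, then always return the server to normal.
rem Usage: tsinstall.cmd "D:\Setup.exe"   (the path is a placeholder)
setlocal
set "SETUP=%~1"
set "RC=1"

if not defined SETUP goto usage
if not exist "%SETUP%" goto usage

rem /DISABLE blocks new client sessions only. Existing sessions and the
rem console are unaffected, so run this from the console or keep your
rem session connected until logons are enabled again.
change logon /disable
change logon /query | find /i "DISABLED" >nul
if errorlevel 1 (
    echo Logons are still enabled; not starting the installation.
    goto done
)

change user /install
change user /query | find /i "INSTALL mode is enabled" >nul
if errorlevel 1 (
    echo Session is not in Install mode; not starting the installation.
    goto restore
)

rem Many setup programs hand off to a child process and exit early, so
rem wait for the operator as well as for the process itself.
start "" /wait "%SETUP%"
set "RC=%ERRORLEVEL%"
echo Setup exited with code %RC%.
echo Press any key once the installer has completely finished.
pause >nul

:restore
rem Leave Install mode first so later registry writes in this session are
rem no longer captured, then let users back in.
change user /execute
change logon /enable
change user /query
change logon /query
goto done

:usage
echo Usage: %~nx0 "path\to\setup.exe"
set "RC=2"

:done
endlocal & exit /b %RC%
```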

Tip

A related but less frequently used command is CHANGE PORT. This command is used to map COM ports for MS-DOS compatibility. Type change port /? to learn more about this command.

After you install an application, you will probably need to optimize its configuration for a multi-user environment. Two techniques can be used: application compatibility scripts, discussed in the following section, "Using Application Compatibility Scripts," and hand-tuning, discussed in the section of this chapter entitled "Modifying Applications After Installation."

Using Application Compatibility Scripts

Some applications need a compatibility script to work properly in a multi-user environment. For these applications, you can develop an application compatibility script or use the techniques discussed in the section of this chapter entitled "Modifying Applications After Installation." Three application compatibility scripts are provided with Windows Server 2003:

  • Eudora4.cmd For Eudora 4

  • Msvs6.cmd For Microsoft Visual Studio 6

  • Outlk98.cmd For Outlook 98

These scripts are located in the %SystemRoot%\Application Compatibility Scripts\Install folder. After you install an application with an application compatibility script, you run the application compatibility script from the Install folder. For example, to run MSVS6, you would change the directory to the %SystemRoot%\Application Compatibility Scripts\Install folder, and then type msvs6 at the command prompt.

The application compatibility scripts customize the application's setup so that it works with Terminal Services. This involves setting up the command environment, making changes to the Registry, and configuring file and folder paths for multi-user use. The scripts are written as batch programs and can be edited if you do not want to accept the default values.

Modifying Applications After Installation

After installation, you'll often need to manipulate an application to get it to work well in a multi-user environment. Here are some techniques you can use:

  • Configure application settings in Install mode: You should make changes to application settings in Install mode. This ensures that the configuration settings are available to all users.

  • Set user file paths to drive letters: Many applications have settings for file paths that need to be set on a per-user basis. In this case, you can enter a drive letter, and then map the drive letter to a network share as appropriate for each user. For example, you could set the file path to X: and map X: to the user's home directory. Every user has a separate Terminal Services profile, which you can use for mapping home folders.

  • Configure Registry settings under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications: Only a limited set of application settings can be changed through the Registry. If you need to tune an application's Registry settings, you must do this in Install mode and make changes only to keys and values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications. This means you would type change user /install and then start the Registry Editor.

Some applications don't work well in multi-user environments. If an application performs poorly or hogs system resources, you may need to fine-tune its configuration in the Registry. Each application configured on a terminal server should have a separate subkey under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications. The name of the application subkey is the same as the name of the application's executable without the .exe extension.

Table 31-1 shows the values you can use under an application's subkey to modify the behavior of the application. All these values must be set as the REG_DWORD type. Create or edit the values as discussed in Chapter 14. Any changes you make are applied the next time the application is started.

Table 31-1. Performance-Tuning Registry Values for 16-Bit and 32-Bit Windows Applications

| Value Entry | Description | Default Value |
| --- | --- | --- |
| FirstCountMsgQPeeks-SleepBadApp | Sets the number of times the application must query the message queue before Terminal Services decides that it is a bad application. The lower this value, the more often the application will be deemed to be bad and the more quickly the application will be suspended so that it uses less CPU time. | 0xF (15 decimal) |
| MsgQBadAppSleep-TimeInMillisec | Sets the number of milliseconds the application is suspended when Terminal Services has decided that it is a bad application. The higher this value is set, the longer the application will be suspended. If this value is zero, polling detection is disabled. | 0 |
| NthCountMsgQPeeks-SleepBadApp | Sets the number of times the application must query the message queue before it is suspended again. The lower this value, the more often the application will be deemed to be bad and the more quickly the application will be suspended so that it uses less CPU time. | 0x5 (5 decimal) |
| Flags | Describes the type of Windows application. Valid values are: 0x4 for Win16 applications; 0x8 for Win32 applications; 0xC for either Win16 or Win32 applications | 0x8 (Win32 only) |

Note

The hyphens inserted in the names in the Value Entry column are not part of the actual name.
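
The same values can be written from the command prompt with reg.exe instead of the Registry Editor. The following batch script is an added example, not part of the original chapter; the script name and the program name passed to it are hypothetical, and the 1-millisecond sleep time is a constructed starting value rather than a recommendation from the text.

```batch
@echo off
rem tscompat.cmd (hypothetical name): set the Table 31-1 values for one program.
rem Usage: tscompat.cmd legacyapp.exe   (the program name is a placeholder)
setlocal
rem The subkey is the executable name without .exe; %~n1 strips the extension.
set "APP=%~n1"
if not defined APP (
    echo Usage: %~nx0 program.exe
    exit /b 2
)
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\%APP%"
set "RC=1"

rem Keep a copy of any existing settings so the change can be rolled back.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 reg export "%KEY%" "%TEMP%\%APP%-tscompat-%RANDOM%.reg"

rem The chapter requires these edits to be made in Install mode.
change user /install
change user /query | find /i "INSTALL mode is enabled" >nul
if errorlevel 1 (
    echo Session is not in Install mode; no changes made.
    goto restore
)

rem Flags: 0x8 = Win32 application, 0x4 = Win16, 0xC = either.
reg add "%KEY%" /v Flags /t REG_DWORD /d 0x8 /f || goto restore

rem Peek counts are left at the table defaults: 0xF first, 0x5 thereafter.
reg add "%KEY%" /v FirstCountMsgQPeeksSleepBadApp /t REG_DWORD /d 0xF /f || goto restore
reg add "%KEY%" /v NthCountMsgQPeeksSleepBadApp /t REG_DWORD /d 0x5 /f || goto restore

rem The default of 0 disables polling detection. 1 ms is a constructed
rem starting value; raise it only after measuring the application.
reg add "%KEY%" /v MsgQBadAppSleepTimeInMillisec /t REG_DWORD /d 1 /f || goto restore

set "RC=0"
rem Show the resulting values. They apply the next time the program starts.
reg query "%KEY%"

:restore
change user /execute
endlocal & exit /b %RC%
```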

Enabling and Joining the Session Directory Service

When you are using a load-balanced terminal server farm, you need to configure a Session Directory server and configure Terminal Services to join the Session Directory. As discussed previously, the Session Directory server can be a member of the load-balanced farm or it can be a separate server. If you use a separate Session Directory server, it probably doesn't need to be a high-end server. The session management workload on the Session Directory server typically is very light, but depends on the number of clients connecting to Terminal Services. Regardless of configuration, the Session Directory server and all terminal servers in the load-balanced farm must be running Windows Server 2003 Enterprise Edition or later.

To set up the Session Directory server, you need to enable the Terminal Services Session Directory service for automatic startup, and then start the service. This service is installed automatically but disabled on all Windows Server 2003 systems. Next, you need to tell the Session Directory server about the computers that can connect to the service. The Terminal Services Session Directory service will not accept any connections from servers that it doesn't know are authorized. To tell the service which servers are authorized, add the computer account for each server in the load-balanced farm to a local computer group called Session Directory Computers. This group is created automatically when you configure the Terminal Services Session Directory service.

To complete the process, you need to configure each server in the farm so that it knows the cluster name, cluster IP address, and Session Directory server IP address. These settings enable Terminal Services to use load balancing and the Session Directory server. To make these changes, you use the Terminal Services Configuration tool.

Enable and Start the Terminal Services Session Directory Service

Follow these steps to enable and start the Terminal Services Session Directory service:

  1. Start Computer Management by clicking Start, Programs or All Programs, Administrative Tools, Computer Management. To work with a remote system, right-click the Computer Management entry in the left pane and select Connect To Another Computer on the shortcut menu. This displays the Connect To Another Computer dialog box. Type the domain name or IP address of the system whose drives you want to manage, and then click OK.

  2. In Computer Management, expand Services And Applications, and then select Services. In the right pane, double-click Terminal Services Session Directory. This displays a Properties dialog box.

  3. In the General tab, select Automatic as the Startup Type as shown in Figure 31-7, and then click OK. In Computer Management, right-click the Terminal Services Session Directory service entry and select Start.

    Figure 31-7. Configure the Terminal Services Session Directory service startup.

Authorize Terminal Servers to Use the Terminal Services Session Directory Service

When the Terminal Services Session Directory service is started, the service looks for a computer group named Session Directory Computers. If this group doesn't exist, the service creates it. You need to add the computer account for each server in the load-balanced farm to the Session Directory Computers group.

In an Active Directory domain, you add the computer account for each server by following these steps:

  1. Start Active Directory Users And Computers by clicking Start, Programs or All Programs, Administrative Tools, Active Directory Users And Computers.

  2. In Active Directory Users And Computers, expand the OU you created for Terminal Servers or the Users folder, and then double-click the Session Directory Computers group.

  3. In the Session Directory Computers Properties dialog box, select the Members tab, and then click Add. This displays the Select Users, Contacts, Computers, Or Groups dialog box.

  4. Click Object Types to display the Object Types dialog box as shown in Figure 31-8. In the Object Types dialog box, select Computers, and then click OK.

    Figure 31-8. Add Computers as a permitted object type.

  5. In the Select Users, Contacts, Computers, Or Groups dialog box, you can now type and validate the names of computer accounts, as shown in Figure 31-9. Type a computer account name, and then click Check Names. If multiple matches are found, select the name or names you want to use, and then click OK. If no matches are found, either you've entered an incorrect name part or you're working with an incorrect location. Modify the name and try again or click Locations to select a new location. To add additional computer accounts, type a semicolon (;), and then repeat this process.

    Figure 31-9. Select the computer accounts that should be members of the group.

  6. When you click OK, the computer accounts are added to the list in the Session Directory Computers Properties dialog box. Click OK again to close the Properties dialog box.

In a workgroup, you add the computer account for each server by following these steps:

  1. Start Computer Management by clicking Start, Programs or All Programs, Administrative Tools, Computer Management. To work with a remote system, right-click the Computer Management entry in the left pane, and then select Connect To Another Computer on the shortcut menu. This displays the Connect To Another Computer dialog box. Type the domain name or IP address of the system whose drives you want to manage, and then click OK.

  2. In Computer Management, expand Services And Applications, and then select Services. In the right pane, double-click Terminal Services Session Directory. This displays a properties dialog box.

  3. Click Add, and then use the Select Users dialog box to add each of the computer accounts in turn.

  4. Click OK when you are finished.
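
The service and group steps above can also be carried out from the command prompt on the Session Directory server. The following batch script is an added example, not part of the original chapter; it assumes the service's short name is Tssdis and that Session Directory Computers is a local group on this server, and the domain and server names passed to it are hypothetical.

```batch
@echo off
rem sdsetup.cmd (hypothetical name): enable the Session Directory service
rem and authorize the farm's terminal servers to use it.
rem Usage: sdsetup.cmd CONTOSO TS01 TS02   (domain and servers are placeholders)
setlocal
set "GROUP=Session Directory Computers"
set "DOMAIN=%~1"
if not defined DOMAIN goto usage
if "%~2"=="" goto usage
shift

rem The service is installed but disabled by default.
sc config Tssdis start= auto
if errorlevel 1 (
    echo Could not change the startup type of Tssdis.
    exit /b 1
)

rem net start reports an error if the service is already running, so the
rem state is checked with sc query instead of the exit code.
net start Tssdis >nul 2>&1
sc query Tssdis | find "RUNNING" >nul
if errorlevel 1 (
    echo Terminal Services Session Directory is not running.
    exit /b 1
)

rem The service creates the group when it starts; stop if it is missing.
net localgroup "%GROUP%" >nul 2>&1
if errorlevel 1 (
    echo Group "%GROUP%" was not found on this server.
    exit /b 1
)

:next
if "%~1"=="" goto report
rem Computer accounts are named with a trailing $.
net localgroup "%GROUP%" "%DOMAIN%\%~1$" /add >nul 2>&1
if errorlevel 1 (
    echo Not added, already a member or unknown account: %DOMAIN%\%~1$
) else (
    echo Authorized: %DOMAIN%\%~1$
)
shift
goto next

:report
rem Review the list: the service accepts connections from every member,
rem so it should contain only the farm's terminal servers.
net localgroup "%GROUP%"
exit /b 0

:usage
echo Usage: %~nx0 DOMAIN SERVER1 [SERVER2 ...]
exit /b 2
```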

Configure Each Server to Join the Session Directory

Now that you've set up the Session Directory server and authorized servers to use it, you need to tell the terminal servers in the farm about the load-balancing and session directory configuration. You do this using the Terminal Services Configuration tool to set the Join Session Directory properties. These properties tell clients about the cluster name and the Session Directory server.

On each server in the load-balanced farm, complete these steps:

  1. Start the Terminal Services Configuration tool by clicking Start, Programs or All Programs, Administrative Tools, Terminal Services Configuration, or by typing tscc.msc at the command prompt.

  2. In the Terminal Services Configuration tool, select Server Settings in the left pane, and then, in the details pane, right-click Session Directory and select Properties.

  3. In the Properties dialog box, select Join Session Directory.

  4. In the Cluster Name field, type the fully qualified domain name of the cluster. With Microsoft Network Load Balancing, this is the Full Internet Name of the cluster as set in the section entitled "Creating a New Network Load Balancing Cluster".

  5. In the Session Directory Server Name field, type the name or IP address of the Session Directory server.

  6. Click OK.

Note

Some third-party load-balancing solutions act as routers as well as load balancers. For these devices, you must clear the IP Address Redirection check box to allow the load balancer to use router token redirection. If you clear this check box, you will need to set the Network Adapter And IP Address Session Directory … field to the IP address to which client computers should connect.

Setting Up a Terminal Services License Server

Licensing is required to use Terminal Services, which means you must do the following:

  1. Install a Terminal Services license server.

  2. Activate the license server.

  3. Configure licenses for use.

Considerations for Installing a Terminal Services License Server

A Terminal Services license server is a server running the Terminal Server Licensing service. While you can use any server in the organization, the license server should be well connected in the domain. The Terminal Services license server will need network access to the organization's terminal servers and to the Internet for the following reasons:

  • The internal network connection is required to issue and validate client licenses.

  • The connection to the Internet is needed to connect to the Microsoft Clearinghouse server for activation of the license server and any licenses you've purchased.

Note

The connection to the Microsoft Clearinghouse uses HTTP ports 80 and 443 for the connection. If you've set up a proxy or Network Address Translation (NAT) server and enabled Web browsing in the organization, the license server shouldn't have a problem connecting to the Internet over these ports. If, however, you do not allow Web browsing or you restrict Web browsing, you will need to activate the license server and its licenses over the telephone.

You can configure the Terminal Services license server for enterprise-wide use or for use in a specific domain or workgroup.

  • If you choose enterprise-wide use, you only need one license server regardless of how many single-server or multi-server Terminal Services environments you've implemented in the organization.

  • If you choose domain or workgroup use, you need one license server for each domain or workgroup that uses Terminal Services.

Think carefully about the approach, as it determines how licenses are issued and made available to Terminal Services clients. If you want all client access licenses to be available to all clients, you might want to use the enterprise-wide configuration. If you want to organize licensing by department or functional groups, you might want to use a domain or workgroup approach to restrict users' access to licenses per domain or per workgroup. When making infrastructure design decisions, keep the following in mind:

  • In a single-server Terminal Services environment, the terminal server and the Terminal Services license server can be the same system.

  • In a multi-server Terminal Services environment, you probably don't want one of the terminal servers to be a license server as well. If you have a separate Session Directory Server, however, you may want to make this server the Terminal Services license server as well.

Prior to activation of a license server, you have a 120-day grace period during which you can perform unlimited testing and client connections. Use this time to ensure that your Terminal Services environment is as you want it to be. Once you activate the license server, you will need to configure actual licenses for use, and those licenses will work only on the license server for which you've activated them. The activation code necessary for the license server is the product ID.

Installing a Terminal Services License Server

To install the Terminal Services Licensing service, access the Control Panel and double-click Add Or Remove Programs. In the Add Or Remove Programs dialog box, click Add/Remove Windows Components to start the Windows Components Wizard. On the Windows Components page, select Terminal Server Licensing, and then click Next.

As shown in Figure 31-10, you can specify the role of the license server as either Your Entire Enterprise or Your Domain or Workgroup. By default, the license server database is installed in the %SystemRoot%\System32\LServer folder. You can accept this setting or click Browse to specify a new location. When you are ready to continue, click Next to begin the installation, and then click Finish.

Figure 31-10. Select the role of the license server.

Tip

Consider the license database location

Every time a client attempts to connect to a terminal server, a lookup is made to the license server database. If the client has an existing license, the terminal server to which the client is connected queries the license server about the client's license and the license server performs a lookup to validate it. If the client doesn't have an existing license, the terminal server to which the client is connected queries the availability of licenses and the license server performs a lookup to determine if licenses are available. If a license is available, it is issued to the client. For optimal performance in a large network with many hundreds or thousands of clients, you might want to consider putting the license database on a separate physical disk from that used by the operating system.

Activating the License Server and Configuring Licenses for Use

Once you install the Terminal Services Licensing service, you can activate the license server and configure licenses for use with the Terminal Server Licensing tool. To start the Terminal Server Licensing tool, click Start, Programs or All Programs, Administrative Tools, Terminal Server Licensing, or type licmgr.exe at the command prompt.

When you first start the Terminal Server Licensing tool, it will search for license servers on the network, and then list the ones it has found, as shown in Figure 31-11. Here, a license server is present but not yet activated (as indicated by a red dot on its icon).

Figure 31-11. Available license servers are listed in the Terminal Server Licensing tool.

You use the Terminal Server License Server Activation Wizard to activate the license server, and the Terminal Server CAL Installation Wizard to configure licenses for use. (The acronym CAL stands for Client Access License.) When you activate a server, both wizards can be run in turn if desired.

To activate the license server and configure licenses for use, follow these steps:

  1. Right-click the server entry in the Terminal Server Licensing tool, and then select Activate Server. Click Next. On the Connection Method page, select the activation method to use, as shown in Figure 31-12.

    Figure 31-12. Select a connection method.

  2. The default technique used for license server and license activation is an Automatic Connection to the Microsoft Clearinghouse. You can also specify Web Browser or Telephone if you want to get an activation code manually.

    • With the Automatic Connection method—When you click Next, the wizard attempts to connect over the Internet to the Microsoft Clearinghouse, as shown in the following screen. If you choose this method, you will need to identify yourself and your organization to obtain an authorization code, which is automatically sent to the server.

    • With the Web Browser method—When you click Next, the wizard tells you that you need to go to the Terminal Server Activation and Licensing Web site (https://activate.microsoft.com) and provide your product ID, as shown in the following screen. You will then get a license server ID to use.

    • With the Telephone method—When you click Next, the wizard prompts you to select your country or region. After you select your country or region and click Next, you will see a telephone number specific to your region or country to call, and you will be given your product ID to provide during the call, as shown in the following screen. You will then get a license server ID to use.

  3. When you finish this process, you'll see the Completing The Terminal Server Activation Wizard page as shown in Figure 31-13. On this page, Start Terminal Server Client Licensing Wizard is automatically selected so that if you click Next from here, the wizard starts.

    Figure 31-13. Finishing the activation and starting the client licensing wizard.

  4. The Terminal Server Client Licensing Wizard uses the previously selected connection method to activate client licenses. You will need to click Next twice and then enter a license code from your retail product packaging, Select Enterprise Agreement or Open license contract. As before, the way this works depends on the connection method.

To install licenses separately or at a later date, right-click the server entry in the Terminal Server Licensing tool, and then select Install Licenses. This starts the Terminal Server Client Licensing Wizard, which you can use to configure licenses for use.

The Terminal Server License Server Activation Wizard and the Terminal Server CAL Installation Wizard store information about the connection method and your contact information. If you want to use a different connection method or change contact information, you need to edit the default properties for the license server. To do this, right-click the server entry in the Terminal Server Licensing tool and select Properties. You can then make changes as necessary using the Licensing Wizard Properties dialog box shown in Figure 31-14.

Figure 31-14. Change wizard defaults using the Licensing Wizard Properties dialog box.
