Chapter 31. Deploying Terminal Services

Terminal Services lets users run Microsoft Windows–based applications on a remote server. When users run an application on a terminal server, the execution and processing take place on the server, and only the data from devices such as the display, keyboard, and mouse are transmitted over the network. A client logged on to a terminal server and running applications remotely is said to be using a virtual session. Although there may be dozens or hundreds of users simultaneously logged on to a terminal server, users see only their own virtual session.

Using Terminal Services

You can use Terminal Services to rapidly deploy and centrally manage Windows-based applications. One advantage of this method is that you can be sure that all users are running the same version of an application and that they can do so from any computer. Another advantage is that organizations with older computers running earlier versions of Windows can get more mileage out of their computers by having users run applications on terminal servers instead of locally on their desktops. Terminal Services involves these key elements:

  • Terminal Services clients

  • Terminal Services servers

  • Terminal Services licensing

Terminal Services Clients

The primary client used to establish connections to a terminal server is the Remote Desktop Connection client. This client comes installed on the Microsoft Windows XP and Windows Server 2003 operating systems and is available for installation on Microsoft Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, Windows 2000, and Windows CE. For details on the use and features of this client, see the section entitled "Supporting Remote Desktop Connection Clients".

By sending only the data required for I/O devices to and from the server, Terminal Services significantly reduces the amount of data transferred between a client and a server. This reduces the amount of network bandwidth used, allowing Terminal Services to operate in low bandwidth environments. In addition, users can optimize performance based on the speed of their connection. On a 28.8 Kbps modem, a user gets only the essential features to ensure the best overall performance possible. As a user moves from a 28.8 Kbps modem connection to a LAN connection at 10 Mbps or higher, Windows features are automatically added to enhance the user experience. Administrators can also configure Terminal Services to restrict the additional features. For example, if hundreds of users share a terminal server, you may need to restrict enhancements to preserve the overall performance of the server; an overloaded terminal server degrades or loses every session running on it, not just the one that pushed it over the edge.

Terminal Services Servers

It's very easy to set up a terminal server. What isn't so easy is getting the infrastructure right before you do so and maintaining the installation once it's in place. Before you install Terminal Services, it is essential to plan the environment and to deploy Terminal Services before you install applications on the terminal server. Once you deploy Terminal Services, you will configure the environment, install applications, and make those applications available to remote users.

The new features for the Remote Desktop Connection client were discussed in the section entitled "New Features for the Remote Desktop Connection Client". For Windows Server 2003, there are many standard features and enhancements as well. The administration tools for Terminal Services include the following:

  • Terminal Services Manager Terminal Services Manager is the primary tool for managing terminal servers and client connections. Unlike previous versions, the current version doesn't automatically enumerate all the terminal servers that are available. Instead, it gives direct access to a local server if it is running Terminal Services and allows you to selectively enumerate servers and add servers to a list of favorites for easier management. In a large installation with many terminal servers, this makes Terminal Services Manager more responsive.

    Note

    It is important to note that certain features of Terminal Services Manager work only when you run the tool from a client. For example, if you run Terminal Services Manager on a terminal server, you won't be able to use the Remote Control and Connect features.

  • Terminal Services Licensing Manager Terminal Services Licensing Manager is used to install licenses and activate a Terminal Services license server. The enhanced interface makes it easier to install licenses and to activate or deactivate license servers.

  • Terminal Services Configuration Terminal Services Configuration is used to manage terminal server connections as well as global and default server settings. Connection settings are configured per connection object (for example, the default RDP-Tcp connection) and include the encryption level, logon settings, session limits and the permissions that control who may connect; it is the Remote Desktop Protocol (RDP) connection that carries the enhancements described for the Remote Desktop Connection client. Server settings enable you to set terminal server policy. A key policy addition is the single session policy, which, when activated, limits a user to a single session, whether the session is active or disconnected.

Terminal Services has many changes for security as well. In previous editions of Terminal Services, you had to assign user access permissions using the Terminal Services Configuration tool. For Windows Server 2003, you have the additional option of adding users and groups to the Remote Desktop Users group, whose members are granted the right to log on through Terminal Services. On a member server this is a local group that you manage through Local Users And Groups; on a domain controller it is the built-in group of the same name, which you manage in Active Directory Users And Computers. Membership should follow least privilege: add only the groups that actually need remote sessions, such as a dedicated group for the application's users or for help desk staff. If you add the Domain Users group, every user account in the domain can open a session. If instead you add the special group Everyone, anyone who can reach the server over the network can use Terminal Services, which is almost never what you want. Review the group's membership periodically, because a broad group added during a rollout tends to stay there.
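The membership review just described can be automated. The following added example (not code from the chapter) parses the text that `net localgroup "Remote Desktop Users"` prints on a Windows Server 2003 terminal server and flags members that grant remote logon to far more principals than a least-privilege deployment should. The sample output embedded in the script is constructed for illustration, as are the domain name CONTOSO and the group names in it; the list of "broad" principals is an assumption you should adjust to your own environment.

```python
"""Flag overly broad members of the Remote Desktop Users group.

Added example, not part of the original chapter. Parses the output format of
`net localgroup "Remote Desktop Users"` and reports members that hand remote
logon rights to (nearly) every account. The sample output below is constructed
for illustration, not captured from a real server.
"""
import re

# Principals that grant remote logon to (nearly) every account on the domain
# or the network. Assumption: extend this set for your own environment.
# Names are compared case-insensitively and without the domain prefix.
BROAD_PRINCIPALS = {
    "everyone",
    "authenticated users",
    "domain users",
    "users",
    "interactive",
    "network",
}

# Constructed sample of what `net localgroup "Remote Desktop Users"` prints.
# CONTOSO and the group/user names are made up for this example.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
CONTOSO\\Domain Users
CONTOSO\\TS-HelpDesk
CONTOSO\\jdoe
Everyone
The command completed successfully.
"""


def parse_members(text):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if not in_members:
            # The member list starts after a line made only of dashes.
            if re.fullmatch(r"-{10,}", line):
                in_members = True
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def strip_domain(principal):
    """'CONTOSO\\Domain Users' -> 'domain users' (case-folded, no domain)."""
    return principal.split("\\", 1)[-1].strip().lower()


def broad_members(members):
    """Members whose name matches one of the overly broad principals."""
    return [m for m in members if strip_domain(m) in BROAD_PRINCIPALS]


def audit(text):
    """Parse net localgroup output and return members plus the flagged ones."""
    members = parse_members(text)
    return {"members": members, "broad": broad_members(members)}


if __name__ == "__main__":
    # On a real server: audit(subprocess.check_output(
    #     ['net', 'localgroup', 'Remote Desktop Users'], text=True))
    result = audit(SAMPLE_NET_LOCALGROUP)
    for member in result["members"]:
        flag = "  <-- too broad" if member in result["broad"] else ""
        print(member + flag)
```

Run on a live server by feeding it the output of `net localgroup "Remote Desktop Users"`; the flagged entries are the ones to replace with a narrower, purpose-specific group.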

Other important security changes involve additional encryption options, which you set per connection in Terminal Services Configuration. Terminal Services now supports 128-bit encryption as well as encryption compliant with the Federal Information Processing Standard (FIPS). The High encryption level encrypts the data sent in both directions between a Terminal Services client and a server with 128-bit keys, and refuses clients that cannot negotiate that strength; the Client Compatible level instead drops to the strongest level the client supports, so it is only as strong as your weakest client. The FIPS Compliant level restricts the session to algorithms validated under FIPS 140-1 and FIPS 140-2, the standards for Security Requirements for Cryptographic Modules, which some organizations are required to use. Keep in mind that the encryption level protects the confidentiality of session data on the wire; it does not replace the access controls above or a restricted network path to the server.

Terminal Services Licensing

A Terminal Services license server is required to set up Terminal Services (see Figure 31-1). The license server, responsible for issuing licenses and tracking their usage, maintains a pool of all available licenses. The assigned licenses are also tracked so that they can be validated. Unlike Windows NT 4, which allowed the license server to trust that you had acquired the number of licenses you specified, Terminal Services requires that you get official licenses from Microsoft and activate them through the Microsoft Clearinghouse.

Figure 31-1. Terminal Services implementation with a license server.

The first time a client connects to a terminal server, the terminal server checks for a license. If the client has a license, the terminal server validates it and allows the client to connect. If the client doesn't have a license, the terminal server locates a license server (using a network broadcast in workgroups or through Active Directory in domains) and requests a new license. If that license server doesn't have a license to offer, the client is not allowed to connect.

Note

For the first 120 days after deployment, clients can be granted a temporary license if an activated license server is not available. After this grace period, Terminal Services will stop serving unlicensed clients.

Provided that the license server has a license available, it gives the license to the terminal server, which in turn issues it to the client. Client access licenses provided by Terminal Services are issued per device or per user, so the way licensing works depends on the licensing configuration, which can be mixed and matched as necessary. With per-device licensing, the license is valid only for a particular computer and is validated in the future against the globally unique identifier (GUID) of the machine on which the client is running. With per-user licensing, the license is valid only for that user and is tied to the user's account rather than to any particular machine. Note that a Windows Server 2003 license server does not track or enforce per-user licenses the way it does per-device licenses; in per-user mode you remain responsible for holding enough licenses for the users who connect.

Note

Terminal Services client access licenses are issued per device or per user only. They are not available in per-server mode because Windows sessions are not allowed in per-server mode.

An issued license is valid for a period of 52 to 89 days; the interval is assigned randomly. When the client later disconnects or logs off the terminal server, the license is not returned to the pool. The expiration date serves to return unused licenses to the license pool. Each time a client connects to a terminal server, the expiration date of its license is checked. If the current date is within seven days of the expiration date, the license server renews the license for another 52 to 89 days. If a client doesn't log back in to the terminal server before its license expires, the license is returned to the license pool, which makes it available to other clients.
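The issuance, renewal and expiry rules described above (first connection, the license server's pool, the random 52 to 89 day term, renewal within seven days of expiry, and return to the pool only on expiry, never on disconnect) are easiest to see in a small model. The following added example is not code from the chapter or from Microsoft; it simulates a per-device pool under exactly those rules. The device names, the seeded random generator and the single-license pool are assumptions chosen to make the run deterministic.

```python
"""Model of Terminal Services per-device license issuance, renewal and expiry.

Added example, not part of the original chapter. Rules modelled:
  * a terminal server asks the license server for a license only when the
    connecting device has none;
  * an issued license lasts a random 52..89 days;
  * a connection within 7 days of expiry renews it for another 52..89 days;
  * an expired license goes back to the pool; disconnecting returns nothing.
Device names, pool size and the RNG seed are assumptions for illustration.
"""
import random

LICENSE_MIN_DAYS = 52
LICENSE_MAX_DAYS = 89
RENEW_WINDOW_DAYS = 7


class LicenseServer:
    def __init__(self, pool_size, seed=0):
        self.available = pool_size        # licenses not yet issued
        self.issued = {}                  # device_id -> expiry day
        self.rng = random.Random(seed)    # seeded so runs are reproducible

    def _term(self):
        return self.rng.randint(LICENSE_MIN_DAYS, LICENSE_MAX_DAYS)

    def reclaim_expired(self, today):
        """Return licenses whose expiration day has passed to the pool."""
        expired = [d for d, exp in self.issued.items() if exp < today]
        for d in expired:
            del self.issued[d]
            self.available += 1
        return expired

    def request(self, device_id, today):
        """Issue a new license to a device; None if the pool is empty."""
        self.reclaim_expired(today)
        if self.available == 0:
            return None
        self.available -= 1
        self.issued[device_id] = today + self._term()
        return self.issued[device_id]

    def validate(self, device_id, today):
        """Check a device's license, renewing it inside the 7-day window."""
        self.reclaim_expired(today)
        exp = self.issued.get(device_id)
        if exp is None:
            return None
        if exp - today <= RENEW_WINDOW_DAYS:
            exp = today + self._term()
            self.issued[device_id] = exp
        return exp


class TerminalServer:
    def __init__(self, license_server):
        self.ls = license_server

    def connect(self, device_id, today):
        """True if the device may connect: valid license, or a new one."""
        if self.ls.validate(device_id, today) is not None:
            return True
        return self.ls.request(device_id, today) is not None

    def disconnect(self, device_id):
        """Disconnecting or logging off does not touch the license pool."""
        return None


def simulate():
    """Two devices (PC-A, PC-B; names assumed) share a one-license pool."""
    ls = LicenseServer(pool_size=1, seed=42)
    ts = TerminalServer(ls)
    log = {}
    log["a_day0"] = ts.connect("PC-A", 0)           # takes the only license
    expiry = ls.issued["PC-A"]
    log["term_in_range"] = LICENSE_MIN_DAYS <= expiry <= LICENSE_MAX_DAYS
    ts.disconnect("PC-A")                            # frees nothing
    log["b_day0"] = ts.connect("PC-B", 0)           # refused: pool empty
    # PC-A returns inside the renewal window and gets a fresh 52..89 days.
    renew_day = expiry - RENEW_WINDOW_DAYS
    log["a_renewed"] = ts.connect("PC-A", renew_day)
    new_expiry = ls.issued["PC-A"]
    log["renewal_extended"] = new_expiry - renew_day >= LICENSE_MIN_DAYS
    # PC-A never comes back; once its license lapses PC-B can have it.
    log["b_after_expiry"] = ts.connect("PC-B", new_expiry + 1)
    log["a_after_expiry"] = ts.connect("PC-A", new_expiry + 1)
    log["pool_left"] = ls.available
    return log


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The run shows why a pool sized for concurrent sessions is wrong for per-device licensing: PC-B is refused even after PC-A has disconnected, and only gets a license once PC-A's term has lapsed without a renewal.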

Unlike previous implementations of Terminal Services, the current version lets you reassign a client access license from one device to another device or from one user to another user. However, there are some limitations. The license must be either permanently reassigned away from its existing owner (device or user), or it must be temporarily reassigned to a loaner device while a permanent device is out of service, or to a temporary worker while a regular employee is absent.
