Managing Terminal Services

Using Terminal Services for Windows 2003 Server is the recommended method for deploying Project Professional and Microsoft Office 2003. This section outlines the benefits, considerations, and other useful information regarding deploying Terminal Services for Project Server 2003.

Terminal Services Versus a Virtual Private Network (VPN)

VPNs are becoming an everyday necessity for most organizations with remote users to secure data and protect company resources. Unfortunately for remote users, VPNs tend to be slow, and these latency issues are magnified to the point of failure for managers using Project Professional to connect to Project Server. This is because the connection from the desktop application to the server contains a lot of query and response. If at any point a response is delayed (times out), the entire process fails. For this reason, latency kills the productivity of your project managers. This is where Terminal Services comes in. Terminal Services eliminates the latency problem for remote users and improves overall performance. Best of all, your data is still secure and in fact may be even more so because the actual sensitive data traffic all remains within the confines of your local area network (LAN). Many great resources can provide more detail on the security model and options of Terminal Services, including Microsoft's site online.

Benefits of Using Terminal Services for Project Server 2003

The biggest benefits of using Terminal Services will be seen when using applications such as Microsoft Project Professional; however, there are several other important advantages to consider. The following lists some of the benefits of using Terminal Services for both remote and local users:

Faster than VPN for remote users No latency issues for remote users because all the processing occurs on the server side.
Low bandwidth requirements Even users on slower dial-up connections can enjoy fast access to Office applications and connectivity to the Project Server. This is because Terminal Services really sends only screen views instead of the actual data.
Centralized support With Terminal Services, you are managing only one system rather than individual desktops, providing for better availability, service, and monitoring. Additionally, you can easily share a desktop with a remote user and troubleshoot real-time. You also ensure that your users are running all the latest security updates, patches, and enhancements eliminating the need to visit each desktop.
Availability and scalability With Terminal Services, your users can reach their data from anywhere, anytime using the Remote Desktop built into Windows XP or freely downloadable from Microsoft, even through an ActiveX browser plug-in. If your users are having a problem with their desktop, they can use another workstation, and it will look and feel exactly the same to them. Additionally, the system requirements on the user side are minimal. A computer with a Pentium 133 megahertz processor performs well because you'll be leveraging server architecture, which allows for faster performance and scalability. As your user load increases, simply add another Terminal Services to your network load-balanced (NLB) cluster.
Increased security Because the desktops are only receiving screenshots, your data remains on your LAN. Group Policy management allows you to protect key components of the server as well as provide some customization to the users, such as automatically setting their home page in Internet Explorer (IE) and collaboration settings in Project Professional.
Monitoring By having your users access through Terminal Services, you can easily monitor who is logged on to the system, what processes are running, and so on. This can be useful information for troubleshooting performance and other issues.

Considerations for Implementing Terminal Services

Before implementing a Terminal Services solution, careful architecture and planning should take place. Performance, availability, and training are just a few of the areas to take into account. The following is a short list of other important considerations:

Hardware requirements For smaller organizations, the hardware requirements may be cost prohibitive.
Single point of failure If the terminal server fails, all your users will be without access. This can be minimized by creating a failover by using Network Load Balanced (NLB) clusters using two or more servers. Before deploying Terminal Services, be sure to have a strong disaster recovery plan in place. A network failover should also be considered.
Single configuration You can have only one configuration of the applications on a Terminal Services. If your users require custom features to be installed, an additional terminal server will be required.

Installation Order and Application Server Mode

The installation order is important for deploying Project Professional and/or Microsoft Office on a Terminal Server. The server must have Terminal Services installed and enabled prior to installing any other applications. Project Professional automatically detects the implementation of Terminal Services on Windows 2003 and installs properly.

CAUTION

In Windows server versions prior to Windows 2003, you could choose the Remote Administration or the Application Server mode for Terminal Services. In Windows 2003, the Remote Administration mode is built-in. The terminal server must have Terminal Services Application mode installed for Project Professional to install correctly for use by remote users.

Group Policy and the Group Policy Management Console (GPMC)

The Windows Server 2003 implementation of Active Directory (AD) provides a key upgrade to managing Group Policy Objects (GPO) in the enterprise. GPOs can perform many management tasks including adding registry entries, enforcing security policies, and even performing software maintenance. The GPMC is a Microsoft Management Console (MMC) snap-in that can be used to create and enable GPOs. You need to download and install it from Microsoft because it is not included on the Windows Server disks or install.

TIP

Organization Units (OU) are useful when applying GPOs. OUs provide a tree structure, allowing you to apply GPOs similar to the way security groups are implemented. This may come in handy if you want to apply a restrictive policy to your Terminal Server users but don't want to lock out the administrator's functions. OUs can be created and managed using either the GPMC or the AD Users and Computers MMC snap-in.

CHECKING FOR ENFORCED GROUP POLICIES

After making any changes to an existing GPO, check to make sure that the updates are actually being enforced on the server or user. To do this, use the Group Policy Results Wizard built in to the GPMC. You can find this wizard by right-clicking the Group Policy Results folder. Although Windows Servers check and grab new or updated GPOs on a schedule, you may want to "push" the changes right away. You can do this by using the Group Policy Update (gpupdate.exe) command from a command prompt. Type gpupdate /? for a list of switches. The /force switch, in particular, is important.

You can use an .adm file to add a template to the GPO editor. These are text-based files that contain registry and security settings. By default, the GPO editor tries to read .adm files from the Sysvol on the domain controller, but you can add a template from any directory. If the .adm file is new or the time stamp is newer than one currently in the Sysvol, the GPO Editor automatically copies it to the Sysvol.

The following is an example of an .adm file that can be used to set the registry entries needed to connect Project Professional to the Project Server:

 CLASS USER CATEGORY "Project Professional Settings"     POLICY "Microsoft Project 2003"         KEYNAME "Software\Microsoft\Office\MS Project\Profiles\Windows Logon"         EXPLAIN    "Set these settings for the hosting environment."             PART "Project Server URL" EDITTEXT                 VALUENAME "Path"                 DEFAULT "http://servername/projectserver"             END PART             PART "Windows Logon Name" EDITTEXT                 VALUENAME "Name"                 DEFAULT "Windows Logon"             END PART             PART "Window Logon Account" CHECKBOX                 VALUENAME "AccountType"                 VALUEON "0"         ;REVERSED ORDER: 0,1                 VALUEOFF "1"                 DEFCHECKED             END PART             PART "Default" CHECKBOX                 VALUENAME "Default"                 VALUEON "Yes"                 VALUEOFF "No"                 DEFCHECKED             END PART             PART "AutoConnect" CHECKBOX                 KEYNAME "Software\Microsoft\Office\MS Project\Settings"                 VALUENAME "AutoConnect"                 VALUEON "Yes"                 VALUEOFF "No"                 DEFCHECKED             END PART     END POLICY END CATEGORY

Copy and paste this code into a text file and rename it with a descriptive name and an .adm extension. After the GPMC is installed, follow these steps to add the template to the GPO Editor:

1.	From Administrative Tools open the GPMC.
2.	Right-click on the appropriate folder level that you want to create a GPO for and choose Create and Link a GPO Here.
3.	Give the new GPO a name and click OK.
4.	Right-click on the new GPO and select Edit. This launches the GPO Editor.
5.	Under User Configuration find the Administrative Templates section, right-click, and select Add/Remove Templates.
6.	Click the Add button.
7.	Navigate to the location of your .adm file, highlight it, and click Open.

Now that you've added the template, you need to perform a few more steps to see it in the editor to modify:

1.	From the GPO Editor, highlight the Administrative Templates section under User Configuration and then click the View menu toward the top of the window.
2.	Select Filtering.
3.	Remove the selection on the Only Show Policy Settings That Can Be Fully Managed option.
4.	Click OK.

You should now see the template you created and can modify it at will. Make sure that when you are finished making changes that you enforce the policy in the GPMC by right-clicking it and choosing Enforced as shown in Figure 25.16.