Planning for Terminal Services

To achieve the most successful Terminal Services project deployment, careful and thorough planning and testing must be performed prior to production rollout. Criteria such as application resource usage, security requirements, physical location, network access, licensing, fault tolerance, and information indicating how users will be utilizing the Terminal Server all contribute to the way the Terminal Services implementation should be designed.

Planning for Remote Desktop for Administration Mode

Unless Terminal Services is viewed as a security risk, it is recommended to enable Remote Desktop for Administration mode on all internal servers to allow for remote administration. For servers that are on the Internet and for DMZ networks, Terminal Services may be used, but access should be limited to predefined separate IP addresses using firewall access lists to eliminate unauthorized attempts to log on to the Terminal Server. In addition, those servers should be closely monitored for unauthorized attempts to access the system.

Planning for Terminal Server Mode

Terminal Server mode can require a lot of planning. Because this mode is used to make applications available to end users, server hardware specification and application compatibility are key components to test before a production rollout.

User Requirements

It is important to determine user requirements based on typical usage patterns, the number of users accessing the system, and the number of applications that are required to run. For instance, the more applications that a user will run in a session, the more processing power and memory will be required in order to optimize session performance. On average, a Terminal Server user who runs one application may take 10MB of RAM and use little more than 3% of a server's total processing time per session. A power user who runs three or more applications simultaneously may require 40MB of RAM or much more, depending on the applications and features being used. Use the Terminal Services Manager tool and the Performance System Monitor console to test and validate usage statistics. The key is to not overload the server to the point where performance is too slow to be cost effective. Bandwidth to the Terminal Server required by each user will also affect how well the system performs under various workloads.

Antivirus on Terminal Services

Just as standard servers require operating system (OS)level antivirus software, so do Terminal Servers. When choosing an antivirus product, be sure to choose one that is certified to run on Windows Server 2003 Terminal Servers. For Terminal Server mode deployments, install the antivirus software after installing the Terminal Server so that scanning will work for all Terminal Server sessions. Follow installation guidelines for installing applications as outlined in the "Installing Applications for Terminal Server" section later in this chapter.

Terminal Server Upgrades

Upgrading Terminal Servers can be tricky and should be handled with caution. Before any operating system or application updates or patches are applied on a production Terminal Server, they should be thoroughly tested in an isolated lab server. This process includes knowing how to properly test the application before and after the update to be sure the update does not cause any problems and, in some cases, adds the functionality that you intended to add.

When a Terminal Server's operating system is to be upgraded to the next version, many issues can arise during the upgrade process. Applications may not run properly in the next version because key system files might be completely different. Even printer drivers can be changed drastically, causing severe performance loss or even loss of functionality. Lastly, you need to consider that the existing Terminal Server could have been modified or changed in ways that can cause the upgrade to fail, requiring a full restore from backup.

Note

Complete disaster recovery and rollback plans should be available during upgrades. This way, if problems arise, the administrator does not have to create the plan on the spot ensuring that no important steps are overlooked.

As a best practice and to ensure successful upgrades of Terminal Servers, replace existing servers with clean built Terminal Servers with the latest updates. This includes re-creating each of the file shares and print devices and using the latest compatible drivers to support each of your clients. Avoid upgrading a Terminal Server from Windows NT 4.0 to avoid driver and application conflicts. You can upgrade Windows 2000 Terminal Servers to Windows Server 2003 rather easily. However, to make your Terminal Server operating system upgrade as painless as possible, replace the existing server with a new one. If necessary, rebuild the old server from scratch and redeploy to the production environment if the hardware can still meet performance requirements.

Physical Placement of Terminal Servers

Place your Terminal Servers where they can be readily accessed by the clients that will primarily be using them. Also, to keep network performance optimized, try to place Terminal Servers on the same network segment as other servers that clients may use in their session, such as domain controllers, database servers, and mail servers, as shown in Figure 27.1. This way, you can reduce traffic on the network and improve Terminal Server performance. However, if security, as opposed to performance, is of concern, you should place the Terminal Server system between the client and the servers to create a barrier between external and internal resources.

Planning for Hosted Applications

Whenever possible, choose applications that have been tested and certified by Microsoft to run on Windows Server 2003 Terminal Servers. If you must run third-party applications on Terminal Services, run the necessary compatibility scripts provided with Windows Server 2003, when applicable, and also review the software vendors' information on installing the applications on a Windows Server 2003 Terminal Server. Certified or compatible applications should be capable of running multiple instances simultaneously on the server as independent processes. Test applications completely to note the resource requirements and functionality.

Networking Requirements

To keep Terminal Server sessions running efficiently, adequate available network bandwidth is a must. A Terminal Server requires network access to each Terminal Server client, along with any other server the client accesses during that session. For optimum performance for multitiered applications, install two or more network cards on a Terminal Server and configure the server to use one exclusively for Terminal Server client connectivity and the others for back-end server communication.

Terminal Server Fault Tolerance

A fault-tolerant Terminal Server environment can be created using Windows Server 2003 NLB or other hardware vendor load-balancing technologies. If using a third-party load-balancing solution, also ensure that it supports Session Directory server for session failover capabilities, or provides a similar solution. This increases server availability and also gives administrators the flexibility to remove a specific Terminal Server from production without affecting the availability of the Terminal Server environment.

Keep in mind that if a Terminal Server session is disconnected from a failed network load-balanced Terminal Server, the disconnected session is lost and a completely new session must be started on a remaining Terminal Server node if Session Directory server is not used. Also, upgrades and patches need to be performed on each node in the cluster independently.

Note

Refer to Chapter 31, "System-Level Fault Tolerance (Clustering/Network Load Balancing)," for NLB configuration and installation assistance.

Working with Terminal Server Licensing

Terminal Services deployed in Terminal Server mode requires the purchase of client access licenses (CALs) for each client device or session. Also, a Terminal Services License server must be available on the network to allocate and manage these client access licenses. When a Terminal Server is establishing a session with a client, it checks with the Terminal Services License server to verify whether this client has a license. A license is allocated if the client does not already have one.

To install licenses on the Terminal Services License server, the Terminal Services License server must first be installed and then activated online. To activate the Terminal Services License server, the wizard can automate the process or the administrator can choose to activate the server using a Web page form or by calling the Microsoft Clearing House via an 800 number to get an activate key.

When a Terminal Server cannot locate a Terminal Services License server on the network, it still allows unlicensed clients to connect. This can go on for 120 days without contacting a License server, and then the server stops serving Terminal Server sessions. This is why it is imperative to get a Terminal Services License server installed on the network as soon as possible or before Terminal Servers are deployed to production.

When servers are running in Terminal Services Remote Desktop for Administration mode, no CALs are required, so no Terminal Services License server is required either.