Planning the deployment of
Terminal Services in your enterprise environment means taking into
consideration licensing, server resilience, how clients connect, and how
applications are deployed to the terminal server.
Planning a Terminal Services Deployment
As an experienced enterprise administrator, you
are aware of the role Terminal Services plays on your organizational
network. You understand how client computers connect to terminal
servers, how to install applications on a terminal server, and the
basics of managing and configuring an individual terminal server. In
this lesson, you will go beyond the maintenance and configuration of
this technology and learn how to plan the deployment of Terminal
Services so that it best meets the needs of your organization.
The first step in planning a deployment is understanding how the following Terminal Services components fit together:
Terminal server
The server itself is the core component of a Terminal Services
deployment. This is the server that clients connect to so they can
access their applications.
Terminal server farm
A terminal server farm is a collection of terminal servers, used to
provide high availability and load balancing to clients on the
organizational network. Client connections to terminal server farms are
mediated by Terminal Services session directory servers. Terminal server
farms are more likely to be deployed at large sites than are individual
terminal servers.
License servers
License servers provide Terminal Services client access licenses (TS
CALs) to terminal servers on the network. Unless a license server is
deployed, clients are able to connect to Terminal Services for only a
limited amount of time.
Terminal Services Gateway servers (TS Gateway)
These servers provide access to terminal servers to clients on
untrusted networks. In enterprise networks, you can use a TS Gateway
server as a bridge between the standard internal network and a terminal
server farm on a network protected by server isolation policies.
When
planning the deployment of terminal servers and terminal server farms,
ensure that the software the clients use to connect to a terminal server
is installed after the Terminal Server role is deployed. Many
applications perform a check during installation to determine whether
the target of the installation is a terminal server. In some cases,
different executable files will be installed when the installation
target is a terminal server as opposed to a normal, standalone computer.
Alternatively, some applications will generate a pop-up dialog box
informing you that installing the application on a terminal server is
not recommended and that the vendor does not support this deployment
configuration.
Applications that are deployed on a terminal
server might conflict with one another in unexpected ways. Your Terminal
Services deployment plan should include a testing period so that you
can verify that each terminal server’s application configuration does
not lead to unforeseen conflicts. If conflicts are detected, you will
need to plan either to deploy conflicting applications on separate
terminal servers or to deploy applications by using Microsoft SoftGrid
Application Virtualization.
Terminal Services Licensing
Perhaps the most critical aspect of planning the
deployment of Terminal Services in enterprise environments is ensuring
that licensing is configured appropriately. The loss of one terminal
server in an environment in which there are 100 terminal servers is a
potential problem. The loss of a license server that has an enterprise
scope in an environment in which there are 100 terminal servers is a
potential disaster.
All clients that connect to a terminal server
require a TS CAL. This license is not included with Windows Vista and is
not a part of the standard CALs that you use when licensing a
Windows-based server. TS CALs are managed by a Terminal Services license
server. When planning a Terminal Services deployment, answer the
following questions when considering the deployment of a Terminal
Services license server:
What is the scope of the license server?
Will it service clients in the domain or workgroup or manage the
licenses for all clients in the forest?
How will the license server be activated with Microsoft? How will additional licenses be purchased and installed?
How many license servers are required to service the needs of your organization?
What type of licenses will be deployed?
License Server Scope
The license server’s discovery scope determines
which terminal servers and clients can automatically detect the license
server. You configure the license server scope during the installation
of the Terminal Services License Server role service, as shown in Figure 1. You can change the scope after it is set. The three possible discovery scopes are This Workgroup, This Domain, and The Forest.
This Workgroup
This scope is not available if the license server is joined to an
Active Directory domain. This discovery scope is most often installed on
a computer that hosts the Terminal Services role. Terminal servers and
clients in the same workgroup can automatically discover this license
server.
This Domain
The domain discovery scope enables terminal servers and clients that
are members of the same domain to acquire TS CALs automatically. Plan to
use this scope if TS CALs in your organization are going to be
purchased and managed on a per-domain basis.
The Forest
The forest discovery scope enables terminal servers and clients located
anywhere in the same Active Directory forest to acquire TS CALs
automatically. You should plan to use this scope when licensing issues
are handled on an organizational level rather than at the domain level.
For example, if your organization has a single
forest with a separate domain for each state division, but all software
purchasing and licensing is handled centrally, you would plan to deploy a
license server set to the forest discovery scope. This enables the
people responsible for licensing to check a central location to
determine your organization’s compliance with its Terminal Services
licensing responsibilities. It saves them from having to check each
state division’s Terminal Services license server. If, however, your
nationwide organization has software and purchasing managed on a
regional basis, it makes sense to deploy Terminal Services licensing
servers on the same basis. In that case, you would plan to deploy
Terminal Services license servers by using the domain discovery scope.
License Server Activation
Another important component of a Terminal
Services deployment plan is choosing a license server activation method.
Before a Terminal Services license server can issue TS CALs, it must be
activated with Microsoft in a procedure similar to Windows Product
Activation. During the activation process, a Microsoft-issued digital
certificate validating both server ownership and identity is installed
on the TS license server. This certificate will be used in transactions
with Microsoft for the acquisition and installation of further licenses.
As shown in Figure 2, a license server can be activated through three methods.
The first method occurs transparently through a
wizard, like Windows Product Activation. This method requires the server
to be able to connect to the Internet directly, using a Secure Sockets
Layer (SSL) connection, which means that it will not work with certain
firewall configurations.
The second method involves navigating to a Web
page. This method can be used on a computer other than the license
server and is appropriate in environments in which the network
infrastructure does not support a direct SSL connection from the
internal network to an Internet host.
The third method involves placing a telephone
call to a Microsoft clearinghouse operator. This is a toll-free call
from most locations. The method you use for activation will also
validate TS CALs that are purchased at a later date, although you can
change this method by editing the Terminal Services
license server’s properties. If a license server is not activated, it
can issue temporary CALs only. These CALs are valid for 90 days.
When planning disaster recovery contingencies
for your Terminal Services deployment, consider that if the certificate
acquired during the activation process expires or becomes corrupted, you
might need to deactivate the license server. A deactivated license
server cannot issue permanent Terminal Services Per Device CALs,
although it can still issue Terminal Services Per User CALs and
temporary Terminal Services Per Device CALs. You can deactivate Terminal
Services license servers by using the automatic method or over the
telephone, but you cannot deactivate them by using a Web browser on
another computer.
Terminal Services Client Access Licenses
When planning the deployment of Terminal
Services, you must determine which sort of TS CAL is most appropriate
for your organization. A Windows Server 2008 Terminal Services license
server can issue two types of TS CALs: the Per Device CAL and the Per
User CAL. The differences between these licenses are as follows:
Terminal Services Per Device CAL
The Terminal Services Per Device CAL gives a specific computer or
device the ability to connect to a terminal server. Terminal Services
Per Device CALs are automatically reclaimed by the Terminal Services
licensing server after a random period between 52 and 89 days. This will
not affect clients that regularly use these CALs because any available
CAL will simply be reissued the next time the device reconnects. In the
event that you run out of available CALs, you can revoke 20 percent of
issued Terminal Services Per Device CALs for a specific operating system
by using the Terminal Services Licensing Manager console on the license
server. For example, 20 percent of issued Windows Vista Terminal
Services Per Device CALs can be revoked or 20 percent of issued
Microsoft Windows Server 2003 Per Device CALs can be revoked at any one
time. Revocation is not a substitute for ensuring that your organization
has purchased the requisite number of Terminal Services Per Device CALs
for your environment.
Terminal Services Per User CAL
A Terminal Services Per User CAL gives a specific user account the
ability to access any terminal server in an organization from any
computer or device. Terminal Services Per User CALs are not enforced by
Terminal Services licensing, and it is possible to have more client
connections occurring in an organization than actual Terminal Services
Per User CALs installed on the license server. Failure to have the
appropriate number of Terminal Services Per User CALs is a violation of
license terms. You can determine the number of Terminal Services Per
User CALs in use by using the Terminal Services Licensing Manager
console on the license server. You can either examine the Reports node or use the console to create a Per User CAL Usage report.
When
planning the deployment of Terminal Services license servers, remember
that TS CALs can be purchased directly from the server if the terminal
server is capable of making a direct SSL connection to the Internet.
Alternatively, it is possible to use a separate computer that is
connected to the Internet to purchase TS CALs by navigating to a Web
site or to use a telephone to call the Microsoft clearinghouse directly.
Backing Up and Restoring a License Server
To back up a Terminal Services license server,
you need to back up the system state data and the folder in which the
Terminal Services licensing database is installed. You can use Review
Configuration, shown in Figure 3,
to determine the location of the Terminal Services licensing database.
To restore the license server, rebuild the server, and reinstall the
Terminal Services Licensing Server role, restore the system state data,
and then restore the Terminal Services licensing database. When restored
to a different computer, unissued licenses will not be restored, and
you will need to contact the Microsoft clearinghouse to get the licenses
reissued.
License Server Deployment
When planning the deployment of Windows Server
2008 terminal servers in an environment with Terminal Services running
on earlier versions of a Microsoft-based server operating system,
consider that Windows Server 2003 Terminal Services license servers and
Microsoft Windows 2000 Server Terminal Services license servers cannot
issue licenses to Windows Server 2008 terminal servers. Windows Server
2008 license servers, however, support the
licensing requirements of earlier versions of Terminal Services. If
your organization’s Windows Server 2003 terminal servers will coexist
with Windows Server 2008 terminal servers for a time, upgrade your
organization’s license servers to Windows Server 2008 so that they can
support both the new and existing terminal servers.
License Server High Availability
When planning a high availability strategy for
license servers, plan the deployment of two separate license servers per
scope and install 50 percent of the TS CALs on each license server.
Because the location of license servers is published within AD DS, it is
not necessary to use a technology such as Domain Name System (DNS)
round robin, Network Load Balancing, or Failover Clustering for the
deployment of license servers. Your deployment plan for license servers
should include regular backups so that if a license server does fail,
the purchased licenses can be quickly recovered and redeployed. Remember
that licenses that have been installed but not issued will be lost when
a server is recovered. It is possible to recover these licenses from
the Microsoft clearinghouse, but your license deployment plan should
ensure that only the required number of licenses is purchased. You
should not purchase a significant number of extra licenses for possible
future use. It is easier to purchase those licenses when they will
actually be used than worry about recovering unused licenses if the
license server fails.
