
Install and Configure Terminal Services

The Terminal Server role is defined in the same way as all other server roles in the enterprise. It begins with the basic server staging process, applying your customized kernel to the server. Next, proceed as follows:

  1. Use the Server Manager console to select Add Roles.
  2. Select the Terminal Services role.
  3. Use the values in Table-3 to run through the installation and configuration wizard.

The role is installed. Now you're ready to proceed to the next steps.

CAUTION: The TS Gateway role should be installed on a separate server because it may be in a perimeter network.

Prepare Terminal Server Licensing

Terminal Services requires special CALs for each client that connects to the server. This is because each client connecting to Terminal Services in application mode (as opposed to administrative mode) is actually opening a Windows Server 2008 remote session. Even if you have hardware that does not support Windows Vista, you can give users access to all of its features through remote terminal sessions on WS08 servers. If, on the other hand, you do have client hardware that supports Windows Vista, you gain a lot of advantages through Terminal Services. For example, there is no client component to deploy to have terminal sessions operate on a Windows Vista client because it already includes an updated Remote Desktop client. This means that you can focus on centralizing applications and on using a simpler application deployment model.

TABLE-3 Install the Terminal Services Role

Add Terminal Services Role Wizard Page: Values

Terminal Services: Review the available information, if you need to, and move on to the next page.

Select Role Services: Several role services are available:
  • Select Terminal Server since you want to share applications.
  • TS Licensing is required if you want to use Terminal Services in Application mode. TS uses separate client access licenses (CALs) for sharing applications. If you are installing Terminal Services for administrative purposes, then TS Licensing is not required. Note that only a few TS Licensing servers are required in the network for redundancy. Do not install this on each TS server.
  • TS Session Broker is used to provide connection continuity for users roaming from system to system.
  • TS Gateway lets users connect to shared applications over common Internet ports. This service requires IIS, Network Policy and Access Services, and Windows Process Activation Service. Add required role services.
  • TS Web Access lets users access shared applications through a Web portal. This service requires additional Application Development and Security components for IIS, as well as .NET support in the Windows Process Activation Service. Add required role services.

Application Compatibility: If applications are already installed on the server, you will need to uninstall and then reinstall them once the TS components are installed so that they can operate in multiuser mode.

Authentication Methods: Select Require Network Level Authentication. All clients will require the latest edition of the Remote Desktop client in order to use shared applications, but application connections will be more secure. Vista and WS08 systems already have this client.

Specify Licensing Mode: This lets you determine who needs a CAL, the user or the device. If users roam from system to system, using shared computers to access shared applications, then use Per User. If, however, your users have a principal PC that is assigned to them, then select Per Device. Make sure you select the proper TS CALs when you configure licensing later.

User Groups: Select the user groups that will be allowed to access these shared applications. If you intend to restrict application access to specific groups (for example, you are setting up a server to run financial applications and only want the financial group to access them), then select or create the appropriate group. Otherwise, and this is more common, select Domain Users to allow any user in your domain to access these applications.

Configure Scope for TS Licensing: The scope of the TS licenses can cover either the entire forest or the domain you are in. You will only have a single global child domain; therefore, select This Domain.
  Note: In this case, only administrators will need access to shared applications throughout the forest (Server Manager, for example), and since they do not need a license for remote administration, you do not need to apply the licensing scope to the entire forest.

Server Authentication Certificate: TS Gateway uses the Secure Sockets Layer (SSL) to secure communications between clients and servers. To do so, it requires a PKI certificate. Three choices are available:
  • Use an existing certificate
  • Create a self-signed certificate
  • Choose a certificate later
  The first or third choice is recommended. If at all possible, you should select a certificate from an external CA because it will automatically be trusted by the clients on your network. If you choose a self-signed certificate, you will need to install it manually on each client that interacts with this server.

Create Authorization Policies: Policies are required to allow Internet users to access TS Gateway applications. You can configure them later or configure them now. Select Now.

Select User Groups: Select the user groups that will be allowed to access shared applications through the gateway. If you intend to restrict application access to specific groups (for example, you are setting up a server to run remote applications and only want a select group of users to access them), then select or create the appropriate group. Otherwise, select Domain Users to allow any user in your domain to access these applications through the Internet.

Create a TS CAP: Connection authorization policies (CAPs) allow users to connect to the server when they meet specific conditions. CAPs can rely only on passwords, providing simple security, or on smart cards, relying on two-factor authentication. To authenticate, two items are required: something you have (the card) and something you know (the password).

Create a TS RAP: Resource authorization policies (RAPs) let you limit the internal resources Internet users can connect to inside your network. Users can connect to any computer or only specific computers. In this case, since you are creating a RAP for Terminal Services, make sure you create a custom security group in ADDS that includes the computer accounts of all of the servers that will run the TS role, and assign the RAP to this group.

Network Policy and Access Services (NPAS): NPAS servers are used to enforce both CAPs and RAPs. Review the information about this role before moving on.

NPAS Role Services: For NPAS support of the TS Gateway, only the Network Policy Server is required. Select only this role before you move on.
  Note: Only a few network policy servers are required in the network for redundancy. If this is not the first server you install for this role, then make sure you do not add this role to this server.

Web Server (IIS): Review information about this role, if required, before you move on.

Web Server Role Services: IIS is required for both the TS Gateway and TS Web Access. Accept the default selections and move on.
  Note: Only a few TS Gateways and TS Web Access servers are required for redundancy. Do not assign this role to every TS server in your network.

Confirm Installation Selections: Review your choices before proceeding. Use the Previous button to make corrections if required. Click Install when ready.

Installation Progress and Installation Results: Review the installation progress, reboot the server, and then click Finish when the installation is complete.

CAUTION: It is important to install the Desktop Experience, activate the Themes service on WS08 TS servers, and enable the Windows Vista theme; otherwise, Windows Vista users will be faced with a Windows 2000-like interface when accessing remote applications in Terminal Services mode. This will most certainly lead to confusion (Windows Vista on the desktop and Windows 2000 on remote sessions) and increase support calls.

Unlicensed servers will only allow clients to operate for 120 days, after which all sessions will end and the TS server will no longer respond to client requests. In order to license servers, you must install a Terminal Services license server. This server must be activated by Microsoft before it can begin to issue permanent licenses to your organization. Activation is the first step for this role.

  1. Begin by moving to the Terminal Services node in Server Manager.
  2. In the details pane, scroll down to the Advanced Tools section.
  3. Click TS Licensing. This launches the TS Licensing Manager (TSLM). TSLM begins by scanning the network for TS licensing servers and then displays them once they are found.
  4. To activate a server, right-click it and select Activate Server.
  5. This launches the Activation Wizard. Click Next.
  6. Select the connection method. Automatic Connection is the best. Click Next.
  7. Enter your personal information and click Next.
  8. Provide contact information and click Next.
  9. This will activate the server. Make sure the Start Install Licenses Wizard option is selected, and click Next.
  10. Review the information and click Next. This locates the Microsoft Activation Server.
  11. Select the appropriate license program based on the type of licenses you purchased, and click Next.
  12. Type your license code(s), and click Add. Click Next when done to complete the Install License Wizard. The wizard then connects to the Microsoft Clearing House and installs the license key packs. Click Finish when done, and close the TS License Manager.

Now you're ready to start issuing licenses to TS sessions. This is an area where you will want to apply Group Policy settings. By default, TS licensing servers issue licenses to any server that requests one. By using the License Server Security Group GPO setting (under Computer Configuration | Policies | Administrative Templates | Windows Components | Terminal Services | TS Licensing), you can restrict license issuance to authorized TS servers only. To do so, you will need to place the TS servers you want to grant licenses to in the Terminal Server Computers group on the TS licensing server. This will ensure that licenses are not wasted by being granted to servers running Terminal Services in remote administration mode.
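
A read-only check of two hardening choices made in this section, the License Server Security Group policy and the Require Network Level Authentication selection, can be scripted. This is an added example, not part of the original text. The function names are hypothetical, and the registry value names (fSecureLicensing, UserAuthentication) are assumed to be the ones these settings write, so verify them on your build.

```powershell
# Added example: read-only audit; run elevated in PowerShell 2.0 or later.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpListener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-LicenseServerLockdown {
    # Run on the TS licensing server.
    # Assumption: the License Server Security Group policy writes fSecureLicensing = 1.
    $enabled = (Get-RegValue $TsPolicyKey 'fSecureLicensing') -eq 1
    $members = @()
    try {
        # Local group named in the text; enumerate its member names via ADSI.
        $group = [ADSI]'WinNT://./Terminal Server Computers,group'
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
    } catch {
        Write-Warning "Could not read the Terminal Server Computers group: $_"
    }
    if (-not $enabled) {
        $finding = 'Policy not applied: any terminal server can request licenses.'
    } elseif ($members.Count -eq 0) {
        $finding = 'Policy applied, but no terminal server has been authorized yet.'
    } else {
        $finding = 'Policy applied: only the listed members are issued licenses.'
    }
    New-Object PSObject -Property @{
        PolicyEnabled = $enabled; Members = $members; Finding = $finding
    }
}

function Test-NlaRequired {
    # Run on each terminal server. A Group Policy value, when present,
    # takes precedence over the local RDP-Tcp listener setting.
    $gpo   = Get-RegValue $TsPolicyKey 'UserAuthentication'
    $local = Get-RegValue $RdpListener 'UserAuthentication'
    if ($gpo -ne $null) { $effective = $gpo } else { $effective = $local }
    $effective -eq 1
}

Test-LicenseServerLockdown | Format-List
"NLA required: $(Test-NlaRequired)"
```

Run Test-LicenseServerLockdown on the licensing server and Test-NlaRequired on each terminal server; neither function changes any setting.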
