

Deploying Windows 2003 Terminal Server
Written by bigboi
Thursday, 09 June 2005
Page 1 of 9

This is a pretty hefty guide for deploying Windows Server 2003 Terminal Server for remote access. It covers installation, licensing, application installation, and locking down user sessions with a GPO. There is an informal bibliography at the end with plenty more information on many of the topics you will need to understand when deploying a Terminal Server. You can find this (and all of my GeekExtreme postings, and possibly some extras that don't make it over here) at www.smoothsailingit.com.

Introduction

In this guide we want to install a Windows 2003 Server Terminal Server at a small office to simply provide remote access for 30 people. Those people will need to be able to use most of the software they have access to in the office, and will need access to the same resources they have when they are in the office. At the same time, this server will be a shared environment in which one person has the ability to cause problems for everyone else on the system, and it is publicly accessible. So we want to lock down access to the server as much as possible.

We will start off looking at how to size your terminal server, then we will jump into setting it up. We will install necessary software, and then we will spend a great deal of time focused on how to lock this down. In the end we will have a remote access server running Windows 2003 Terminal Server.

Terminal Server Scaling

The first thing you need to know about Terminal Server is that memory is your friend. The more the better. The faster the better. Your disk subsystem and your processors do, of course, have an effect on the performance of your Terminal Server, but no single piece of hardware will impact your Terminal Server as much as memory.

Microsoft has written a handy whitepaper on Terminal Server scaling in conjunction with HP. They divide users into 2 groups: knowledge workers and data entry workers.
On page 8 they provide a table stating that you should allocate 3.5 MB of memory per data entry worker and 9.5 MB of memory per knowledge worker. This is on top of a base of 128 MB of RAM for the system. Use these figures to calculate the amount of memory you will need, and keep in mind it is usually much easier to put in too much memory now than to add more later.

Unfortunately they do not include AMD Opterons in their analysis because the memory performance of Opterons leaves that of Xeons far behind. (I own stock in both AMD and Intel for all of you quick to label me a fanboy.) There are some reviews showing that Opterons also scale much better when you go from 2, to 4, to 8-way systems. All in all you will probably be better served with an Opteron-based Terminal Server than a Xeon-based system, but do your own research into the platforms and make your own decision. The focus of this article is not benchmarking hardware.

The whitepaper also outlines the testing methodology, and provides a guide for you to replicate similar testing on your own should you desire. For my situation this was not really necessary. I already had a system that had been decommissioned from other duties, and was plenty powerful enough to handle the task of running Terminal Server. It is a dual Xeon 2 GHz with 1 GB of RAM and 2 10K RPM Ultra160 drives in RAID1. At most it will handle 30 users, but usually never sees more than ten at a time.

Windows Server 2003 Installation

Before installing the OS, create a single mirrored container in the RAID controller BIOS. If you are trying to set up a server for considerably more users you should use a separate array for user profiles, and possibly for your applications. You may need to investigate NLB or clustering if your load is going to be too great or if your need for 5 nines of uptime requires an extremely fault tolerant solution.

Install Windows Server 2003 with only required services and software.
There should be no DNS, DHCP, or other networking components installed. Once you have begun installing Windows Server 2003, create an 8GB partition for the system drive. Either during or shortly after installation, join the server to the domain. After Windows Server 2003 installation has finished, be sure to run all the Microsoft Updates so the machine is fully patched.

Then, from the remaining space on the drive create 2 more partitions. Create a 6GB partition for log files, and use the rest of the space for a partition to store the user profiles.

The machine should be assigned a static IP address. This does not need to be done until later on, but you should make sure you configure this before locking down the Terminal Server through a GPO.

Terminal Server Installation and Licensing

When installing Terminal Server be sure to select Full Security (it should actually install in this mode by default). The Relaxed Security option is necessary only for compatibility with certain legacy applications which do not behave properly in Full Security mode. Should you need to modify this setting, it can be done later using the Terminal Server Configuration MMC snap-in. If an application requires you to run in Relaxed Security mode, be absolutely sure to return to Full Security mode once you have completely transitioned off of that application.

Once Windows Server 2003 and all updates are applied, run the Add Server Role Wizard from the Manage Your Server screen (or install from Add/Remove Programs --> Windows Components). Select Terminal Server and click Next. The wizard will install Terminal Server and reboot the machine.
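
One way to confirm the installation choices described above (Full Security mode, domain membership, static addressing) before moving on to the GPO lockdown, as an added example that is not part of the original guide. It assumes Windows PowerShell 2.0 is installed on the server and is run as an administrator; the function name is hypothetical, and the registry values TSAppCompat and TSUserEnabled are the standard Terminal Server settings rather than names taken from this page.

```powershell
# Added example (not from the original guide): read-only baseline check.
# Assumes Windows PowerShell 2.0 on the Terminal Server, run as an administrator.
# Get-TsBaselineFinding is a hypothetical helper name.
function Get-TsBaselineFinding {
    $findings = @()
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction Stop

    # TSAppCompat: 1 = Terminal Server role installed,
    # 0 = Remote Desktop for Administration only.
    if ($ts.TSAppCompat -ne 1) {
        $findings += 'Terminal Server role not installed (TSAppCompat is not 1).'
    }

    # TSUserEnabled: 0 = Full Security, 1 = Relaxed Security.
    if ($ts.TSUserEnabled -ne 0) {
        $findings += 'Not in Full Security mode (TSUserEnabled is not 0).'
    }

    # The guide joins the server to the domain during or shortly after installation.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings += 'Server is not joined to a domain.'
    }

    # The guide requires a static IP address before the GPO lockdown is applied.
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $nics) {
        if ($nic.DHCPEnabled) {
            $findings += "Adapter '$($nic.Description)' is still configured by DHCP."
        }
    }

    # The leading comma keeps the result an array even when it is empty.
    return ,$findings
}

$result = Get-TsBaselineFinding
if ($result.Count -eq 0) {
    Write-Output 'Baseline OK.'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Re-running the check after a legacy application has been retired is a quick way to confirm the server was actually returned to Full Security mode.
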

The next thing you need to do is to install Terminal Services Licensing Server somewhere on the network. This is a service necessary for Terminal Server to function, and can be installed on the same system you installed Terminal Server on, or a completely different server. Since this is a small, simple setup we are going to install the Terminal Server Licensing service on this Windows Server 2003 box. The only thing the service is doing is answering requests for license tokens and tracking their use. The impact it has on system performance is negligible. Microsoft states that "Memory usage is less than 10 megabytes (MB). The license database will grow in increments of 5 MB for every 6,000 license tokens issued. The license server is only active when a terminal server is requesting a license token, and its impact on server performance is very low, even in high-load scenarios." You can of course install the License Server on another machine, but we will install it on the Terminal Server in this case. I would recommend reading more on Terminal Server licensing here.

When the system is back online go to Control Panel --> Add/Remove Programs --> Add/Remove Windows Components and select Terminal Server Licensing. Click OK.

When the Terminal Services Licensing Server is installed it will need to be assigned a licensing scope. There are 2 choices and both should behave the same within the context of this network. However, we should make sure to select the “Enterprise” scope option. Although the domain/workgroup licensing option is designed for non-Active Directory domains, it may be useful for some in an Active Directory environment. For instance, if you have a separate budget and needs for Terminal Server at your site, you could install with this licensing option to ensure that your Terminal Server only searched the local subnet for your license server which contained the licenses you had purchased.
Other departments on other subnets could handle their own Terminal Servers and purchase their own licenses.

After the TS licensing service is installed on a server, it must be activated by the Microsoft clearinghouse via the Terminal Services Licensing tool. This activation gives the license server the digital certificate it will use to accept and activate TS CALs. To activate the server go to Start --> Programs --> Administrative Tools --> Terminal Services Licensing --> Right-click on server --> Activate. Activation can be accomplished directly via the Internet or via a web page, fax, or telephone call. If you run the licensing tool on a computer other than the license server and using the, the computer that you are using must have access to the Internet, not the license server.
Last Updated ( Saturday, 11 June 2005 )



