Once the license server is activated it needs licenses to dole out to users. You should see the Install Licenses Wizard start immediately after activation, or you can start it manually from the Terminal Services Licensing MMC. Simply select the server, right-click, and select Install Licenses. You will need to have the Open License agreement from your reseller handy. Type in the authorization number and license number in the spaces provided, type in the number of licenses you purchased, and click Next. Make sure you have opted to install Per User licenses since this will be most cost-effective for our scenario. For some people per-device CALs will be more cost-effective, but it seems to me that per-user CALs are going to be the best fit in most situations. Here is what Microsoft has to offer on the topic:

With the release of Windows Server 2003, there are now two types of Windows CALs to choose from—device-based or user-based, known as Windows Device CALs or Windows User CALs. This means you can choose to acquire a Windows CAL for every device (used by any user) accessing your servers, or you can choose to acquire a Windows CAL for every named user accessing your servers (from any device).
The option to choose between the two types of Windows CALs offers you the flexibility to use the licensing that best suits the needs of your organization. For example:

• Windows Device CALs might make most economic and administrative sense for an organization with multiple users for one device, such as shift workers.
• Whereas, Windows User CALs might make most sense for an organization with many roaming employees that need access to the corporate network from unknown devices and/or employees who access the network via multiple devices.

Once the Terminal Server License Server is installed, activated, and has licenses available to use it will be necessary for the actual Terminal Server to be able to find and communicate with the License Server in order to grant licenses to users. The Terminal Server may be able to find the licensing server (which is of course itself although it doesn’t know it) through an LDAP query to Active Directory. If it can’t though, it will start asking domain controllers. Since no domain controller is a Terminal Server Licensing Server the Terminal Server will need to make a successful LDAP query.

If this is not working (or to simply override this) you can configure a Terminal Server to use a specific license server via the Terminal Server’s registry. Be careful though, because this registry edit is not like most others. In this case, rather than specifying a new registry value and then entering data, you have to create a new registry key (or “folder”). To do this, browse to the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters

Add a new key called “LicenseServers” by right-clicking Parameters -->New --> Key. Select the LicenseServers subkeyand right-click --> New --> Key and type in the NetBIOS name, fully qualified domain name, or IP address of the appropriate license server to add the new subkey under LicenseServers. You don’t need to add any values or data under this new key. Add multiple keys for multiple servers if you wish, although the Terminal Server will only communicate with one license server at a time. Once you’re done, reboot the server for it to take affect.

Go into Start --> All Programs --> Administrative Tools --> Terminal Server Configuration and select the Server Settings folder in the right pane of the MMC. On the left double-click the Licensing option, and select Per User. This is basically all that is necessary in terms of getting TS Licensing working. If you are purchasing only a handful of licenses initially and planning to add more later this is not a problem. Terminal Server will grant 120-day temporary licenses to anyone who needs them. There is no special configuration needed in order to use the temporary licenses.

At this point, all the applications that are going to be required by users need to be installed. Remember, you should have created a separate partition for the program files and user profile data at this point. You should make sure you move the user profiles before installing any of the software. See the following section titled Providing Access and Locking Down Sessions for details on how to do that. This will prevent you from breaking some software by moving the user profile storage location later.

Here is a list of software to be run on Terminal Server:
Microsoft Office XP Professional w/ Frontpage (all features)
Norton Antivirus CE 9.0 (or latest)
Adobe Acrobat Reader
FileZilla
Zip Central
Printers
HomeSite 5.0
Crystal Reports

When installing applications on a Terminal Server you must follow the correct procedure in order to have all the requisite registry entries, .ini files, etc apply to all users who access the Terminal Server. Otherwise the applications will be installed correctly for the user who installed them, but not necessarily for other users. Go to Start --> Control Panel --> Add/Remove Programs --> Add New Programs. Select the install from a CD or floppy option and then follow normal installation procedures. When you have the option to select the installation path change the drive letter to the partition you created for profiles and user data. This will help keep all user interaction off of the system partition and most user rights management that needs to be done is isolated away from the system partition as well.

All of the technical information regarding GPO settings in this section is blatantly stolen from this Microsoft Locking Down Windows Server 2003 Terminal Server Sessions whitepaper. I am not going to annotate or put quotes around every single GPO setting for readability, but the text came from that document. I have embellished some of their text when it needed a bit more of an explanation as to why you'd use that setting.

You'll notice that they offer a lot more GPO settings than I am going to use. That is because I found some of the settings they use to be unnecessary for this particular environment. You'll need to make similar decisions on how strictly you need to control your Terminal Server, but I suggest you err on the side of strictness. It will prevent users from accidentally mucking up the server in which case you may need to start all over again.

The first thing that should be done to lock down Terminal Server sessions is to move the temporary storage location of user profiles to a separate partition. This not only tightens security, it can boost performance significantly if you move them to a seperate physical disk. This is not the case in our example, but we still benefit from keeping people out of the system partition. Typically, these temporary Terminal Services profiles are stored under %SystemDrive%\Documents and Settings\%Username%, even if roaming profiles are used in the network environment. To change the location to another partition, do the following:

1. Create a Documents and Settings Folder on the partition.
2. Modify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory using a Reg_Sz value to specify the new location.
3. Restart the server.
4. Copy the Default and All Users profiles to the new location.