
Document: Windows Server 2008 Inside Out - P20 ppt



Some people, meaning only some users can’t print and some can. If some people
can’t print, the problem likely has to do with the permissions, application soft-
ware, or the network. Perform the following actions:

Check the network using a computer in the same subnet as the people
having the problem. See if you can ping the printer’s IP address. At the
command line, type ping PrinterIP, where PrinterIP is the IP address of the
printer. If you can’t ping the printer’s IP address from any system on the
subnet, a switch or routing between the user’s computer and the printer
might be bad or disconnected. This happens a lot if local switches/hubs are
under people’s desks.

Check the printer permissions and the permissions on the spool folder to
see if the groups of which the users are members have appropriate access. If
the permissions are set incorrectly, the spooling won’t work. See “Configuring
Print Spool, Logging, and Notification Settings” on page 889 and the
Troubleshooting sidebar “Check permissions on the spool folder” on page
881.

Check the print processor. Windows 95, Windows 98, and Windows Me
clients can print only if the print processor uses the RAW data type. See
“Viewing the Print Processor and Default Data Type” on page 901.

Check the application being used for printing. The application might be
incorrectly configured or the default printer might not be what users think
it is.

Check the error message generated when printing. If the client gets an
error stating it must install a print driver when connecting to a printer,
this means the correct drivers are installed on the server but aren’t available
to the client. Additionally, Windows 95, Windows 98, and Windows
Me clients do not automatically check for updated drivers and must be
updated manually. See “Installing and Updating Print Drivers on Clients”
on page 894.

One person, meaning only one user can’t print. If only one person can’t print, the
problem likely has to do with application software, the user’s computer, or per-
missions. Start with the user’s computer and perform the following actions:

Check the application being used for printing. The application might be
incorrectly configured, or the default printer might not be what the user
thinks it is.

Check the user’s computer. The Print Spooler service must be running
for the user to print. The computer must have sufficient temporary space
to generate the initial spool file. The computer must have other essential
services configured. The list goes on. Essentially, it is better if you restart
the computer if you suspect the problem has to do with that computer
specifically.

Check to make sure the user’s computer can connect over the network to
other resources. Try pinging the router or the printer in question.
Printer Maintenance and Troubleshooting 917
Chapter 27

Check the error message generated when printing. If the client gets an
error stating it must install a print driver when connecting to a printer, this
means the correct drivers are installed on the server but aren’t available to
the client. See “Installing and Updating Print Drivers on Clients” on page
894. If the client gets an “Access Denied” error, this is a permissions issue.

Check the printer permissions and the permissions on the spool folder to
see if the user or groups of which the user is a member have appropriate
access. If the permissions are set incorrectly, the spooling won’t work. See
“Configuring Print Spool, Logging, and Notification Settings” on page 889
and the Troubleshooting sidebar “Check permissions on the spool folder”
on page 881.
Resolving Garbled or Incorrect Printing
If the printer prints garbled or incorrect pages, this can be a sign that the printer is
incorrectly configured. You should check the print driver and the print processor settings.
You might want to reinstall the print driver as discussed in “Viewing and Configuring
Print Drivers” on page 887. You might want to change the print processor data
type to RAW or EMF to see if this clears up the problem. See “Viewing the Print Processor
and Default Data Type” on page 901.
To resolve this problem, check the following:

Ensure that the complete document is transferred to the printer before printing
starts by selecting the Start Printing After Last Page Is Spooled option. See “Configuring
Print Spooling” on page 900.

Try using the RAW data type or the EMF data type to see if this clears up the
problem. See “Viewing the Print Processor and Default Data Type” on page 901.

Try removing any separator page that is used, because this might be setting the
printer page description language incorrectly. See “Configuring Separator Pages”
on page 902.

Try clearing the Enable Advanced Printing Features check box on the Advanced
tab. This disables metafile spooling. Windows 95, Windows 98, and Windows Me
clients use SMB connections and spool RAW-formatted files to the print server.
See “Configuring Print Spooling” on page 900.
918 Chapter 27 Managing and Maintaining Print Services
Terminal Services lets users run Microsoft Windows–based applications on a remote
server. When users run an application on a terminal server, the execution and pro-
cessing take place on the server, and only the data from devices such as the display,
keyboard, and mouse are transmitted over the network. A client logged on to a terminal
server and running applications remotely is said to be using a virtual session. Although
there may be dozens or hundreds of users simultaneously logged on to a terminal
server, users see only their own virtual sessions.
Using Terminal Services
You can use Terminal Services to rapidly deploy and centrally manage Windows-based
applications. One advantage of this method is that you can be sure that all users are
running the same version of an application and that they can do so from any computer.
Another advantage is that organizations with older computers running earlier ver-
sions of Windows can get more mileage out of their computers by having users run
applications on terminal servers instead of locally on their desktops. Terminal Services
involves these key elements:

Terminal Services clients

Terminal Services servers

Terminal Services licensing
Terminal Services Clients
Within the organization, the primary client used to establish connections to a terminal
server is the Remote Desktop Connection (RDC) client. This client comes installed
on the Microsoft Windows XP, Windows Vista, Windows Server 2003, and Windows
Server 2008 operating systems and is available for installation on other versions of
Windows as well. For details on the use and features of this client, see “Supporting
Remote Desktop Connection Clients” on page 613.
Using Terminal Services
Designing the Terminal Services Infrastructure
Setting Up Terminal Services
Using the Terminal Services Configuration Tool
Configuring RemoteApps
Using Terminal Services Manager
Managing Terminal Services from the Command Line
Other Useful Terminal Services Commands
Configuring Terminal Services Per-User Settings
CHAPTER 28
Deploying Terminal Services
By sending only the data required for I/O devices to and from the server, Terminal Services
significantly reduces the amount of data transferred between a client and a server.
This reduces the amount of network bandwidth used, allowing Terminal Services to
operate in low-bandwidth environments. In addition, users are able to optimize per-
formance based on the speed of their connection. On a 28.8 Kbps modem, a user has
only the essential features to ensure the best overall performance possible. As a user
goes from a 28.8 Kbps modem connection to a LAN connection at 10 Mbps or higher,
Windows features are automatically added to enhance the user experience. Administrators
can also configure Terminal Services to restrict the additional features. For
example, if hundreds of users are using a terminal server, you might need to restrict
enhancements to ensure the overall performance of the server. If you don’t do this and
the terminal server is overworked, it might fail.

For access to remote applications from the Internet or the enterprise intranet, Microsoft
provides several new options for Windows Server 2008:

Terminal Services Remote Application (RemoteApp) is a program that a user
accesses remotely through Terminal Services and appears as if it is running
on the user’s local computer. Thus, instead of being presented to the user on
the desktop of the remote terminal server, a RemoteApp runs in its own resizable
window and has its own entry on the taskbar. Although each RemoteApp
appears to be separate on the desktop, multiple RemoteApps running on the
same desktop share the same Terminal Services session.

Terminal Services Gateway (TS Gateway) enables authorized users to connect to
network resources from any Internet-connected device that can run the Remote
Desktop Connection client. TS Gateway uses the Remote Desktop Protocol (RDP)
over HTTPS to establish secure, encrypted connections between remote users
and network resources. Network resources available through TS gateways include
terminal servers as well as computers with Remote Desktop enabled. Because TS
gateways operate over HTTPS, they can be used to easily traverse firewalls and
NATs.

TS Web Access provides access to terminal servers through a Web
browser. The default TS Web Access Web page includes a customizable frame
and Web part. This page provides clickable links to the available programs des-
ignated as Remote Applications (RemoteApps). When you install TS Web Access,
Windows installs Internet Information Services (IIS) 7.0 as well and uses IIS 7.0
to provide access to your RemoteApps.
These options allow you to deploy Terminal Services in many additional ways and to
improve the overall experience for end users. However, TS Gateway and TS Web Access
can greatly increase the overall complexity of a Terminal Services implementation.
Because of these additional complexities, you might want to consider having separate
Terminal Services installations, as follows:

One or more installations that’ll be used internally only with standard options,
such as the RDC client and RemoteApps. For ease of reference throughout this
chapter, I will refer to servers with this type of installation as standard terminal
servers when I need to differentiate between the two types of installations.

One or more installations that’ll be used for Internet-based or intranet-based
access with TS Gateway and TS Web Access. For ease of reference throughout
this chapter, I will refer to servers with this type of installation as Web access or
gateway terminal servers when I need to differentiate between the two types of
installations.
In this way, you ensure that there are separate environments with separate require-
ments and separate procedures.
Terminal Services Servers
It’s very easy to set up a standard terminal server. What isn’t so easy is getting the
infrastructure right before you do so and maintaining the installation after it’s in place.
Before you install Terminal Services, it is essential to plan the environment and to
deploy Terminal Services before you install applications on the terminal server. After
you deploy Terminal Services, you will configure the environment, install applications,
and make those applications available to remote users.
The features for the Remote Desktop Connection client were discussed in “Supporting
Remote Desktop Connection Clients” on page 613. For Windows Server 2008, there are
many standard features and enhancements as well. The administration tools for Termi-
nal Services include the following:

Terminal Services Manager

Terminal Services Manager, shown in the following
screen, is the primary tool for managing terminal servers and client connections.
Unlike previous versions, the current version doesn’t automatically enumerate
all the terminal servers that are available. Instead, it gives direct access to a local
server if it is running Terminal Services and allows you to selectively enumer-
ate servers and add servers to a list of favorites for easier management. In a large
installation with many terminal servers, this makes Terminal Services Manager
more responsive.
Note
It is important to note that certain features of Terminal Services Manager work only
when you run the tool from a client. For example, if you run Terminal Services Manager
on a terminal server, you won’t be able to use the Remote Control and Connect features.

TS Licensing Manager
TS Licensing Manager, shown in the following screen,
is used to install licenses and activate a Terminal Services license server. The
enhanced interface makes it easier to install licenses and to activate or deactivate
license servers.

Terminal Services Configuration
Terminal Services Configuration, shown in the
following screen, is used to manage terminal server connections as well as global
and default server settings. Terminal server connections and the Remote Desktop
Protocol (RDP) are what allow users to establish remote connections to a terminal
server. Server settings also enable you to easily set terminal server policy. A key
policy is the single session policy, which, when activated, limits a user to a single
session, whether the session is active or not.

TS RemoteApp Manager
TS RemoteApp Manager, shown in the following screen,
configures RemoteApps as well as deployment settings that apply to RemoteApps.
After you’ve configured a terminal server, you can copy the list of RemoteApp
programs and deployment settings from that server to another using export and
import tasks.

TS Gateway Manager
TS Gateway Manager, shown in the following screen, is
used to configure authorization policies that control access to network resources
according to group membership. You use Terminal Services connection authori-
zation policies (TS CAPs) to specify who can connect to a TS Gateway server, and
Terminal Services resource authorization policies (TS RAPs) to specify the inter-
nal network resources to which users can connect through a TS Gateway server.

TS Web Access Administration
TS Web Access Administration, shown in the
following screen, provides access to the IIS server hosting the Web applications
required for Web access to Terminal Services, including a primary TS application
and two RPC proxy applications. Similar to what a user sees, you can view the list
of available RemoteApp programs or connect to remote desktops to which you
have access.

You can access the Terminal Services administration tools on the Administrative Tools\
Terminal Services menu. To access a tool, click Start, All Programs, Administrative
Tools, Terminal Services, and then select the desired tool, such as Terminal Services
Manager.
Terminal Services has important changes for security as well. For internal access, you
have the option of adding users and groups to the Remote Desktop Users group. This
is a standard group for which you can configure membership in Active Directory Users
And Computers. By adding the Domain Users group to the Remote Desktop Users
group, you allow all authenticated users to use Terminal Services. If instead you were to
add the special group Everyone, anyone with access to the network could use Terminal
Services.
For Internet-based or intranet-based access, you can specify TS Gateway user groups
that can access Terminal Services using RDP over HTTPS. No standard groups are
created for you, so you should consider what groups you might need as part of your
deployment plans and then create these groups in Active Directory Users And Comput-
ers. For example, you might want to create a group called External TS Users. To grant
Internet-based or intranet-based access, you would then add specific groups or users as
members of this group. To enhance security you typically would not want to make the
Domain Users or Everyone groups members of your special external access group or
groups.
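The group guidance above can be checked on a terminal server with a short audit. The following PowerShell is an added example, not code from the book: it lists the members of the local Remote Desktop Users group and flags Everyone, Authenticated Users, BUILTIN\Users, and any Domain Users group by well-known SID. The function names are hypothetical.

```powershell
# Added example, not from the book: audit the local Remote Desktop Users group
# for principals that open Terminal Services to far more accounts than intended.

# Well-known SIDs that stand for very broad sets of accounts.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrincipalName {
    param([Parameter(Mandatory = $true)][string]$Sid)

    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users always has RID 513 under the domain SID, whatever the
    # domain is called.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Get-RemoteDesktopUsersAudit {
    # Resolve the group through its well-known SID (S-1-5-32-555) so the
    # lookup also works on localized installations.
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
    $groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members come back as COM objects, so read their properties by name.
        $type  = $member.GetType()
        $name  = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value

        $broad   = Get-BroadPrincipalName -Sid $sid
        $finding = 'OK'
        if ($broad) { $finding = "REVIEW: grants access to $broad" }

        New-Object PSObject -Property @{
            Member  = $name
            Sid     = $sid
            Finding = $finding
        }
    }
}

Get-RemoteDesktopUsersAudit | Format-Table Member, Sid, Finding -AutoSize
```

Nested groups are not expanded, so a member reported as OK can still contain Domain Users and should be reviewed in Active Directory Users And Computers.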
Terminal Services supports 128-bit encryption as well as encryption compliant with
the Federal Information Processing Standard (FIPS). Using 128-bit encryption ensures
a high level of encryption, which provides powerful protection of the data sent between
a Terminal Services client and a server. FIPS encryption is added to provide compliance
with FIPS 140-1 and FIPS 140-2, which are standards for Security Requirements for
Cryptographic Modules, a necessity for some organizations.
Terminal Services printing has been enhanced in Windows Server 2008 with the addition
of the Terminal Services Easy Print driver and a Group Policy setting that enables
you to redirect only the default client printer. The Terminal Services Easy Print driver
allows users to reliably print from a RemoteApp program or from a terminal server
desktop session to the correct printer configured for use on their client computers. It
also enables users to have a much more consistent printing experience between local
and remote sessions.
The Redirect Only The Default Client Printer setting in Group Policy allows you to
specify whether the default client printer is the only printer that is redirected in Termi-
nal Services sessions, which helps to limit the number of printers that the spooler must
enumerate, therefore improving terminal server scalability.
Note
To use the Terminal Services Easy Print driver, clients must be running Remote Desktop
Connection (RDC) client version 6.1 or later and have Microsoft .NET Framework 3.0
Service Pack 1 (SP1) installed. Note also that the terminal server fallback printer driver is
not included with Windows Server 2008. Although the Specify Terminal Server Fallback
Printer Driver Behavior setting still exists in Group Policy, it cannot be used with terminal
servers running Windows Server 2008.
Terminal Services Licensing
A Terminal Services license server is required to set up Terminal Services (see Figure
28-1). The license server, responsible for issuing licenses and tracking their usage,
maintains a pool of all available licenses. The assigned licenses are also tracked so that
they can be validated. Terminal Services requires that you get official licenses from
Microsoft and activate them through the Microsoft Clearinghouse.
Figure 28-1 Terminal Services implementation with a license server. (Diagram labels: Microsoft Clearinghouse, license pack activation, Terminal Services license server, license pool, license, terminal server, session, Terminal Services client.)
The first time a client connects to a terminal server, the terminal server checks for a
license. If the client has a license, the terminal server validates it and allows the client
to connect. If the client doesn’t have a license, the terminal server locates a license
server (using a network broadcast in workgroups or through Active Directory in
domains) and requests a new license. If that license server doesn’t have a license to
offer, the client is not allowed to connect.
Note
For the first 120 days after deployment, clients can be granted a temporary license if an
activated license server is not available. After this grace period, Terminal Services will
stop serving unlicensed clients.
Provided that the server has a license, it will give the license to the terminal server,
which in turn issues it to the client. Client access licenses provided by Terminal Services
are issued per device or per user, so the way licensing works depends on the
licensing configuration—which can be mixed and matched as necessary. With per-device
licensing, the license is valid only for a particular computer and will be validated
in the future to the globally unique identifier (GUID) of the machine on which the client
is running. With per-user licensing, the license is valid only for that user and will be
validated in the future to the GUID of the user’s account.
Note
Terminal Services client access licenses are issued per device or per user only. They are
not available in per-server mode because Windows sessions are not allowed in per-server
mode.
An issued license is valid for a period of 52 to 89 days; the interval is assigned ran-
domly. When the client later disconnects or logs off the terminal server, the license is
not returned to the pool. The expiration date serves to return unused licenses to the
license pool. Each time a client connects to a terminal server, the expiration date of its
license is checked. If the current date is within seven days of the expiration date, the
license server renews the license for another 52 to 89 days. If a client doesn’t log back
on to the terminal server before its license expires, the license is returned to the license
pool, which makes it available to other clients.
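The issue, renew, and expire rules above determine how long a device that connected only once keeps a license out of the pool. The following PowerShell is an added illustration, not Microsoft code and not from the book: it models the per-device lifecycle with days as integers. The function names and the sample clients are constructed, the 120-day grace period is left out, and a renewal is assumed to count from the day of the connection.

```powershell
# Added illustration, not Microsoft code: a day-by-day model of the license
# lifecycle described in the text. Temporary licenses and the 120-day grace
# period are left out. Assumption: a renewal runs from the connection day.

function New-ValidityDays {
    param([System.Random]$Rng)
    # 52 to 89 days inclusive; Random.Next excludes the upper bound.
    return $Rng.Next(52, 90)
}

function Invoke-TsLicenseSimulation {
    param(
        [int]$PoolSize,
        [object[]]$Connections,   # each item has Day (int) and Client (string)
        [int]$Seed = 1
    )
    $rng    = New-Object System.Random $Seed
    $issued = @{}                 # client -> day on which its license expires
    $free   = $PoolSize

    foreach ($c in ($Connections | Sort-Object Day)) {
        # Only expiration returns a license to the pool; disconnecting or
        # logging off does not.
        foreach ($name in @($issued.Keys)) {
            if ($issued[$name] -lt $c.Day) {
                $issued.Remove($name)
                $free++
            }
        }

        if ($issued.ContainsKey($c.Client)) {
            # Existing license: renew only within seven days of expiration.
            if (($issued[$c.Client] - $c.Day) -le 7) {
                $issued[$c.Client] = $c.Day + (New-ValidityDays $rng)
                $result = 'Renewed'
            } else {
                $result = 'Valid'
            }
        } elseif ($free -gt 0) {
            # No license yet and the pool has one to offer.
            $free--
            $issued[$c.Client] = $c.Day + (New-ValidityDays $rng)
            $result = 'Issued'
        } else {
            # The license server has nothing to offer: connection refused.
            $result = 'Denied'
        }

        [pscustomobject]@{
            Day          = $c.Day
            Client       = $c.Client
            Result       = $result
            ExpiresOnDay = $issued[$c.Client]
            FreeLicenses = $free
        }
    }
}

# Constructed sample: a pool of two licenses and three devices.
# kiosk-1 connects once on day 0 and never returns.
$sample = @(
    [pscustomobject]@{ Day = 0;  Client = 'kiosk-1'  }
    [pscustomobject]@{ Day = 1;  Client = 'pc-7'     }
    [pscustomobject]@{ Day = 2;  Client = 'laptop-3' }
    [pscustomobject]@{ Day = 50; Client = 'pc-7'     }
    [pscustomobject]@{ Day = 95; Client = 'laptop-3' }
)

Invoke-TsLicenseSimulation -PoolSize 2 -Connections $sample |
    Format-Table Day, Client, Result, ExpiresOnDay, FreeLicenses -AutoSize
```

In the sample, laptop-3 is denied on day 2 even though kiosk-1 logged off long before, and it gets a license on day 95 only because the kiosk-1 license has expired by then.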
TS Licensing for Windows Server 2008 now includes the ability to track the issuance of
TS Per User CALs in TS Licensing Manager. If the terminal server is in Per User licens-
ing mode, the user connecting to it must have a TS Per User CAL. If the user does not
have the required TS Per User CAL, the terminal server will contact the license server
to get the CAL for the user. After the license server issues a TS Per User CAL to the user,
you can track the issuance of the CAL in TS Licensing Manager.
You can reassign a client access license from one device to another device or from one
user to another user. However, there are some limitations. The license must be either
permanently reassigned away from its existing owner (device or user), or it must be
temporarily reassigned to a loaner device while a permanent device is out of service, or
to a temporary worker while a regular employee is absent.

Terminal Services licensing changes
Anyone who wants to use Terminal Services must have a client access license. This
remains true whether a user connects to the terminal server using Remote Desktop
Protocol (RDP), RDP over HTTPS, or another vendor’s protocol. You can purchase client
access licenses using the licensing programs discussed in “Selecting a Software Licensing
Program” on page 63. This means that small companies can purchase licenses in packs of
5, 20, or more, while bigger companies can purchase licenses under programs such as the
Microsoft Open License.
When you purchase licenses in packs, you’ll receive a product activation code that can be
used one time to activate the number of licenses purchased. When you use Open License
or other programs, you purchase a set number of licenses. With Open License, you are
then issued an Open License Authorization and a set of license numbers that you can use
to activate licenses. Under Select and Enterprise licensing agreements, you provide your
Enrollment Agreement Number to activate licenses.
In the past, the requirement for a Terminal Services client access license was waived if the
device accessing the terminal server was running the same or later version of an equivalent
desktop operating system. For example, a client running Windows XP Professional
could access a Windows 2000 terminal server without needing a Terminal Services client
access license. With the release of Windows Server 2003 and Windows Server 2008, all
clients are required to have a Terminal Services client access license.
Designing the Terminal Services Infrastructure
Terminal Services can be deployed in single-server and multi-server environments. The
first thing to plan is Terminal Services capacity. Capacity planning can help you determine
the actual number of users that a specific Terminal Services configuration can
support.
Capacity Planning for Terminal Services
It is important to note that Windows Server 2008 has significant scalability advantages
over its predecessors. Primarily this is because the Windows Server 2008 kernel
provides better use of the 32-bit virtual address space. Because a terminal server must
allocate virtual resources for all users who are logged on, whether they are active or in
a disconnected state, the improved memory handling in Windows Server 2008 gives it
significant advantages over Windows 2000 Server and some advantage over Windows
Server 2003. In addition, Windows Server 2008 is more effective at using faster processors
and system buses. This again gives Windows Server 2008 significant advantages
over Windows 2000 Server and some advantage over Windows Server 2003.
Because remote serving of applications is both processor-intensive and memory-
intensive, the most significant limits on the number of users a server can support
are imposed by a server’s processing power and available RAM. Network bandwidth
and disk performance can also be factors, but typically, a server’s capacity to handle
requests will be exhausted well before the network bandwidth and disk drive subsys-
tems have reached maximum utilization.
Planning should start by looking at not only the number of users you need to support
but also the following factors:

The type of users you need to support

The applications users will be running

The way users work
These latter characteristics play a significant role in the actual usage of a server. Users
can be divided into three general types as follows:

Data entry worker

Data entry workers provide data input. They typically perform
data entry, transcription, order entry, or clerical work. Data entry workers typi-
cally have low impact on a server on a per-user basis. This means a server used
primarily by data entry workers could scale to a larger number of users than a
server used by other types of workers.

Knowledge worker
Knowledge workers perform day-to-day tasks using business
applications. Rather than providing strictly data input, knowledge workers create
documents, spreadsheets, presentations, and reports. Knowledge workers typi-
cally have moderate impact on a server on a per-user basis. This means a server
being used primarily by knowledge workers would not scale as well as a server
being used by data entry workers.

Productivity worker
Productivity workers are the high-performance workers in
the business environment. Their daily tasks include specialized applications for
graphic design, CAD, 3D animation, and applications that perform complex cal-
culations or require a high amount of processing. Productivity workers typically
have high impact on a server on a per-user basis. This means a server being used
primarily by productivity workers would scale to a lower number of users than a
server used by the other types of workers.
The impact of these types of users can best be illustrated graphically. Consider the sce-
nario in Figure 28-2. The chart shows the number of different types of users that can be
supported on three different server configurations.

Server A is a four-processor system with high-end processors and 4 GB RAM.

Server B is a two-processor system with high-end processors and 4 GB RAM.


Server C is a one-processor system with a high-end processor and 4 GB RAM.
Figure 28-2 Terminal Services capacity example. (Bar chart: number of users, 0 to 600, supported by servers A, B, and C for data entry workers, knowledge workers, and productivity workers.)
As you can see from the example, each server can handle a large number of data entry
workers relative to other types of workers. Because CPU power and RAM are so impor-
tant, the servers are given fast processors and a lot of RAM. These results are based on
using Intel Xeon processors operating at 3.2 gigahertz (GHz) and using a 2 megabyte
(MB) L2 cache with an 800 megahertz (MHz) front side bus.
Although the example takes into account the types of users and the types of applications
being used, it doesn’t take into account the way users work. The way users work
can also have a significant impact on Terminal Services. You should also consider these
factors:

Users’ typing speed

Users’ work habits

Experience settings on the client
Believe it or not, typing speed can affect performance. Many users who type very
quickly will make more updates and require more processing than a group of users
who type slowly. You don’t want to tell users to type more slowly, but you do want to
take their typing skills into account.
Users with poor work habits can have a significant impact on performance. Consider
the case of a user who exits applications rather than switching among them: The user
starts Microsoft Outlook to check his mail, exits Outlook, starts Microsoft Word to type
a document, exits Word, starts Outlook again to check his e-mail, exits Outlook, and so
on—and does this all day long. Starting and exiting applications requires more processing
and resources than simply switching among applications as you use them.
The experience settings on the client can have a significant impact on performance as
well. If users have optimized their experience settings for LAN connections of 10 Mbps
or higher, they will have desktop backgrounds, themes, menu and window animation,
and other extras that require a lot more processing on the server. The only experience
setting that actually improves performance is bitmap caching, which ensures that caching
is used as much as possible to reduce the amount of data that has to be passed to
the client. Client display settings also affect server performance. The default display setting
is for High Color (16 bit). An additional option is available for True Color (24 bit).
As 24-bit color requires a lot more processing than 16-bit color, this setting should
be used only by those who need high-end color resolution, such as graphic designers.
Having covered factors that can affect performance, let’s take a closer look at how to
plan for capacity. Start by determining the average number of Terminal Services users.
Remember that both active users and those with inactive or disconnected sessions use
system resources. Then consider the types and average numbers of applications users
will be running. Run those applications and use the techniques discussed in Chapter
11, “Performance Monitoring and Tuning,” and Chapter 12, “Comprehensive Performance
Analysis and Logging,” to determine how much physical and virtual memory
each application uses on average. This should give you a good baseline for capacity
planning.
If a server will have 100 users, who each run four applications on average, and those
applications collectively use 10 MB of physical memory and 24 MB of virtual memory
on average, you know the system will need a minimum of 1 gigabyte (GB) of RAM for
good performance. That’s the baseline. You typically want to have 50 percent capacity
above the baseline usage to ensure that the server can handle peak usage loads and can
support additional users if necessary. Therefore, in this scenario you’d want to have a
minimum of 1.5 GB of RAM above what the operating system and configured roles, role
services, and features require.
Processing power is as important as RAM. A server’s processors need to be able to keep
up with the processing workload. As you scale up, you need to be able to add processors
to handle the additional processing load of additional users. If you are monitoring
server performance, pay particular attention to the Copy Read Hits % performance
counter of the Cache performance object. This counter tracks the percentage of cache
copy read requests that did not require a disk read to provide access to the page in
cache. For best performance, you want this counter to be at 95 percent or above (optimally
at 99 percent). If the counter is below 95 percent, the server is reading from the
page file on disk frequently and this can affect performance. You can resolve this problem
by adding RAM to the system.
Also consider network bandwidth and disk configuration in capacity planning. A
network running at 100 megabits per second (Mbps) can handle hundreds of Terminal
Services users. A network running at 1,000 Mbps (Gigabit Ethernet) can handle
thousands of Terminal Services users. Consider existing traffic on the network before
Terminal Services is deployed as a limiting factor. For capacity planning, you can test
the average amount of bandwidth a client uses when working with a terminal server by
monitoring the Bytes Total/Sec counter of the Network Interface performance object.
If a client uses 1,250 bytes per second on average, this is 10,000 bits per second. In
theory, a network running at 100 Mbps could handle 10,000 of these clients. Reduce
this by 50 percent to shift from the theoretical to what is probably possible, and then
subtract current bandwidth usage to come up with a working number.
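The memory, cache, and bandwidth rules above can be applied to live measurements. The following PowerShell script is an added example, not code from the book: it samples the two counters named in the text with Get-Counter and applies the 50 percent headroom, 95 percent cache threshold, and 50 percent bandwidth reduction. The server and client names and all parameter names are assumptions.

```powershell
# Added example, not from the book. Server and client names are placeholders;
# the two counter paths are the ones named in the text.
# Get-Counter requires Windows PowerShell 2.0 or later.
param(
    [string]$Server       = 'TS01',        # pilot terminal server (placeholder)
    [string]$Client       = 'TSCLIENT01',  # test client with an active session (placeholder)
    [int]   $Users        = 100,           # planned number of users
    [double]$MemPerUserMB = 10,            # measured physical memory per user, in MB
    [double]$LinkMbps     = 100,           # network link speed
    [double]$ExistingMbps = 0,             # traffic already on the network
    [int]   $Seconds      = 60             # sampling window
)

function Get-CounterAverage {
    param([string]$Path, [string]$Computer, [int]$Seconds)
    $sets = Get-Counter -Counter $Path -ComputerName $Computer `
                        -SampleInterval 1 -MaxSamples $Seconds
    # Sum all instances in each sample (several NICs), then average over the window.
    $perSample = $sets | ForEach-Object {
        ($_.CounterSamples | Measure-Object -Property CookedValue -Sum).Sum
    }
    ($perSample | Measure-Object -Average).Average
}

# Memory: baseline plus 50 percent headroom, on top of what the OS and roles need.
$baselineMB = $Users * $MemPerUserMB
$targetMB   = $baselineMB * 1.5

# Cache: sample while users are working; below 95 percent points to too little RAM.
$hitPct = Get-CounterAverage '\Cache\Copy Read Hits %' $Server $Seconds

# Network: bytes/sec to bits/sec, halve the theoretical link capacity,
# subtract existing traffic, then divide by the measured per-client rate.
$clientBps  = 8 * (Get-CounterAverage '\Network Interface(*)\Bytes Total/sec' $Client $Seconds)
$usableBps  = ($LinkMbps * 1e6 * 0.5) - ($ExistingMbps * 1e6)
$maxClients = $null
if ($clientBps -gt 0) {
    $maxClients = [math]::Floor([math]::Max(0, $usableBps) / $clientBps)
}

New-Object PSObject -Property @{
    BaselineMemoryMB    = $baselineMB
    TargetMemoryMB      = $targetMB
    CopyReadHitsPct     = [math]::Round($hitPct, 1)
    AddRamRecommended   = ($hitPct -lt 95)
    ClientBitsPerSec    = [math]::Round($clientBps)
    EstimatedMaxClients = $maxClients
}
```

Run it while the test client is doing representative work in a session, because an idle session understates the per-client rate and an idle server gives a misleading cache reading.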
Disk subsystem performance can also have a substantial impact on overall performance,
especially on a server that makes moderate to heavy use of the paging file.
Because the number and frequency of standard read/write operations for files affects
the design of the disk subsystem, these operations will also affect overall performance.
Ideally, the disk subsystem on a terminal server will be configured with hardware RAID
and multiple RAID controllers rather than software RAID. When multiple SCSI/RAID
controllers are used, disks should be configured to distribute the load. When you
install applications that will be used with Terminal Services, you can help spread the
load by installing and configuring applications to use different disk sets on different
SCSI/RAID controllers.
Planning Organizational Structure for Terminal Services
When you are deploying Terminal Services, your planning should include deciding
where in the organizational structure your terminal servers should be located. As discussed
in Chapter 19, “Using Remote Desktop for Administration,” servers running
in Terminal Server mode should be clearly separated from servers running in Remote
Desktop for Administration mode. This ensures that administrators and support personnel
can use Remote Desktop for Administration throughout the organization and
that selected users can make use of terminal servers.
The best way to achieve separation of these services is to deploy terminal servers in a
separate organizational unit (OU), which I will call the Terminal Services OU. You can
then implement policies and restrictions for Terminal Services separately from those for
the rest of the organization. To start, you should place the computer accounts for your
terminal servers in the Terminal Services OU. When you do this, you can apply system-
wide restrictions to terminal servers and enforce these restrictions using a computer-
based policy. These restrictions then replace or are added to the restrictions a Terminal
Services user usually has when logging on to the domain.
If you need to provide additional restrictions for Terminal Services users, you can do so
on a per-user basis by placing the user account in the Terminal Services OU and defining
user-based policy restrictions. In this way, the restrictions are enforced wherever
the user logs on to the domain.
Deploying TS Gateway and TS Web Access requires considerable additional planning.
To ensure secure connectivity, you’ll need:

A terminal server

An IIS server

A Network Policy Server

A Routing and Remote Access server
Although one physical server could act as all these servers in a small installation, the
configuration required to make it all work is fairly extensive. You must:

Create an authentication certificate for the server using either a certificate authority
or a self-signed certificate

Define authorization policies that control connections and resource access on terminal
servers

Configure network policy and access services that control connections from
remote locations

Configure IIS to provide the necessary Web hosting services for Terminal
Services
Not only must you develop plans to configure these servers, but you must also develop
maintenance plans that include regular monitoring and periodic optimization of the
environment.
Deploying Single-Server Environments
Deploying Terminal Services in a single-server environment is much easier than
deploying Terminal Services in a multi-server environment. In a single-server deployment,
a group of clients always connects to the same server, so that although your
organization might have three terminal servers, Group A always uses Server 1, Group B
always uses Server 2, and Group C always uses Server 3, as shown in Figure 28-3.
A single-server configuration is the easiest to set up, as you need to perform only the
following steps:
1. Install the operating system on your designated server and configure the server
so it is optimized as appropriate for its intended use.
2. Install the required Terminal Services roles using the Add Roles Wizard to make
Terminal Services available to clients.
3. Install applications to be used by clients using the Install Application On
Terminal Server tool under Programs in Control Panel, which ensures that the
applications are set up using Install mode for Terminal Services rather than
Execute mode.
4. Install a Terminal Services license server and configure licenses for use.

5. Install terminal clients and configure them to use the Remote Desktop
Connection client or RDC over HTTP. Alternatively, configure applications to run
as RemoteApps.
Steps 2 through 4 are discussed in detail in this chapter. Chapter 19 discussed Remote
Desktop Connection client setup and support.
[Diagram: Client Group A (Client 1 through Client N) connects to Terminal Server 1, Client Group B to Terminal Server 2, and Client Group C to Terminal Server 3; each terminal server hosts its own Terminal Services sessions.]
Figure 28-3 Terminal Services in a single-server environment.
Deploying Multi-Server Environments
Deploying Terminal Services in a multi-server environment requires a lot of planning
and an advanced setup. In a multi-server environment, you use load balancing to create
a farm of terminal servers whose incoming connections are distributed across multiple
servers. Clients see the load-balanced terminal server farm as a single server. The
farm has a single virtual IP address, and client requests are directed to this virtual IP
address, allowing for seamless use of multiple servers.
Multi-server Terminal Services environments can be implemented using load balancing.
A variety of techniques is possible, including using TS Session Broker Load Balancing
with DNS round robin, TS Session Broker Load Balancing with routing tokens,
Microsoft Network Load Balancing, and hardware load balancers. A client that connects
to a load-balanced terminal server is said to be in a virtual session. If that session is disconnected,
processing continues in a disconnected state and the client can be configured
to automatically try to reconnect the session. In a load-balanced farm, you always
want a client to connect to the server it was originally working with. This enables users
to continue where they left off without loss of data and without having to restart their
applications, open documents, and so on.
For multi-server Terminal Services environments, session information is managed
using a TS Session Broker server (see Figure 28-4). A TS Session Broker server is a
server that uses the Terminal Services Session Broker (TS Session Broker) role service
to maintain a TS Session Broker database, which contains a record for each session. The
record includes the user name under which the session was established, the session ID,
and the server to which the session is connected in the load-balanced farm. TS Session
Broker servers are a new feature for Windows Server 2008.
Whenever a client tries to establish a Terminal Services connection and the user is
authenticated, the session database is queried to see if a session record for that user
exists. In this way, a user who was disconnected from a session can reconnect to the
original session on the correct server. Without session management, the user might be
connected to a different server and have to start a new session.
The TS Session Broker server can be a separate server running the TS Session Broker
service as shown in Figure 28-4, or it can be one of the servers in the load-balanced
farm running the TS Session Broker service. The advantage to using a separate server
is that the overhead of maintaining sessions doesn’t eat up resources that would otherwise
be available to provide network resources to users.
To use a TS Session Broker, all servers in the farm must be running Windows Server
2008 Enterprise or Windows Server 2008 Datacenter. A multi-server environment is
more complex to set up than a single-server environment. To configure Terminal Services
in a multi-server environment, you must follow these steps:
1. Install the operating system on your designated server and configure the server
so it is optimized as appropriate for its intended use.
2. Install the required Terminal Services roles using the Add Roles Wizard to make
Terminal Services available to clients.
3. Install applications to be used by clients using the Install Application On
Terminal Server tool under Programs in Control Panel, which ensures that the
applications are set up using Install mode for Terminal Services rather than
Execute mode.
4. Install and configure the TS Session Broker role service on a separate TS Session
Broker server or on one of the member servers in the load-balanced farm. This
installs and starts the Terminal Services Session Broker service and creates a
local Session Directory Computers group.
[Diagram: Client 1 through Client N connect to the server farm address, which fronts Terminal Server 1, Terminal Server 2, and Terminal Server 3; a TS Session Broker server tracks the sessions.]
Figure 28-4 A multi-server Terminal Services deployment.
5. Add each terminal server in the farm to the local Session Directory Computers
group on the TS Session Broker server.
6. Configure a terminal server to join a farm in TS Session Broker and to participate
in TS Session Broker Load Balancing (or your desired load balancing technique).
7. Install a Terminal Services license server and configure licenses for use.
8. Install terminal clients and configure them to use the Remote Desktop
Connection client or RDC over HTTP. Alternatively, configure applications to run
as RemoteApps.
Steps 2 through 7 are discussed in detail in this chapter. Chapter 39, “Preparing and
Deploying Server Clusters,” discussed Microsoft Network Load Balancing setup and
support. Chapter 19 discussed Remote Desktop Connection client setup and support.
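Step 5 depends on the local Session Directory Computers group on the TS Session Broker server containing each terminal server in the farm. The following PowerShell check is an added example, not code from the book: it compares the group's membership with the list of servers you expect and reports missing and unexpected entries. The server names and parameter names are placeholders.

```powershell
# Added example, not from the book. Run on the TS Session Broker server.
# The server names in $FarmServers are placeholders for your farm members.
param(
    [string[]]$FarmServers = @('TS01', 'TS02', 'TS03'),
    [string]  $GroupName   = 'Session Directory Computers'
)

try {
    # Read the local group through the WinNT ADSI provider.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
} catch {
    Write-Error "Cannot read local group '$GroupName': $($_.Exception.Message)"
    return
}

# Computer accounts are listed with a trailing '$' (for example TS01$).
$actual   = @($members     | ForEach-Object { $_.TrimEnd('$').ToUpper() })
$expected = @($FarmServers | ForEach-Object { $_.ToUpper() })

New-Object PSObject -Property @{
    Missing    = @($expected | Where-Object { $actual   -notcontains $_ })
    Unexpected = @($actual   | Where-Object { $expected -notcontains $_ })
}
```

An entry under Missing is a farm member that has not been added to the group as step 5 requires; an entry under Unexpected is an account in the group that is not on your farm list and should be reviewed.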
Setting Up Terminal Services
The tasks required to set up Terminal Services in single-server and multi-server environments
are discussed in the sections that follow. As you read these sections, remember
that if you want to use a multi-server environment with the TS Session Broker
service, all the servers involved must be running Windows Server 2008 Enterprise
or later.
Installing a Terminal Server
You can install a terminal server by following these steps:
1. In Server Manager, select the Roles node in the left pane and then click Add Roles.
This starts the Add Roles Wizard. If the wizard displays the Before You Begin
page, read the welcome text and then click Next.
2. On the Select Server Roles page, select the Terminal Services check box and then
click Next. Read the introductory page and then click Next again.
3. On the Select Role Services page, select the check box for one or more role
services to install, as shown in Figure 28-5.

Figure 28-5 Select the appropriate role services for the terminal server.
4. Click Next to display the Uninstall And Reinstall Applications For Compatibility
page. This page tells you the basic rules for using applications with Terminal