New book: MCITP Self-Paced Training Kit (Exam 70-647): Windows Server 2008 Enterprise Administrator (2nd Edition)

We’re pleased to announce that MCITP Self-Paced Training Kit (Exam 70-647) Windows Server 2008 Enterprise Administrator (2nd Edition) (ISBN 9780735656659; 624 pages) is available for purchase. This Training Kit is designed for enterprise administrators who have several years’ experience managing the overall IT environment and architecture of medium to large organizations and who plan to take the Microsoft Certified Information Technology Professional (MCITP) 70-647 exam.

This 2-in-1 kit includes the official Microsoft study guide, plus practice tests on CD to help you assess your skills. It comes packed with the tools and features exam candidates want most—including in-depth, self-paced training based on final exam content; rigorous, objective-by-objective review; exam tips from expert, exam-certified authors; and customizable testing options. It also provides real-world scenarios, case study examples, and troubleshooting labs for the skills and expertise you can use on the job.

You can find the book’s table of contents in this previous post.

Here is an excerpt from this Training Kit:

Chapter 7: Designing Remote Desktop Services and Application Deployment

 

Application deployment would be a simple affair if all you needed to do was deploy the same set of applications to all users in your environment. The realities of software licensing mean that large organizations can realize significant cost savings by ensuring that only those workers who need an application have it deployed to their computers. In this chapter, you learn how to plan the distribution of applications to the workers in your environment by using several tools, each of which is appropriate for a certain set of circumstances. Methods of deploying applications to users discussed in this chapter include Remote Desktop Session Host (RD Session Host), Microsoft System Center Essentials 2007 SP1, Microsoft System Center Configuration Manager 2007, and traditional deployment through Active Directory Domain Services (AD DS) software publishing functionality.

Exam objectives in this chapter:

  • Plan for Remote Desktop.
  • Plan for application delivery.

Lessons in this chapter:

  • Lesson 1: Designing Remote Desktop Services
  • Lesson 2: Designing Application Deployment

Before You Begin

Ensure that you have installed a Microsoft Windows Server 2008 R2 Enterprise domain controller named Glasgow as described in Chapter 1, “Designing Name Resolution and Internet Protocol Addressing.” No additional configuration is required for this chapter.

Lesson 1: Designing Remote Desktop Services

Planning the deployment of Remote Desktop Services in your enterprise environment means taking into consideration licensing, server resilience, how clients connect, and how applications are deployed to the Remote Desktop Session Host. In this lesson, you learn how each of these factors influences the plans you develop to deploy Remote Desktop Services in your own organization’s enterprise environment.

Planning a Remote Desktop Session Deployment

As an experienced enterprise administrator, you are aware of the role Remote Desktop Services plays on your organizational network. You understand how client computers connect using Remote Desktop Connections, how to install applications on a Remote Desktop Session Host, and the basics of managing and configuring an individual Remote Desktop Session server. In this lesson, you go beyond the maintenance and configuration of this technology and learn how to plan the deployment of Remote Desktop Services so that it best meets the needs of your organization.

The first step in planning a deployment is understanding how the following Remote Desktop Services components fit together:

  • Remote Desktop Session Host   The Remote Desktop Session Host (RD Session Host) role service, formerly the Terminal Server role service, is the core component of a Remote Desktop Services deployment. This is the server to which clients connect so they can access their applications.
  • Remote Desktop Session Host server farm   The RD Session Host server farm, formerly called the Terminal Server farm, is a collection of RD Session Host servers used to provide high availability and load balancing to clients on the organizational network. Client connections to RD Session Host server farms are mediated by Remote Desktop Connection Brokers. RD Session Host server farms are more likely to be deployed at large sites than are individual RD Session Host servers.
  • Remote Desktop Licensing   The Remote Desktop Licensing (RD Licensing) role service, formerly called the Terminal Server Licensing role service, provides Remote Desktop Session client access licenses (CALs) to RD Session Host servers on the network. Unless an RD Licensing role service is deployed, clients are able to connect using Remote Desktop Services for only a limited amount of time (120 days).
  • Remote Desktop Gateway   The Remote Desktop Gateway (RD Gateway) role service was formerly called the Terminal Server Gateway role service. This role service provides access to authorized remote users from untrusted networks. In enterprise networks, the RD Gateway server provides a bridge between the protected internal network and the internal corporate network where the RD Session Host server farm resides. The RD Gateway role service enforces secure, encrypted connections between remote users and internal resources.
  • RemoteApp and Desktop Connection   The service formerly called RemoteApp programs in Windows Server 2008 Terminal Services provided the ability to run applications that appear to be running locally. With RemoteApp and Desktop Connection, you now have the ability to group and manage the applications so that they are personalized for the individual remote users and accessible to the remote users from their Start menus.
  • Remote Desktop Virtualization Host   The Remote Desktop Virtualization Host (RD Virtualization Host) is a new role service included in Windows Server 2008 R2 that integrates with Hyper-V to provide access to a unique virtual machine for every individual user through RemoteApp and Desktop Connection. The RD Virtualization Host role service will not install if you are running or testing Remote Desktop Services on a virtual machine—you must be running on supported physical hardware.
  • Microsoft RemoteFX   RemoteFX is a new client enrichment feature provided in Windows Server 2008 R2 with Service Pack 1. RemoteFX provides the ability to add a fuller complement of codecs, device support, USB redirection, and additional 3D experience to an enterprise desktop accessing applications through a remote desktop connection.

When planning the deployment of individual RD Session Host servers and RD Session Host server farms, ensure that the software applications installed on the RD Session Host servers that will be used by the remote clients are installed after the RD Session Host role is deployed. Many applications perform a check during installation to determine whether the target of the installation is an RD Session Host. In some cases, different executable files will be installed when the installation target is an RD Session Host using the Remote Desktop Web Access role service for application deployment. Alternatively, some applications will generate a pop-up dialog box informing you that installing the application on a Remote Desktop server is not recommended and that the vendor does not support this deployment configuration.

Applications that are deployed on an RD Session Host server might conflict with one another in unexpected ways. Your Remote Desktop Services deployment plan should include a testing period so that you can verify that each Remote Desktop server’s application configuration does not lead to unforeseen conflicts. If conflicts are detected, you will need to plan to either deploy conflicting applications on separate terminal servers or to deploy applications by using Microsoft Application Virtualization (App-V), which is covered in more detail in Chapter 8, “Designing Virtualization.”

Remote Desktop Licensing

Perhaps the most critical aspect of planning the deployment of Remote Desktop Services in enterprise environments is ensuring that licensing is configured appropriately. The loss of one RD Session Host server in an environment in which there are 100 RD Session Host servers is a potential problem. The loss of a license server in an environment in which there are 100 RD Session Host servers is a potential disaster.

All clients that connect to an RD Session Host server require a Remote Desktop Services CAL. This license is not included with Windows Vista or Windows 7 and is not a part of the standard CALs that you use when licensing a Windows-based server. Remote Desktop Services CALs for the RD Licensing role service are managed by the RD Licensing Manager. When planning a Remote Desktop Services deployment, answer the following questions when considering the deployment of a Remote Desktop license server:

  • What will be the anticipated deployment size for remote users and devices?
  • Will there be a need to provide Remote Desktop Session licensing for Windows Server 2008 Terminal Services? If so, what is the scope of the license server? Will it service clients in the domain or workgroup, or manage the licenses for all clients in the forest?
  • How will the license server be activated with Microsoft? How will additional licenses be purchased and installed?
  • How many license servers are required to service the needs of your organization?
  • What type of licenses will be deployed?

License Server Deployment

An RD Session Host server must be able to contact a Remote Desktop License server to fulfill requests by remote users or devices connecting to the RD Session Host server. Automatic discovery of Remote Desktop License servers is no longer supported for Windows Server 2008 R2 running RD Session Host server. An RD Session Host server is permitted to request RDS CALs from a license server running either Windows Server 2008 R2 or Windows Server 2008.

To determine the need for multiple RD Licensing servers, you should determine the necessity for fault-tolerant connectivity in your environment. It is usually a best practice to install any critical service with servers configured for redundancy. To configure redundancy for the RD Licensing server, you only need to install more than one RD Licensing server and configure each of the RD Session Host servers to use more than one RD Licensing server.
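
One way to audit the redundancy described above, as an added example that is not from the Training Kit: the script reads each RD Session Host's specified license servers and remaining grace-period days from the Win32_TerminalServiceSetting WMI class and flags hosts that depend on a single license server. The host names and the two-server minimum are assumptions made for illustration.

```powershell
# Added example (not from the book): audit RD Session Hosts for
# license-server redundancy. Host names are constructed placeholders.
$SessionHosts = @('rdsh01.example.test', 'rdsh02.example.test')
$MinimumLicenseServers = 2   # assumption: "more than one" per host

function Get-DistinctServers {
    param([string[]]$Names)
    # Normalise case and whitespace so duplicates are not counted twice.
    $Names | Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Sort-Object -Unique
}

function Get-RdshLicensingStatus {
    param([string]$ComputerName)
    $result = New-Object PSObject -Property @{
        Host = $ComputerName; Mode = $null; LicenseServers = @()
        GraceDaysLeft = $null; Redundant = $false; Error = $null
    }
    try {
        # Remote access to the TerminalServices namespace needs packet privacy.
        $ts = Get-WmiObject -ComputerName $ComputerName `
            -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TerminalServiceSetting `
            -Authentication PacketPrivacy -ErrorAction Stop
        $result.Mode = $ts.LicensingName
        # @() keeps a single server name as a one-element array.
        $servers = @(Get-DistinctServers ($ts.GetSpecifiedLicenseServerList().SpecifiedLSList))
        $result.LicenseServers = $servers
        $result.Redundant = ($servers.Count -ge $MinimumLicenseServers)
        # Leave the field empty if the grace-period call fails on this host.
        try { $result.GraceDaysLeft = $ts.GetGracePeriodDays().DaysLeft } catch { }
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

$report = @($SessionHosts | ForEach-Object { Get-RdshLicensingStatus $_ })
$report | Select-Object Host, Mode, Redundant, GraceDaysLeft,
    @{n='LicenseServers'; e={ $_.LicenseServers -join ', ' }}, Error |
    Format-Table -AutoSize

# Hosts that would lose licensing if a single license server failed.
$report | Where-Object { -not $_.Error -and -not $_.Redundant } |
    ForEach-Object {
        Write-Warning "$($_.Host) has fewer than $MinimumLicenseServers license servers configured"
    }
```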

In smaller environments, you can deploy the RD Licensing server on the RD Session Host servers. Larger environments, where there will be substantial overhead with providing Remote Desktop Services CALs for remote users and devices, should consider separating the role services onto separate Windows Server 2008 R2 servers. Figure 7-1 displays the dialog box accessed from the RD Session Host Configuration console.

If Windows Server 2008 Terminal Servers, Windows Server 2003, or Windows 2000 is still in use, it will be necessary to specify a license server’s discovery scope. This is used by previous versions of terminal servers and remote desktop clients to automatically detect the license server. You configure the license server scope during the installation of the Remote Desktop Licensing role service, as shown in Figure 7-2. You can change the scope after it is set. The three possible discovery scopes are This Workgroup, This Domain, and The Forest.

  • This Workgroup   This scope is not available if the license server is joined to an Active Directory service domain. A license server with this discovery scope is most often installed on a computer that hosts the RD Session Host service. RD Session Hosts and clients in the same workgroup can automatically discover this license server.
  • This Domain   The domain discovery scope enables RD Session Hosts and clients that are members of the same domain to acquire Remote Desktop Services CALs automatically. Plan to use this scope if Remote Desktop Services CALs in your organization are going to be purchased and managed on a per-domain basis.
  • The Forest   The forest discovery scope enables RD Session Hosts and clients located anywhere in the same Active Directory forest to acquire Remote Desktop Services CALs automatically. You should plan to use this scope when licensing issues are handled at the organizational level rather than at the domain level.

For example, if your organization has a single forest with a separate domain for each state division, but all software purchasing and licensing is handled centrally, you would plan to deploy a license server set to the forest discovery scope. This enables the people responsible for licensing to check a central location to determine your organization’s compliance with its Remote Desktop client licensing responsibilities. It saves them from having to check each state division’s Remote Desktop license server. If, however, your nationwide organization has software and purchasing managed on a regional basis, it makes sense to deploy RD Licensing servers on the same basis. In that case, you would plan to deploy RD Licensing servers by using the domain discovery scope.

License Server Activation

Another important component of a Remote Desktop server deployment plan is choosing a license server activation method. Before a Remote Desktop license server can issue Remote Desktop Services CALs, it must be activated with Microsoft in a procedure similar to Windows product activation. During the activation process, a Microsoft-issued digital certificate validating both server ownership and identity is installed on the Remote Desktop license server. This certificate will be used in transactions with Microsoft for the acquisition and installation of further licenses. As shown in Figure 7-3, a license server can be activated through three methods.

The first method occurs transparently through a wizard, like Windows product activation. This method requires the server to be able to connect to the Internet directly, using an SSL connection, which means that it will not work with certain firewall configurations.

The second method involves navigating to a webpage. This method can be used on a computer other than the license server and is appropriate in environments in which the network infrastructure does not support a direct SSL connection from the internal network to an Internet host.

The third method involves placing a telephone call to a Microsoft clearinghouse operator. This is a toll-free call from most locations. The method you use for activation will also validate Remote Desktop Services CALs that are purchased at a later date, although you can change this method by editing the Remote Desktop license server’s properties. If a license server is not activated, it can issue temporary CALs only, which are valid for 120 days.

When planning disaster recovery contingencies for your Remote Desktop Services deployment, consider that if the certificate acquired during the activation process expires or becomes corrupted, you might need to deactivate the license server. A deactivated license server cannot issue permanent Remote Desktop Services per-device CALs, although it can still issue Remote Desktop Services per-user CALs and temporary Remote Desktop per-device CALs. You can deactivate Remote Desktop license servers by using the automatic method or over the telephone, but you cannot deactivate them by using a web browser on another computer.

Remote Desktop Services Client Access Licenses

When planning the deployment of Remote Desktop Services, you must determine which sort of Remote Desktop Services CAL is most appropriate for your organization. A Windows Server 2008 Remote Desktop license server can issue two types of CALs: the per-device CAL and the per-user CAL. The differences between these licenses are as follows:

  • Remote Desktop Services per-device CAL   The Remote Desktop Services per-device CAL gives a specific computer or device the ability to connect to a terminal server. Remote Desktop Services per-device CALs are automatically reclaimed by the RD Licensing server after a random period ranging from 52 to 89 days. This will not affect clients that regularly use these CALs because any available CAL will simply be reissued the next time the device reconnects. In the event that you run out of available CALs, you can revoke 20 percent of issued Remote Desktop Services per-device CALs for a specific operating system by using the Remote Desktop Licensing Manager console on the license server. For example, 20 percent of issued Windows Vista Remote Desktop Services per-device CALs or 20 percent of issued Microsoft Windows Server 2003 per-device CALs can be revoked at any one time. Revocation is not a substitute for ensuring that your organization has purchased the requisite number of Remote Desktop Services per-device CALs for your environment.
  • Remote Desktop Services per-user CAL   A Remote Desktop Services per-user CAL gives a specific user account the ability to access any terminal server in an organization from any computer or device. Remote Desktop Services per-user CALs are not enforced by Remote Desktop Services licensing, and it is possible to have more client connections occurring in an organization than actual Remote Desktop Services per-user CALs installed on the license server. Failure to have the appropriate number of per-user CALs is a violation of license terms. You can determine the number of per-user CALs in use by using the Remote Desktop Licensing Manager console on the license server. You can either examine the Reports node or use the console to create a Per-User CAL Usage report.

When planning the deployment of Remote Desktop license servers, remember that Remote Desktop Services CALs can be purchased directly from the server if the Remote Desktop server is capable of making a direct SSL connection to the Internet. Alternatively, it is possible to use a separate computer that is connected to the Internet to purchase Remote Desktop Services CALs by navigating to a website or to call the Microsoft clearinghouse directly.

Backing Up and Restoring a License Server

To back up a Remote Desktop license server, you need to back up the system state data and the folder in which the Remote Desktop licensing database is installed. You can use Review Configuration, shown in Figure 7-4, to determine the location of the Remote Desktop licensing database. To restore the license server, rebuild the server and reinstall the Remote Desktop Licensing Server role, restore the system state data, and then restore the Remote Desktop licensing database. When the database is restored to a different computer, unissued licenses will not be restored, and you will need to contact the Microsoft clearinghouse to get the licenses reissued.

License Server Deployment

When planning the deployment of Windows Server 2008 R2 Remote Desktop Services in an environment with Terminal Services running on earlier versions of a Microsoft-based server operating system, consider that Windows Server 2003 Terminal Services license servers and Microsoft Windows 2000 Server Terminal Services license servers cannot issue licenses to Windows Server 2008 terminal servers or Windows Server 2008 R2 RD Session Host servers. Windows Server 2008 R2 Remote Desktop license servers, however, support the licensing requirements of earlier versions of Terminal Services. If your organization’s Windows Server 2003 terminal servers or Windows Server 2008 terminal servers will coexist with Windows Server 2008 R2 RD Session Host servers for a time, upgrade your organization’s license servers to Windows Server 2008 R2 so that they can support both the new RD Session Host servers and previously installed terminal servers.

License Server High Availability

When planning a high-availability strategy for license servers supporting versions of Terminal Services prior to Windows Server 2008 R2, plan the deployment of two separate Remote Desktop license servers configured with the appropriate scope (domain versus enterprise) and install 50 percent of the Terminal Services CALs on each license server. Because the location of previous versions of license servers is published within AD DS, it is not necessary to use a technology such as Domain Name System (DNS) round robin, Network Load Balancing (NLB), or failover clustering for the deployment of license servers. Current versions of Windows Server 2008 R2 RD Session Host servers will be manually configured for each of the deployed Remote Desktop license servers.

Your deployment plan for license servers should include regular backups so that if a license server does fail, the purchased licenses can be quickly recovered and redeployed. Remember that licenses that have been installed but not issued will be lost when a server is recovered. It is possible to recover these licenses from the Microsoft clearinghouse, but your license deployment plan should ensure that only the required number of licenses is purchased. You should not purchase a significant number of extra licenses for possible future use. It is easier to purchase those licenses when they will actually be used than to worry about recovering unused licenses if the license server fails.
