Deploying a 2012 / 2012R2 Remote Desktop Services (RDS) farm

Applies to: Windows Server 2012 and 2012 R2

A lot of people were pretty excited when Microsoft released RDS for 2012, and for good reason. Not only did they overcome the shortcomings of the previous release of RDS on Windows 2008 R2, they also made it very easy to set up and configure. One of the many great features of 2012 and 2012 R2 is the ability to push roles and features to multiple servers in an environment from a single Server Manager console. Not only does this save time when rolling out a new RDS environment, it also makes it easy.

The following covers the step-by-step process for deploying the base components of an RDS 2012 / 2012 R2 farm. Before we begin, let’s look at the different roles we will be deploying.

Remote Desktop Connection Broker (RD Connection Broker):
Connects or reconnects a client device to RemoteApp programs, session-based desktops and virtual desktops.

Remote Desktop Web Access (RD Web Access):
Enables users to connect to resources provided by session collections and virtual desktop collections by using the Start menu or a web browser.

Remote Desktop Session Host (RD Session Host, RDSH):
Enables a server to host RemoteApp programs or session-based desktops.

Remote Desktop Gateway (RD Gateway):
Enables authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on the corporate network or over the Internet.

In our deployment, we will be logged into a single server and will deploy our new Remote Desktop farm through Server Manager. Each server designated for the environment is virtual, domain joined and was created from a template with the latest Windows updates. No other special changes or configurations were made to any of the servers, with the exception of the RD Session Host servers: some applications were installed on those so that we can deploy our RemoteApp programs.

Here is a list of the servers which will be deployed in our RD Farm:

RDBROKER01:
RD Connection Broker and RD Web Access server
RDBROKER02:
RD Connection Broker, which will be used at a later time for configuring HA for the RD Connection Brokers in the farm
RDSH01:
RD Session Host server
RDSH02:
RD Session Host server
RDGWY01:
RD Gateway server

Log into a domain joined 2012 or 2012 R2 server and launch Server Manager.

From the Dashboard, let’s create a new server group. This is not a requirement, however this is a good practice and helps organize the servers you will be managing.


Enter a name for the server group. Here we will call it RDS Farm.


Go to the Active Directory tab and search for the designated RD servers.


Once we find our servers, add them and hit OK.


Once the servers are added, you will see a new node in Server Manager with the server group name RDS Farm.


Now that we have all of our designated RD servers organized, go to the top right of Server Manager, click Manage and select Add Roles and Features.


On the Before You Begin screen, hit Next.


Here, Microsoft has separated the option of deploying Remote Desktop Services from all other roles and features. Select the option Remote Desktop Services installation and hit Next.


There are two deployment types: Standard and Quick Start. Quick Start is intended mainly for testing or a proof of concept: it deploys every Remote Desktop Services role on a single server. In this case we are doing a full deployment and will use the Standard deployment option. Select Standard deployment and hit Next.


There are two different deployment scenarios. The first is for a Virtual machine-based desktop deployment (VDI). Since we are focusing on the traditional form of Remote Desktop Services, we will choose the Session-based desktop deployment option. Click next.


On the Review Role Services screen, a description of the three minimum roles required for the deployment is listed. Review the items and hit Next.


Now we need to specify which server will be our RD Connection Broker. In our environment we have already determined the server RDBROKER01 will be our RD Connection Broker. Select and add RDBROKER01 and hit next.


The RD Web Access server has a very small footprint and a lot of times it is easier and more practical to share this role on the designated RD Connection Broker server(s). In some big environments, the RD Web Access role can be installed on its own servers, however for our environment we will be adding the role to our designated RD Connection Broker server RDBROKER01. To do this, check the box listed to install the RD Web Access role service on the RD Connection Broker server and hit next.


For the RD Session Host servers, we have 2 designated servers. Add both servers RDSH01 and RDSH02 and hit next.


On the confirmation screen we can see our proposed configuration. A message will appear stating the RD Session Host servers may require a restart. In order to proceed from this screen, you must check the box to “Restart the destination server automatically if required”. Once checked, hit Deploy.


During the deployment, you will be able to view the progress of each role as it is being deployed. Should there be any issues, it will list the issue along with an error. Wait for the deployment to be completed and hit close.


Go back to Server Manager and you will notice a new node called Remote Desktop Services. Go ahead and click on the Remote Desktop Services node.


In the Remote Desktop Services node, you will see the entire configuration for the new farm. This is where you can begin publishing RemoteApps or session-based desktops, add more session host servers, configure HA for the RD Connection Brokers, etc. It is your single console for managing and configuring the Remote Desktop farm. THANK YOU MICROSOFT!


Now that we have our farm deployed, we need to install certificates. A Remote Desktop deployment requires certificates for server authentication, single sign-on, and establishing secure connections. These certificates should be created prior to the RDS deployment. Since multiple roles require a certificate, you can use a wildcard certificate to make things easier. In our deployment, I’ve already generated a wildcard certificate and placed it in the following location: \\dc01\d$\Certs\. To begin installing the certs, click on the Tasks drop-down and select the option “Edit Deployment Properties”.


Highlight the role service RD Connection Broker – Enable Single Sign On, then click on the “Select existing certificate” button.


On the Select Existing Certificate window, click on the Browse button.


Locate and select the certificate and hit the Open button.


Enter the password for the certificate and check the box “Allow the certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.


Back on the Deployment Properties screen, hit Apply.


Once the certificate is applied for the single sign-on role service, go ahead and highlight the RD Connection Broker – Publishing option and click on the Select existing certificate button.


Browse and locate the certificate. Once found, hit the Open button.


Enter the password for the certificate and check the box “Allow the certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.


Back on the Deployment Properties screen, hit Apply.


Once the certificate is applied for the publishing role service, go ahead and highlight the RD Web Access role service and click on the Select existing certificate button.


Browse and locate the certificate. Once found, hit the Open button.


Enter the password for the certificate and check the box “Allow the certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.


Back on the Deployment Properties screen, hit Apply.


Once completed, hit OK.


You have successfully deployed a 2012 RDS farm. Now on to publishing RemoteApp programs.
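As an added example that is not part of the original post, here is the same Standard, session-based deployment and the three certificate assignments above done from the RemoteDesktop PowerShell module instead of Server Manager, with a pre-flight check that the wildcard subject actually covers the farm's FQDNs (a wildcard matches only one DNS label, so *.corp.example does not cover host.sub.corp.example). The domain corp.example and the file name wildcard.pfx are placeholders; the share folder is the one named above, and the Role/Level property names are those reported by Get-RDCertificate.

```powershell
Import-Module RemoteDesktop   # ships with the RDS management tools on 2012 / 2012 R2

$domain  = 'corp.example'                          # placeholder; use your AD DNS domain
$broker  = "RDBROKER01.$domain"                    # RD Connection Broker (RDBROKER02 is added later for HA)
$webAcc  = "RDBROKER01.$domain"                    # RD Web Access shares the broker, as in the post
$hosts   = @("RDSH01.$domain", "RDSH02.$domain")   # RD Session Host servers
$pfxPath = '\\dc01\d$\Certs\wildcard.pfx'          # folder from the post; file name assumed

# A wildcard covers exactly one label: "*.corp.example" matches "rdbroker01.corp.example"
# but not "rdsh01.lab.corp.example" or "corp.example" itself.
function Test-WildcardCovers {
    param([string]$WildcardSubject, [string]$Fqdn)
    if (-not $WildcardSubject.StartsWith('*.')) { return ($WildcardSubject -eq $Fqdn) }
    $suffix = $WildcardSubject.Substring(2)
    $labels = $Fqdn.Split('.')
    if ($labels.Count -lt 2) { return $false }
    return (($labels[1..($labels.Count - 1)] -join '.') -eq $suffix)   # -eq is case-insensitive
}

# Never hard-code the PFX password in a script; prompt for it as a SecureString.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Read the subject name out of the PFX and check every farm server against it before deploying.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPassword, 'DefaultKeySet')
$wildcard = $cert.GetNameInfo('DnsName', $false)   # e.g. *.corp.example
foreach ($name in (@($broker, $webAcc) + $hosts)) {
    if (-not (Test-WildcardCovers -WildcardSubject $wildcard -Fqdn $name)) {
        throw "Certificate '$wildcard' does not cover '$name'; fix the cert before deploying."
    }
}

# Standard deployment, Session-based desktop scenario (the session hosts restart if required).
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $webAcc -SessionHost $hosts

# The three role services given a certificate in the post, by their cmdlet names:
#   RDRedirector = RD Connection Broker - Enable Single Sign On
#   RDPublishing = RD Connection Broker - Publishing
#   RDWebAccess  = RD Web Access
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword `
                      -ConnectionBroker $broker -Force
}

# Verify: each configured role should show Level "Trusted". "Untrusted" means the issuing
# chain is missing from the destination server's Trusted Root store; "Error" means the
# certificate could not be installed on one of the servers.
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Level, ExpiresOn -AutoSize
```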

Publishing RemoteApp programs and session based desktops. (Collections)

Configuring User Profile Disks

Deploying the RD Gateway role service for a 2012 RDS Farm

Configuring HA for the Remote Desktop Connection Broker in a 2012 RDS Farm

Configuring the RD Gateway Server for a 2012 RDS farm with HA enabled for the RD Connection Brokers



  1. #1 by Jusuf on April 15, 2014 - 6:20 am

    Hello

    I am trying to learn new things.
    And RDS is a tutorial I really want to know.
    Now I am stuck at inserting a certificate.
    But you did already have a wildcard certificate (can you tell me how to make this?)
    Because on the web I can only find SSL certificates you must buy when you search in Google under wildcard certificates.

    I have tried to use Active Directory Certificate Services, but it didn't help….

    • #2 by Eddie Kwasnik on April 15, 2014 - 9:20 am

      Since this was for a lab environment, I added my own Certificate Authority and was able to issue myself a wildcard SSL certificate for my RDS environment. In most production environments, I will typically use a third party to generate the cert.
      Here are some links which might help you in the configuration of a CA as well as the steps in successfully issuing an SSL certificate for your environment.

      http://technet.microsoft.com/en-us/library/hh831740.aspx

      http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx

      • #3 by Koj on April 17, 2014 - 9:27 am

        Buying a third-party PKI in a Windows infrastructure is nonsense.
        I advise installing a Root CA & Sub CA, then deploying the farm.

  2. #4 by vps or dedicated server on April 29, 2014 - 8:35 am

    Thank you for another magnificent article. Where else could anyone get that type of information in such an ideal manner of writing? I’ve a presentation next week, and I’m on the lookout for such info.

  3. #5 by Ronald on April 30, 2014 - 5:43 am

    Hi Eddie,

    Thanks for your blog, hope it will help me =)
    I am kinda stuck on the wildcard cert. I do run my own CA in my domain, so I can issue one, no problem. However, that will be for the domain, so the cert will be for *.shared.int. I also have a commercial wildcard cert for my currently deployed external services, say *.mycomp.com. Which one should I use for the RDS deployment? I intend to publish the gateway through TMG to the outside world, so I do need a commercial cert there anyway.

    Do you have an advice? Like using the *.shared.int cert internally, use the *.mycomp.com cert on TMG and have TMG bridge that to the RDGW?

    Please let me know your thoughts.

    BR,

    Ronald

    • #6 by Eddie Kwasnik on May 1, 2014 - 9:31 am

      The advantage of using a third-party cert is that the root certificate is most likely already installed on the client devices. If you were to use your domain cert, you would have to manually install the root certificate on any device which is not part of your domain. This can be a pain depending on the number of external users connecting to the environment. From a technical perspective, either of the certificates will achieve what you are looking for. As for using a mixture of certificates in the environment, I am one who likes to keep things simple so I would only use one of the certificates. Since you already paid for the third-party wildcard cert, I would probably lean more to using that one. But that is more so my preference since either will achieve what you are looking for.

      Eddie

      • #7 by Scott on May 1, 2014 - 11:35 am

        I could kiss you! Good write up. I had the same question as Ronald. So if I got a wildcard cert from a 3rd party for say *.publicdomain.com it would work for my *.internaldomain.local no problems? I’m planning a classic session-based desktop deployment. Thanks again.

      • #8 by Eddie Kwasnik on May 1, 2014 - 1:29 pm

        If you use a third party wildcard certificate for *.publicdomain.com, and plan to use this across the entire RDS environment, users internally would be utilizing the fqdn *.publicdomain.com instead of *.internaldomain.int. If you only wanted to use *.publicdomain.com on the RD Gateway for external users, and a different certificate (*.internaldomain.local) for single sign-on and publishing, when a user connects, they will require a root certificate for both Certs on their client device. One of the biggest benefits of using the third party certificate is users will most likely already have the root certificate installed on their client machine. You definitely can use both as long as the root certificates are installed on the client machines. I wish Microsoft would reduce the amount of certificates required for an RDS deployment.

  4. #9 by dedicated server india on May 6, 2014 - 9:11 pm

    I get pleasure from, cause I found exactly what I was looking for. You have ended my four day long hunt! God Bless you man. Have a nice day. Bye

  5. #10 by vps reviews uk on May 17, 2014 - 3:38 pm

    My brother suggested I might like this web site. He was once entirely right. This publish truly made my day. You can not consider simply how a lot time I had spent for this information! Thank you!

  6. #11 by beach305 on May 24, 2014 - 12:03 pm

    My question is, can you now configure RDS on a Windows 2012 R2 domain controller? I have three users that need access remotely and purchasing a separate server just for RDS is costly. In Windows 2008 this was a problem, but in Windows 2012 it was not allowed. Now I think I’m hearing that 2012 R2 allows you again to run RDS on a single server environment.

    • #12 by Eddie Kwasnik on May 27, 2014 - 9:35 am

      Great question. It is never recommended to install the RDS role onto a production Domain Controller, however Microsoft has given the ability to install all RDS roles onto a single server. This means you can install the RD Connection Broker, RD Session Host, RD Web Access and RD Gateway roles on a single server. The easiest way to achieve this is to use the Quick Start option when deploying the roles. This option will install all of the roles with the exception of the RD Gateway onto the single server for you.

      Here is a screenshot of the option:

      QuickStart

      • #13 by beach305 on June 1, 2014 - 2:25 pm

        Are you saying I can install RDS directly on the DC server, or is it better to create a VM and install it there?

        In Windows Server 2008 R2, I was able to take a physical server configured as the DC and create a VM via Hyper-V from within. I then made that VM a Terminal Server. The users then had a remote desktop to work with. Is this better, or is your way easier or better?

      • #14 by Eddie Kwasnik on June 1, 2014 - 7:15 pm

        You shouldn’t install it on a DC. Create a VM for it.

  7. #15 by Jo on June 1, 2014 - 4:02 am

    Hi Eddie
    Great step by step guide thank you. From which server did you run the Remote Desktop service installation?

    • #16 by Eddie Kwasnik on June 1, 2014 - 7:41 am

      Thanks! I ran the entire deployment from a domain joined member server running 2012R2. That’s the beauty of Server Manager in 2012. Once you have the other servers added into Server Manager, you can deploy an entire RDS farm without having to log into one of the RDS servers.

  8. #17 by Adam Weight on June 17, 2014 - 5:08 pm

    Thank you so much for the tutorial. It helped me a lot. I am running into a problem that I can’t seem to fix however. I have deployed a farm based exactly on your instructions here (with name changes of course), and cannot get it to work from the outside.

    When I connect to my public DNS name (NAT policy points it to the gateway server), initially there was no page to connect to. I had to install the RDWeb server role on the gateway server as well. But now, the users have no applications to connect to. The collections I set up on my CB server (earlier in the tutorial before implementing the gateway server) do not show up.

    The same issue appears when I connect internally to the gateway server. Alternatively, if I connect internally to the CB server, the collections show up. However, my understanding of the Gateway server is that it is necessary for external connections, so I am kind of stuck. It appears that the Gateway server is not pointing users and passing them to the CB server for connections. It looks like it is only pointing to itself.

    Any help would be greatly appreciated.

    • #18 by Eddie Kwasnik on June 18, 2014 - 10:36 am

      Is the Gateway server in the DMZ? Does the Gateway server have full network access to the connection broker?

      • #19 by Adam Weight on June 18, 2014 - 12:00 pm

        There is no DMZ. The Gateway is on the LAN side, and the firewall has a NAT rule that passes traffic from the public WAN side using a public IP to the Gateway on the LAN side. And yes, the Gateway has full access to anything on the connection broker.

      • #20 by Eddie Kwasnik on June 20, 2014 - 1:18 pm

        You can try redeploying the rd web access role to the gateway server using rdms. This would require removing the role first and then redeploying it to the gateway server.

      • #21 by Adam Weight on June 20, 2014 - 2:48 pm

        I just tried your suggestion today. I removed the RDWeb role from the connection broker, and added it instead to the gateway server. I tested logging into the system, and none of the published apps showed up. I removed the collection, and then re-added it, still no apps show up.

      • #22 by Eddie Kwasnik on June 20, 2014 - 3:09 pm

        That’s an issue I have yet to run into. The other option is to place the RD Web Access back on the broker and have a NAT rule on the firewall for users to access the rd web access site off of the broker. Then if you have the setting: external users upon their connection will connect through the Gateway server.

      • #23 by Adam Weight on July 7, 2014 - 2:35 pm

        So I finally got this working by completely rebuilding all the servers from the ground up (OS wipe), and following the instructions again. Now I am running into a different problem.

        I have the RD environment set up to use HA and Gateway. I have my Connection Broker Round Robin set up as RDFarm.mydomain.com. None of the servers are directly accessible from the Public Internet except for the Gateway. I have a NAT policy on my firewall to allow access to that using a public IP address.

        From inside the LAN where the systems reside, I am able to access the published app and launch without issue. I can do this using either the internal name, or public name going through the NAT policy.

        However, from any computer outside the local LAN, I can get to the published app page and launch the app, but when it tries to connect to RDFarm.mydomain.com I receive an error:

        “Remote Desktop cannot connect to the remote computer RDFarm.mydomain.com.”

        It seems to me that it is only connecting when on the LAN because the local DNS has an entry for RDFarm.mydomain.com, but when on the public side of course, there is no DNS entry for that because that is behind the firewall on the local LAN.

        I thought the point of the gateway was to allow connections from the outside and control access to the inside without having to make all your servers public? If I have to give a public IP to all my servers in the farm just to make this work doesn’t that kind of defeat the entire purpose?

      • #24 by Eddie Kwasnik on July 7, 2014 - 9:05 pm

        I wonder if it is even trying to connect through the gateway. Usually the error would say something in the lines of

        Could you send or post the rdp file? If you connect to the rd web access page from outside of your LAN, you can log in and instead of launching the remoteapp or desktop, right click on it and save it to your local machine. Then open the file using notepad.

    • #25 by Adam Weight on July 8, 2014 - 4:03 pm

      Eddie, I’m not sure how to post the RDP file to here, or even a screenshot. I don’t see any option for attaching any kind of file, just to type text. So the best I can do I guess is paste in the RDP file config when opening it in a text editor:

      **************************************************************************************
      redirectclipboard:i:1
      redirectprinters:i:1
      redirectcomports:i:0
      redirectsmartcards:i:1
      devicestoredirect:s:*
      drivestoredirect:s:*
      redirectdrives:i:1
      session bpp:i:32
      prompt for credentials on client:i:1
      span monitors:i:1
      use multimon:i:1
      remoteapplicationmode:i:1
      server port:i:3389
      allow font smoothing:i:1
      promptcredentialonce:i:1
      videoplaybackmode:i:1
      audiocapturemode:i:1
      gatewayusagemethod:i:2
      gatewayprofileusagemethod:i:1
      gatewaycredentialssource:i:0
      full address:s:RDFARM.AD-REVIEWHOST.COM
      alternate shell:s:||iexplore
      remoteapplicationprogram:s:||iexplore
      gatewayhostname:s:apps.ad-reviewhost.com
      remoteapplicationname:s:Relativity
      remoteapplicationcmdline:s:
      workspace id:s:RDFARM.AD-REVIEWHOST.COM
      use redirection server name:i:1
      loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Relativity_Apps
      alternate full address:s:RDFARM.AD-REVIEWHOST.COM
      signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
      *************************************************************************************************
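As an added example that is not part of the thread, the following PowerShell function parses a saved .rdp file the way the reply above suggests inspecting it in Notepad, and reports the entries that decide whether the client goes through the RD Gateway at all; the embedded sample is a constructed, trimmed copy of the settings posted above with the signature line left out, and the gatewayusagemethod meanings are those documented for the .rdp file format.

```powershell
function Get-RdpGatewaySettings {
    param([string[]]$Lines)

    # Every .rdp entry is "name:type:value"; type s = string, i = integer.
    # Values may themselves contain colons (e.g. loadbalanceinfo:s:tsv://...), so only
    # the first two separators are significant.
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^:]+):(?<type>[si]):(?<value>.*)$') {
            $value = $Matches['value'].Trim()
            if ($Matches['type'] -eq 'i') { $value = [int]$value }
            $settings[$Matches['name']] = $value
        }
    }

    # Documented meanings of gatewayusagemethod
    $usage = @{
        0 = 'do not use an RD Gateway'
        1 = 'always use the RD Gateway'
        2 = 'use the RD Gateway only if a direct connection to the host cannot be made'
        3 = 'use the client default RD Gateway settings'
        4 = 'do not use an RD Gateway, bypass for local addresses'
    }
    $method = $settings['gatewayusagemethod']
    $methodText = if ($null -ne $method) { $usage[[int]$method] } else { 'not set' }

    [pscustomobject]@{
        FullAddress      = $settings['full address']      # the farm / broker name the client dials
        GatewayHost      = $settings['gatewayhostname']   # must resolve from the Internet
        GatewayUsage     = $method
        GatewayUsageText = $methodText
        LoadBalanceInfo  = $settings['loadbalanceinfo']   # collection the broker routes to
        Signed           = $settings.ContainsKey('signature')
    }
}

# Constructed sample: a trimmed copy of the entries posted above, signature omitted.
$sampleRdp = @'
remoteapplicationmode:i:1
server port:i:3389
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDFARM.AD-REVIEWHOST.COM
gatewayhostname:s:apps.ad-reviewhost.com
remoteapplicationname:s:Relativity
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Relativity_Apps
'@ -split "`r?`n"

Get-RdpGatewaySettings -Lines $sampleRdp

# For a file saved from RD Web Access:  Get-RdpGatewaySettings -Lines (Get-Content .\app.rdp)
```

With method 2 the client first tries the full address directly and only falls back to the gateway when that fails, so from outside the LAN the unresolvable farm name is expected and the gateway host is the name that has to resolve and present a trusted certificate.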

      • #26 by Eddie Kwasnik on July 9, 2014 - 10:33 am

        Adam,

        From your Gateway server, can you successfully ping RDFARM.AD-REVIEWHOST.COM?

        Thanks,
        Eddie

      • #27 by Adam Weight on July 9, 2014 - 11:48 am

        Yes. From the gateway server I can ping the farm. See ping response below:

        ********************************************************************************
        C:\Users\aw-admin>ping rdfarm.ad-reviewhost.com

        Pinging rdfarm.ad-reviewhost.com [192.168.110.14] with 32 bytes of data:
        Reply from 192.168.110.14: bytes=32 time=1ms TTL=128
        Reply from 192.168.110.14: bytes=32 time<1ms TTL=128
        Reply from 192.168.110.14: bytes=32 time<1ms TTL=128
        Reply from 192.168.110.14: bytes=32 time
        ********************************************************************************

      • #28 by Eddie Kwasnik on July 9, 2014 - 1:39 pm

        Excellent. Can you check the event viewer on the RD Gateway server under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\. Within there under the Operational Log, do you see anything with an exclamation icon? I believe it’s Event ID 304.

      • #29 by Adam Weight on July 9, 2014 - 2:23 pm

        Ok, so I just attempted to connect from the outside (just to have it in the logs if there is an error), then took a look at the logs on the Gateway server. I am seeing an error in the TerminalServices-Gateway Operational log. Evt 301, TerminalServices-Gateway:

        ********************************************************************************
        Log Name: Microsoft-Windows-TerminalServices-Gateway/Operational
        Source: Microsoft-Windows-TerminalServices-Gateway
        Date: 7/9/2014 11:00:38 AM
        Event ID: 301
        Task Category: (5)
        Level: Error
        Keywords: Audit Failure,(16777216)
        User: NETWORK SERVICE
        Computer: AdRev-Gate-01.ad-reviewhost.com
        Description:
        The user “AD-REVIEWHOST\tuser”, on client computer “216.253.194.194”, did not meet resource authorization policy requirements and was therefore not authorized to resource “AdRev-App-02.ad-reviewhost.com;ADREV-APP-02;192.168.110.124”. The following error occurred: “23002”.
        ********************************************************************************

        The odd thing is, I have a RAP policy in place, and authorized users are members of the AD group “AD-REVIEWHOST\Review Users” of which the user account referenced in the error is a member. So I’m not sure why it’s being denied access to the system.

      • #30 by Eddie Kwasnik on July 9, 2014 - 3:40 pm

        Did you go through the following steps as well?
        http://thewolfblog.com/2014/02/02/configuring-the-rd-gateway-server-for-an-rds-farm-with-ha-enabled-for-the-rd-brokers/

        If you already did, let me know and I will email you directly to see if we can’t find what the issue is.

        Thanks,
        Eddie

      • #31 by Adam Weight on July 9, 2014 - 6:15 pm

        Eddie,

        Yes I did already go through those steps to create the RAP for HA.

      • #32 by Adam Weight on July 11, 2014 - 6:45 pm

        Just wanted to say thanks again! With your help I now have my environment fully functional.

      • #33 by Adam Weight on July 16, 2014 - 12:45 pm

        Sorry to keep hitting you up for assistance Eddie. I have a new issue now. I attempted to add a new system as a second connection broker in my HA environment. I was able to add the system just fine and everything appeared to work however I started getting certificate errors when connecting.

        Taking a look at the deployment properties, I noticed both connection broker certificates now show a status of Error. I thought perhaps this is because the cert is not installed on the second broker, so I went through the process to add the cert in the deployment properties.

        When I attempted to do that I get the error: “Could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again”

        This happens no matter how many times I try to load the cert. Both systems are on the same network and have full access to one another. Both show up properly in the HA database. I even looked at the local certificate store, and the valid cert is on both machines.

        I searched the Internet for answers for hours but kept coming up blank.
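The "Could not configure the certificate on one or more servers" message above names reachability as the likely cause, so the manual check is to confirm the same certificate, with its private key, is in the machine Personal store of every broker and that each broker answers over PowerShell remoting. Here is an added PowerShell snippet (not from the original post or its author) that does that and then prints what the deployment currently records for each role. Broker names and the thumbprint are placeholders.

```powershell
# Added example: verify the deployment certificate on every HA broker, then
# show what the RDS deployment itself thinks about each role's certificate.
# Server names and thumbprint below are placeholders, not values from the post.
$brokers    = 'BROKER01.example.com', 'BROKER02.example.com'
$thumbprint = 'PLACEHOLDER_THUMBPRINT'

# Invoke-Command also proves WinRM reachability, which the error message singles out.
$status = Invoke-Command -ComputerName $brokers -ArgumentList $thumbprint -ScriptBlock {
    param($tp)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Found         = [bool]$cert
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        Subject       = if ($cert) { $cert.Subject } else { $null }
    }
}
$status | Select-Object Computer, Found, HasPrivateKey, NotAfter, Subject | Format-Table -AutoSize

# What the deployment records per role (RDRedirector, RDPublishing, RDWebAccess, RDGateway).
Get-RDCertificate -ConnectionBroker $brokers[0] | Format-Table -AutoSize

# Scripted equivalent of the deployment-properties dialog, applied from a PFX
# (commented out; path and password are placeholders):
# $pw = Read-Host -AsSecureString 'PFX password'
# Set-RDCertificate -Role RDRedirector -ImportPath 'C:\certs\deployment.pfx' `
#     -Password $pw -ConnectionBroker $brokers[0] -Force
```

If `Found` is true on both brokers but `Get-RDCertificate` still shows an error, the store copy is not the problem and the remoting or name-resolution path between the broker running Server Manager and the other broker is the next thing to look at.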

      • #34 by Adam Weight on July 21, 2014 - 8:11 pm

        Thanks again for all your help. This is resolved now.

      • #35 by Eddie Kwasnik on July 22, 2014 - 1:22 pm

        No Problem. I'm glad everything is working.

  9. #36 by duncan on June 21, 2014 - 8:17 pm

    This article is a great help. I would like to know if you have a setup with HA brokers and session hosts (no gateway or web access) do you still need certificates. My install worked fine till I added the HA broker, then everything stopped. HELP

    • #37 by Eddie Kwasnik on June 23, 2014 - 9:21 am

      Duncan,

      You should still put a cert on the broker for the publishing and SSO. This will eliminate the numerous pop-ups users will get when trying to establish a connection. When you say it stopped working, are you getting an error when trying to connect?

      Eddie

    • #38 by duncan on June 23, 2014 - 7:10 pm

      yes the server has ERROR
      Error id 1306 Microsoft-Windows_terminalservices-sessionbroker-clent

      Remote desktop connection broker client failed to redirect the user to centacare\test_rds_user1
      Error: NULL
      I can edit the rdp file to get it working but I did not get this in my POC and we have over 1000 users not all on the domain so sending a modified rdp file is not really a solution

      • #39 by Eddie Kwasnik on June 24, 2014 - 9:41 am

        Hi Duncan,

        Usually this error means it's a communication issue between the RDSH servers and the brokers. What item are you editing in the rdp file to get it working?

        Eddie

      • #40 by duncan on June 24, 2014 - 7:21 pm

        We have added the following 5 lines:
        full address:s:rds.cent.org
        workspace id:s:rds.cent.org
        use redirection server name:i:1
        loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDS_Users
        alternate full address:s:rds.cent.org

      • #41 by Eddie Kwasnik on June 26, 2014 - 9:49 am

        Are you able to communicate fully from the Broker to the RDSH servers and vice-versa?

  10. #42 by Lynne Nimmo on June 25, 2014 - 12:29 pm

    Is there a limit to how many RDS servers you can have in one 2012 farm?

    • #43 by Eddie Kwasnik on June 26, 2014 - 10:10 am

      With the capability of using the HA options for the broker servers you have the ability to add a lot more RDSH servers to an RDS farm than you did with 2008 R2; however, the maximum number of servers you can use in a farm is one I do not know.

  11. #44 by Rob on August 4, 2014 - 9:27 am

    Hi Eddie,

    Great set of articles and I am learning this stuff as we go along.
    I have got myself a Server 2012 R2 server up and running on the domain with some published apps and this all works fine internally with no issues.
    Now I would like to get some apps published via the Internet through our firewall infrastructure. However it seems that this is not easy to do. Do I still need an RD Gateway server even if we have an existing firewall (Cisco)?
    It seems at the moment the Cisco ASA just will not talk to the RDWeb server.
    Any thoughts?
    Keep up the good work!

    • #45 by Eddie Kwasnik on August 4, 2014 - 9:45 am

      Rob,

      Thanks for the great comments! I'm not 100% sure what could be the issue on the ASA, but the RD Web Access server should be treated as a normal web server using https. As for the gateway server, many firewall appliances have some form of built-in technology which can allow it to act as an RD Gateway server. However, if your device does not have that functionality, I highly recommend using an RD Gateway server. This will minimize the number of rules you will need to place on the firewall, providing users a single point of entry. The firewall will provide access to the gateway server and the gateway server will provide access to your farm.

      Eddie

  12. #46 by Rob on August 5, 2014 - 2:51 am

    Eddie,

    Thanks for the reply. I will take a look at putting in a gateway server I think, as the minimum I have to get done on the firewall the better.
    Thanks again for your reply and have a great day.

    Rob

  13. #47 by Rob on August 10, 2014 - 7:51 pm

    Hi,
    I am following this guide, and when I get to the point of providing my own wildcard cert from DigiCert that we use for our Linux web servers, it always has
    RD connection broker – enable SSO – Trusted – Error
    RD connection broker – publishing – Trusted – OK
    RD Web access – trusted – Error
    RD Gateway – trusted – Error

    I have added the cert manually to the computer, personal, trust and remote desktop locations in cert manager, but always get “could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again.” This is a brand new install.

    Any .rdp files it gives results in the client (Mac) saying that the .RDP file is not valid (and it's not signed):

    redirectclipboard:i:1
    redirectprinters:i:1
    redirectcomports:i:1
    redirectsmartcards:i:1
    devicestoredirect:s:*
    drivestoredirect:s:*
    redirectdrives:i:1
    session bpp:i:32
    prompt for credentials on client:i:1
    span monitors:i:1
    use multimon:i:1
    remoteapplicationmode:i:1
    server port:i:3389
    allow font smoothing:i:1
    promptcredentialonce:i:1
    gatewayusagemethod:i:1
    gatewayprofileusagemethod:i:1
    gatewaycredentialssource:i:0
    alternate shell:s:||calc
    remoteapplicationprogram:s:||calc
    gatewayhostname:s:mygatewayexternalname.domain.com
    remoteapplicationname:s:Calculator
    remoteapplicationcmdline:s:
    workspace id:s:myserver.sub.sub.domain.com
    loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.myrdshhost
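Two comments in this thread come down to what is, or is not, inside a delivered .rdp file: the five broker-redirection lines added by hand in comment #40, and the file above that a Mac client rejects as not valid and not signed. Here is an added PowerShell example (not from the original post, its author, or Microsoft) that parses a .rdp file into a dictionary and reports both things: which of those redirection keys are present with what values, and whether the file carries the `signscope` / `signature` lines that rdpsign.exe (and the broker's publishing certificate) adds. The file path in the usage line is a placeholder.

```powershell
# Added example: parse an .rdp file and report broker-redirection keys and
# whether it is signed. Key names are the ones used in the files quoted above.
function Read-RdpFile {
    param([Parameter(Mandatory)][string]$Path)
    $settings = [ordered]@{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Each line is key:type:value; the value may itself contain ':' (e.g. tsv://...),
        # so split into at most three parts and keep the remainder whole.
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].Trim()] = $parts[2] }
    }
    return $settings
}

function Test-RdpFile {
    param([Parameter(Mandatory)][string]$Path)
    $s = Read-RdpFile -Path $Path

    # The keys comment #40 had to add by hand to make broker redirection work.
    $redirectKeys = 'full address', 'alternate full address', 'workspace id',
                    'use redirection server name', 'loadbalanceinfo'
    $details = foreach ($k in $redirectKeys) {
        [pscustomobject]@{ Key = $k; Present = $s.Contains($k); Value = $s[$k] }
    }

    # rdpsign.exe writes signscope (the list of signed keys) and signature.
    # A client that insists on signed files looks for exactly these.
    $signed = $s.Contains('signscope') -and $s.Contains('signature')

    [pscustomobject]@{
        File        = $Path
        Signed      = $signed
        SignedKeys  = if ($signed) { $s['signscope'] } else { $null }
        RemoteApp   = $s['remoteapplicationprogram']
        Gateway     = $s['gatewayhostname']
        MissingKeys = @($details | Where-Object { -not $_.Present } | ForEach-Object Key)
        Details     = $details
    }
}

# Usage (placeholder path): Test-RdpFile -Path 'C:\temp\Calculator.rdp' | Format-List
```

Run against the file quoted above, `MissingKeys` would list every redirection key except `workspace id` and `loadbalanceinfo`, and `Signed` would be false, which matches what the Mac client reported; a file handed out by RD Web Access with a working publishing certificate carries the signature lines and does not need to be edited.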

  14. #49 by julisanto on August 20, 2014 - 8:03 am

    Hi,

    It is really really a great article you have there. But I have a question if you don’t mind. So I have only 1 box server. So, I have no choice but to install RDCB, RDSH, RDWA in the same box. There won’t be HA in RDCB and RDSH. But right now I am struggling with the feature of RDCB where “user get reconnect their existing session / apps if they get unintentional disconnection or intentional”. Can you advise me please? Thanks.

    • #50 by Eddie Kwasnik on August 20, 2014 - 1:47 pm

      So the users when disconnected, are not able to reconnect to their disconnected session?

      • #51 by julisanto on August 20, 2014 - 10:19 pm

        Hi Eddie,

        My previous implementation of RD Services using Windows 2008 R2 (with multiple RDSH though), when users log in and open some app: if they didn’t log out properly, just directly closed the browser, the app would close as well. When they logged in again, the last opened (unsaved) app would run itself and go back to the state last seen. I am trying to achieve this in Windows 2012 (the difference is, now I only have 1x RDSH). I log in, run Paint and WordPad. I edit both of them, and leave them unsaved. I close my browser, the apps don’t close… so even if I close the app (it will ask me if I want to save or not). If I choose not to save, then I log in to RD Web Access, the app won’t auto run and bring me to last seen. Hopefully I don’t confuse you, I will await your great advice, thank you in advance.

      • #52 by Eddie Kwasnik on August 21, 2014 - 9:21 am

        Closing the Internet Browser will not close the existing RemoteApp connections. The browser is simply an interface which along with the RDWeb Access server presents the user with a RDP file to initiate the user’s connection. The connection is independent from the browser connection to the RD Web Access server. So closing one will not affect the other.

        If the user however is disconnected from their session, when they log back in, it will reconnect them to their existing disconnected session.

        Eddie

      • #53 by Juli santo on August 21, 2014 - 10:05 am

        Hi Eddie,

        In this case, how do I simulate a user getting disconnected and reconnect them? Can you advise a way? And to confirm, reconnecting their session also means their running apps will auto launch with content, right?

      • #54 by Eddie Kwasnik on August 21, 2014 - 11:51 am

        One way to simulate a disconnection is to unplug the network from the client device. After the session disconnects, plug back into the network and once the user launches their applications, it should connect them back to their disconnected session.
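The reconnect behaviour described above depends on the broker still holding a disconnected session for the user, which in turn depends on the collection's disconnected-session limit. Here is an added PowerShell snippet (not from the original post or its author) that shows that limit, lists the sessions the broker is tracking with their state, and gives a server-side way to disconnect one test user instead of unplugging the client. Broker, collection and user names are placeholders.

```powershell
# Added example: inspect the settings and sessions behind "reconnect to a
# disconnected session" in a 2012 / 2012 R2 session collection.
# Broker, collection and user names are placeholders, not values from the post.
$broker     = 'BROKER01.example.com'
$collection = 'RemoteApps'

# DisconnectedSessionLimitMin: 0 keeps a disconnected session until the user logs
# off; any other value logs it off after that many minutes, and unsaved work in
# the RemoteApp goes with it, so a later logon starts fresh.
Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker -Connection |
    Select-Object CollectionName, DisconnectedSessionLimitMin, IdleSessionLimitMin, ActiveSessionLimitMin

# Sessions the broker currently knows about, and whether each is Active or Disconnected.
$sessions = Get-RDUserSession -ConnectionBroker $broker -CollectionName $collection
$sessions | Select-Object UserName, HostServer, UnifiedSessionId, SessionState | Format-Table -AutoSize

# Simulate the disconnect from the server side for one test user (commented out).
# The session stays on the host as Disconnected; the user's next RemoteApp launch
# should land back in it with the open applications intact.
# $s = $sessions | Where-Object UserName -eq 'test_rds_user1'
# Disconnect-RDUser -HostServer $s.HostServer -UnifiedSessionID $s.UnifiedSessionId -Force
```

If the test user's session shows up as Disconnected after the disconnect and the collection limit is 0 (or has not yet elapsed), launching any RemoteApp from RD Web Access reconnects to that session rather than creating a new one; if the session is missing from the list, it has already been logged off and there is nothing to reconnect to.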

  15. #55 by Heera Sharma on September 8, 2014 - 2:48 pm

    Hi Eddie,

    This is a great post. I created a new VDI collection on RDS using New-RDVirtualDesktopCollection cmdlet. I tried changing the name of the collection itself using Set-RDVirtualDesktopCollectionConfiguration. But it would not allow me to change the name of collection. I can change the collection name via RDS User Interface but no equivalent PowerShell seems to be available.

    I posted the question in the RDS Windows 2012 R2 forum as well. Here is the link to that:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/49ae30dc-da5c-48aa-b330-fd35ecdd6ad7/powershell-cmdlet-to-rename-a-rds-collection?forum=winserverTS

    Any insight you can provide to achieve change in collection name would be greatly appreciated.

    Thanks,
    Heera

    • #56 by Eddie Kwasnik on September 15, 2014 - 8:36 am

      I looked and I was unable to find a cmdlet to change the collection name. If I do come across it, I will make sure to share out the information.

      Eddie

  16. #57 by usman on September 12, 2014 - 7:19 am

    I am planning to run Web Access on two servers. Do I need to create them in a load balancer and publish one IP to a DNS record, or will it be taken care of by the HA connection broker setup?

    • #58 by Eddie Kwasnik on September 15, 2014 - 8:34 am

      If you have two RD web access servers, you should be able to load balance them with a hardware or software load balanced solution.
