Applies to: Windows Server 2012 and 2012 R2
A lot of people were pretty excited when Microsoft released RDS for 2012 and for good reason. Not only did they overcome the shortcomings of the previous release of RDS on Windows 2008 R2, they have also made it very easy to set up and configure. One of the many great features of 2012 and 2012 R2 is the ability to push roles and features to multiple servers in an environment from a single Server Manager console. Not only does this save time when rolling out a new RDS environment, it also makes it easy.
The following will cover the step-by-step process of deploying the base components of an RDS 2012/2012 R2 farm. Before we begin the process, let’s look at the different roles we will be deploying.
Remote Desktop Connection Broker (RD Connection Broker): Connects or reconnects a client device to RemoteApp programs, session-based desktops and virtual desktops.
Remote Desktop Web Access (RD Web Access): Enables users to connect to resources provided by session collections and virtual desktop collections by using the Start menu or a web browser.
Remote Desktop Session Host (RD Session Host, RDSH): Enables a server to host RemoteApp programs or session-based desktops.
Remote Desktop Gateway (RD Gateway): Enables authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on the corporate network or over the Internet.
In our deployment, we will be logged into a single server and through Server Manager we will deploy our new Remote Desktop farm. Each of the servers designated in the environment are virtual, domain joined and were created from a template with the latest Windows updates. No other special changes or configurations were done to any of the servers with the exception of the RD Session Host servers. Some applications were installed on the RD Session Host servers in order for us to deploy our RemoteApp programs.
Here is a list of the servers which will be deployed in our RD farm:
RDBROKER01: RD Connection Broker and RD Web Access server
RDBROKER02: RD Connection Broker, which will be used at a later time for configuring HA for the RD Connection Brokers in the farm
RDSH01: RD Session Host server
RDSH02: RD Session Host server
RDGWY01: RD Gateway server
Log into a domain joined 2012 or 2012 R2 server and launch Server Manager.
From the Dashboard, let’s create a new server group. This is not a requirement, however this is a good practice and helps organize the servers you will be managing.
Enter a name for the server group. Here we will call it RDS Farm.
Go to the Active Directory tab and search for the designated RD servers.
Once we find our servers, add them and hit ok.
Once the servers are added, you will see a new node in Server Manager with the server group name RDS Farm.
Now that we have all of our designated RD servers organized, go to the top right of Server Manager, click Manage and select Add Roles and Features.
On the Before You Begin screen, hit Next.
Here, Microsoft has separated the option of deploying Remote Desktop Services from all other roles and features. Select the option Remote Desktop Services Installation and hit next.
There are two different deployment types: Standard and Quick Start. Quick start is an option to be used mainly for testing purposes or for a proof of concept. The Quick start option will deploy each role for Remote Desktop Services on a single server. In this case we are doing a full deployment and will use the standard deployment option. Select Standard deployment and hit next.
There are two different deployment scenarios. The first is for a Virtual machine-based desktop deployment (VDI). Since we are focusing on the traditional form of Remote Desktop Services, we will choose the Session-based desktop deployment option. Click next.
On the Review Role Services screen it will list a description of the three minimum roles required for the deployment. Review the items and hit next.
Now we need to specify which server will be our RD Connection Broker. In our environment we have already determined the server RDBROKER01 will be our RD Connection Broker. Select and add RDBROKER01 and hit next.
The RD Web Access server has a very small footprint and a lot of times it is easier and more practical to share this role on the designated RD Connection Broker server(s). In some big environments, the RD Web Access role can be installed on its own servers, however for our environment we will be adding the role to our designated RD Connection Broker server RDBROKER01. To do this, check the box listed to install the RD Web Access role service on the RD Connection Broker server and hit next.
For the RD Session Host servers, we have 2 designated servers. Add both servers RDSH01 and RDSH02 and hit next.
On the confirmation screen we can see our proposed configuration. A message will appear stating the RD Session Host servers may require a restart. In order to proceed from this screen, you must check the box to “Restart the destination server automatically if required”. Once checked, hit Deploy.
During the deployment, you will be able to view the progress of each role as it is being deployed. Should there be any issues, it will list the issue along with an error. Wait for the deployment to be completed and hit close.
Go back to Server Manager and you will notice a new node called Remote Desktop Services. Go ahead and click on the Remote Desktop Services node.
In the Remote Desktop Services node, you will see the entire configuration for the new farm. This is where you can begin publishing RemoteApps or session based desktops, add more session host servers, configure HA for the RD Connection Brokers, etc… It is your single console for managing and configuring the Remote Desktop Farm. THANK YOU MICROSOFT!
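The same standard deployment can be scripted with the RemoteDesktop PowerShell module that Server Manager drives behind the scenes, which is handy for repeatable lab builds or for checking what Server Manager just did. The block below is an added example, not part of the original walkthrough; it uses the article's server names, assumes a placeholder AD DNS suffix of corp.example, and assumes it is run from a domain-joined 2012 R2 management server with the Remote Desktop management tools installed, as the article does.

```powershell
# Added example: scripted equivalent of the Server Manager "Standard deployment"
# steps above. Server names are the article's; the DNS suffix "corp.example"
# is a placeholder assumption.
Import-Module RemoteDesktop

$domain  = 'corp.example'
$broker  = "RDBROKER01.$domain"
$webHost = "RDBROKER01.$domain"          # RD Web Access shares the broker, as in the article
$rdsh    = "RDSH01.$domain", "RDSH02.$domain"

# Pre-flight: every target must answer WinRM from the management server,
# otherwise the deployment fails part-way and leaves roles half-installed.
foreach ($server in @($broker) + $rdsh | Select-Object -Unique) {
    if (-not (Test-WSMan -ComputerName $server -ErrorAction SilentlyContinue)) {
        throw "WinRM is not reachable on $server; fix remoting before deploying."
    }
}

# Session-based deployment: Connection Broker, Web Access and Session Hosts in one
# call. Session hosts may be restarted by the cmdlet when the role requires it,
# the same as the "Restart the destination server automatically" checkbox.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $webHost -SessionHost $rdsh

# Verify: list the roles the broker now knows about. Each server should appear
# with exactly the role(s) you intended and nothing extra.
Get-RDServer -ConnectionBroker $broker |
    Select-Object Server, @{ Name = 'Roles'; Expression = { $_.Roles -join ',' } } |
    Format-Table -AutoSize
```

The Get-RDServer read-back is the scripted counterpart of the Remote Desktop Services node in Server Manager: a server showing up with a role you did not plan for is worth investigating before you publish anything.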
Now that we have our farm deployed, we will need to install certificates. A Remote Desktop deployment requires certificates for server authentication, single sign on, and establishing secure connections. These certificates should be created prior to the RDS deployment. Since there are multiple roles which require a certificate, you can use a wildcard certificate to make things easier. In our deployment, I’ve already generated a wildcard certificate and placed it in the following location: \\dc01\d$\Certs\. To begin installing the certs, click on the Tasks drop-down and select the option “Edit Deployment Properties”
Highlight the Role service RD Connection Broker – Enable Single Sign On. Then click on the “Select Existing certificate” button.
On the select existing certificate window, click on the browse button.
Locate and select the certificate and hit the open button.
Enter the password for the certificate and check the box “Allow the Certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.
Back on the deployment properties screen, hit apply.
Once the certificate is applied for the single sign on role service, go ahead and highlight the RD Connection Broker – Publishing option and click on the Select existing certificate button.
Browse and locate the certificate. Once found hit the open button.
Enter the password for the certificate and check the box “Allow the Certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.
Back on the deployment properties screen, hit apply.
Once the certificate is applied for the publishing role service, go ahead and highlight the RD Web Access role service and click on the Select existing certificate button.
Browse and locate the certificate. Once found hit the open button.
Enter the password for the certificate and check the box “Allow the Certificate to be added to the Trusted Root Certification Authorities store on the destination computers”. Hit OK.
Back on the deployment properties screen, hit apply.
Once completed, hit OK.
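For the certificate steps above, the RemoteDesktop module (present on 2012 R2) can push the same PFX to each role service and report the Trusted/OK status that the Deployment Properties dialog shows. The block below is an added example, not the author's procedure; it assumes a PFX file name of wildcard.pfx on the share the article mentions, a placeholder broker FQDN, and that it is run from the management server. The pre-checks it performs before pushing the file (expiry, Server Authentication EKU, wildcard subject covering the broker name) are my additions.

```powershell
# Added example: apply one wildcard PFX to the three role services configured
# above, then read back their status. The PFX file name and the broker's DNS
# suffix are assumptions; the article only gives the share \\dc01\d$\Certs\.
Import-Module RemoteDesktop

$broker  = 'RDBROKER01.corp.example'       # placeholder DNS suffix
$pfxPath = '\\dc01\d$\Certs\wildcard.pfx'  # file name is an assumption
$pfxPwd  = Read-Host -Prompt 'PFX password' -AsSecureString

# Pre-check the PFX before pushing it anywhere. X509Certificate2 accepts a
# SecureString password, unlike Get-PfxCertificate on Windows PowerShell 4.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPwd)

if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    throw "Certificate $($cert.Subject) expires on $($cert.NotAfter); renew it before deploying."
}

# RDS roles present the cert for TLS, so it needs the Server Authentication EKU.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains $serverAuthOid)) {
    throw "Certificate $($cert.Subject) lacks the Server Authentication EKU."
}

# A wildcard CN must cover the names clients will actually connect to.
$cn = (($cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
if ($cn.StartsWith('*.') -and -not $broker.EndsWith($cn.Substring(1), 'OrdinalIgnoreCase')) {
    Write-Warning "Wildcard $cn does not cover $broker; expect name-mismatch prompts."
}
Write-Host "Using $($cert.Subject), thumbprint $($cert.Thumbprint)"

# RDRedirector = "RD Connection Broker - Enable Single Sign On"
# RDPublishing = "RD Connection Broker - Publishing"
# RDWebAccess  = "RD Web Access"
# RDGateway is left out here because the gateway is deployed in the follow-up article.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPwd `
                      -ConnectionBroker $broker -Force
}

# Read back: Level should be Trusted and Status OK for each role. A Status of
# Error means the certificate did not get installed on one of the target servers.
Get-RDCertificate -ConnectionBroker $broker |
    Select-Object Role, Level, ExpiresOn, IssuedTo, Status |
    Format-Table -AutoSize
```

The read-back at the end is the same table the Deployment Properties dialog shows, so it is a quick way to confirm, from a script or a scheduled check, that none of the role services has silently dropped to Error after a broker is added or a certificate is renewed.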
You have successfully deployed a 2012 RDS farm. Now on to publishing RemoteApp programs.
Publishing RemoteApp programs and session based desktops. (Collections)
Configuring User Profile Disks
Deploying the RD Gateway role service for a 2012 RDS Farm
Configuring HA for the Remote Desktop Connection Broker in a 2012 RDS Farm
Configuring the RD Gateway Server for a 2012 RDS farm with HA enabled for the RD Connection Brokers
© 2014 Eddie Kwasnik “the Wolf” All Rights Reserved
#1 by Jusuf on April 15, 2014 - 6:20 am
I am trying to learn new things.
And RDS is a tutorial I really want to know.
Now I am stuck at inserting a certificate.
But you did already have a wildcard certificate (can you tell me how to make this?)
Because on the web I can only find SSL certificates you must buy when you search in Google under wildcard certificates.
I have tried to use Active Directory Certificate Services, but it didn’t help….
#2 by Eddie Kwasnik on April 15, 2014 - 9:20 am
Since this was for a lab environment, I added my own Certificate Authority and was able to issue myself a wildcard SSL certificate for my RDS environment. In most production environments, I will typically use a third party to generate the cert.
Here are some links which might help you in the configuration of a CA as well the steps in successfully issuing a SSL certificate for your environment.
#3 by Koj on April 17, 2014 - 9:27 am
Buying a third-party PKI in a Windows infrastructure is nonsense.
I advise installing a Root CA & Sub CA, then deploying the farm.
#4 by vps or dedicated server on April 29, 2014 - 8:35 am
Thank you for another magnificent article. Where else could anyone get that type of information in such an ideal manner of writing? I’ve a presentation next week, and I’m at the look for such info.
#5 by Ronald on April 30, 2014 - 5:43 am
Thanks for your blog, hope it will help me =)
I am kinda stuck on the wild card cert. I do run my own CA in my domain, so I can issue one, no problem, However, that will be for the domain, so the cert will be for *.shared.int. I also have a commercial wild card cert for my currently deployed external services, say *.mycomp.com. Which one should I use for the RDS deployment? I am intended to publish the gateway through TMG to the outside world, so I do need a commercial cert there anyway.
Do you have an advice? Like using the *.shared.int cert internally, use the *.mycomp.com cert on TMG and have TMG bridge that to the RDGW?
Please let me know your thoughts.
#6 by Eddie Kwasnik on May 1, 2014 - 9:31 am
The advantages of using a third party cert is the root certificate is most likely already installed on the client devices. If you were to use your domain cert, you would have to manually install the root certificate on any device which is not part of your domain. This can be a pain depending on the number of external users connecting to the environment. From a technical perspective, either of the certificates will achieve what you are looking for. As for using a mixture of certificates in the environment, I am one who likes to keep things simple so I would only use one of the certificates. Since you already paid for the third party wildcard cert, I would probably lean more to using that one. But that is more so my preference since either will achieve what you are looking for.
#7 by Scott on May 1, 2014 - 11:35 am
I could kiss you! Good write up. I had the same question as Ronald. So if i got a wildcard cert from a 3rd party for say *.publicdomain.com it would work for my *.internaldomain.local no problems? I’m planning a classic session based desktop deployment. Thanks again.
#8 by Eddie Kwasnik on May 1, 2014 - 1:29 pm
If you use a third party wildcard certificate for *.publicdomain.com, and plan to use this across the entire RDS environment, users internally would be utilizing the fqdn *.publicdomain.com instead of *.internaldomain.int. If you only wanted to use *.publicdomain.com on the RD Gateway for external users, and a different certificate (*.internaldomain.local) for single sign-on and publishing, when a user connects, they will require a root certificate for both Certs on their client device. One of the biggest benefits of using the third party certificate is users will most likely already have the root certificate installed on their client machine. You definitely can use both as long as the root certificates are installed on the client machines. I wish Microsoft would reduce the amount of certificates required for an RDS deployment.
#9 by dedicated server india on May 6, 2014 - 9:11 pm
I get pleasure from, cause I found exactly what I was looking for. You have ended my four day long hunt! God Bless you man. Have a nice day. Bye
#10 by vps reviews uk on May 17, 2014 - 3:38 pm
My brother suggested I might like this web site. He was once entirely right. This publish truly made my day. You can not consider simply how a lot time I had spent for this information! Thank you!
#11 by beach305 on May 24, 2014 - 12:03 pm
My question is, can you now configure RDS on a Windows 2012 R2 domain controller? I have three users that need access remotely and purchasing a separate server just for RDS is costly. In Windows 2008 this was a problem, but in Windows 2012 it was not allowed. Now I think I’m hearing that 2012 R2 allows you again to run RDS on a single server environment.
#12 by Eddie Kwasnik on May 27, 2014 - 9:35 am
Great question. It is never recommended to install the RDS role onto a production Domain Controller, however Microsoft has given the ability to install all RDS roles onto a single server. This means you can install the RD Connection Broker, RD Session Host, RD Web Access and RD Gateway roles on a single server. The easiest way to achieve this is to use the Quick Start option when deploying the roles. This option will install all of the roles with the exception of the RD Gateway onto the single server for you.
Here is a screenshot of the option:
#13 by beach305 on June 1, 2014 - 2:25 pm
Are you saying I can install RDS directly on the DC server or it is better to create a VM and install it there.
In Windows Server 2008 R2, I was able to take a physical server configured as the DC and create a VM via Hyper-V from within. I then made that VM a Terminal Server. The users then had a remote desktop to work with. Is this better, or is your way easier/better?
#14 by Eddie Kwasnik on June 1, 2014 - 7:15 pm
You shouldn’t install it on a DC. Create a VM for it.
#15 by Jo on June 1, 2014 - 4:02 am
Great step by step guide thank you. From which server did you run the Remote Desktop service installation?
#16 by Eddie Kwasnik on June 1, 2014 - 7:41 am
Thanks! I ran the entire deployment from a domain joined member server running 2012R2. That’s the beauty of Server Manager in 2012. Once you have the other servers added into Server Manager, you can deploy an entire RDS farm without having to log into one of the RDS servers.
#17 by Adam Weight on June 17, 2014 - 5:08 pm
Thank you so much for the tutorial. It helped me a lot. I am running into a problem that I can’t seem to fix however. I have deployed a farm based exactly on your instructions here (with name changes of course), and cannot get it to work from the outside.
When I connect to my public DNS name (NAT policy points it to the gateway server), initially there was no page to connect to. I had to install the RDWeb server role on the gateway server as well. But now, the users have no applications to connect to. The collections I set up on my CB server (earlier in the tutorial before implementing the gateway server) do not show up.
The same issue appears when I connect internally to the gateway server. Alternatively, if I connect internally to the CB server, the collections show up. However, my understanding of the Gateway server is that it is necessary for external connections, so I am kind of stuck. It appears that the Gateway server is not pointing users and passing them to the CB server for connections. It looks like it is only pointing to itself.
Any help would be greatly appreciated.
#18 by Eddie Kwasnik on June 18, 2014 - 10:36 am
Is the Gateway server in the DMZ? Does the Gateway server have full network access to the connection broker?
#19 by Adam Weight on June 18, 2014 - 12:00 pm
There is no DMZ. The Gateway is on the LAN side, and the firewall has a NAT rule that passes traffic from the public WAN side using a public IP to the Gateway on the LAN side. And yes, the Gateway has full access to anything on the connection broker.
#20 by Eddie Kwasnik on June 20, 2014 - 1:18 pm
You can try redeploying the rd web access role to the gateway server using rdms. This would require removing the role first and then redeploying it to the gateway server.
#21 by Adam Weight on June 20, 2014 - 2:48 pm
I just tried your suggestion today. I removed the RDWeb role from the connection broker, and added it instead to the gateway server. I tested logging into the system, and none of the published apps showed up. I removed the collection, and then re-added it, still no apps show up.
#22 by Eddie Kwasnik on June 20, 2014 - 3:09 pm
That’s an issue I have yet to run into. The other option is to place the RD Web Access back on the broker and have a NAT rule on the firewall for users to access the rd web access site off of the broker. Then if you have the setting: external users upon their connection will connect through the Gateway server.
#23 by Adam Weight on July 7, 2014 - 2:35 pm
So I finally got this working by completely rebuilding all the servers from the ground up (OS wipe), and following the instructions again. Now I am running into a different problem.
I have the RD environment set up to use HA and Gateway. I have my Connection Broker Round Robin set up as RDFarm.mydomain.com. None of the servers are directly accessible from the Public Internet except for the Gateway. I have a NAT policy on my firewall to allow access to that using a public IP address.
From inside the LAN where the systems reside, I am able to access the published app and launch without issue. I can do this using either the internal name, or public name going through the NAT policy.
However, from any computer outside the local LAN, I can get to the published app page and launch the app, but when it tries to connect to RDFarm.mydomain.com I receive an error:
“Remote Desktop cannot connect to the remote computer RDFarm.mydomain.com.”
It seems to me that it is only connecting when on the LAN because the local DNS has an entry for RDFarm.mydomain.com, but when on the public side of course, there is no DNS entry for that because that is behind the firewall on the local LAN.
I thought the point of the gateway was to allow connections from the outside and control access to the inside without having to make all your servers public? If I have to give a public IP to all my servers in the farm just to make this work doesn’t that kind of defeat the entire purpose?
#24 by Eddie Kwasnik on July 7, 2014 - 9:05 pm
I wonder if it is even trying to connect through the gateway. Usually the error would say something along the lines of
Could you send or post the rdp file? If you connect to the rd web access page from outside of your LAN, you can log in and instead of launching the remoteapp or desktop, right click on it and save it to your local machine. Then open the file using notepad.
#25 by Adam Weight on July 8, 2014 - 4:03 pm
Eddie, I’m not sure how to post the RDP file to here, or even a screenshot. I don’t see any option for attaching any kind of file, just to type text. So the best I can do I guess is paste in the RDP file config when opening it in a text editor:
prompt for credentials on client:i:1
allow font smoothing:i:1
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Relativity_Apps
alternate full address:s:RDFARM.AD-REVIEWHOST.COM
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAAD3DwAAMIIP8wYJKoZIhvcNAQcCoIIP5DCCD+ACAQExCzAJBgUrDgMC GgUAMAsGCSqGSIb3DQEHAaCCDdMwggPFMIICraADAgECAgEAMA0GCSqGSIb3DQEB CwUAMIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMK U2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xMTAvBgNVBAMT KEdvIERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMDkw OTAxMDAwMDAwWhcNMzcxMjMxMjM1OTU5WjCBgzELMAkGA1UEBhMCVVMxEDAOBgNV BAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFk ZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRl IEF1dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA v3FiCPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGx BT4HTu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6K FWp/3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH 3go+6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5 zvGIgPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G /M7EGwM8CetJMVxpRrPgRwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud DwEB/wQEAwIBBjAdBgNVHQ4EFgQUOpqFBxBnKLbv9r0FQW4gwZTaD94wDQYJKoZI hvcNAQELBQADggEBAJnbXXnV+ZdZZwNh8X47BjF1LaEgjk9lh7T3ppy82Okv0Nta 7s90jHO0OELaBXv4AnW4/aWx1672194Ty1MQfopG0Zf6ty4rEauQsCeA+eifWuk3 n6vk32yzhRedPdkkT3mRNdZfBOuAg6uaAi21EPTYkMcEc0DtciWgqZ/snqtoEplX xo8SOgmkvUT9BhU3wZvkMqPtOOjYZPMsfhT8Auqfzf8HaBfbIpA4LXqN0VTxaeNf M8p6PXsK48p/Xznl4nW6xXYYM84s8C9Mrfex585PqMSbSlQGxX991QgP4hz+fhe4 rF721BayQwkMTfana7SZhGXKeoji4kS+XPfqHPUwggTQMIIDuKADAgECAgEHMA0G CSqGSIb3DQEBCwUAMIGDMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTET MBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4x MTAvBgNVBAMTKEdvIERhZGR5IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g RzIwHhcNMTEwNTAzMDcwMDAwWhcNMzEwNTAzMDcwMDAwWjCBtDELMAkGA1UEBhMC VVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNV BAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMuZ29k YWRkeS5jb20vcmVwb3NpdG9yeS8xMzAxBgNVBAMTKkdvIERhZGR5IFNlY3VyZSBD ZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEP 
ADCCAQoCggEBALngyxDUr3a91JNi6zBkuIEIbMME2WIXji//PmXPj85i5jxSHNoW RUtVq3hrY4NikM4PaWyZyBoUi0zMRTPqiNyeo68r/oBhnXlXxM8u9D8wPF1H/JoW vMM3lkFRjhFLVPgovtCMvvAwOB7zsCb4Zkdjbd5xJkePOEdT0UYdtOPcAOpFrL28 cdmqbwDb280wOnlPX0xH+B3vW8LEnWA7sbJDkdikM07qs9YnT60liqXG9NXQpq50 BWRXiLVEVdQtKjo++Li96TIKApRkxBY6UPFKrud5M68MIAd/6N8EOcJpAmxjUvp3 wRvIdIfIuZMYUFQ1S2lOvDvTSS4f3MHSUvsCAwEAAaOCARowggEWMA8GA1UdEwEB /wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRAwr0njsw0gzCiM9f7 bLPwtCyAzjAfBgNVHSMEGDAWgBQ6moUHEGcotu/2vQVBbiDBlNoP3jA0BggrBgEF BQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzA1 BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkcm9vdC1n Mi5jcmwwRgYDVR0gBD8wPTA7BgRVHSAAMDMwMQYIKwYBBQUHAgEWJWh0dHBzOi8v Y2VydHMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEB AAh+bJMQyDi4lqmQS/+hX08E72w+nIgGyVCPpnP3VzEbvrzkL9v4utNb4LTn5nli Dgyi12pjczG19ahIpDsILaJdkNe0fCVPEVYwxLZEnXssneVe5u8MYaq/5Cob7oSe uIN9wUPORKcTcA2RH/TIE62DYNnYcqhzJB61rCIOyheJYlhEG6uJJQEAD83EG2Lb UbTTD1Eqm/S8c/x2zjakzdnYLOqum/UqspDRTXUYij+KQZAjfVtL/qQDWJtGssNg YIP4fVBBzsKhkMO77wIv0hVU7kQV2Qqup4oz7bEtdjYm3ATrn/dhHxXch2/uRpYo raEmfQoJpy4Eo428+LwEMAEwggUyMIIEGqADAgECAgcET1sJqhE3MA0GCSqGSIb3 DQEBCwUAMIG0MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UE BxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNV BAsTJGh0dHA6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UE AxMqR28gRGFkZHkgU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4X DTE0MDYxMzIyMzAwMVoXDTE1MDYxMzIyMzAwMVowQTEhMB8GA1UECxMYRG9tYWlu IENvbnRyb2wgVmFsaWRhdGVkMRwwGgYDVQQDDBMqLmFkLXJldmlld2hvc3QuY29t MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2pvZapMY4zMFrrUsh8Gf k8r/PQ/70EbL5gofEMXAzo5sjfyyCQnljtQ9jC0Kg0Dh2XUdMJQ7lKTaDiB5jgIl SbxcJsCxMrK4fPKOhwjd2+9TVvNjplutr4/a9O12ArvRnRaaCm5oT9wSEkeS2wug +0VvvYhFdWqLYf/9R6PeMRGy3ayq+z3EWl32snHV6F8PnFmuqM8LPKfMNS8spCxn v9ir46a68c1dskt3kwsSkTCxM58qGqHFEaPNoJrhB1qbXBcH2IeS60oRM4jAgQxV 5Bo/oA/INPGXKCCH1DzgSr4HPVqYwmo3IyzL13HxyZH+o4QJKEalCfnfzDEKjywk 
kwIDAQABo4IBuTCCAbUwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD AQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDYGA1UdHwQvMC0wK6ApoCeGJWh0 dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS03NC5jcmwwUwYDVR0gBEwwSjBI BgtghkgBhv1tAQcXATA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVz LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMHYGCCsGAQUFBwEBBGowaDAkBggrBgEF BQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRw Oi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0 MB8GA1UdIwQYMBaAFEDCvSeOzDSDMKIz1/tss/C0LIDOMDEGA1UdEQQqMCiCEyou YWQtcmV2aWV3aG9zdC5jb22CEWFkLXJldmlld2hvc3QuY29tMB0GA1UdDgQWBBRF r1gCI3XABdHzdw4c8Fprgp4oyzANBgkqhkiG9w0BAQsFAAOCAQEAlXR24aH9jPxp e5PeYKyPnJjZJROeSiTQ//IhOO3RLnIjaJyN1ASP3tB6gYANz4w7hpCgMBjZujWx m48Qmrf5e+QnM+akeYSA/jlelc6SzapmUviUQz96nyJGDGGsMCGByPraZEV95WNc 3FMrnMLqkpm0s0eVLgvaDlUCNLc3fPVKu1VQGChor6ft1E4V9ldGEHQVz3+O0exM QsRALowEWF7zwPAyE/h9d0ikUnVS8uIEnaeHg/7ff54og2N36xYniZeJVdrYxFjp UMyB7l5tfcXvYBr13Cw1+rs4DCSd/7dTeL/VLFCXKeiTe0/hjUl+nDc3tPY0/iin p6z/CjYoXDGCAegwggHkAgEBMIHAMIG0MQswCQYDVQQGEwJVUzEQMA4GA1UECBMH QXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5j b20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBv c2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2VjdXJlIENlcnRpZmljYXRlIEF1 dGhvcml0eSAtIEcyAgcET1sJqhE3MAkGBSsOAwIaBQAwDQYJKoZIhvcNAQEBBQAE ggEAhdyR4RrVXN784BAS2ArIh6Y+teM+DXTOpy9u3LNK969htu1Um9YKw/udK0wX dYQwl1u/+dmDcDnUiI7howacA4aHqWzcyxlG8iI7O1JRhgZvKn0pnQT+JX2jpsT2 4a6IpMKt6Qc8a9SyPzqjc/c8d3AZt2ZtYFNARLOJ3+CY1HKLeSjHvka7fPsBqEfP PnuM7NZdTK7z5Z0uRdWmWHvjPVTTXJ02uC1Sn9NvDWgcX0cJ/dll0EsgzSBGXOFc bUjOuZKQyycH9am27Zr4e7g0G7uC1fZgQfyu8xEE1iV6LXCPig7C6BMO3NOe4+G/ +umhm5++ZsLVTZ+D67C21tnn3w==
#26 by Eddie Kwasnik on July 9, 2014 - 10:33 am
From your Gateway server, can you successfully ping RDFARM.AD-REVIEWHOST.COM?
#27 by Adam Weight on July 9, 2014 - 11:48 am
Yes. From the gateway server I can ping the farm. See ping response below:
Pinging rdfarm.ad-reviewhost.com [192.168.110.14] with 32 bytes of data:
Reply from 192.168.110.14: bytes=32 time=1ms TTL=128
Reply from 192.168.110.14: bytes=32 time<1ms TTL=128
Reply from 192.168.110.14: bytes=32 time<1ms TTL=128
Reply from 192.168.110.14: bytes=32 time
#28 by Eddie Kwasnik on July 9, 2014 - 1:39 pm
Excellent. Can you check the event viewer on the RD Gateway server under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\. Within there under the Operational Log, do you see anything with an exclamation icon? I believe it’s Event ID 304.
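The same check can be done without clicking through Event Viewer. The block below is an added example, not something from the thread; it assumes it is run on the RD Gateway server itself (or with -ComputerName added to Get-WinEvent), uses the event IDs 301 and 304 discussed in this thread, and parses the message wording of the event quoted later in the thread. The WMI class and property names for the RD Gateway policies are taken from Microsoft's RD Gateway WMI provider documentation as I recall them; confirm them with Get-WmiObject -List -Namespace root\CIMV2\TerminalServices if they differ on your build.

```powershell
# Added example: pull recent RD Gateway authorization failures from the
# Operational log named above, and list the CAP/RAP policies so the denied
# user and resource can be compared against what the gateway evaluated.
$log = 'Microsoft-Windows-TerminalServices-Gateway/Operational'

# 301 = resource authorization policy (RAP) not met,
# 304 = connection authorization policy (CAP) not met.
$denied = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 301, 304 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $denied) {
    Write-Host "No CAP/RAP denials among the last 50 relevant events; the client may never be reaching the gateway."
} else {
    # Extract user, client IP, target resource and error code from the message
    # text. The event body uses straight double quotes around each value.
    $pattern = 'The user "(?<User>[^"]+)", on client computer "(?<Client>[^"]+)".*?resource "(?<Resource>[^"]+)".*?error occurred: "(?<Code>\d+)"'
    $denied | ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern, 'Singleline')
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            User     = $m.Groups['User'].Value
            Client   = $m.Groups['Client'].Value
            Resource = $m.Groups['Resource'].Value
            Code     = $m.Groups['Code'].Value
        }
    } | Format-Table -AutoSize
}

# The policies the gateway applied, from the RD Gateway WMI provider
# (class/property names as documented by Microsoft; verify on your build).
$ns = 'root\CIMV2\TerminalServices'
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy |
    Select-Object Name, Enabled, UserGroupNames, ComputerGroupNames |
    Format-List
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy |
    Select-Object Name, Enabled, UserGroupNames, ResourceGroupType, ResourceGroupName, ProtocolNames, PortNumbers |
    Format-List
```

Reading the denial and the policy side by side is usually enough to spot the mismatch: a user outside every UserGroupNames entry points at the CAP, while a resource name that is not covered by the RAP's ResourceGroupName (for example a farm DNS name that was never added) points at the RAP.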
#29 by Adam Weight on July 9, 2014 - 2:23 pm
Ok, so I just attempted to connect from the outside (just to have it in the logs if there is an error), then took a look at the logs on the Gateway server. I am seeing an error in the TerminalServices-Gateway Operational log. Evt 301, TerminalServices-Gateway:
Log Name: Microsoft-Windows-TerminalServices-Gateway/Operational
Date: 7/9/2014 11:00:38 AM
Event ID: 301
Task Category: (5)
Keywords: Audit Failure,(16777216)
User: NETWORK SERVICE
The user “AD-REVIEWHOST\tuser”, on client computer “22.214.171.124”, did not meet resource authorization policy requirements and was therefore not authorized to resource “AdRev-App-02.ad-reviewhost.com;ADREV-APP-02;192.168.110.124”. The following error occurred: “23002”.
The odd thing is, I have a RAP policy in place, and authorized users are members of the AD group “AD-REVIEWHOST\Review Users” of which the user account referenced in the error is a member. So I’m not sure why it’s being denied access to the system.
#30 by Eddie Kwasnik on July 9, 2014 - 3:40 pm
Did you go through the following steps as well?
If you already did, let me know and I will email you directly to see if we cant find what the issue is.
#31 by Adam Weight on July 9, 2014 - 6:15 pm
Yes I did already go through those steps to create the RAP for HA.
#32 by Adam Weight on July 11, 2014 - 6:45 pm
Just wanted to say thanks again! With your help I now have my environment fully functional.
#33 by Adam Weight on July 16, 2014 - 12:45 pm
Sorry to keep hitting you up for assistance Eddie. I have a new issue now. I attempted to add a new system as a second connection broker in my HA environment. I was able to add the system just fine and everything appeared to work however I started getting certificate errors when connecting.
Taking a look at the deployment properties, I noticed both connection broker certificates now show a status of Error. I thought perhaps this is because the cert is not installed on the second broker, so I went through the process to add the cert in the deployment properties.
When I attempted to do that I get the error: “Could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again”
This happens no matter how many times I try to load the cert. Both systems are on the same network and have full access to one another. Both show up properly in the HA database. I even looked at the local certificate store, and the valid cert is on both machines.
I searched the Internet for answers for hours but kept coming up blank.
#34 by Adam Weight on July 21, 2014 - 8:11 pm
Thanks again for all your help. This is resolved now.
#35 by Eddie Kwasnik on July 22, 2014 - 1:22 pm
No problem. I’m glad everything is working.
#36 by duncan on June 21, 2014 - 8:17 pm
This article is a great help. I would like to know: if you have a setup with HA brokers and session hosts (no gateway or web access), do you still need certificates? My install worked fine till I added the HA broker, then everything stopped. HELP
#37 by Eddie Kwasnik on June 23, 2014 - 9:21 am
You should still put a cert on the broker for the publishing and SSO. This will eliminate the numerous pop-ups users will get when trying to establish a connection. When you say it stopped working, are you getting an error when trying to connect?
#38 by duncan on June 23, 2014 - 7:10 pm
Yes, the server has an error:
Error id 1306 Microsoft-Windows_terminalservices-sessionbroker-clent
Remote desktop connection broker client failed to redirect the user to centacare\test_rds_user1
I can edit the rdp file to get it working but I did not get this in my POC and we have over 1000 users not all on the domain so sending a modified rdp file is not really a solution
#39 by Eddie Kwasnik on June 24, 2014 - 9:41 am
Usually this error means its a communication issue between the RDSH servers and the brokers. What item are you editing in the rdp file to get it working?
#40 by duncan on June 24, 2014 - 7:21 pm
We have added the following 5 lines:
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.RDS_Users
alternate full address:s:rds.cent.org
#41 by Eddie Kwasnik on June 26, 2014 - 9:49 am
Are you able to communicate fully from the Broker to the RDSH servers and vice-versa?
#42 by Lynne Nimmo on June 25, 2014 - 12:29 pm
Is there a limit to how many RDS servers you can have in one 2012 farm?
#43 by Eddie Kwasnik on June 26, 2014 - 10:10 am
With the capability of using the HA options for the broker servers you have the ability to add a lot more RDSH servers to an RDS farm than you did with 2008R2, however as for the maximum limit of how many servers you can use in a farm is one I do not know.
#44 by Rob on August 4, 2014 - 9:27 am
Great set of articles and I am learning this stuff as we go along.
I have got myself a Server 2012 R2 server up and running on the domain with some published apps and this all works fine internally with no issues.
Now I would like to get some apps published via the Internet through our firewall infrastructure. However it seems that this is not easy to do. Do I still need an RD Gateway server even if we have an existing firewall (Cisco)?
It seems at the moment the Cisco ASA just will not talk to the RDWeb server.
Keep up the good work!
#45 by Eddie Kwasnik on August 4, 2014 - 9:45 am
Thanks for the great comments! I'm not 100% sure what could be the issue on the ASA, but the RD Web Access server should be treated as a normal web server using HTTPS. As for the gateway server, many firewall appliances have some form of built-in technology which can allow them to act as an RD Gateway server. However, if your device does not have that functionality, I highly recommend using an RD Gateway server. This will minimize the number of rules you will need to place on the firewall, providing users a single point of entry. The firewall will provide access to the gateway server and the gateway server will provide access to your farm.
#46 by Rob on August 5, 2014 - 2:51 am
Thanks for the reply. I will take a look at putting in a gateway server, I think, as the less I have to get done on the firewall the better.
Thanks again for your reply and have a great day.
#47 by Rob on August 10, 2014 - 7:51 pm
I am following this guide, and when I get to the point of providing my own wildcard cert from DigiCert that we use for our Linux web servers, it always has
RD connection broker – enable SSO – Trusted – Error
RD connection broker – publishing – Trusted – OK
RD Web access – trusted – Error
RD Gateway – trusted – Error
I have added the cert manually to the computer, personal, trust and remote desktop locations in cert manager, but always get “could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again.” This is a brand new install.
Any .rdp files it gives result in the client (Mac) saying that the .RDP file is not valid (and it's not signed):
prompt for credentials on client:i:1
allow font smoothing:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.myrdshhost
#48 by Eddie Kwasnik on August 12, 2014 - 11:17 am
It may be something with the certificate itself. You can validate the certificate to match the requirements found on the following link:
#49 by julisanto on August 20, 2014 - 8:03 am
It is really, really a great article you have there. But I have a question if you don't mind. So I have only 1 box server. So I have no choice but to install RDCB, RDSH and RDWA in the same box. There won't be HA in RDCB and RDSH. But right now I am struggling with the feature of RDCB where “users get reconnected to their existing session / apps if they get disconnected, unintentionally or intentionally”. Can you advise me please? Thanks.
#50 by Eddie Kwasnik on August 20, 2014 - 1:47 pm
So the users when disconnected, are not able to reconnect to their disconnected session?
#51 by julisanto on August 20, 2014 - 10:19 pm
My previous implementation of RD Services using Windows 2008 R2 (with multiple RDSH though): when a user logs in and opens some app, if they don't log out properly and just directly close the browser, the app will close as well. When they log in again, the last opened (unsaved) app will run itself and go back to the state last seen. I am trying to achieve this in Windows 2012 (the difference is, now I only have 1x RDSH). I log in, run Paint and WordPad. I edit both of them and leave them unsaved. I close my browser, the app doesn't close… so I close the app (it will ask me if I want to save or not). If I choose not to save, then log in to RD Web Access, the app won't auto run and bring me to the last seen state. Hopefully I don't confuse you; I will await your great advice, thank you in advance.
#52 by Eddie Kwasnik on August 21, 2014 - 9:21 am
Closing the Internet Browser will not close the existing RemoteApp connections. The browser is simply an interface which along with the RDWeb Access server presents the user with a RDP file to initiate the user’s connection. The connection is independent from the browser connection to the RD Web Access server. So closing one will not affect the other.
If the user however is disconnected from their session, when they log back in, it will reconnect them to their existing disconnected session.
#53 by Juli santo on August 21, 2014 - 10:05 am
In this case, how do I simulate a user getting disconnected and reconnecting them? Can you advise a way? And to confirm, reconnecting their session also means their running apps will auto launch with content, right?
#54 by Eddie Kwasnik on August 21, 2014 - 11:51 am
One way to simulate a disconnection is to unplug the network from the client device. After the session disconnects, plug back into the network and once the user launches their applications, it should connect them back to their disconnected session.
#55 by Heera Sharma on September 8, 2014 - 2:48 pm
This is a great post. I created a new VDI collection on RDS using New-RDVirtualDesktopCollection cmdlet. I tried changing the name of the collection itself using Set-RDVirtualDesktopCollectionConfiguration. But it would not allow me to change the name of collection. I can change the collection name via RDS User Interface but no equivalent PowerShell seems to be available.
I posted the question in the RDS Windows 2012 R2 forum as well. Here is the link to that:
Any insight you can provide to achieve change in collection name would be greatly appreciated.
#56 by Eddie Kwasnik on September 15, 2014 - 8:36 am
I looked and I was unable to find a cmdlet to change the collection name. If I do come across it, I will make sure to share out the information.
#57 by usman on September 12, 2014 - 7:19 am
I am planning to run Web Access on two servers. Do I need to load balance them and publish one IP in a DNS record, or will that be taken care of by the HA connection broker setup?
#58 by Eddie Kwasnik on September 15, 2014 - 8:34 am
If you have two RD web access servers, you should be able to load balance them with a hardware or software load balanced solution.
#59 by Anthony Larson on September 19, 2014 - 12:13 am
We are attempting to configure a “simple” RDS 2012 R2 Farm.
One server with a Connection Broker & license server installed, and 4 separate RDSH 2012 R2 Servers.
We have configured the Connection Broker RDS “Collection” named as RDSFarm with the 4 RDSH Servers.
We want the users to connect to the 4 RDSH Servers Remote Session Desktops via RDP 3389.
We are not using RDweb or RDapps, only the Remote Desktop Sessions on the hosts.
We do not have a RDS Gateway configured, as we do not anticipate the need for remote external connections.
Our DNS has configured the 4 RDSH servers as 192.168.0.101 – 104 and the RDCB as .110.
We have made a DNS RR name of “RDSFarm” for the 4 RDSH.
1) Currently when a user connects via RDP to the RDSFarm (DNS RR), they are requested to login their domain credentials twice.
I'm assuming that this is because they are routed to one RDSH server first via DNS RR, and then the RDCB server takes over and reroutes them to a different RDSH server.
Is there a way I can fix this so they only have to enter credentials once?
2) Does the RDP Client need any configuration in the “Gateway settings” section, perhaps entering in the RDCB server settings?
Thanks for your help!
#60 by Eddie Kwasnik on September 23, 2014 - 8:48 am
Sorry for the late reply. Can you try the following and see if you still get prompted twice?
1. Try connecting directly to one of the RDSH servers using the actual server name and/or IP address. Do you get prompted twice?
2. Try connecting, but this time using the RDWEB server and see if you get prompted twice.
#61 by Anthony Larson on September 24, 2014 - 4:42 pm
Thanks for replying back.
1. Using only the IP Address or server name of one RDSH server I occasionally get prompted twice.
I think what occurs when I get prompted twice is when RDCB server decides to put me on a different RDSH server than I was just logged into. If RDCB server decides to put me on the same server I was just on, then I only receive the login prompt once.
2. I don’t have RDWeb installed.
#62 by Neill Fleetwood on September 30, 2014 - 6:01 am
Firstly, brilliant articles. I have used them religiously to set up my own farm. I am however encountering the same issue that Adam did in post #29. It was all working fine up until yesterday when I added my trusted certs, but I can't see how they would be causing the issue.
I have checked my RAP and CAP multiple times and they check out fine.
Brief topology is:
RD Web & connection broker on the same server, in HA with a 2nd server
RD Gateway server
RD licencing on WSUS server
12 RDS Host servers
If I navigate to my external URL internally, I authenticate with my test user and am able to successfully log onto the host server(s). Externally I get as far as authenticating on the RD Web and get connected to the RD Workplace, but then when selecting the RDS Farm RDP icon I get the error:
The user “user”, on client computer “IP”, did not meet resource authorization policy requirements and was therefore not authorized to resource “RDS4.internaldomain.local;RDS4;IP”. The following error occurred: “23002”.
It is getting to the gateway server, so I can't see how certs would be a problem.
Any help or advice would be great.
#63 by Eddie Kwasnik on September 30, 2014 - 8:31 am
Neill, Thanks for the great comments. Can you check the event viewer on the RD Gateway server under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\. Within there under the Operational Log, do you see anything with an exclamation icon? I believe its Event ID 304.
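The log check Eddie describes, as an added example that is not part of the original post: run on the RD Gateway, it lists the warning and error entries (the ones with the exclamation icon) from the TerminalServices-Gateway Operational log for the last 24 hours and pulls the user, client address, resource string and error code out of each message with a regular expression. The resource string in a RAP failure (the "RDS4.internaldomain.local;RDS4;IP" triple quoted above) is the name the RAP's resource group has to match. The message patterns are assumed from the event text quoted in this thread.

```powershell
# Added example (not from the original post): run on the RD Gateway server.
# Lists warning/error entries from the Gateway Operational log over the last
# 24 hours and extracts the fields from the message text.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Level     = 2, 3                      # 2 = Error, 3 = Warning
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $m = $_.Message
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        # Regexes follow the wording of the 301-style messages quoted in the thread
        User     = $(if ($m -match 'The user "([^"]+)"')        { $Matches[1] } else { '' })
        Client   = $(if ($m -match 'client computer "([^"]+)"') { $Matches[1] } else { '' })
        Resource = $(if ($m -match 'resource "([^"]+)"')        { $Matches[1] } else { '' })
        Error    = $(if ($m -match 'error occurred: "(\d+)"')   { $Matches[1] } else { '' })
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the Resource column shows the session host's internal FQDN or IP while the RAP's resource group only contains the farm or collection name, the gateway will refuse the redirected connection even though the user passed the CAP, which is the pattern a "did not meet resource authorization policy requirements" entry describes.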
#64 by Neill Fleetwood on October 17, 2014 - 8:49 am
Sorry for the late reply, I have been in the States for the past 2 weeks. I do have errors with ID 301 with the error as stated above. Now however I am not getting these but a totally different issue. I can't RDP to the host servers at all. Web Access works fine up to when trying to connect. The error is on the Connection Broker:
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : domain\user
Error: Remote Desktop Connection Broker is not ready for RPC communication.
Log Name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
EVENT ID: 1296
I am also getting Event ID 1306, Remote Desktop Connection Broker Client failed to redirect the user
Still researching but everything is pointing to RDS2008 as present.
#65 by Jeremy on October 10, 2014 - 3:22 pm
Is there any way you could tell us how you helped Eddie in post #31? I'm able to access internally, but not externally. I've only added one firewall rule for port 443 to the GW. I followed your instructions on deployment. This is my setup:
SH01 PHYSICAL C AND F DRIVE
SH02 PHYSICAL C DRIVE
CB01 VIRTUAL CONNNECTION BROKER
VIRTUAL LICENSE SERVER
GW01 Physical Gateway
Physical RD WEB ACCESS
#66 by Eddie Kwasnik on October 13, 2014 - 3:38 pm
For that particular issue on post #31, it was the RAP policies which were causing the problem. Are you getting a specific error when trying to connect through the gateway?
#67 by Jeremy on October 14, 2014 - 1:16 pm
Sorry for that short description, I was pretty swamped when I wrote that out. When I’m on a windows 8 laptop on the network (not a domain computer) I can connect just fine. I can connect just fine on a domain computer as well on the network. On that very same laptop if I switch over to my phone’s shared internet or from home the connection times out. This happens on more than one windows 8 laptop. What is odd is that I picked up my surface from home this morning and was able to remote in just fine. Is it possible that the laptop isn’t using the https address? If it’s only using http then it will fail. The error I’m getting is: “The computer can’t connect to the remote computer. The two computers couldn’t connect in the time allotted….” Thanks for any feedback you may have.
#68 by Neill Fleetwood on October 31, 2014 - 8:03 am
Me again. I have flattened my 1st RDS farm and built from scratch. Everything is fine, however I am unable to connect to the farm externally. Internally it works perfectly fine. I get to the RD Web with no issue and authenticate. I see the RDP icon for the farm and click. Everything looks like it is about to connect, but then I get the RDP error that my user does not meet the RAP on the gateway.
Triple checking the user is in the security group that is specified to connect to the farm. Checking the gateway logs I see:
The user “DOMAIN\GPtest”, on client computer “External IP”, did not meet resource authorization policy requirements and was therefore not authorized to resource “RDS2.DOMAIN.local;RDS2;Internal IP”. The following error occurred: “23002”.
I have set the Farm as per your article with 2 RDBrokers in a HA and a gateway. The RAP is configured as per your article. If i set the RAP to allow any resource the connection is successful.
I have checked all the deployment settings and cannot find an issue.
Any suggestions would be greatly appreciated.
#69 by Aaron on November 12, 2014 - 8:49 pm
Thank you for the tutorial.
I have followed the instructions in this article, built a RD farm with self-signed certs. I have not changed anything in the DNS yet. There are 5 user RD licenses installed. The RD license server shows no error.
I have setup 4 virtual servers: (All the firewalls on these servers are disabled for now.)
1. RDCB01: 10.10.1.11 (Connection Broker, also the RD Gateway and RD License server)
2. RDFarm01: 10.10.1.15 (RD Session Host)
3. RDFarm01: 10.10.1.16 (RD Session Host)
4. RDFarm01: 10.10.1.17 (RD Session Host)
All four servers are in a domain.
The computer, call it TestWS, I used for test is on a separated network with different public IP.
I have forwarded ports 3389/TCP and 443/TCP to server RDCB01 (10.10.1.11).
The problem is that when I log in externally with the server's public IP, I am always connected to RDCB01, not any of the RD Session Hosts.
The tests that I have done:
1. Log in to the server with Remote Desktop Connection using the server’s public IP from TestWS, with a non-administrator user account. But, I was always connected to the server RDCB01.
2. I was able to log in to the same server the second time with a different non-administrative account, while the first connection is still active. Still logged in to the server RDCB01.
3. When I did this for the third time, it asked me to disconnect one of the two previous connections.
4. While logged in to RDCB01 remotely, I was able to remote desktop to all of the RD Session Hosts with their internal IPs, using a non-administrative account.
Why wasn’t I connected to the session hosts? What have I missed?
#70 by Eddie Kwasnik on December 1, 2014 - 9:21 am
Looks like you have one firewall rule to connect all connections over 3389 to the broker server. This is why you are only able to connect to the broker from the outside. In order to make things easier since you have only one public IP, deploy an RD gateway server and make that server the one which is exposed to the outside. This will allow the gateway server to connect users to the RDSH servers.
#71 by Michael on January 16, 2015 - 5:58 am
Can this environment be tested without a Certificate?
#72 by Eddie Kwasnik on January 16, 2015 - 8:50 am
You will not be able to use the RD Gateway server. If there are no certs, the users will receive numerous annoying pop-ups when trying to connect as well.
#73 by KickAssVPS on January 19, 2015 - 7:22 am
Thank you for a great article, your recommendations helped me a lot!
#74 by Malcolm on January 29, 2015 - 7:28 am
With regards to the certificate bit, the certificate I have is a .crt file whereas the wizard is looking for a .pfx.
Is there a way I can convert, or does it not work like that?
#75 by Eddie Kwasnik on January 29, 2015 - 9:40 am
The .pfx also contains the private key along with the certificate. How did you acquire your cert? What I did was install my certificate on a single server and then export it along with its private key to create my .pfx file. Then I used this so the private key was part of the process.
#76 by Michael on January 29, 2015 - 9:02 am
What kind of certificate is needed for RD GW? Server/user/website certificate?
#77 by Eddie Kwasnik on January 29, 2015 - 9:48 am
The certificate type and/or its Enhanced Key Usage should be “Server Authentication”.
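The two points Eddie makes in #75 and #77 (the .pfx must carry the private key, and the certificate must carry the Server Authentication EKU), as an added example that is not part of the original post: run on the server where the certificate was installed with its key, it reports the subject names, expiry, whether the private key is present and whether the EKU is acceptable, and only then exports a .pfx for the deployment wizard. The thumbprint, output path and password are placeholders.

```powershell
# Added example (not from the original post). Inspect a certificate in the
# machine store, confirm it is usable for RDS, and export it with its private
# key to a .pfx. Thumbprint and path are placeholders.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed
$PfxPath    = 'C:\certs\rds-wildcard.pfx'                  # assumed
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# id-kp-serverAuth; an empty EKU list means "any purpose" and is also accepted
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekus = $cert.EnhancedKeyUsageList
$hasServerAuth = ($ekus.Count -eq 0) -or ($ekus.ObjectId -contains $serverAuthOid)

[pscustomobject]@{
    Subject       = $cert.Subject
    DnsNames      = ($cert.DnsNameList.Unicode -join ', ')   # SANs the clients will be matched against
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEKU = $hasServerAuth
    SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
} | Format-List

if (-not $cert.HasPrivateKey) {
    throw 'No private key in this store; export must be done where the key was generated.'
}
if (-not $hasServerAuth) {
    throw 'Certificate lacks the Server Authentication EKU and will not be accepted by RDS.'
}

# Export certificate + private key; this is the file the Configure Certificates wizard wants
$pwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pwd
```

A .crt on its own (Malcolm's case in #74) never contains the key; if the key lives on the Linux web server where the CSR was generated, build the .pfx there with `openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx` and copy the .pfx across, rather than importing the bare .crt into Windows.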
#78 by Jeremy on January 30, 2015 - 11:06 am
Is it possible to provide our users with two RDWEB icons. One for single monitor and one for dual monitors? If not, how would someone address this issue. Most of our users have dual monitors, but a handful have single. Thanks for your help!
#79 by Eddie Kwasnik on February 2, 2015 - 10:18 am
The RDP connection should detect the amount of monitors on the client device and the user should be able to expand the session across both monitors without having any special configurations. As long as the rdp client is at the latest, it should work automatically for you.
#80 by Ilya on February 6, 2015 - 5:36 am
Hi Eddie! Thanks for article!
I have problem with connecting to my RDS Farm trough RDGateway.
From external i can connect as domain admin, but as domain user i get error “This computer can’t connect to the remote computer because the Terminal Services Gateway server address requested and the certificate subject name do not match”
If i try connect from inside LAN, as domain admin its fine, but as domain user i just promted to enter login/password again and again without any error.
RAP/CAP policy configured for all domain users.
#81 by Eddie Kwasnik on February 6, 2015 - 9:02 am
That’s strange that it works for a domain admin and a regular user is getting a cert error. Whats is the RD Gateway FQDN set to as well as what is the FQDN on the actual cert?
#82 by Ilya on February 9, 2015 - 5:23 am
Yes it is. And I solved this problem. The problem was in our network config: a computer from an external domain was unable to get the CRL.
But now i get new error “The user “username@domain”, on client computer “x.x.x.x:x”, has initiated an outbound connection. This connection may not be authenticated yet.”
#83 by James Walls on February 11, 2015 - 4:32 am
Hi Eddie, we are just starting to set up RD Services at the moment, using your guide. I have a few questions. just to be clear in my head. 😉
1. RD Gateway: do you need this for load balancing? Can it be done without?
2. DNS RR and RD Gateway: is it a case of one or the other, or do you need both?
Thanks for your replies.
#84 by Eddie Kwasnik on February 11, 2015 - 8:12 am
The RD Gateway is only for securing external connections into the RDSFarm. So it is not required. As for the DNS RR, this is for the broker servers in a HA configuration and the brokers will handle the load balancing for the RDS environment.
#85 by James Walls on February 11, 2015 - 9:28 am
Thanks for the reply Eddie, ok that's fine, that helps my head a bit.
I have followed your guide. I am having an issue, as I am using 2 session hosts and want to load balance them. What else do I need to configure to achieve this?
thanks again Eddie
#86 by Steve James on February 13, 2015 - 10:13 am
What software do you use to install Apps on RDS hosts ? For example we have 10 RDS servers and want to install Sage Line 50. What are you using to roll this out ?
#87 by Eddie Kwasnik on February 13, 2015 - 10:20 am
You can manually install the applications directly on the RDSH servers. Once the applications are installed, you can then begin publishing them as RemoteApps.
#88 by Steve James on February 13, 2015 - 10:25 am
Thanks for the quick response. So you're manually installing an application 10 times? For example: Sage on rds01 – rds10.
#89 by Eddie Kwasnik on February 13, 2015 - 10:35 am
If you want to host the application on all 10 rdsh servers then you will need to manually install it on each of the servers. You can also try cloning a single machine that has each application installed as well.
#90 by James Walls on February 16, 2015 - 6:18 am
Does anyone have any idea how to get load balancing working (had a few goes, with no luck)? Not HA, just load balancing, step by step is what I'm after, basically an “add on” to Eddie's fine guide?
#91 by Eddie Kwasnik on February 16, 2015 - 1:16 pm
What is wrong with the load balancing? How many RDSH servers do you have as part of your collection?
#92 by James Walls on February 17, 2015 - 3:26 am
2x RDSH servers (app1 and app2). Internally it works fine; externally everyone connects to app1, never app2. I have made a test system, no firewalls or any restrictions, and I get the same. I'm using round robin DNS. Am I right in saying that you either use RRDNS or the RD Gateway, not both?
Done the test set up a few times , cant get it to work at all, i must be missing /not understanding something,
thanks in advance
#93 by Eddie Kwasnik on February 18, 2015 - 9:02 am
Does anyone ever connect to the other RDSH server going through the Gateway?
#94 by James Walls on February 18, 2015 - 9:46 am
Only if the users are inside the network,then its ok (both servers balance)
Connecting to Farm-name from outside the company network, only connects to app1,
#95 by Eddie Kwasnik on February 18, 2015 - 9:59 am
What happens if you only leave app2 as part of the collection. Can external user connect to it?
#96 by James Walls on February 18, 2015 - 10:25 am
I get an error ‘Remote Logins are Currently Disabled’
#97 by Eddie Kwasnik on February 18, 2015 - 10:36 am
That’s strange since internally it is working. From app2, can you run the following command at the command prompt?
change logon /query
#98 by James Walls on February 18, 2015 - 10:50 am
App2 : Session Logins are currently Enabled
App1 : New logons are disabled, but reconnections to existing sessions are enabled
#99 by Eddie Kwasnik on February 18, 2015 - 10:57 am
I’m wondering if the RD Gateway is hitting a different machine when trying to get to App2. Can you verify DNS between the RD Gateway and app2?
#100 by James Walls on February 18, 2015 - 11:52 am
DNS is fine, everything pings everything, using DNS names. However I ran change logon /enable on APP1 as it had been saying new logons were disabled, and now both app1 and app2 are enabled. Tried logging in again, and still the same, APP1 gets all external connections. Hmmm.
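The state that `change logon /query` reports per host is also exposed by the broker for the whole collection, which is the quicker way to spot a host that has been put into drain mode. The following is an added example, not part of the original post or its comments: it lists each session host in a collection with its NewConnectionAllowed flag, re-enables logons on any host that is draining, cross-checks with `change logon /query` on the hosts themselves, and then counts the active sessions per host so you can see whether the broker is actually spreading connections. The broker and collection names are placeholders.

```powershell
# Added example (not from the original post). Requires the RemoteDesktop
# module (present on the broker) and PowerShell remoting to the hosts.
Import-Module RemoteDesktop
$Broker     = 'RDBROKER01.corp.example.local'   # assumed broker FQDN
$Collection = 'RDS_Users'                        # assumed collection name

# Per-host logon state as the broker sees it: Yes, No or NotUntilReboot
$hosts = Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker
$hosts | Select-Object SessionHost, NewConnectionAllowed | Format-Table -AutoSize

# A host with NewConnectionAllowed = No is draining and never gets new logons,
# exactly what 'change logon /query' reported for app1 above. Re-enable it.
foreach ($h in ($hosts | Where-Object { $_.NewConnectionAllowed -ne 'Yes' })) {
    Set-RDSessionHost -SessionHost $h.SessionHost -NewConnectionAllowed Yes -ConnectionBroker $Broker
}

# Cross-check on the hosts themselves with the same command used in the thread
Invoke-Command -ComputerName $hosts.SessionHost -ScriptBlock {
    '{0}: {1}' -f $env:COMPUTERNAME, (change logon /query)
}

# How the broker has distributed sessions so far; a lopsided count here with
# both hosts enabled is what to show when asking why one host gets everything
Get-RDUserSession -CollectionName $Collection -ConnectionBroker $Broker |
    Group-Object HostServer |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

Because Set-RDSessionHost goes through the broker, the change shows up in the broker's view immediately, whereas `change logon /enable` run locally only changes the host; checking both, as above, tells you whether the two disagree.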
#101 by James Walls on March 10, 2015 - 7:52 am
So I have re-installed the farm and still the same: app1 gets everything external, and app2 gets internal if I specify app2 in the computer name. Connecting to the farm name internally, I go to app1 every time. It's as if the broker just ignores everything. Is there another way I can check that the broker is doing something?
#102 by Eddie Kwasnik on March 10, 2015 - 10:20 am
That definitely sounds like a weird one. Are you connecting to the farm using rd web access?
#103 by James Walls on March 10, 2015 - 10:34 am
No Eddie, using Remote Desktop. I am currently updating all the servers in the test lab to the latest Windows updates, as I'm hoping this is possibly fixed now, as I don't see anything on the Internet with my issue at all. Can I check something with you?
Round robin DNS for the farm name is a 2008 R2 thing, and you don't need it in Server 2012, is this correct?
If so, how does it work in Server 2012 if no RRDNS (is this when the broker kicks in)?
#104 by Jeremy on February 20, 2015 - 10:43 am
Has anyone had an issue where Windows 7 clients could connect to a 2012 RDS farm, but Windows 8.1 clients could not? I’m talking about non-domain clients on the WAN. Non-Domain clients running windows 8.1 on the LAN are able to connect. If I connect that same client to the WAN, it won’t connect. Normally, I would point to DNS, but why does the Windows 7 client work? Thanks for any help. I’m trying to deploy this to production ASAP so I could use all the help I can get. Thanks again.
#105 by Eddie Kwasnik on February 20, 2015 - 10:46 am
Do you get any errors when it fails to connect?
#106 by Jeremy on February 20, 2015 - 11:35 am
Hey Eddie, thanks for your help. I get the “Remote Desktop can't connect to the remote computer for one of these reasons: 1. RDS not enabled, 2. RDS turned off, 3. RDS not available.”
In the Gateway log, I see this:
The user “user1@domain”, on client computer “XX.X.XXX.XX:XXXXX”, has initiated an outbound connection. This connection may not be authenticated yet.
I don’t see any logs in the Connection Broker for this connection attempt.
#107 by Jeremy on February 20, 2015 - 11:38 am
On a successful connection, the GW log shows this:
The user “domain\user”, on client computer “XX.XX.XX.XXX”, connected to resource “RDS-SH”. Connection protocol used: “RPC-HTTP”.
That computer above happens to be a windows 7 machine/non-domain/WAN.
#108 by Jeremy on February 20, 2015 - 12:45 pm
Hey Eddie, I’m not sure if this is the right fix, but it’s working now. I had to go into the Local Group Policy of the non-domain windows 8 machine and set the “Network security:LAN Manager authentication level” to “Send NTLMV2 response only”. Do you know of anything I could change server side so that I don’t have to touch each and every windows 8.1 machine? I only have about 50, but that’s still a lot for one person on a tight deadline. Let me know what you think. Thanks again!
#109 by JoelT on March 24, 2015 - 7:19 pm
I am trying to do this as simply as possible, but I want to allow more than 3 connections, so the old application role for TS services, now called Remote Desktop Services. I have the following questions if you are familiar:
1. Have you had to deploy a simple 2012 RDS Session Host server yet?
2. Is the minimum number of roles 3?
1. Remote Session Host
3. Install the Connection Broker on standalone SQL, not an HA solution, or with their HA solution just using a single server.
Any info you are familiar with would be of great help. I can’t seem to find any documentation except how to make a enterprise setup with lots of servers. I just want the smallest deployment possible for 10 users.
#110 by Eddie Kwasnik on March 25, 2015 - 9:56 am
You can actually install all of the roles on a single server. As you begin the deployment, there is an option called “Quick Start”. Choosing this option will install all of the necessary roles for your deployment. It's a great way to test out RDS as well as for a small environment. See the following screenshot.
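The same one-box deployment Eddie describes, driven from PowerShell rather than the Quick Start wizard, as an added example that is not part of the original post: it puts Connection Broker, Web Access and Session Host on a single server, adds the licensing role there in Per-User mode (the part of Joel's question about going past the default connection limit), and creates one session collection for a full desktop. The server FQDN, collection name and user group are placeholders.

```powershell
# Added example (not from the original post). Minimal single-server RDS
# deployment with PowerShell; run elevated on the server itself. The FQDN,
# collection name and group are placeholders.
Import-Module RemoteDesktop
$Server = 'RDS01.corp.example.local'      # assumed FQDN of the single server
$Group  = 'CORP\RDS Users'                # assumed AD group allowed to connect

# Broker, Web Access and Session Host on the same machine. When the session
# host is the local computer the cmdlet requires a restart to finish.
New-RDSessionDeployment -ConnectionBroker $Server -WebAccessServer $Server -SessionHost $Server

# Licensing role on the same box, Per-User mode; without this the deployment
# runs on the 120-day grace period and then stops accepting connections.
Add-RDServer -Server $Server -Role RDS-LICENSING -ConnectionBroker $Server
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $Server -ConnectionBroker $Server -Force

# One collection so users get a full session desktop from RD Web Access
New-RDSessionCollection -CollectionName 'Desktops' -SessionHost $Server -ConnectionBroker $Server
Set-RDSessionCollectionConfiguration -CollectionName 'Desktops' -UserGroup $Group -ConnectionBroker $Server

# What the deployment now consists of
Get-RDServer -ConnectionBroker $Server | Format-Table Server, Roles -AutoSize
Get-RDLicenseConfiguration -ConnectionBroker $Server
```

Restricting the collection to a dedicated group rather than Domain Users is the one change worth making over the wizard defaults: the RDSH is a shared machine, and the collection's user group is the first control on who can log on to it.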
#111 by Xavier GSP on March 30, 2015 - 6:36 am
First, it’s really a great article that helped me a lot.
I’m looking for a solution for my issue :
I have a deployment built in the following way : 2 RDSH, 2 RDCB with HA, 2 RDG/RDWeb (roles in the same servers) and there is a HLB in front of both RDG/RDWeb servers with the name “apps.mycompany.com”.
The servers are in “*.mydomain.local” and I have a wildcard certificate “*.mycompany.com”. In the “deployment properties” of my broker, under “certificate”, I set up my wildcard for all the roles (SSO, Publishing, RD Web and Gateway). The apps work internally and externally across the web portal, but through an external connection I get a warning telling me there is a certificate mismatch because the RDSH appears as “RDSH.mydomain.local”.
The apps must be published for external clients.
How can I fix this warning ?
Thanks for your help.
#112 by Eddie Kwasnik on March 30, 2015 - 10:20 am
Thank you. This is a common issue and wish Microsoft would do a better job in addressing it. You can find more information here in how to get around it. There are a few options and one is to change the cert which is used on the RDSH servers.
#113 by Xavier GSP on April 1, 2015 - 9:05 am
Thanks for your reply, I tried all the things on Ryan’s Blog, and nothing better …
The only thing that worked is to put the authentication level to 0. But it sucks for a production environment…
Any ideas ?
#114 by Eddy Jay on April 6, 2015 - 3:11 am
Hi Eddie/ all,
I have a public domain panatit.com with public IP address and set up the following servers on my local domain controller panatit.com
RDCBWEB: RD Connection Broker and RD Web Access Server
RDSH01: RD Session Host servers
RDSH02: RD Session Host servers
RDGWY01: RD Gateway Server (still in the internal domain but to be moved to the Perimeter network)
I can access Remote app internally through https://RDCBWEB.panatit.com/rdweb, but how and where can I point the URL to be https://rds.panatit.com/rdweb ?
What DNS setting do i need to setup internally for rds.panatit.com as it not resolving internally
What setting do i need to configure for my RD Gateway?
Also, how can I point both the internal and external URL to be the same?
My Public IP address is pointing to rds.panatit.com
#115 by Eddie Kwasnik on April 13, 2015 - 8:44 am
You can put an entry in your internal DNS to point directly to the RD Web Access server. That will allow internal access to go to RDCBWEB.
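The DNS entry Eddie suggests, plus the gateway setting Eddy Jay asked about in the same comment, as an added example that is not part of the original post. Because the internal AD domain here is also panatit.com, the record can go straight into the existing zone; if the internal zone were different (a .local domain, say), you would create a zone for just the single name instead so that only rds.panatit.com is overridden. The internal IP, broker FQDN and external name are placeholders; the DNS part runs on a domain DNS server and the gateway part on the broker.

```powershell
# Added example (not from the original post). Split-brain DNS for the public
# RD Web name and the matching gateway setting in the deployment. Placeholders:
$PublicName = 'rds.panatit.com'
$InternalIP = '10.0.0.20'                 # assumed internal IP of RDCBWEB
$Broker     = 'RDCBWEB.panatit.com'       # assumed broker / RD Web Access FQDN

# Internal zone is panatit.com as well, so just add the host record there
Add-DnsServerResourceRecordA -ZoneName 'panatit.com' -Name 'rds' -IPv4Address $InternalIP

# If the internal zone were e.g. corp.local, override only the single name:
#   Add-DnsServerPrimaryZone -Name $PublicName -ReplicationScope Domain
#   Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $InternalIP

# Confirm what internal clients will now resolve
Resolve-DnsName -Name $PublicName -Type A | Select-Object Name, IPAddress

# Point the deployment's gateway setting at the same public name. Externally
# that name must resolve to the RD Gateway on 443 and match its certificate;
# BypassLocal lets internal clients skip the gateway.
Import-Module RemoteDesktop
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $PublicName `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true `
    -ConnectionBroker $Broker -Force
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
```

The certificate applied to the RD Web Access and RD Gateway roles has to be issued for rds.panatit.com (or be a *.panatit.com wildcard), since that is the name both internal and external clients will now present in the TLS handshake.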
#116 by Eddy Jay on April 6, 2015 - 3:17 am
My environment is Win 2012 R2
#117 by Geir O. Jensen on April 10, 2015 - 6:24 am
Okay… so this isn’t working as I wanted it to. Followed the guides here and I believed it worked just perfect. Only thing I did different was publish the RDWeb role on the RDGateway server since I’m going to access it externally. All my testing was done internally and I figured it was all ok… (I haven’t done the HA setup yet since I wanted a real concept running before messing with it).
It seems that the RDGateway simply doesn’t do what I’m supposing it’s meant to do… external users get the same error you pointed out in #24 https://thewolfblog.com/2014/02/08/deploying-a-2012-2012r2-remote-desktop-services-farm/#comment-2039 above.
Actually, if I change the deployment rules to NOT bypass the gateway for local addresses I get the same error internally. I have zero certificate errors (all signed by a 3rd party CA) or anything else going wrong… I log in fine, but the issue pops up when I try to access a published app. I press Connect and almost immediately I get the error that the gateway is temporarily unavailable.
In the event logs on the gateway server I have successful logons for my user in the Security log. There are NO entries in the TerminalServices-Gateway log so it’s almost like the request never gets there.
I’ve googled for 2 days now, but I only find old references to SSB or 2008 – and none of the suggestions seems to have any validity for this situation.
Is running RDWeb on the RDGateway supported and possible? I’ve seen it mentioned in comments here, but your guide installs the RDWeb bit on the broker…
#118 by Geir O. Jensen on April 13, 2015 - 7:14 am
Uhm. Never mind. Installed RD Web on another server, removed it from the gateway and put it back on… and now both Gateway and RD Web work. Not sure why the gateway just broke, but it's back now so…
#119 by Eddie Kwasnik on April 13, 2015 - 8:37 am
Sorry for the late reply. Glad you got it working. That is strange though since I’ve used the rdweb access component on the gateway server many times before.
#120 by Geir O. Jensen on April 13, 2015 - 3:41 pm
It seems to break if I mess around with IIS… restarting the site for instance… I’m going to try out a few scenarios tomorrow.
#121 by Brent on April 13, 2015 - 3:58 pm
Hello, very nice articles! I currently have a 3 cluster farm using Windows 2008 R2 (Broker, Gateway, Licenses, Load Balancing). On that farm, if I want a program (let's use Office 2010 as an example) to be available via RDS, I must install Office 2010 on all 3 host servers. Do I still need to install Office 2010 onto all host servers in my new 2012 R2 farm? If not, is there an article explaining how to access Office 2010 no matter what RDS server you happen to get logged onto?
#122 by Eddie Kwasnik on April 14, 2015 - 9:27 am
If you will be hosting an application on a session host server, the application will need to be installed on it. So you will need to install office 2010 on all of the session host servers which will be hosting it.
#123 by wendell on May 6, 2015 - 12:34 pm
Hello, I have a 2008 server farm with 13 session hosts and 1 broker and would like the active-active broker clustering. Can I just replace the current broker with the 2012 one, configure HA and redirect the hosts to it? Also, would the 2012 brokers require additional licenses?
#124 by Eddie Kwasnik on May 7, 2015 - 9:18 am
Not sure it will be backwards compatible with 2008 R2. When using 2012, your RDS CALs will need to be for 2012 as well. So you will need to create a new RDS farm on 2012 to get HA for the brokers.
#125 by tabc on May 25, 2015 - 8:20 am
Hi! While configuring the certificates I get the error “Could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again”.
I have gone through all the comments but none of the solutions mentioned above solved my issue. Can you help me out?
- redid the certificate
- checked DNS records
- did the group policy thing too
- and checked all the prerequisites for the cert as mentioned above
#126 by Eddie Kwasnik on May 26, 2015 - 4:44 pm
Anything in the event logs? Is Windows Firewall turned on?
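Eddie's two questions above (event logs, firewall) as a script, added here as an example and not part of the original post or his reply. It asks the broker for every server in the deployment, resolves each name, tests the ports Server Manager's remote management commonly relies on, and reads the firewall profile state plus the last day's RDS/Schannel errors over WinRM. The broker name is assumed from the article's farm; Test-NetConnection needs Windows Server 2012 R2 / PowerShell 4 and the account must be a local admin on each server.

```powershell
# Added example: pre-flight connectivity and firewall check for an RDS 2012 R2 deployment.
# Assumes the RemoteDesktop module is present and the caller is a local admin on every server.
Import-Module RemoteDesktop

$broker = 'rdbroker01.domain.local'   # assumed name, matches the article's farm

# Every server the deployment knows about, with the roles it holds
$servers = Get-RDServer -ConnectionBroker $broker

# Ports the certificate push and remote management commonly depend on:
# 445 (SMB admin shares), 5985 (WinRM), 135 (RPC endpoint mapper), 3389 (RDP)
$ports = 445, 5985, 135, 3389

foreach ($s in $servers) {
    Write-Host "== $($s.Server) [$($s.Roles -join ', ')]"

    # Name resolution first: a stale A record is a common cause of "servers are not available"
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($s.Server) | Select-Object -First 1
        Write-Host "   DNS -> $ip"
    } catch {
        Write-Warning "   DNS lookup failed for $($s.Server): $_"
        continue
    }

    foreach ($p in $ports) {
        $r = Test-NetConnection -ComputerName $s.Server -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Host ("   tcp/{0,-5} {1}" -f $p, $state)
    }

    # Firewall profile state and recent RDS-related errors, read on the target over WinRM
    try {
        Invoke-Command -ComputerName $s.Server -ScriptBlock {
            Get-NetFirewallProfile | ForEach-Object {
                "   firewall {0,-8} enabled={1}" -f $_.Name, $_.Enabled
            }
            # Error-level System log entries from the last day whose provider is an RDS or TLS component
            Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
                Where-Object { $_.ProviderName -match 'TerminalServices|RemoteDesktop|Schannel' } |
                Select-Object -First 5 |
                ForEach-Object { "   event {0} id={1}: {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
        }
    } catch {
        Write-Warning "   WinRM to $($s.Server) failed: $_"
    }
}
```

A server that resolves but shows 5985 or 135 blocked, or whose WinRM call fails outright, is the one the certificate dialog is complaining about; fix reachability (firewall profile, DNS record) before re-applying the certificate.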
#127 by Miguel Salinas on June 26, 2015 - 12:57 pm
“Now that we have our farm deployed, we will need to install certificates”.. Where do we create/find these certificates?
#128 by Miguel Salinas on June 26, 2015 - 1:17 pm
#129 by Fernando on December 16, 2015 - 1:23 pm
Hi, I’ve successfully installed 2012 R2 Remote Desktop Services on my Dell server. But now I would like to add another server into the “server pool”. How do I do this, and do I need to install RDS on the new server as well?
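The same add-a-server step done from PowerShell instead of Server Manager, as an added example that is not part of the original post. Add-RDServer installs the role service on the target itself, so the new machine only needs to be domain joined, patched and reachable over WinRM; server and collection names are assumed to follow the article's naming.

```powershell
# Added example: add a new session host to an existing RDS 2012 R2 deployment.
# Assumes the RemoteDesktop module is available and the caller is a domain admin.
Import-Module RemoteDesktop

$broker     = 'rdbroker01.domain.local'  # assumed
$newHost    = 'rdsh03.domain.local'      # assumed
$collection = 'Desktops'                 # assumed collection name

# 1. Sanity: the new server answers on WinRM before we hand it to the broker
if (-not (Test-WSMan -ComputerName $newHost -ErrorAction SilentlyContinue)) {
    throw "$newHost is not reachable over WinRM; check DNS, domain membership and firewall first."
}

# 2. Join the deployment as a session host (installs the RDS-RD-SERVER role service on the target)
if (-not (Get-RDServer -ConnectionBroker $broker | Where-Object { $_.Server -eq $newHost })) {
    Add-RDServer -Server $newHost -Role RDS-RD-SERVER -ConnectionBroker $broker
}

# 3. Put it in the collection so the broker starts directing sessions to it
Add-RDSessionHost -CollectionName $collection -SessionHost $newHost -ConnectionBroker $broker

# 4. Verify: the host shows up with the role and is accepting new connections
Get-RDServer -ConnectionBroker $broker |
    Where-Object { $_.Roles -contains 'RDS-RD-SERVER' } |
    Select-Object Server, Roles
Get-RDSessionHost -CollectionName $collection -ConnectionBroker $broker |
    Select-Object SessionHost, NewConnectionAllowed
```

Applications published from the collection still have to be installed on the new host by hand, as Eddie notes in an earlier reply; the cmdlets only add the role and the collection membership.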
#130 by Junior on April 13, 2016 - 3:21 pm
Eddie, passing just to say thanks a lot! It helped me a lot… God bless you!
#131 by Jonathan on April 13, 2016 - 9:46 pm
How's it going? I am having such a nightmare with the certificate portion.
My current domain is a .local domain and every time I connect via RDP or RDWeb I always get a certificate warning that contains the internal name of my rds.local.
I have tried implementing an internal CA and publishing an internal cert with the local RDS servers in the subject name; however, the clients still get the issue.
Is there anything that can be done with this, or is it what it is because I have a .local domain?
#132 by rei on May 6, 2016 - 10:11 am
Not sure that Eddie is still answering questions on this post but I will try this anyway. This is my problem.
I have a simple farm that includes a connection broker (CB01), a license server (L01) and three remote desktop session hosts (RD01, RD02 and RD03). Kind of obvious, but anyway, we are trying to implement a traditional remote desktop services environment.
Installation goes well. I created three DNS Host A records with the same name RDFarm pointing to the IP addresses of RD01, RD02 and RD03. I also created a wildcard certificate, *.company.pvt, using our own CA in Active Directory. I enabled SSO for the connection broker and was also able to successfully install the certificate in the deployment configuration (using the deployment properties window) for the RD Connection Broker Enable SSO and Publishing.
All seems OK but I cannot get rid of the certificate warning. I am accessing the farm by RDPing to RDFarm. I can see that the connection takes me to different servers, so the redirection part of it is working properly, but the certificate warning appears on all the servers!!! I have also played substantially with the certificates in each server but I would like to have this out of the conversation, at least for the moment, to keep this as simple as possible. I honestly do not see why, with what I have described up to here, I do not get this to work. Any advice is very, very appreciated.
#133 by isabel bast on August 4, 2016 - 12:47 pm
Good comments. I loved the information. Does someone know where my assistant could get ahold of a sample IRS 1040-A document to use?
#134 by Travis Treadway on October 20, 2016 - 4:22 pm
I am attempting to connect to web access. How do I change the URL from https://servername.domain.local/rdweb to the address my end users are going to be connecting to: https://connect.externaldomain.com/rdweb? I have purchased a third party wildcard cert but cannot figure out what I am doing wrong. All advice is much appreciated.
#135 by Ricardo Reus on January 20, 2017 - 7:47 am
Hi, I got a strange broker problem.
My setup is as follows: 5 session hosts, 1 broker with licensing server.
The broker (I think) is a little too aggressive. It redirects users over session hosts like normal, but when a user disconnects their session (just closing the window, not logging off) and reconnects directly, it picks up the disconnected session. But when you wait like half an hour and then reconnect, you will be redirected to another server. Then you have 2 sessions spread out and you can't connect to your older session.
I really have trouble with this issue because we have desktop users and laptop users.
Can someone help me out?
Thanks in advance!
#136 by MANEESH on April 23, 2017 - 5:41 am
Dear Eddie,
It is a wonderful blog. Could you please help me with an implementation of RDS in a production environment?
I need to deploy an infrastructure for a company with 50 employees.
I need to deploy an AD server, an SQL application server with fail-over, and need to provide a remote desktop session for each user which can be accessed from anywhere.
I need RDS in load balanced mode. So my question is how I can deploy this infra with the minimum number of servers.
How many physical servers do I have to buy?
I just planned to buy two physical servers for AD and SQL,
and TWO physical servers for RDS. The users outside the corporate network access their session using a VPN gateway, so I think I do not need the RD Gateway role.
If I load balance the RDS, do I need to set up fail-over clustering?
What I mean is that I have a plan to buy TWO physical servers for RDS. So if I virtualize it using Hyper-V, like install two VMs in one physical host and two VMs in another physical host:
In one physical host with 2 VMs: one VM for RD Connection Broker 1, one VM for RD Session Host.
In another physical host: one VM for RD Connection Broker 2 and one VM for RD Session Host 02.
If I configure HA, do I need to configure fail-over clustering?
And I believe I also need to buy a SAN/NAS for SQL fail-over clustering.
Also, can you suggest whether I need to buy another physical server for SQL clustering, or can I manage it using extra VMs in the two physical hosts dedicated to RDS?
Please assist me. I don't believe all my conceptions are true.
If you can advise me with your ideas it will be a great help.
Sorry for my English.
#137 by AAA on May 18, 2017 - 2:46 pm
Does anyone know if SQL Server 2016 is supported with RDS 2012 R2?