Step by Step Windows 2012 R2 Remote Desktop Services – Part 2


A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.

Part 2 – Deploying an advanced setup.

In part one I detailed how to do a single server installation. In case you missed it, or want to check it out, look at this post:  https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

In this step by step guide we’ll be building a more complex setup:
RDS Deployment - Advanced setup
As you can see we’ll deploy 3 certificates in this setup. The names I will use for this will be “webaccess.it-worxx.nl”, “gateway.it-worxx.nl” and “broker.it-worxx.nl” for obvious reasons. You may consider using a wildcard certificate.

Software used in this guide: Windows Server 2012 R2 ISO (evaluation can be downloaded here: http://technet.microsoft.com/en-us/evalcenter/dn205286.aspx)
SQL Server 2012 SP1 Express x64 With tools (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35579. After clicking the download button select SQLEXPRWT_x64_ENU.exe)
SQL Server 2012 SP1 Native Client (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35580. After clicking the download button select ENU\x64\sqlncli.msi)
And three certificates. I got mine for free from https://startssl.com. The certificates need to contain the FQDNs you will use for publishing the RD Web Access (webaccess.it-worxx.nl) and RD Gateway (gateway.it-worxx.nl) roles. You’ll also need one for the RD Broker role, even though we won’t publish this server to the internet. The files need to be in .pfx format and must include the private key.

As in the previous guide, this guide will not focus on building a domain using a single domain controller and adding the other servers as member servers to this domain.
And again some basic knowledge is assumed in this guide.

I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 5 servers. The servers will be similar to the 2 I used in the previous guide. All servers have the .NET Framework 3.5 added as a feature.
All servers have 1 vCPU, 512MB memory, and a dynamic 60GB hard disk. I configured ITWDC01 as a Domain Controller in a new forest: itw.test.
I added the rest of the servers as member servers to the itw.test domain and configured them to use ITWDC01 as their primary DNS server.

Installing the Remote Desktop Services Roles

Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add all other servers using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).
RDS Deployment - Advanced 01

Now that all servers needed in this deployment scenario are present, click Manage, and click Add Roles & Features.
 

Before you begin
RDS Deployment - Single Server - 2

Click Next.

Select Installation Type
RDS Deployment - Single Server - 3

Select Remote Desktop Services installation. Click Next.

Select Deployment Type
RDS Deployment - Single Server - 4

Select Standard deployment.
Click Next.

Select Deployment Scenario
RDS Deployment - Single Server - 5

Select Session-based desktop deployment. The other option will be a different post in this series.
Click Next.

Review Role Services
RDS Deployment - Single Server - 6

Review the services that will be installed.
Click Next.

Specify RD Connection Broker server
RDS Deployment - Advanced 02
Click the preferred server and click the Add button.
Click Next.

Specify RD Web Access server
RDS Deployment - Advanced 03

Click the preferred server and click the Add button.
Click Next.

Specify RD Session Host server
RDS Deployment - Advanced 04

Click the preferred server and click the Add button.
Click Next.

Confirm selections
RDS Deployment - Advanced 05

Check Restart the destination server automatically if required.
Click Deploy.

View progress
RDS Deployment - Advanced 06

Wait until all role services are deployed and the RD Session Host server has restarted.
Click Close.

In Server Manager click Remote Desktop Services and scroll down to the overview.
RDS Deployment - Advanced 07

As you can see the deployment is missing an RD Gateway server and an RD Licensing server.
 

RDS Deployment - Single Server - 13
Click the Add RD Licensing server button.

Select a server
RDS Deployment - Advanced 08

Click the domain controller and click the Add button.
Click Next. 

Confirm selections
RDS Deployment - Single Server - 15
Click Add.

View progress
RDS Deployment - Single Server - 16
Wait until the role service is deployed. No restart is needed.
Click Close.

RDS Deployment - Single Server - 17
Click the Add RD Gateway server button.

Select a server
RDS Deployment - Advanced 09

Click the correct server and click the Add button.
Click Next.

Name the self-signed SSL certificate
RDS Deployment - Single Server - 19

The wizard creates a self-signed certificate. We will deal with certificates in this deployment in a little bit. Enter the external Fully Qualified Domain Name for the Gateway URL. In my case, for lack of a better name, I used “gateway.it-worxx.nl”.
Click Next.

Confirm selections
RDS Deployment - Advanced 10

Click Add.

View progress
RDS Deployment - Advanced 11

Wait until the role service is deployed. No restart is needed.
Notice that “gateway.it-worxx.nl” was configured for the deployment as an FQDN.
Also notice that certificate configuration is needed.
Notice the link in the bottom to “Review the RD Gateway properties for the deployment”.

Click Configure certificate.

Configure the deployment
RDS Deployment - Advanced 12

Click RD Connection Broker – Enable Single Sign On.
Notice the purpose of this certificate.

Click Select Existing Certificate.

Select Existing Certificate
RDS Deployment - Advanced 13
Click Browse to browse to the .pfx which you prepared for the RD Connection Broker server, enter the password for that .pfx and check “Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers”.
Click OK.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the other certificate options as well and we can configure only one at a time.

Configure the deployment
RDS Deployment - Advanced 14

Select RD Connection Broker – Publishing.
Notice the purpose of this certificate.

Click Select Existing Certificate and add the same certificate you added for RD Connection Broker – Enable Single Sign On.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the other certificate options as well and we can configure only one at a time.

Configure the deployment
RDS Deployment - Advanced 15

Select RD Web Access.
Notice the purpose of this certificate. 

Click Select Existing Certificate and add the certificate you prepared for the RD Web Access server.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the other certificate options as well and we can configure only one at a time.

Configure the deployment
RDS Deployment - Advanced 16

Select RD Gateway.
Notice the purpose of this certificate.
Also notice that we need to restart the RD Gateway server after we configured it to use the certificate.

Click Select Existing Certificate and add the certificate you prepared for the RD Gateway server.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the rest of the deployment options, since we already have this wizard open.
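The same four certificate assignments can be done from PowerShell, and it is worth checking each .pfx (private key present, not expired, name covers the FQDN) before it is applied. This is an added example, not code from the original post; the file paths, the broker host name ITWRDCB.itw.test and the password prompt are assumptions.

```powershell
# Added example, not from the original post: validate each .pfx and then assign it to
# the matching deployment role with Set-RDCertificate (RemoteDesktop module, WS2012 R2).
# Assumptions: file paths, the broker host name and the password prompt are placeholders.
Import-Module RemoteDesktop

$broker      = 'ITWRDCB.itw.test'    # assumed internal FQDN of the RD Connection Broker
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Role -> pfx file -> FQDN that must be on the certificate. Both broker roles
# (Enable Single Sign On = RDRedirector, Publishing = RDPublishing) share one
# certificate, exactly as the wizard steps above do.
$assignments = @(
    @{ Role = 'RDRedirector'; Path = 'C:\certs\broker.pfx';    Fqdn = 'broker.it-worxx.nl' }
    @{ Role = 'RDPublishing'; Path = 'C:\certs\broker.pfx';    Fqdn = 'broker.it-worxx.nl' }
    @{ Role = 'RDWebAccess';  Path = 'C:\certs\webaccess.pfx'; Fqdn = 'webaccess.it-worxx.nl' }
    @{ Role = 'RDGateway';    Path = 'C:\certs\gateway.pfx';   Fqdn = 'gateway.it-worxx.nl' }
)

function Test-RdsPfx {
    param([string]$Path, [string]$Fqdn, [securestring]$Password)
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $plain, 'DefaultKeySet'

    # Names the certificate is valid for: subject CN plus every DNS entry in the SAN.
    $names  = @($cert.GetNameInfo('DnsName', $false))
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value })
    }
    # A wildcard for the parent domain (e.g. *.it-worxx.nl) also covers the FQDN.
    $wildcard = '*.' + $Fqdn.Substring($Fqdn.IndexOf('.') + 1)

    $reasons = @()
    if (-not $cert.HasPrivateKey)      { $reasons += 'no private key in the .pfx' }
    if ($cert.NotAfter -lt (Get-Date)) { $reasons += "expired on $($cert.NotAfter)" }
    if ($names -notcontains $Fqdn -and $names -notcontains $wildcard) {
        $reasons += "names on certificate ($($names -join ', ')) do not cover $Fqdn"
    }
    [pscustomobject]@{ Ok = ($reasons.Count -eq 0); Reason = ($reasons -join '; ') }
}

foreach ($a in $assignments) {
    $check = Test-RdsPfx -Path $a.Path -Fqdn $a.Fqdn -Password $pfxPassword
    if (-not $check.Ok) {
        Write-Warning "$($a.Role): $($a.Path) rejected: $($check.Reason)"
        continue
    }
    Set-RDCertificate -Role $a.Role -ImportPath $a.Path -Password $pfxPassword `
        -ConnectionBroker $broker -Force
}

# Shows Level (Trusted/Untrusted) and ExpiresOn per role; the RD Gateway service only
# picks up its new certificate after the server is restarted, as the wizard warns.
Get-RDCertificate -ConnectionBroker $broker
```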

Configure the deployment
RDS Deployment - Single Server - 23

Review the RD Gateway settings and notice what settings are available.
Click RD Licensing.

Configure the deployment
RDS Deployment - Single Server - 24

Notice that an RD License server is available, but no license type is selected yet.
I selected Per User, but since this is just a demonstration setup, it really doesn’t matter.
Click RD Web Access.

Configure the deployment
RDS Deployment - Single Server - 60

By default the RD Web Access IIS application is installed in /RdWeb. If you want to know how to change this, check another post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb/

Click OK, and click Close to finish the RD Gateway wizard.

Reboot the RD Gateway server.

Open DNS Manager on the domain controller and browse to Forward Lookup Zones.
RDS Deployment - Single Server - 33

Right click Forward Lookup Zones and click New Zone… Go through this wizard accepting the defaults until you have to enter a Zone Name.
RDS Deployment - Advanced 18

Enter the external FQDN which will also be used by the Connection Broker (and which is also on the RD Connection Broker’s certificate).
Finish the rest of the wizard accepting the defaults.

Browse to the newly created zone.
RDS Deployment - Advanced 19

Right click the newly created zone and click New Host (A or AAAA)…

New Host
RDS Deployment - Advanced 20

Leave the Name field blank, but enter the internal IPv4 address of the member server holding the RD Connection Broker role.
Click Add Host.

Repeat these DNS steps for gateway.it-worxx.nl and for webaccess.it-worxx.nl.
RDS Deployment - Advanced 21

We’ve effectively enabled the deployment to be useable by internal users as well by configuring these DNS zones.

Create a new Global Security Group called “RDS Connection Brokers” and add the computer account for the member server holding this role to it as a group member.

We need this group to be able to convert the RD Connection Broker to a highly available RD Connection Broker. You’ll see why we need to do this in a few steps.

Reboot the member server holding the RD Connection Broker role to let it know it’s a member of the RDS Connection Brokers security group.
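The DNS zones and the security group from the steps above can also be created on the domain controller with the DnsServer and ActiveDirectory modules, which makes it easy to verify that each external name resolves to the intended internal address. This is an added example, not from the original post; the IPv4 addresses and the broker computer name ITWRDCB are assumed lab values.

```powershell
# Added example, not from the original post: create the three internal zones and the
# RDS Connection Brokers group on the domain controller. Assumed values: the IPv4
# addresses below and the broker computer name ITWRDCB.
Import-Module DnsServer
Import-Module ActiveDirectory

# External FQDN -> internal IPv4 address of the member server holding that role
$zones = @{
    'broker.it-worxx.nl'    = '192.168.10.11'   # RD Connection Broker (assumed)
    'gateway.it-worxx.nl'   = '192.168.10.12'   # RD Gateway (assumed)
    'webaccess.it-worxx.nl' = '192.168.10.13'   # RD Web Access (assumed)
}

foreach ($name in $zones.Keys) {
    # "New Zone..." with the defaults accepted: AD-integrated primary zone,
    # replicated to the DNS servers in this domain.
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Domain
    }
    # A blank Name in "New Host" is the zone apex, written as "@" in PowerShell.
    Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $zones[$name] `
        -TimeToLive (New-TimeSpan -Minutes 5)
}

# Each external name must now resolve internally to the intended private address.
foreach ($name in $zones.Keys) {
    $answer = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                ForEach-Object IPAddress)
    if ($answer -contains $zones[$name]) {
        "$name -> $($answer -join ', ') OK"
    } else {
        Write-Warning "$name resolves to '$($answer -join ', ')', expected $($zones[$name])"
    }
}

# Global security group that the Configure High Availability wizard and the
# SQL login for the brokers rely on.
$groupName = 'RDS Connection Brokers'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity 'ITWRDCB')
# The broker only carries the new group in its logon token after a reboot,
# which is why the guide restarts it at this point.
```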

Install SQL Express on the Domain Controller (or use an existing SQL Server if you already have one). For a list of needed features, and a little more detail, visit Part 1 of this series, https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1. That post lists the dos and don’ts for using SQL Express with an RD deployment. This includes adding the SQL login for the RD Connection Broker servers. Do not continue with this guide unless you have a working and configured SQL environment.

Install the SQL Native Client on the member server holding the RD Connection Broker role (Client Components only). Install the client which corresponds to your SQL Server version!

Everything we need is in place to convert the RD Connection Broker, so let’s do just that. This procedure is similar to the single server setup.

In Server Manager click Remote Desktop Services and scroll down to the overview.
RDS Deployment - Single Server - 31

Right click RD Connection Broker and click Configure High Availability.

Before you begin
RDS Deployment - Single Server - 32
Look at the pre-requisites.
Click Next.

Configure RD Connection Broker for High Availability
RDS Deployment - Advanced 22

Database connection string:
DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB

  • Or any other database name you want, the database will be created by this wizard.
  • Replace the DRIVER= part with the version you installed if it’s anything other than SQL Server 2012 (SP1)

Folder to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
I used the instance default folder.

  • Note that this points to a folder on the SQL Server.

DNS round robin name:
The DNS Zone name we configured in DNS earlier.

  • And now you see why we had to create this zone in internal DNS as well. This needs to be locally resolvable.

Click Next.

Confirmation
RDS Deployment - Advanced 23

If you get an error before this page:

  • Check if TCP/IP is enabled in client protocols and for your instance
  • Check if you can reach port 1433 on the SQL Server from the member server

Click Configure. 

Progress
RDS Deployment - Single Server - 40

If you get an error on this page:

  • Check SQL permissions for the security group
  • Check if the database path you entered is correct
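The checks in the two error lists above can be run from the RD Connection Broker before clicking Configure. This is an added example, not from the original post; it assumes ITWDC01 runs the SQL Express default instance, that the SQL login was created for ITW\RDS Connection Brokers, and uses the driver, database folder and round robin name from the steps above.

```powershell
# Added example, not from the original post: pre-flight checks for the Configure High
# Availability wizard, run on the RD Connection Broker. Assumed values: ITWDC01 hosts the
# SQL Express default instance and the group is ITW\RDS Connection Brokers.
$sqlServer      = 'ITWDC01'
$roundRobinName = 'broker.it-worxx.nl'
$driver         = 'SQL Server Native Client 11.0'   # must match DRIVER= in the connection string
$brokerGroup    = 'ITW\RDS Connection Brokers'
$dataFolder     = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA'

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    [void]$results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. The DNS round robin name must resolve locally (the internal zone created earlier).
$dns = Resolve-DnsName -Name $roundRobinName -Type A -ErrorAction SilentlyContinue
Add-Check 'DNS round robin name resolves locally' ($null -ne $dns) `
    (@($dns | ForEach-Object IPAddress) -join ', ')

# 2. The Native Client named in DRIVER= must be installed on this server (64-bit).
$odbc = Get-OdbcDriver -Name $driver -Platform '64-bit' -ErrorAction SilentlyContinue
Add-Check "ODBC driver '$driver' installed" ($null -ne $odbc)

# 3. TCP/IP must be enabled for the instance and port 1433 reachable from here.
$tcp = Test-NetConnection -ComputerName $sqlServer -Port 1433 -WarningAction SilentlyContinue
Add-Check "TCP 1433 reachable on $sqlServer" $tcp.TcpTestSucceeded

# 4. The database folder is a path on the SQL Server, not on the broker:
#    check it through the administrative share.
$uncFolder = "\\$sqlServer\" + ($dataFolder -replace '^([A-Za-z]):', '$1$')
Add-Check 'Database folder exists on the SQL Server' (Test-Path -LiteralPath $uncFolder) $uncFolder

# 5. The SQL login for the broker group must exist; its server roles are listed so the
#    permissions can be compared with what Part 1 prescribes.
$query = @"
SELECT r.name
FROM sys.server_principals p
LEFT JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals r  ON r.principal_id = m.role_principal_id
WHERE p.name = @login
"@
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$sqlServer;Database=master;Integrated Security=True"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    [void]$cmd.Parameters.AddWithValue('@login', $brokerGroup)
    $reader = $cmd.ExecuteReader()
    $found = $false; $roles = @()
    while ($reader.Read()) {
        $found = $true
        if (-not $reader.IsDBNull(0)) { $roles += $reader.GetString(0) }
    }
    Add-Check "SQL login '$brokerGroup' exists" $found ('server roles: ' + ($roles -join ', '))
} catch {
    Add-Check "SQL connection to $sqlServer (Windows auth)" $false $_.Exception.Message
} finally {
    $conn.Dispose()
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix the failed checks before running Configure High Availability.'
}
```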

Click Close.

RDS Deployment - Single Server - 41
The RD Connection Broker is now in High Availability Mode and we are finally ready to complete the configuration.

Since the RD Connection Broker is known within the deployment as broker.it-worxx.nl, and thus by an FQDN that’s not associated with the internal domain (itw.test), we need to tell the gateway that external users are allowed to connect to it.

On the RD Gateway server, open Server Manager
RDS Deployment - Advanced 32

Click Remote Desktop Services (yes, it says it’s missing servers, just ignore this), click Servers and then right click the RD Gateway server.
Click RD Gateway Manager.

RD Gateway Manager
RDS Deployment - Advanced 33

Navigate to Policies – Resource Authorization Policies. There’s the default policy. Right click the default policy and disable it.
In the Actions pane to the right, click Manage Local Computer Groups.

Manage locally stored computer groups
RDS Deployment - Advanced 34

Click Create group…

RDS Deployment - Advanced 35
Name the new group.

RDS Deployment - Advanced 36
On the Network Resources tab, add the RD Session Host(s) and the DNS external name of the broker.
Click OK.

RD Gateway Manager
RDS Deployment - Advanced 37
Right click the Resource Authorization Policies node, click Create New Policy, Click Custom.

RDS Deployment - Advanced 38
Name the policy, click User Groups

RDS Deployment - Advanced 39
Add Domain Users, or any group you wish to grant access, click Network Resource

RDS Deployment - Advanced 40
Click Select an existing RD Gateway-managed group or create a new one, and then browse to select the group you created a few steps back. Notice that upon selecting the group the RD Gateway-managed group members box shows the members of the group.

Review the Allowed Ports tab.
Click OK.

That’s it: all servers configured, certificates configured, RAP configured.

One thing left to do: Tell our RDS environment exactly what to publish.

Let’s publish full desktop sessions again, like in the single server setup. In the next post we’ll dig into publishing remote applications, I promise :)
RDS Deployment - Single Server - 49

In Server Manager, Remote Desktop Services, Session Collections, click Tasks and click Create Session Collection.

Before you begin
RDS Deployment - Single Server - 50

Review the requirements. This won’t be an issue in this setup, but you could restrict access to this collection by selecting a select group of people.
Click Next.

Name the collection
RDS Deployment - Single Server - 51
Enter a descriptive name. This name will be displayed under its icon in the Web Access interface.
Click Next.

Specify RD Session Host servers
RDS Deployment - Advanced 24

Click the member server holding the RD Session Host role and click the Add button.
Click Next.

Specify user groups
RDS Deployment - Single Server - 53
You can limit access here. Add one or more groups to restrict access to these groups only. In this setup Domain Users will do fine.
Click Next.

Specify user profile disks
RDS Deployment - Advanced 25
First, create a folder on the domain controller “UserProfileDisks” and a subfolder “RDS”. Share “UserProfileDisks”. Now in the Create Collection wizard enter \\itwdc01.itw.test\userprofiledisks\rds and set the Maximum size to 2GB. Further dos and don’ts for User Profile Disks will be covered in a future post.
Click Next. 

Confirm selections
RDS Deployment - Advanced 26
Review the information and click Create.

View Progress
RDS Deployment - Advanced 27

Wait until the collection is created and the server is added to the collection.
Click Close.

Time to test the setup!

On a machine that has access to your test setup (you may have to add the external FQDN for the RD Gateway and for the RD Web Access to your hosts file if you didn’t publish it to the internet) open https://webaccess.it-worxx.nl/rdweb
RDS Deployment - Advanced 28
Hey! The RD Web Access application works.
If you want to get rid of the /RDWeb part in the url, check out this post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb

Enter a valid username and password (ITW\username or username@itw.test).
Create a user for this, or simply use the domain admin account.
Click Sign in.

RDS Deployment - Advanced 29
After logging in you are presented with the full desktop session collection we created.
Also notice the popup in your taskbar as soon as you’re connected:
RDS Deployment - Advanced 30
Again, sorry, but I’ll handle that in a future post.

Click the “Full Desktop” icon to open it and another popup appears:
RDS Deployment - Advanced 31

This is just a warning that the resource you’re requesting wants to redirect your local devices.
But it also tells us that it is signed by “broker.it-worxx.nl”, and that we’re using a gateway to connect to the remote resource.

And when you click Connect, you actually connect.
RDS Deployment - Advanced 41

Because I connected as an admin I can see on which server I am logged on by clicking Local Server. And this screenshot also shows that it’s the broker that provided me the connection.

In the next part of this series I will show how to extend this setup with another RD Session Host, but this time we’ll publish some apps. Oh, and that post will probably be a lot shorter.

 

Arjan

Update: Part 3 in the series was just published. Find it here: https://msfreaks.wordpress.com/2013/12/26/windows-2012-r2-remote-desktop-services-part-3/


Posted in Remote Desktop, Step-by-Step guide, Windows 2012 R2
264 comments on “Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
  1. Diego says:

    Hi Arjan,
    First of all thank you for the great tutorial. It’s helping me a lot.
    I have some doubts and I would be very thankful if you help me.
    -The first one is how exactly all these things work, I mean once you connect on the gateway, is the gateway or your device that connects on a session host?

    -I have a firewall that protects my network from the internet, Do I have to allow and make NAT just on port 443 when I have gateway and web access on the same server?

    -Can I change the port on which the gateway is listening to other port? If I do this, the web server will continue to listening on port 443 or on the new port?

    Thank you :)

    • Arjan Mensch says:

      Hi Diego,
      – it’s your device that connects through the gateway. You can monitor this in the gateway tool
      – yes, if you combined the Web Access role and the Gateway role on one server, only port 443 is needed on TCP. Open 3391 on UDP.
      – yes you can, and this article shows how: http://windowsitpro.com/windows-server/change-remote-desktop-gateway-port. The Web Access role will continue to use 443.

      • Diego says:

        Thank you very much Arjan. The article you mentioned was very useful for me.
        The main problem that was freaking me out was how would I change the port on a RDP file when using Remoteapp, but the article shows how to figure this out: using the command Set-RDSessionCollectionConfiguration. Or by changing the register. Both ways are well explained.
        Hey guys, if you are having this kind of problem just read the article that Arjan posted above.

        Arjan thank you very much :)

  2. Rizmi says:

    Hi Arjan,

    Since I have deployed the same using Three Server (1 Gateway, 1 License and rest roles on another), I do get an error when trying to connect via external (using internet) saying 404 Server Error.

    I did all relevant changes in RD Gateway, but no improvement could be seen.

    Please advise what I can do to mitigate this;

    Rizz

    rizmirazik@gmail.com

    • Arjan Mensch says:

      Hi Rizmi,
      I think your problem has to do with Web Access and Broker being on the Session Host?
      I suggest you move all non Session Host roles to the Gateway server.

  3. Marios says:

    I want to ask if there is anyone who use RDS and has an experience on performance of the server.

    I mean I want to know an example of load of the session host server and approximately what kind of programs the client loads on the server, or even someone to recommend a server (hardware, what CPU and RAM) for me for, as I mention, 20 max users, not max load applications such as CAD but not even just Word.

    Imagine some low-medium usage programs that can run in i3 and use in max 20-30% of cpu load and 1.5 gb of ram.

    including on that software is definitely an office (word , excel , outlook etc) and some other low-medium load software.

    Also one last question , if i use User cals the license is annually or annually ?

    Thank you in advance.

    Kindly regards.

    Marios.

  4. Frank says:

    Hi,

    First of all, thank you for a great article. This has helped a lot setting up my installation.

    I have a question though.
    I would like to change my default port in the gateway, thats the easy part.

    When I enter the collection deployment properties, I can configure the
    RD Gateway
    RD Licensing
    RD Web access
    Certificates.

    In the RD-Gateway, below the “Use these RD Gateway settings” I would like to key in the server and port I have chosen, but it seems it is only possible to key in the servername.
    If I for instance try to write : “Gatewayserver.dk:3215”, it will not allow the port.
    Only “Gatewayserver.dk”.

    I am aware that I can construct the rdp files myself, however the ones built by
    RDS can not be altered by users.

    Are there any solution to this issue?

  5. Ariel says:

    Hi Arjan,

    I followed most your steps except on the DNS side. I used a self-signed certificates and which gives me an ‘Untrusted’ level on each server. When I connect using a thin client to the RDWeb, though the connection was successful I don’t have the ‘FullDesktop’ session icon on my thin client. What could be the issue?

    Thank you.

    • Arjan Mensch says:

      Hi Ariel,
      That could easily be an issue in your Gateway RAP and CAP settings. For testing purposes open these up for any device to any resource and test again.

  6. Nicolas says:

    Hi Arjan,

    Thank you for posting this article, very useful for deployment.

    I face an issue with my deployment. It works fine on the LAN, but if I connect from a remote site (VPN) or the internet I have an issue where credentials are not passed to the session host and then I have an error regarding “an authentication error that is not handled by kerberos domain” (translated from French).

    Do I have to make some policy regarding allowed networks or something else ?

    Thank you in advance

  7. rahuljainalw1789 says:

    Hello Arjan,

    That was a really good article. Thank you very much for all that information.

    Can you give some details on sizing of the server. Specially RD Web Access, RD Gateway and RD Connection Broker.

    You have taken virtual machines with 1vCPU and 512 MB RAM. Up to how many users this will hold good.

    What should be the sizing for around 50 concurrent users. And which machine will require more resources as the number of users grow?

    Thanks,
    Rahul Jain

    • Arjan Mensch says:

      Hi Rahul,
      1cpu / 512mb is only good for labs, and I selected dynamic memory, so no telling what it would grow to.
      For 50 users 2cpu / 4096mb should suffice for a machine that holds a combination of RDWA and RDGW, or for the broker.
      Around 4500 users is the max at the moment, and I would assign 2cpu / 8gb per node, and create two loadbalanced nodes.

  8. Greg says:

    Hi Arjan,

    In the configuration of Certificates you say “Click Browse to browse to the .pfx which you prepared for the RD Connection Broker server”. You mention certificates prepared for some of these Service Roles a couple of times. Do we need to create/prepare these certificates ourselves? How do we go about this? Or are you saying we just use the certificate created initially by the Wizard for all of these Role Services? I have the issue of them all being untrusted and also sometimes get a connection error saying the address on the certificate is wrong…

    I am also trying to configure a pretend thin client using a Win Embedded 8.1 Industry Pro VM to connect to Remote Apps, a Virtual Desktop and a Session Desktop preferably using RDP files. Can you help me with this or point me somewhere I can get more help?

    Thanks for your help,

    Greg

    • Arjan Mensch says:

      Hi Greg,

      Late reply. sorry.
      With preparing I just mean you need to have them at hand. They need to be from a public CA, you cannot make this work with self signed certificates (what the wizard does), unless you make sure all possible clients trust that self signed certificates.
      As for your other question, no I cannot besides that I can tell you that if you use Firefox or Chrome to browse to the WebAccess site, you can download the signed RDP files, which you can then use on thin clients, or any other client for that matter.

  9. SARGuy says:

    Hi Arjan,

    I have my environment setup but I am having a couple issues.

    1) You have the broker FQDN listed in the resources as well as the RDSH servers. If I put in the name of the broker, I just get connected to the broker.

    2) For non-admin users, I am getting an error because of Remote Access Policy (TS_RAP), even though I’ve verified those users are part of the groups I added.

    Any thoughts or words of wisdom?

    • Arjan Mensch says:

      Hi SARGuy,
      When you say “connected to the broker” do you mean “using mstsc”? If so, just connect to 1 of the session hosts using mstsc. The session host will ALWAYS redirect to the broker first to ask if it’s ok to host the session. If not the broker will redirect the client to another session host. Bottom line: never connect to the broker fqdn using mstsc.

  10. Dave A says:

    Has anyone had any experience using Windows 10 Home Edition to connect to RDS 2012 on Server 2012 R2? Win 10 Enterprise edition seems to work fine, but Home edition from an external network fails. Very generic error given saying it can’t connect. Thanks to this blog, our RDS environment has been working flawlessly…until Windows 10 Home. This is the only error produced on the Gateway as a result: Event id 4625 in the security log

    An account failed to log on.

    Subject:
    Security ID: IIS APPPOOL\RDWebAccess
    Account Name: RDWebAccess
    Account Domain: IIS APPPOOL
    Logon ID: 0xC79B3

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A

  11. Norm says:

    What if you already have an appropriate licensing server? When you click “Add RD Licensing” and choose the existing server, will that server get broken?

  12. Ivan says:

    Hi Arjan,

    This guide had really helped me but as I am new to RDS there is one massive question.

    I have the following setup which are all 2012R2 :

    2 RDS Gateway in the DMZ
    4 Session Hosts on the LAN
    2 WebAccess on the LAN
    2 Brokers on the LAN

    Internally this is working really well and even managed to customise the WebPage internally so it appends the Domain to the username automatically.

    But I am not sure how to login from the internet ?

    I was expecting to use a webrowser from an external PC that hit the RDS Gateway website but this is not the case as there is no rdweb site on the Gateway server. I know the internal website is https://mysite.domain.internal/rdweb but how do I get to the internal Remote Apps \ Published desktops on the session hosts from external ?

    Hope you can help as I’m racking my brain and tried Googling the answer but nothing has come up.

    Regards Ivan

    • Arjan Mensch says:

      Hi Ivan,

      This is all answered in the blog series, but basically you need to make your web access servers available publicly.

      • Ivan says:

        Thanks for the reply. Do you have a section on your site on how to do this please as I have not seen it ?

      • Arjan Mensch says:

        Hi Ivan,
        Not as such. If you want users to be able to use RDP from outside your network, with only the Gateway role published to the internet they can manually RDP to inside resources, if they provide the gateway address and username and password. If you also publish the web access role, users simply open that in the browser, log in, and are presented all the connections you allow.
        Whichever method you choose, you must define in the gateway policies which users and which resources are allowed.

    • Steve Welsh says:

      Hi Ivan,

      I believe you should have your Web Access servers in the DMZ also. They need to present the RDWeb site externally and (if you’ve set up the DMZ to LAN firewall correctly) you will be preventing https access to the LAN.

      Regards,
      Steve

  13. Ben says:

    Hi Arjan,

    I setup the scenario using your instructions on Part 1. I then realized that I couldn’t publish apps and have a full desktop in the same collection. So I created another server 2012 vm and added it to the RD session host. I was then able to create a second collection and publish apps and have the full desktop as well. My question is if this is for about 10-15 users would this scenario be okay? So to recap my environment looks like this:
    All 2012R2 vm’s
    DC = has RD Licensing
    RDSql = for sql database
    RDS1 = is for RD Web Access, RD Gateway, RD Connection Broker, RD Visualization Host, RD Session Host
    RDS2 = 2nd RD Session Host
    My internal DNS = gateway.xyz.com to RDS1 IP

    When I log into https://gateway.xyz.com/rdweb I get both published apps and full desktop

    Should I think about changing this? Am I going to create an issue going forward? I know the farm is what is recommended if you want multiple collections, but since this worked I wanted to see this is a viable option?

    Thank for the great articles…

    • Arjan Mensch says:

      Hi Ben,
      You’re good to go. You can always add extra session hosts to either collections, thus creating multi host session collections, either for full desktops or published apps, depending on your needs.

      • Ben says:

        So there is no downside to what I did? I’m just trying to understand if there is any reason for the farm compared to what I did that may cause me issues going forward?

        Thank you again.

      • Arjan Mensch says:

        Hi Ben,
        Like I said, good to go. Any other role is fairly easy to loadbalance or otherwise make highly available at any point going forward. Having 2 or more session collections to support your needs is fully supported.

      • Ben says:

        Hi Arjan,

        So one issue I came across is when I’m external to the network and I go to the web page. When I click on either an app or the full desktop I get the following error:
        1) Your user account is not listed in the RD Gateway’s permission list
        2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 157.60.0.1).

        I went into the RAP policy and changed the permission under network resource to allow users to connect to any network resource. Then it allows me to connect. If I choose an AD security group that I created that contains both RDS servers, it fails with the error above. Is there something I’m missing here?

        Thanks.

      • Arjan Mensch says:

        Hi Ben,
        Did you restart your session hosts after adding them to the security group? Does it work when you add the session hosts individually instead of adding the group?

  14. Ben says:

    I did restart and that didn’t work. I also tried adding the servers individually but couldn’t b/c it would only allow me to add groups in the policy. I went into network resources and chose “select an existing RD Gateway managed group or create a new one”. I created a new one and added the external name (gateway.xyzcomp.com) and the IP addresses of both session servers. Then it worked. Is that normal behavior?

    • Arjan Mensch says:

      Hi Ben,
      It is recommended to use a Gateway local group. This group should contain all session hosts that are accessible through the Gateway and all brokers. The session hosts should be added using the internal FQDN, the brokers should be added using the external FQDN, that is, the FQDN that is on the certificate. The gateway itself should not be added, unless it’s the same machine that hosts the broker role using the same name, of course.

  15. Mike Nowak says:

    Can you explain exactly how to create the certificates?
    I am just not sure how to create the private key and the other certificate details.

    As you can see we’ll deploy 3 certificates in this setup. The names I will use for this will be “webaccess.it-worxx.nl”, “gateway.it-worxx.nl” and “broker.it-worxx.nl” for obvious reasons. You may consider using a wildcard certificate.

  16. Ben says:

    Hi Arjan,

    If I have a 2008 DC and want to deploy a 2012 R2 RDS server, would there be an issue with following the steps you have listed? I can’t upgrade the DC currently but need to set up the RDS server.

  17. Jeff Chow says:

    Can I please clarify something here.
    Following this guide, I was running into a constant issue where database creation was failing although the DSN was successful; the error log indicated “Access Issue” although I had all the right permissions.
    My setup is
    SRV1 – holds RD Licensing, SQL Express; the database is installed on a separate drive called E:\
    SRV2 – Connection broker.
    When configuring HA from SRV2, on the last page where I have to click configure I was putting the database file path as – \\SRV1\E$\
    This is why the database creation was failing.
    Since SQL looks for a local file path and connects to the database server using the DSN, when I changed the database file path to E:\ only, that solved the problem.

    • Arjan Mensch says:

      Hi Jeff,

      You are correct. Like I said in the guide:

      Folder to store database files:
      C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
      I used the instance default folder.
      •Note that this points to a folder on the SQL Server.

      Do not use a UNC path for the database files!

      • Joel Chema says:

        Hi Arjan
        Thanks for the reply. I have got everything right.
        So when users connect to RDS externally, I can see that they are connecting to the broker via the gateway. For this they basically go to, let’s say, https://webaccess.company.com/RdWeb
        But internally, if they are RDPing into webaccess, it’s actually logging them in to the web access server and not the broker as you show at the very end of this post.

        How do I make internal RDP connections round robin to different session hosts also?
        So if I RDP to the broker, once connected, I am actually connected to one of the connection brokers; shouldn’t the connected-to server name show connected to one of the session hosts?

      • Arjan Mensch says:

        Hi Joel,
        If you don’t want your internal users to connect to webaccess, just let them RDP to one of the session hosts, or use the application feed to configure internal users.
        If a user RDPs to a session host, that session host will always redirect to the broker and let the broker decide if the session host can handle the session, or whether the user should be redirected to a different session host. Never RDP to the broker address.

  18. Joel Chema says:

    Hi Arjan
    Thanks for the reply. What do you mean by “use the application feed to configure internal users”? And thank you, I will create RDP access from the session host servers.

  19. Diego says:

    Hi! Your guides are amazing!
    I have only one question.
    When I connect to “Full desktop” in the RDWEB site, I connect to broker.it-worxx.nl but in the RDP title bar I see the session host hostname. In fact I see the name itwrds04.itw.test.
    Do you know where I made the mistake? I tried to recheck your guide but I can’t find the mistake.

  20. Jeff says:

    Hi,

    I have an RDS implementation using 2012 R2 with HA brokers. 4 VMs. The first pair are each configured as Web/Brokers (HA) and Gateways. The other two VMs are just app servers.

    I am just in the POC phase, and looking to have a clean login from the RemoteApp website which allows an app to start without any additional login. The cert for the external FQDNs is applied to all 4 functions: Web/Broker (single sign-on and publishing)/Gateway.

    I continually get a double login to start an app… one from the website and the other before the app starts. I am beginning to suspect this is because the public cert (applied at all 4 cert levels) doesn’t work for each of the internal RDS Session Hosts. The external FQDN of the brokers/web/gateways is apps.domain.com while the internal AD domain is [servername].corp.domain.com. I am wondering if I am seeing the double login because of this.

    Is this the compelling argument for purchasing a wildcard cert as *.domain.com, and will this work when apps.domain.com is the external FQDN and the internal servers are [servername].corp.domain.com? (using SAN)

    I am just not entirely sure the wildcard cert is causing the snag I am experiencing. I get that other prompts can appear about trusting the publisher, but the double login is really a big deal.

    Thanks in advance for any insights.

    Jeff

  21. Joel Chema says:

    Hi Arjan
    Hope you can shed some light,,
    I created an RDS environment, following your blog (thanks for the write-up); it consists of 7 VMs
    Internal Domain Name – xy.xyz.net.au
    External Domain Name – xyz.org.au
    VM0 = Licensing & SQL Express server
    VM1 = Webaccess Server, (has a public address), HTTP to HTTPS redirection,
    VM2 = Gateway Server, (no public address)
    VM3 = Connection broker 1, (no public address) – HA using RD HA setup
    VM4 = Session Host1, (no public address)
    VM5 = Connection broker 2, (no public address) – HA using RD HA setup
    VM6 = Session Host2, (no public address)
    VM7 = Session Host3, (no public address)

    I have applied a wildcard cert for the 4 roles (SSO, gateway, CB, webaccess)
    I have not changed the FQDN names of any of the servers to the external FQDN name,
    I have not applied the wildcard certificate on any of the host servers.

    In my internal DNS Server I have created 2 split zones as suggested in your blog.
    Primary Zone – xy.xyz.net.au
    Split Zone – zyz.org.au (this is so internal users can access internal resources that is publicly available internally)
    Split Zone 1 for RDS – broker.xyz.org.au – this has both of the connection broker internal address
    Split Zone 2 for RDS – gateway.xyz.org.au – this has the gateway server internal address
    Webaccess url – remote.xyz.org.au, I have added this as a host record under the internal split zone – xyz.org.au
    I have also created a host record named (RDSH) under this split zone & added all 3 of the session collection’s internal addresses, so if I ever need to RDP then I can do round robin.

    I have created a session collection for Applications and published a bunch of apps. I have also published an RDP application & made it available in the web session collection. For the RDP application, I have put the parameter details as – rdsh.xyz.org.au

    Problems I’m facing:
    1) When I access the web access URL internally & click on any published app, I can see I am being connected to remote computer=broker.xyz.org.au & gateway=gateway.xyz.org.au, and the connection authenticates and opens the app.
    However, when I click on the RDP icon that is configured to transfer the RDP session to the round robin DNS name=RDSH.xyz.org.au, I constantly get prompted for credentials with an error saying RDSH.xyz.org.au couldn’t verify the credentials.

    2) If I change the RDP app parameters to transfer the RDP session to one of the session collection server DNS names=vm4.xy.xyz.net.au, then I get an error message saying the connection is being redirected to another computer that belongs to a session host farm; you must use the farm name to connect.

    3) If I don’t log in via the webaccess URL and simply RDP internally using the round robin DNS name (without putting the gateway name in the gateway setting) – RDSH.xyz.org.au, then I get an error saying the certificate is from the local computer and not trusted, but it allows me to log in.

    4) If I log in to the web access URL externally and try to click on any of the published apps or the published RDP app from the webapp, I get an error message indicating the Gateway server is not available, try connecting later.

    Are you able to help me with the above please?
    Do I have to make the gateway server publicly available also, since the FQDN of the gateway server I used is an external FQDN?

    At this stage I am a bit confused as I am unable to pinpoint where the problem is.

    • Arjan Mensch says:

      Hi Joel,
      First of all, edit your comment, it has one entry where you didn’t hide your actual external domain name (split zone 2) ;)
      Couple of things with your setup:
      1. You do not need to add a farm DNS round robin structure when using RDS 2012 or 2012R2. The broker handles all load balancing and session redirections. Simply RDP to VM4.xy.xyz.net.au and if the broker thinks that’s the most suitable SH your session lands there, if not the broker tells the client to go to one of the other VMs. That should probably fix problems 1, 2 and 3, provided you have added the internal SH names to the Gateway policies.
      2. If your gateway server is not on the webaccess server, both servers should have an external IP and TCP 443 available externally (not 3389!). That should fix problem 4.

      • Joel Chema says:

        Lol,
        totally didn’t see that. How do I edit the comment? I can’t see the option for editing it?

  22. Joel Chema says:

    Hi Arjan
    Further information: I am in the process of sorting out the public interface for the gateway server.
    Internally, I have now removed the DNS round robin configuration.
    I have changed the published RDP app parameters to one of the host servers,
    which reads as below when I click on the RDP icon from the webaccess published app page
    “/v:vm4.xy.xyz.net.au” (without the colon)
    I have also added both the internal DNS name and the external DNS name of all 3 session host servers in the gateway configuration.
    This time, I can see that my authentication is accepted and group policy mapped, and I was presented with a 2nd username & password box, which after I put the credentials in, I get the below error

    “The remote computer vm4.xy.xyz.net.au you are trying to connect to is redirecting you to another remote computer vm6.xy.xyz.net.au. Remote Desktop Connection cannot verify the computer belongs to the same RD Session Host server farm. You must use the farm name, not the computer name, when you connect to an RD Session Host server farm.”

    I don’t remember creating a farm name at all; I don’t see any farm name setting. This is why I thought the round robin DNS name was the farm name that points to the 3 session host servers?

    • Joel Chema says:

      Further update,
      So just for testing, I rebooted all my VMs and tried to go to rdweb internally; now I am able to log in to RDSH.xyz.org.au from the RDP app that was published from the webapp page. It automatically redirects me to one of the session host servers.
      I then sign out, and retry to log in to rdsh.xyz.org.au internally from the webapp page. I can see my session goes to GPO, applies policies, then I get presented with another credential box, where no matter how many times I punch in credentials it keeps presenting me the credential box.

      This looks like, once one RDP session is established, although I signed out, a 2nd session is not establishing.

      • Arjan Mensch says:

        Hi Joel,
        You are publishing the RDP file because you want to publish a Remote Desktop for your users?
        Any reason why you’re not creating a session collection that publishes the desktop?

  23. Joel Chema says:

    Hi Arjan,
    thanks for the reply,
    Basically, it looks like, once I have used the 3 session host servers to publish a RemoteApp collection, if I go to create a new collection for Full Desktop, I can’t? The session host servers don’t appear in the list of available servers for me to publish a full desktop collection.

    • Joel Chema says:

      Also, I have now put a public address on my gateway server and updated external DNS.
      When I try to access the webaccess page (externally) – remote.xyz.org.au,
      I get a popup window that says,
      connecting to Remote computer – broker.xyz.org.au, Gateway Server: gateway.xyz.org.au
      When I click connect I am still getting the same error message: gateway server is temporarily unavailable, try again later.
      Do I have to do an HTTP to HTTPS redirect via IIS on the gateway server & on the webaccess server?
      Do I have to give a public IP to the broker server as well? I have 2 connection brokers for HA... (do I have to give 2 public IPs then, to both brokers?)

      • Arjan Mensch says:

        Hi Joel,
        Correct, you can either use session hosts for RemoteApps or for full desktops. Not both.
        And no to your other question. If configured correctly you need an external IP on your webaccess server and forward 80 and 443 to that server, do your http to https redirect on the webaccess server. You need an external IP on your gateway server, forward 443 on that IP to the gateway server. Your brokers do not need to have an external IP. They do need to have the split dns externally resolvable name because the certificate used needs to be publicly trusted for external access to work.
        So external IP and external A record in DNS for webaccess (80 and 443), external IP and external A record in DNS for gateway (443), internal IPs and split dns zone with non-named A records to internal IPs of the brokers. Add split dns zone name to Gateway policies.
        If you use webaccess and gateway internally as well, add those as internal dns zones as well, add non-named A records to internal IPs of webaccess and gateway servers respectively.

  24. Joel Chema says:

    Hey Arjan
    Thanks again for the reply. Ok, so I have now made some more changes as suggested above; it’s looking better. So with the ports open, I am now able to at least reach my gateway server. I have added (the internal DNS names of the session host servers, the external FQDNs of the session host servers in the gateway policy, and I have added the IP addresses of the session host servers, and I have also enabled all domain users) but now I am getting the error message “Remote Desktop couldn’t connect to the remote computer” for:
    1) your account isn’t listed in the RD gateway policy
    2) you might have specified the remote computer in NetBIOS format but the RD gateway is expecting FQDN & IP
    I have checked the gateway server application and terminal server event logs and I can see an error message saying domain\user didn’t meet the authorisation policy.
    Although I have done a lot of looking into the new error message, I just thought I would ask you.
    Other than that, I think all is sorted; I am just one step away from finishing the deployment.

    Cheers
    Joel

  25. Joel Chema says:

    Hey Arjan
    Thanks for your help. I made some more changes.
    I think I am about one step away from completing this.
    The only error message I am getting now is
    1) your user account is not listed in the RD Gateway’s permission list
    2) You might have specified the remote PC in NetBIOS format, but the RD Gateway is expecting an FQDN or IP address.
    When I check the RD Gateway, in the terminal server gateway operational event log I can see the error – the user domain\user on client computer x.x.x.x didn’t meet the authorisation policy requirement and was therefore not authorised to resource broker.xyz.org.au, error 23002

    When looking at that error in several blogs: I have already put the internal IP, FQDN or server name & internal DNS name of the session host servers in the gateway RAP local policies, and I already have domain\domain users in the CAP policies.. so not sure where it’s not working now?

    Any idea?

    • Arjan Mensch says:

      Hi Joel,
      You could easily start troubleshooting that by not limiting the computers that can be reached through the gateway by selecting All Network Resources in the gateway’s RAP.

      • Joel Chema says:

        Very strange.
        I have adjusted the RAP policy, and re-adjusted the RAP policy again to include the internal addresses of the 2 broker servers.
        When I try to access the webapp from an Android phone using the MS RDP app
        I still get the same error message
        1) your account is not listed in the RD gateway’s permissions
        2) RD is expecting FQDN or IP address

        This time though, in the terminal server gateway event log I see the below
        user on client comp x.x.x.x initiated an inbound connection. the connection may not be authenticated yet
        user on client comp x.x.x.x initiated an outbound connection. the connection may not be authenticated yet
        User on client computer met the authorisation policy and was therefore authorized to access RD gateway, authorisation method used was NTLM, connection protocol was HTTP
        But right away I get another message in the event log saying
        User on client computer x.x.x.x didn’t meet authorisation policy and therefore wasn’t authorised to resource broker.xyz.org.au …

  26. Joel Chema says:

    OMG, I can’t believe I didn’t add the test user account to the Remote Desktop Users group in AD..
    DAMN, … stupid me. .
    It all works now..

  27. Joel Chema says:

    Actually, no, spoke too early; I was accidentally trying on the internal subnet rather than from external ..

  28. Joel Chema says:

    Anyone had any similar issue like me?
    Internally everything is working fine,
    but externally I am getting the below issues

    1) your account is not listed in the RD gateway’s permissions
    2) RD is expecting FQDN or IP address

    In the terminal server gateway event log I see
    user on client comp x.x.x.x initiated an inbound connection. the connection may not be authenticated yet
    user on client comp x.x.x.x initiated an outbound connection. the connection may not be authenticated yet
    User on client computer met the authorisation policy and was therefore authorized to access RD gateway, authorisation method used was NTLM, connection protocol was HTTP
    But right away I get another message in the event log saying
    User on client computer x.x.x.x didn’t meet authorisation policy and therefore wasn’t authorised to resource broker.xyz.org.au …

    I have made sure the RAP policy has the FQDN, DNS name & IP address of the session host servers. I have made sure all servers can ping using FQDN & DNS names.
    I think I hit a road block …

    • Arjan Mensch says:

      Hi Joel,
      RAP needs internal names for the session hosts, External FQDN for broker.
      Have you tested with “allow access to all resources”?

      • Joel Chema says:

        Hi Arjan

        Finally figured it out,
        all working now; it was the port. In the RAP policy allowed port, I had allowed ports open to 443; the default was 3389, which I removed.
        When I changed the port back to allow connections to any port it was working; then I changed the port to 3389 and it’s working.
        I ran Wireshark and I could see it was acknowledging to port 443 as per the gateway policy and then dropping the session.
        I think the listener port needs to be configured to 443 to overcome this completely.
        I will play with the TS listener setting but for now it’s working over port 3389.
        Name resolution was not a problem because I could resolve all names from any of the deployed servers.
        Thank you for all your replies and help and for this blog; I need to buy you a beer, please give out your PayPal address :)

        I will send you a separate post explaining the issue I faced; it’s up to you, maybe update the blog with that extra info, might be helpful for someone else?

        Cheers again
        Joel

  29. Joel Chema says:

    Hi Arjan
    So the challenges I had were
    1) The SQL native client configuration.

    Ans – the drive letter needs to be mentioned; in my case, I was using drive letter E:\ on server dc1.xyz, so in the native client I was putting in \\dc1\e$\ – which wasn’t working.
    Since the native client configuration knew the server where SQL was loaded, all I had to do was put in the database path as E:\programfiles\

    2) The Gateway server didn’t upload the SSL certificate properly, so I had to go to the properties in the gateway manager and in the SSL certificate tab I had to manually put in the SSL certificate.

    3) I had to put in the host servers’ FQDN, IP address & DNS name in the RAP policy.

    4) In the RAP policy properties, allowed port, I had to use port 3389 for now for external access to work properly. But I think the TS gateway listener will need to be changed to match port 443, and then changing the allowed port of the RAP to 443 would work.

    Feel free to delete this entry from your blog if you don’t feel it’s appropriate, but otherwise, if you don’t mind & want to, update with a “problems you may face and solutions” section?

    here is a link I updated also

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/7719fca6-6afe-45a3-a631-33cc4f57c2ba/the-user-xysman-on-client-computer-xxxx-didnt-meet-resource-authorisation-policy-requirement-?forum=winserverTS

    • Arjan Mensch says:

      Hi Joel,
      1) Correct, the database path must be the local path on the database server, not a UNC, I think I mention that in the posts?
      2) Strange, never had this issue before deploying the certificate from the deployment properties wizard, but good find.
      3) Have you tested this with just the internal DNS names, internal IP addresses for the session hosts? There’s no need for external DNS for the session hosts.
      4) The gateway accepts 443, the RAP defines what is tunneled, in this case 3389, which is proven by the fact that the setup works without opening 3389 externally.

      I don’t delete comments (that are not spam), so thank you!
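
The two replies above (the Gateway-managed group with internal session host names plus the broker’s external name, and the RAP port being what the gateway tunnels to the session host, not the 443 the client talks to the gateway on) can be expressed as a script. This is an added example, not code from the guide or from the commenters, and it uses the RemoteDesktopServices PowerShell provider on the RD Gateway server. Assumptions: the internal AD domain is it-worxx.local with session hosts itwrds04 and itwrds05, the broker is published as broker.it-worxx.nl, and the policy and group names are placeholders. The provider paths and parameter names are given as I remember them from the RDS provider; verify them with `Get-Help New-Item -Path RDS:\GatewayServer\RAP` on your gateway before running.

```powershell
# Added example, not part of the original post. Run elevated on the RD Gateway server.
Import-Module RemoteDesktopServices

$domain    = 'it-worxx'                  # NetBIOS domain name, used in the "Group@Domain" syntax (assumption)
$groupName = 'RDS-Internal-Resources'    # placeholder names
$rapName   = 'RDG-RAP-RDS'
$capName   = 'RDG-CAP-RDS'

# RD Gateway-managed group: session hosts by INTERNAL FQDN, broker by the
# EXTERNAL FQDN on its certificate (that is the name the client asks the gateway for).
$resources = @(
    'itwrds04.it-worxx.local',
    'itwrds05.it-worxx.local',
    'broker.it-worxx.nl'
)

if (-not (Test-Path "RDS:\GatewayServer\GatewayManagedComputerGroups\$groupName")) {
    New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' `
             -Name $groupName `
             -Description 'Session hosts (internal names) + broker (external name)' `
             -Computers $resources | Out-Null
}

# CAP: who may authenticate to the gateway at all. AuthMethod 1 = password (assumption).
if (-not (Test-Path "RDS:\GatewayServer\CAP\$capName")) {
    New-Item -Path 'RDS:\GatewayServer\CAP' -Name $capName `
             -UserGroups "Domain Users@$domain" -AuthMethod 1 | Out-Null
}

# RAP: which resources those users may reach, and on which port.
# ComputerGroupType 0 = RD Gateway-managed group (assumption). PortNumbers is the
# port the gateway opens TOWARD the resource (RDP, 3389); 443 is only the port the
# client uses to reach the gateway. Putting 443 here reproduces the failure in comment 28.
if (-not (Test-Path "RDS:\GatewayServer\RAP\$rapName")) {
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $rapName `
             -UserGroups "Domain Users@$domain" `
             -ComputerGroupType 0 -ComputerGroup $groupName `
             -PortNumbers 3389 | Out-Null
}

# Verify what is actually configured, rather than trusting the GUI.
Get-ChildItem "RDS:\GatewayServer\GatewayManagedComputerGroups\$groupName\Computers" |
    Select-Object Name
Get-Item "RDS:\GatewayServer\RAP\$rapName\PortNumbers" |
    Select-Object Name, CurrentValue

# Show the last hour of RAP rejections (the "didn't meet resource authorization
# policy" events quoted above) from the gateway's operational log.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'resource authorization policy' } |
    Select-Object TimeCreated, Id, Message
```

If the last query shows a rejection for `broker.it-worxx.nl` while the session hosts are listed, the name in the event is the one to add to the group: the client asks the gateway for the broker’s external name first, and the broker then redirects to a session host by its internal name, so both kinds of names must be in the RAP’s resource group.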

  30. Richard Frazier says:

    Hi Arjan,

    Brilliant post, thank you. I followed your article in my test lab and everything worked perfectly except when run externally or from a non-domain-joined PC.

    When I click the RDP full session from Work Resources I get the popup:
    publisher:- broker.****.co.uk
    Type :- Remote Desktop Connection
    Gateway:- gateway.****.co.uk

    I click connect and get the error: Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address requested and the certificate subject name do not match. Contact your network administrator for assistance.

    All certificates are trusted.

    Any thoughts would be appreciated.

    Thanks again Richard

    • Joel Chema says:

      Hi Richard
      Do you have public DNS externally so external computers or non-domain-joined computers can resolve the gateway server?

      Also, from the gateway server, open the gateway properties/configuration & check the SSL tab to confirm that the cert has been applied to the gateway properly.

      Also (I could be wrong), but it sounds like you may also need to update the certificate hash.

      Follow this – https://support.microsoft.com/en-us/kb/3042780#bookmark-fixitformealways

      Please note – the last suggestion is a guess only (as I am not entirely sure about the error message you are receiving).
      Before you do the last step, make sure to take a snapshot so you can roll back.

  31. Richard Frazier says:

    Hi Joel,

    Thanks for the reply. Yes, I do have public DNS externally. I have opened up ports 3389 and 443 to my gateway server; I can then RDP to the round robin DNS internally with advanced settings in the RDP client to set a gateway server, and load balancing between the two session hosts works perfectly, but not via Work Resources.

    It must be a port rule on my firewall.

    • Joel Chema says:

      Hi Richard

      Ok, so you have a public record for the gateway server & webaccess server?
      When you say not via Work Resources, do you mean RemoteApps via webaccess?

      Off the top of my head, some things you want to look for are below
      1) You can resolve all server names from each other using host name and FQDN.

      2) You also want to check the server published FQDN – https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 (this might give some indication)

      3) If you are still getting a certificate error, does your certificate name match the external FQDN?
      Also check if the trusted certificates are imported properly and, in your webaccess & gateway, the binding is associated to your IP and port.

      Can you give a brief description of your exact setup? What you have set up & how you are trying to access it, just so I can provide an exact suggestion? If you need a fresh pair of eyes, let me know; I might be able to do a TeamViewer session (depending on time differences).
      email-riyad008@hotmail.com

    • Joel Chema says:

      Hi Richard
      No problem. Off the top of my head, below are some of the things you want to go over
      1) Make sure you have external addresses for both your webaccess & gateway
      2) Make sure your external published FQDN is as per your external domain name –

      https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

      which should match your certificate if you get a SAN cert or wildcard cert
      3) Make sure that the certificate is imported and bound to the public address over ports 80 & 443
      4) Turn off the Windows firewall on all servers involved in RD (just for testing purposes)
      5) Make sure you can resolve all server names from each other using internal DNS names & FQDNs

      Maybe provide an exact description of the setup, and an exact description of what happens when you try internal access vs external access, and what happens for webaccess vs RDP.

      These are the basics I can think of that I would look at.
      If you need a fresh pair of eyes, let me know by email – riyad008@hotmail.com
      I would be happy to do a TeamViewer session to see if I can help (depending on time differences).

    • Joel Chema says:

      No problem, let us know if you want me to look into it over a TeamViewer session.

  33. Martin Willcox says:

    Hi,

    I have 1 GW, 1 CB & 3 SHs.
    If I connect remotely via MSTSC I get logged onto the CB instead of one of the SHs.
    In a previous comment you mentioned to connect directly to the SH instead of the CB and it will always ask the CB first for permission to host the session. Yes, this works perfectly; I get a mix of SHs hosting my session.

    2 questions;

    1) Should I change my internal broker.example.com DNS entry to one of the SH addresses? This I assume will make the external connection work, BUT won’t this mean that if we shut down the SH with that IP (maybe for maintenance) we won’t have a working TS cluster?

    2) How can I fix this so I can use the broker address to host the cluster redirection? Anywhere I can look? I followed the guide and have gone through it a couple of times to see if I missed a step but cannot see anything.

    Hope you can help,
    Mart

    • Arjan Mensch says:

      Hi Martin,
      If you want your users to connect using MSTSC, the best way to go about this is to browse to the web access page using Chrome or Firefox. If you then click the remote desktop icon it downloads the RDP file instead of starting it. Give this RDP file to your users and all is fine.
      Do not point the DNS entry for the broker to one of the session hosts, this will break your whole setup. It won’t work.

      • Martin Willcox says:

        Thanks Arjan,

        That works. What is the setting I’m missing to be able to create the RDP icon myself?
        It would be good to know what is needed. I am familiar with editing RDP icons from Notepad.

        Kind Regards,
        Martin

      • Arjan Mensch says:

        Hi Martin,
        It’s not really about settings in the RDP file but the way the RDP file is signed using the broker certificate, I think.
        But you can check that by opening the downloaded RDP file in Notepad(++).
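
To see what the reply above means, here is an added example (not from the guide or the commenters) that reads a downloaded .rdp file and prints the fields that fall inside its signed scope. The file content embedded below is constructed for the example, using the host names from the guide; the `signature` value is a placeholder, not a real signature, and the exact field list in `signscope` varies with the RD Web Access version.

```powershell
# Added example, not part of the original post. Parses an .rdp file from RD Web Access.
function Read-RdpFile {
    param([string[]]$Lines)
    $settings = [ordered]@{}
    foreach ($line in $Lines) {
        # Each line is key:type:value, where type is i (integer) or s (string).
        # The value may itself contain ':' (e.g. tsv:// URIs), so only the first two
        # separators are significant.
        if ($line -match '^([^:]+):([is]):(.*)$') {
            $settings[$matches[1]] = $matches[3]
        }
    }
    $settings
}

function Get-RdpSignedSettings {
    param([System.Collections.IDictionary]$Settings)
    # 'signscope' lists the display names of the settings covered by 'signature'.
    if (-not $Settings.Contains('signscope')) { return @() }
    $Settings['signscope'] -split ','
}

# Constructed sample of what RD Web Access hands out for a full-desktop collection.
$sample = @'
full address:s:broker.it-worxx.nl
alternate full address:s:broker.it-worxx.nl
gatewayhostname:s:gateway.it-worxx.nl
gatewayusagemethod:i:2
gatewaycredentialssource:i:0
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Desktop
use redirection server name:i:1
signscope:s:Full Address,Alternate Full Address,Gateway Hostname,Gateway Usage Method,Gateway Credentials Source,LoadBalanceInfo,Use Redirection Server Name
signature:s:AQABAAEAAAB...placeholder...
'@ -split "`r?`n"

$rdp    = Read-RdpFile -Lines $sample
$signed = Get-RdpSignedSettings -Settings $rdp

"Connects to   : $($rdp['full address'])"
"Via gateway   : $($rdp['gatewayhostname'])"
"Collection    : $($rdp['loadbalanceinfo'])"
"Signed fields : $($signed -join ', ')"

# Read the real file the same way:
#   $rdp = Read-RdpFile -Lines (Get-Content .\cpub-Desktop-CmsRdsh.rdp)
```

The point for Martin’s question: the client does not reach a session host by name at all. It connects to the broker’s name through the gateway, and `loadbalanceinfo` tells the broker which collection to redirect into. Because those fields are in `signscope`, hand-editing them (for example pointing `full address` at a session host) invalidates the signature, so the file has to be regenerated by RD Web Access rather than edited.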

      • Martin Willcox says:

        Arjan,

        Further on from my question above;
        Using RDS 2012 with HA, all is working well with the RDP icon I downloaded from the Web Gateway. Unfortunately this only fixes Windows users. We have a couple of Mac users with the latest version of the Microsoft Remote Desktop client. When we try to access the server I can see the session is attempting to log on to the Connection Broker. As the users don’t have permission, it doesn’t work. Additionally we have iPad users who want to RDP to the RDS cluster.

        Can you identify what’s going wrong here with my setup?

      • Martin Willcox says:

        Hi Arjan, did you see my message from the other day? I’m really struggling to get this to work as I would expect.

        As below;
        Using RDS 2012 with HA, all is working well with the RDP icon I downloaded from the Web Gateway. Unfortunately this only fixes Windows users. We have a couple of Mac users with the latest version of the Microsoft Remote Desktop client. When we try to access the server I can see the session is attempting to log on to the Connection Broker. As the users don’t have permission, it doesn’t work. Additionally we have iPad users who want to RDP to the RDS cluster.

        Can you identify what’s going wrong here with my setup?

      • Arjan Mensch says:

        Hi Martin,
        I’m not familiar with the Mac client, but things you can try:
        – If you are able to specify a server to connect to, specify one of your session host servers (internal DNS name). This only works if you can specify a gateway server separately. You should enter the external DNS name of the gateway server.
        – If you are able to use the webfeed address for your configuration, enter that. (https://url to webaccess server/rdweb/feed/webfeed.aspx)
        Again, never try to connect using the broker dns name.

  34. John says:

    This is the best article out there to create and manage this. I just have a few questions. I will start with my lack of knowledge on the Forward Lookup Zones. What is the reason that this is setup in DNS internally and an A record is created to look to the internal IP of the Connection Broker? I just want to understand this more and know what that does?

    • Arjan Mensch says:

      Hi John,
      Since the resources will be available both internally (your own domain) and publicly (from the internet), you must use certificates in your deployment that are from a trusted public provider.
      Since you can no longer add local FQDNs as Subject Alternative Names, you need a method by which internal clients access the resources using the external FQDNs. Hence the DNS “trick”.
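The DNS "trick" from the reply above, as an added example that is not part of the original post or its comments: on the internal DNS server, create one zone per published FQDN with an A record at the zone apex pointing at the internal address, so internal clients resolve the public names the certificates were issued for. The host names follow the guide's naming; the IP addresses and the `Ethernet`-style assumptions are made up for the example.

```powershell
# Added example, not from the original post. Run on an internal DNS server
# (DnsServer module, Windows Server 2012 R2). Addresses are assumptions.
$internalNames = @{
    'broker.it-worxx.nl'    = '192.168.0.13'   # RD Connection Broker (HA / round robin name)
    'gateway.it-worxx.nl'   = '192.168.0.11'   # RD Gateway
    'webaccess.it-worxx.nl' = '192.168.0.12'   # RD Web Access
}

foreach ($fqdn in $internalNames.Keys) {
    # One AD-integrated zone whose name IS the published FQDN
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope Domain
    }
    # Apex A record ("@") pointing at the internal address; skip if it is already there
    $existing = Get-DnsServerResourceRecord -ZoneName $fqdn -RRType A -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $internalNames[$fqdn] }
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $internalNames[$fqdn]
    }
}

# Check from an internal client: every public name must resolve to the internal address,
# otherwise internal users end up on the public IP (or on a session host directly).
foreach ($fqdn in $internalNames.Keys) {
    $answer = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue).IPAddress
    '{0,-24} {1} (expected {2})' -f $fqdn, ($answer -join ','), $internalNames[$fqdn]
}
```

For a second broker in the HA configuration, run `Add-DnsServerResourceRecordA` once more against the broker zone with the second node's address; the two apex records give you the round robin the HA wizard expects. Nothing here is needed in external DNS for the broker name: external clients only ever need the gateway (and web access) names.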

      • John says:

        Thanks for the reply. So for me to understand, in the example if I was not to add the IP address of the connection broker to the Internal DNS rules for broker.it-worxx.nl as an A record; what would break specifically?
        Would the remote app still work from the outside?
        Would the connections through mstsc to a session host that gets rerouted via the connection broker still function properly?
        In our internal environment we connect into servers via internal IP, would that still work as well?
        That does lead me to my next question. When we connect now to internal IP it gets rerouted to whatever server the connection broker chooses. How can I set it up to connect into a certain host for admin purposes?

      • Arjan Mensch says:

        Hi John,
        Yes externally everything would still work.
        Using internal IPs or internal FQDN would still work.
        To force a connection to a specific session host use the /admin switch with MSTSC (max 2 simultaneous connections).

      • John says:

        Ok, all that sounds great. Thanks for all the info. Another question:
        Just a simple overview of what these servers do, to my understanding. If you could comment in if I have something wrong that would be great.
        Connection broker – routes the connections to the best available session hosts and stores the information about the hosts and connections?
        Web Access – provides the access to remote apps that are published on a session host?
        Gateway – used to authenticate traffic coming in to validate the users authenticity and security of the connection?

        So my question is when I set up the remote app (published app), it asked me what session host to use for the app. Let's say I used Session Host 1. What if I take that host offline for maintenance, would the users still be able to connect in via remote app? Would the connection broker route the users to another host?

      • Arjan Mensch says:

        Hi John.
        Everything is spot on.
        As to your last question: If you have an app published to just one server the user would get a message after trying to connect. Server unavailable, or unreachable, or something like that.

      • John says:

        Ok, fantastic! So how do I set up the published app to be redundant? Or how would I set this up to work if a Server is down?

  35. John says:

    One other question/recommendation I need from you: How do you prefer or choose to set up the licensing server? Can this be on the Gateway Server or WebAccess Server without issue?
    Also, I wanted to make the Connection Broker, Gateway and Web Access Servers all the same VM and be the Licensing Server. I want to have high availability to the Connection Broker. Is this an ok setup to have? Would it cause any issues?
    Would I be able to make the Gateway/WebAccess/Licensing Server redundant as well? So if I have them all 3 in one or this scenario 4 in one, would the 2nd VM with all 4 as well work and still route traffic, authenticate and provide access if the 1st one was taken offline?

    • Arjan Mensch says:

      Hi John,
      I would prefer to keep the license server separate, for instance on a domain controller. As far as I know it’s not possible to make this role highly available.
      If you have two servers both hosting the broker, webaccess and gateway roles you can make each role highly available. And yes, this means you could take one offline. Remember the broker needs an SQL instance. In your case, don’t put this on one of the nodes, but keep it separate as well.

      • John says:

        Thanks so much for all the guidance so far. This I think is my last question. So I have all setup, the gateway and web access are on one, the license and dns (domain controller) are on one and the connection broker is on one. I have 2 brokers (high availability) active/active so both are reading and writing to SQL and getting info from there to service connections to hosts, this will not be available externally (does it need to be?). I have 2 gateway/web access servers and those will be accessible from the outside (external IP). I have an external address cloudgateway.company.com linked to an outside IP. Question: in the router/firewall, how do I link the outside IP to the internal IP’s of the 2 gateway servers? I want to be able to have fault tolerance, so that if one gateway server goes down then the other one will take all the traffic, is this possible? Or is it round robin setup for address translation from outside IP to internal IP, so I would have 1 outside IP connected to cloudgateway.company.com to the 2 internal IP’s? Again, thanks for all your help!

      • Arjan Mensch says:

        Hi John,
        You need to use a network load balancer to publish externally.

  36. Darryl says:

    Your guides are great, thank you. I've set up a single server solution. It's working great except for I have a user that likes to log on from an RDP session instead of published applications. How can I stop users from doing this? If I stop the domain users group from logging on, then no one can access the published connections. Any assistance would be greatly appreciated.

    • John says:

      I am not sure the reasoning behind the limits of Published app. But, I can say that if you wanted to you could use GPOs to launch the programs that you want to allow only instead of full desktops even if they come in through RDP.

    • Arjan Mensch says:

      Hi Darryl,
      I know it’s not pretty, but there’s a policy that defines which application to run when a user logs on. This seems to refer to full desktop access. Set this policy for users (not admins) to run c:\windows\system32\logoff.exe

  37. Rei says:

    Hi Arjan,
    I have read your post and all the question/answer and comments after, some of them related to my problem, to no avail. I also, before getting to your post, used the white paper you cited here:
    http://www.rdsgurus.com/ssl-certificates/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment/
    I cannot just figure this out and this should not be this difficult. Maybe I am missing something here that you could point me to.
    I have a very simple farm that includes one connection broker (CB01) and three remote desktop session hosts (RD01, RD02 and RD03). I am trying to implement a traditional remote desktop services environment in our domain company.pvt
    Installation goes well. No problems there. Then I created three DNS Host A records in the company.pvt zone, with the same name (RDFarm) pointing to the IP addresses of RD01, RD02 and RD03. I also created a wild card certificate ( *.company.pvt) using our own CA in Active Directory. I enabled SSO for the connection broker and also I was able to successfully install the certificate in the deployment configuration (using the deployment properties window) for the RD connection broker, Enable SSO and Publishing.
    To make this simple let's focus just on the remote desktop from computers joined to the domain inside the organization. No Web access or gateway involved here.
    Now the problem. I cannot get rid of the certificate warnings when "rdping" to RDSFarm. The redirection works just fine, but I get messages with name mismatch and no trusted certificates that are issued by the Remote Desktop Session Host servers themselves.
    I have played so much with all this that I do not really know what else to do. I have installed certificates through the RD Deployment, I have installed certificates manually in each server involved in the deployment, etc. and cannot get this straight.
    Any advice is highly appreciated !!!

    • Arjan Mensch says:

      Hi Rei,
      See my other answer. Clients do not connect to “dns farm name”. There’s no need for that.
      I have no experience using certificates from internal PKI, but my advice would be to find out how to use your private certificate(s) to bind them on the session hosts as session host certificates.
      Your clients connect to a session host, not to a farm. The session host redirects to the broker, the broker determines to which session host the session goes.
      Trying to use a “dns farm name” and using round robin complicates things and isn’t necessary.
      Hope that helps.

      • Rei says:

        Hi Arjan,
        From your answer I get that I do not need any DNS Round Robin Load balancing if I do this with W2012R2. It works exactly the same by just connecting to one of the Session Host Servers. That is good.
        Regarding the certificates, I will have to continue digging on that since what you suggest is what I have been trying to do without success for some time already with our internal PKI. The problem is that I do not have another choice since our internal domain is a “domain.local” and I cannot get a wildcard for that from an external CA.
        Thanks a lot.
        Rei

  38. John says:

    Can you describe how to setup multiple gateway servers? So that if one goes down the other one will pick up the connections, for fault tolerance.

  39. Bikram Gurung says:

    Hi Arjan,

    Nice article, I followed thoroughly and set up an RDS infrastructure.
    I have:
    1 x RD Gateway
    1 x RD Webaccess
    1 x RD Broker
    2 x Session Hosts.

    I acquired wildcard certificate from local CA. *.domain.com.

    I have published full desktop as on your article.

    When I test it internally, I enter https://webaccess.domain.com/rdweb and works well.

    Now I went to my firewall and forwarded port 443 (TCP) and 3391 (UDP) to the webaccess server. (Should I forward to Gateway server or Webaccess server?)

    Then I enter https://gateway.domain.com/rdweb and I get to the full desktop icon but when I clicked on it, it gives me following error:

    “This computer can’t connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.”

    Can you please guide me or help me where I went wrong?

    I am guessing I didn’t get well the port forwarding part, whether I should forward to gateway or webaccess…

    Your help would be highly appreciated..

    Biksuni

    • Arjan Mensch says:

      Hi Biksuni,
      If you have the webaccess and the gateway roles on separate machines:
      – Both WebAccess and Gateway should have TCP port 443 opened.
      – Gateway should have UDP port 3391 opened.
      If you are using *.domain.com from an internal CA, make sure your external clients trust the certificate chain for the *.domain.com certificate.
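The port list and the certificate-chain caveat from the reply above, as an added example that is not part of the original post or its comments: the two inbound rules belong on the host that runs the RD Gateway role, and the check function is what you run from a client outside the perimeter to see, for each published name, whether TCP 443 is reachable and whether the certificate the name presents matches the name and chains to a CA the client trusts. The host names are the placeholders used in the comment; nothing about UDP 3391 can be verified with a plain TLS handshake, so that port is only opened here, not tested.

```powershell
# Added example, not from the original post. Rules go on the RD Gateway host;
# Test-RdsEndpoint is run from a client. Names are the comment's placeholders.
New-NetFirewallRule -DisplayName 'RD Gateway - HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443  -Action Allow
New-NetFirewallRule -DisplayName 'RD Gateway - UDP'   -Direction Inbound -Protocol UDP -LocalPort 3391 -Action Allow

function Test-RdsEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $r = [ordered]@{ HostName = $HostName; Port = $Port; TcpOpen = $false
                     Subject = $null; SubjectAltNames = $null; NotAfter = $null
                     NameMatches = $false; ChainTrusted = $false; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $r.TcpOpen = $true
        # Accept whatever the server presents, but remember the policy errors so they can be reported
        $script:RdsPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
        $callback = { param($sender, $cert, $chain, $errors) $script:RdsPolicyErrors = $errors; $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI and name check against the public FQDN, as mstsc does
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        if ($san) { $r.SubjectAltNames = $san.Format($false) }
        $e = [int]$script:RdsPolicyErrors
        $r.NameMatches  = ($e -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -eq 0
        $r.ChainTrusted = ($e -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -eq 0
        $ssl.Dispose()
    } catch { $r.Error = $_.Exception.Message }
    finally { $client.Dispose() }
    [pscustomobject]$r
}

'webaccess.domain.com', 'gateway.domain.com' | ForEach-Object { Test-RdsEndpoint -HostName $_ }
```

`TcpOpen = $false` on the gateway name from outside means the forward or firewall rule is wrong; `TcpOpen = $true` with `ChainTrusted = $false` is exactly the internal-CA case from the reply: the client does not trust the issuer of the `*.domain.com` certificate, and the RD Gateway client will refuse the connection for the same reason. `NameMatches = $false` is the wildcard or wrong-name case discussed further down the thread.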

      • Bikram Gurung says:

        Thanks Arjan.
        Since I just have one public IP, I can’t open 443 to two servers. So, now my options are either change the listening port of gateway to something else or get a second public IP from my provider and route to my private IP.
        Or just don’t use the webaccess server !!!!
        Or re-start the RDS infrastructure with webaccess and gateway on a same server !!!
        What do you think?

      • Arjan Mensch says:

        Hi Bikram,
        You can just add another Gateway role to the webaccess server, at least that is what I would do in your situation. When that is done and configured you can remove your initial gateway server.
        Use the wizard from server manager to add the new gateway role.

  40. Bikram Gurung says:

    “or get a second public IP from my provider and route to my private IP.” I meant to say “my primary IP”…

  41. Solomon says:

    Hi,
    Pretty late request, I set this up through your instructions. I guess nothing else is comprehensive enough on the net (even though this post is about 3 years old). But I fail to understand the differences in using the Web Access and a regular remote desktop connection. When I log in on the browser it opens up the RDP client on the Windows machine. How is this different from just clicking a remote desktop file? I can't understand the difference between "web access" and "regular RDP client" on Windows.

    • Arjan Mensch says:

      Hi Solomon.

      The RDP in webaccess is generated by the webfeed and signed using the certificate for the CB.

      Normal RDP using mstsc or 3rd party app is unsigned and will yield a certificate error when you try to connect to a session host.
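What "signed by the broker certificate" looks like inside the file, as an added example that is not part of the original post or its comments (it is the check suggested earlier in the thread, opening the downloaded RDP file in Notepad, done in code): a small parser that reads an `.rdp` file, pulls out the broker, collection and gateway settings, and reports whether a `signature`/`signscope` pair is present. The sample file at the bottom is constructed for the example in the shape RD Web Access generates; the names follow the guide and the signature value is made up.

```powershell
# Added example, not from the original post. Parses an .rdp file (name:type:value
# per line) and reports the deployment-relevant settings and its signing state.
function Get-RdpFileInfo {
    param([Parameter(Mandatory)][string]$Path)

    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # type is s (string), i (integer) or b (binary); keys are case-insensitive
        if ($line -match '^([^:]+):([sib]):(.*)$') { $settings[$Matches[1].ToLower()] = $Matches[3] }
    }
    $signed = $settings.ContainsKey('signature') -and $settings.ContainsKey('signscope')

    [pscustomobject]@{
        FullAddress     = $settings['full address']              # the broker (HA) name in a generated file
        LoadBalanceInfo = $settings['loadbalanceinfo']           # tells the broker which collection to use
        GatewayHostname = $settings['gatewayhostname']
        RemoteApp       = $settings['remoteapplicationprogram']  # empty for a full desktop
        Signed          = $signed
        # Settings named in signscope are covered by the signature; mstsc locks (greys out) those
        SignedSettings  = if ($signed) { $settings['signscope'] -split ',' } else { @() }
    }
}

# Constructed sample; the signature value is not real
$sample = @"
full address:s:broker.it-worxx.nl
alternate full address:s:broker.it-worxx.nl
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Desktop
gatewayhostname:s:gateway.it-worxx.nl
use redirection server name:i:1
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,LoadBalanceInfo,Gateway Hostname
signature:s:AQABAAEAAADO...
"@
$tmp = Join-Path $env:TEMP 'sample.rdp'
Set-Content -Path $tmp -Value $sample
Get-RdpFileInfo -Path $tmp
```

The parser only reports that a signature is present; it does not validate it. The client does: mstsc checks the signature against the signing certificate, and the signed settings cannot be edited in the client, which is why a file downloaded from RD Web Access behaves differently from a hand-typed one pointing at the same address. To get the same behaviour for a file you build yourself, sign it with the broker's publishing certificate using `rdpsign.exe /sha256 <thumbprint> file.rdp` (`/sha1` on older clients) and make sure the clients trust that certificate.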

  42. Paul says:

    Hi Arjan,

    Great article.

    Quick question. I've set everything up and it's working perfectly providing full desktop sessions to users. However, I want to make some changes to the settings, such as turning off local drives and such. I have downloaded the app from rdweb using Chrome but the settings are greyed out. How do I change settings like this so that all users would get them? Do I create a new collection or can I adjust the current collection?

    Thanks

  43. Akbar says:

    Hello Arjan,

    First of all, thank you for the great article. I am very new to the RDS environment and I have learned a lot about RDS from your articles and detailed implementation guides. I have a requirement for an RDS deployment and need your help and suggestions for my POC.

    Requirement:
    ————

    1. Two servers will hosted with RD Gateway & RD Web Access, Should be load balanced
    2. Two Servers will be hosted with RD Connection Broker and Load Balanced
    3. Two servers will be hosted with Session Host servers
    4. RD Licensing – Planning host on either on AD server (or) one of the Session Host (or) One of the Connection Broker Server
    4. we wiill use an existing SQL for the High availability and Existing file server for Profile Data

    Requirement is that Users should be able to access the apps internally and externally as well ?

    Could you help me with standards and below questions.

    1. Can I create a Host record of Gateway Certificate name and Broker Certificate name (ex: Gateway.domain.com) in primary zone (domain.com)? Does this help people accessing the RDS environment externally & internally?
    2. Why do we have to create additional zones (with unique names of Gateway, Broker, Web Access)? Can these be accommodated in the primary zone (ex: domain.com) that the company is handling?
    2. How do I load balance both Web Access & Gateway roles hosted on two servers using NLB? The customer does not want to go for a third party load balancer.
    3. How will my users access the RDS environment externally from the internet? Using the RDWeb URL or the Gateway URL?
    4. How do I load balance the Session Host servers? (Users will access only the apps published in the RDWeb console. No requirement of accessing Session Host servers using RDP.)
    5. The certificates which we apply for Broker SSO, Broker Publishing, Gateway, Web Access: do we need to apply those certificates to client machines as well (those who want to access the RDS environment)?
    6. I will apply high availability for the RDCB server and will add the second RDCB server. Is this enough for the RDCB servers to load balance or do we need to apply NLB?
    7. Can I first deploy 1 server with RDWA & Gateway, 1 server with SH, and 1 server with CB, by installing the required certificates and making the RD CB highly available, and then add secondary servers to the RDS environment (Gateway, SH, CB)? Do I need to consider any additional points if I go with this method?

    I am sorry for asking basic questions and some may sound silly too. But I really appreciate your suggestions for the above requirement.

    • Arjan Mensch says:

      Hi Akbar,

      Quick and dirty answers:
      1. Create name for gateway in external DNS, create both broker and gateway name in internal DNS, like in my articles. Without the name in external DNS users can’t connect externally. Broker name in internal DNS is a must have.
      2. since your external IP is different from internal IP you must do both. External DNS for external users, internal DNS for internal users and inter-role communications.
      2. Use Microsoft NLB, it’s free.
      3. RDweb url shows the users a nice web interface, if you plan to give RDP files to the external users, they connect through the gateway only
      4. The brokers handle load balancing between session hosts.
      5. All your clients need to trust the certificate authority that issued the certificates
      6. That is enough
      7. Nope, you can add second, third, Nth servers whenever you want, but you can start with one, no problem
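The "use Microsoft NLB" answer above (and the earlier reply that an external publication of two gateway servers needs a load balancer), as an added example that is not part of the original post or its comments: a two-node NLB cluster for servers that each carry the RD Web Access and RD Gateway roles, with the default all-ports rule replaced by only the two ports those roles listen on. Server names, the interface name and the addresses are assumptions made up for the example.

```powershell
# Added example, not from the original post. Run on the first node after the
# feature is installed on both. RDGW01/RDGW02, 'Ethernet' and 10.0.0.50 are assumptions.
Invoke-Command -ComputerName 'RDGW01', 'RDGW02' -ScriptBlock {
    Install-WindowsFeature NLB -IncludeManagementTools
}
Import-Module NetworkLoadBalancingClusters

# Cluster IP is what the external DNS name / NAT for gateway.domain.com points at
New-NlbCluster -InterfaceName 'Ethernet' -ClusterName 'gateway.domain.com' `
    -ClusterPrimaryIP '10.0.0.50' -SubnetMask '255.255.255.0' -OperationMode Multicast
Add-NlbClusterNode -InterfaceName 'Ethernet' -NewNodeName 'RDGW02' -NewNodeInterface 'Ethernet'

# Only what RD Web Access / RD Gateway need: TCP 443 and the gateway's UDP 3391.
# Single affinity keeps one client's TCP and UDP legs on the same node.
Get-NlbClusterPortRule | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -Protocol Tcp -StartPort 443  -EndPort 443  -Affinity Single
Add-NlbClusterPortRule -Protocol Udp -StartPort 3391 -EndPort 3391 -Affinity Single

# Both nodes should show as Converged
Get-NlbClusterNode
```

Both nodes must use the same external FQDN and the same certificate for the Web Access and Gateway roles in Deployment Properties (the point made later in the thread for co-located roles), otherwise a client landing on the second node gets a name mismatch. Taking a node down is then just `Stop-NlbClusterNode -Drainstop` on that node.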

  44. Ben says:

    Hi Arjan,

    I accidentally misspelled the domain name in the DNS round robin name in the HA setup section. I already applied the change, so when I browse to the site I can log in, but when I get to the actual RDS session and try to log in it says I can't because the name is not correct. Is there any way to re-do the HA settings? When I try to edit the deployment it doesn't let me.

  45. sk8erbender says:

    Hello! I have 2 servers. One is set up as gateway remote.test.com; I bought a single domain certificate for that. Another server is a Terminal Server called server9. When I connect using the Gateway it says error "The identity of the remote computer cannot be verified. The server name on the certificate is incorrect." It says requested computer server9, name in the certificate remote.test.com. How do I fix it? Only by buying a wildcard certificate? Or how?

    • Arjan Mensch says:

      Hi sk8erbender,
      You should deploy terminal services using a broker as well, like in my guide.
      If you just want to RDP to server9 through the gateway for administration purposes you could simply export the server cert from server9 and add that to trusted root on the machine you use to connect.

  46. Kash Choudhury says:

    Hi Arjan, thanks for this great article!! I followed your details for (Part 1 – single node broker server) and everything worked fine!!

    However when I tried to add a second broker server I get the error message :

    The database specified in the connection string DRIVER=SQL Server Native Client 11.0;SERVER=EZ321DC01;Trusted_Connection=Yes;APP=Remote
    Desktop Services Connection Broker;DATABASE=ITWRDCB is not available from the RD Connection Broker server BROKER2.EASY321.CO.UK. Ensure
    that the database server is available on the network, the SQL Server Native Client is installed on all RD Connection Broker servers, and
    the computer accounts of the RD Connection Broker servers are members of the RDS Management Servers group on the database server.”

    Also –
    I have added the “SQL Client” to the additional broker server “BROKER2”
    I have added the new server to the security group “RDS Broker Servers”

    Do I need to create/add any extra DNS records ?
    Anything else I need to add/amend

    Thanks
    Kash

    • Arjan Mensch says:

      Hi Kash, you just need to make sure broker2 can reach the SQL server on TCP 1433 and that you have rebooted the server to apply the new security token.

      • Kash Choudhury says:

        Hi Arjan

        I have allowed TCP 1433 on machine (SQL server) & (BROKER2). I have rebooted everything, still having the same problem. I have also added an "A" record for the new broker2 on the public facing mail zone record, see below

        i.e. record “mail.easy321.co.uk” has the following contents:

        host record 10.1.1.112 – 1st broker – this one works
        host record 10.1.1.114 – 2nd broker – add manually – the one trying to add.

        Do I need to add a round robin DNS record for the brokers?
        Do I need to add the new broker2 to the sql database somehow ?!
        (I have also switched off all firewalls on all servers for testing purposes)

        Many thanks
        Kash

      • Arjan Mensch says:

        The brokers should have a record in the internal DNS. Only the HA FQDN should be an FQDN that you can register on a public certificate.
        There is no need for the brokers themselves to have a public fqdn.
        Both brokers should be member of a security group that has DB creator rights on the SQL instance, and both must use the same DB connection string.

  47. Giulian says:

    Hi

    Can you explain how I can do this with StartSSL? I use Class 1 for a sub-domain.

    I receive a .cer file for the web server but nothing in PFX. How can I get a PFX file to use at the certificate configuration step?

  48. David Fox says:

    I need a little help with the cert mismatch issue – my config is:
    RDS01 – Session Host
    RDS02 – Web, Broker, Gateway
    DC01 – Licensing

    I have Internal DNS setup for broker.domain.com, gw.domain.com and webaccess.domain.com.

    Wildcard cert being used *.domain.com

    I can log in to webaccess fine and launch the Session Collection, but get the issue of "Name mismatch: remote computer rds01.domain.local, certificate *.domain.com".

    I have tried to follow https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/ to no avail.

    • Arjan Mensch says:

      Hi David,
      If you have the gateway and webaccess roles on the same server, use the same external FQDN for both roles.
      Is your single broker in a HA configuration?

      • David Fox says:

        Yes webaccess, broker and gateway are all on same server. Yes HA configured with SQL express.

        So to only use the same external FQDN I have simply updated in IIS to redirect using new FQDN of gw.domain.com, and added external DNS for gw.domain.com. Is that the only change I need to do?

      • David Fox says:

        Same thing happened ….. I can't help but feel the Broker should not be using a name.domain.local but instead something on *.domain.com as we are using a wildcard cert.

      • David Fox says:

        Am going to remove all roles and start again …… will come back to you with a result either way :)

      • Arjan Mensch says:

        Hi David,
        Couple of things before you do that:
        – If the webaccess and gateway are on the same machine, make sure that in Deployment Settings the same FQDN is configured for both roles, and that both roles are using the same Certificate (as stated in the warning)
        – The broker MUST have a domain.com FQDN, that is exactly the reason why you need to configure HA, even with a single broker.

        Do not redirect your gw.domain.com to wa.domain.com or something silly like that, there’s no need.

      • David Fox says:

        Roles removed :(

        I had already checked all certs are using *.domain.com and thought the FQDN redirection would make 0 difference.

        I will re-add roles now and hopefully get this online – still in beta so not affecting production.

      • David Fox says:

        Removed Roles and re-added but same issue … aaaaargggh.

        In Deployment Properties WebAccess shows:
        RDS02.domain.local https://RDS02.domain.local

        Based upon your comment below about these two roles needing to be configured the same, where do I change for WebAccess?

        GW is configured to use gw.domain.com.

        Original problem/error still shows RDS01.domain.local as ‘Requested remote computer’ and *.domain.com as certificate.

      • David Fox says:

        I agree so why is the cert my wildcard for this connection between broker and session host? Is it picked up from cert store on session host somewhere?

      • Arjan Mensch says:

        Hi David,
        No, external users are entering your environment through the gateway, which is in domain.com. They then automagically connect to one of the session hosts, which (with wrong broker configuration) presents the domain.local (self-signed) certificate.
        With a correctly configured broker (domain.com!!) this is prevented by the broker. The client will be fooled into connecting to the broker.
        Internally you probably bypass the gateway, so the client connects through the wrongly configured broker (domain.local) which is (by default) trusted by internal clients, hence no errors on the certificate presentation.

      • David Fox says:

        All sorted now after rebuild of Session Host – did not have to make any further change to DNS etc. My feeling is that the Broker when authenticating with the Session Host was picking up the wildcard cert which may have been added to the Session Host in an effort to fix something else :) Thank you for getting back to me and stepping me through this.

    • David Fox says:

      Also ….. connecting from internal has no certificate mismatch error/warning.

  49. David Fox says:

    Another question on this deployment …. so externally connection works as expected, but how do we deploy an RDP file internally so Users do not need to login to WebAccess?

  50. Mark Teh says:

    Hi Arjan,

    Amazing step by step guide you have here. I have been trying to configure everything so far, but was stuck at the High Availability configuration. I was able to enter the database string, folder path and the round robin name, but when I click "Configure", it shows the error "could not create the database 'dbname'". I have ensured that Full permission was given to the SQL server folder (where the MS SQL server is installed) from the Connection Broker server, I have ensured that port 1433 is opened, and have ensured all SQL logins are given dbcreator. But it shows an error in Event ID 32776 "Microsoft-Windows-Rdms-UI".
    Have you encountered this before or did I miss out anything? Maybe you can guide me through on how to troubleshoot it myself.
    Thanks a lot and great job for the guides you've shared

    Mark TGK

    • David Fox says:

      Hey Mark – I have recently used this guide and very impressed. I also tripped when it came to this and my issue was the version of SQL Native Client and therefore the version mentioned in path for “SQL Server Native Client 11.0”.

      • Mark Teh says:

        Hi David – The SQL server I've installed is the SQL Server Express (SQLEXPRWT_x64_ENU.exe) and the SQL Native Client 11.0 (ENU\x64\sqlncli.msi) from the URL provided in the guide. It's the same version when I checked it in the control panel. As for the path, I've followed exactly the same as given, and changed the server name and database name. Anything else I should be aware of?
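The two broker HA failures in this thread (the "database ... is not available from the RD Connection Broker server" error when adding a second broker, where the reply lists TCP 1433, the Native Client and the computer account's group membership, and the "could not create the database" error with Event ID 32776, where the Native Client version named in the `DRIVER=` part of the connection string was the culprit) all come down to the same handful of prerequisites. As an added example that is not part of the original post or its comments, the function below takes the exact connection string you paste into the HA wizard and checks each of them on the broker it runs on. It needs the RSAT Active Directory module; the server, database and group names in the usage line are the ones quoted in the comments, and the group name used for the dbcreator grant is an assumption.

```powershell
# Added example, not from the original post. Run on the broker being added, as an admin.
# Checks: ODBC driver name, SQL port, computer-account group membership, and the string itself.
function Test-RdBrokerHaPrerequisites {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,        # identical on every broker
        [string]$ManagementGroup = 'RDS Management Servers',    # group granted dbcreator (assumption)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Pull DRIVER= and SERVER= out of the connection string
    $parts = @{}
    foreach ($kv in $ConnectionString -split ';') {
        if ($kv -match '^\s*([^=]+)=(.*)$') { $parts[$Matches[1].Trim().ToUpper()] = $Matches[2].Trim() }
    }
    $driver = $parts['DRIVER']
    $server, $port = $parts['SERVER'] -split ',', 2        # SERVER=host, host,port or host\instance
    if (-not $port) { $port = 1433 }                        # named instances on a dynamic port need ,port
    $hostOnly = ($server -split '\\')[0]

    $checks = [ordered]@{ Driver = $driver; SqlHost = $hostOnly; SqlPort = [int]$port }
    # 1. DRIVER= must match an installed 64-bit ODBC driver name exactly (e.g. a 10.0 vs 11.0 mismatch fails here)
    $checks['OdbcDriverInstalled'] = [bool](Get-OdbcDriver -Name $driver -Platform '64-bit' -ErrorAction SilentlyContinue)
    # 2. This broker must reach the instance
    $checks['SqlReachable'] = (Test-NetConnection -ComputerName $hostOnly -Port ([int]$port) -WarningAction SilentlyContinue).TcpTestSucceeded
    # 3. The computer account must be in the group that holds dbcreator; membership only takes effect after a reboot
    $memberOf = (Get-ADComputer -Identity $ComputerName -Properties MemberOf).MemberOf
    $checks['InManagementGroup'] = @($memberOf | Where-Object { $_ -like "CN=$ManagementGroup,*" }).Count -gt 0
    # 4. Open the string as written; the error text separates driver trouble from permission trouble
    try {
        $conn = New-Object System.Data.Odbc.OdbcConnection($ConnectionString)
        $conn.Open(); $conn.Close()
        $checks['ConnectionOpens'] = $true
    } catch {
        $checks['ConnectionOpens'] = $false
        $checks['ConnectionError'] = $_.Exception.Message
    }
    [pscustomobject]$checks
}

# Connection string as quoted in the comment above
Test-RdBrokerHaPrerequisites -ConnectionString 'DRIVER=SQL Server Native Client 11.0;SERVER=EZ321DC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB'
```

Two caveats. The open in step 4 runs under the logged-on admin, not the broker's computer account, so it proves the driver name and the network path but not the broker's own rights; step 3 covers those. And before the first broker has created the database, drop the `DATABASE=` part for the test, otherwise the open fails on a database that does not exist yet rather than on what you are trying to diagnose. "Data source name not found and no default driver specified" in `ConnectionError` is the driver-name mismatch from the last exchange above.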
