Step by Step Windows 2012 R2 Remote Desktop Services – Part 2


A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.

Part 2 – Deploying an advanced setup.

In part one I detailed how to do a single server installation. In case you missed it, or want to check it out, look at this post:  https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

In this step by step guide we’ll be building a more complex setup:
RDS Deployment - Advanced setup
As you can see we’ll deploy 3 certificates in this setup. The names I will use for this will be “webaccess.it-worxx.nl”, “gateway.it-worxx.nl” and “broker.it-worxx.nl” for obvious reasons. You may consider using a wildcard certificate.

Software used in this guide: Windows Server 2012 R2 ISO (evaluation can be downloaded here: http://technet.microsoft.com/en-us/evalcenter/dn205286.aspx)
SQL Server 2012 SP1 Express x64 With tools (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35579. After clicking the download button select SQLEXPRWT_x64_ENU.exe)
SQL Server 2012 SP1 Native Client (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35580. After clicking the download button select ENU\x64\sqlncli.msi)
And three certificates. I got mine for free from https://startssl.com. The certificate need to contain the FQDNs you will use for publishing the RD Web Access (webaccess.it-worxx.nl) and RD Gateway (gateway.it-worxx.nl) roles. You’ll also need one for the RD Broker role, even though we won’t publish this server to the internet. The files need to be in .pfx format and you need to have the private key in them.

As in the previous guide, this guide will not focus on building a domain using a single domain controller and adding the other servers as member servers to this domain.
And again some basic knowledge is assumed in this guide.

I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 5 servers. The servers will be similar to the 2 I used in the previous guide. All servers have the .NET Framework 3.5 added as a feature.
All servers have 1vCPU, 512MB memory, and a dynamic 60GB Harddisk) I configured ITWDC01 as a Domain Controller in a new forest: itw.test.
I added the rest of the servers as member servers to the itw.test domain and configured them to use ITWDC01 as their primary DNS server.

Installing the Remote Desktop Services Roles

Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add all other servers using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).
RDS Deployment - Advanced 01

Now that all servers needed in this deployment scenario are present, click Manage, and click Add Roles & Features.
 

Before you begin
RDS Deployment - Single Server - 2

Click Next.

Select Installation Type
RDS Deployment - Single Server - 3

Select Remote Desktop Services installation. Click Next.

Select Deployment Type
RDS Deployment - Single Server - 4

Select Standard deployment.
Click Next.

Select Deployment Scenario
RDS Deployment - Single Server - 5

Select Session-based desktop deployment. The other option will be a different post in this series.
Click Next.

Review Role Services
RDS Deployment - Single Server - 6

Review the services that will be installed.
Click Next.

Specify RD Connection Broker server
RDS Deployment - Advanced 02
Click the preferred server and click the Add button.
Click Next.

Specify RD Web Access server
RDS Deployment - Advanced 03

Click the preferred server and click the Add button.
Click Next.

Specify RD Session Host server
RDS Deployment - Advanced 04

Click the preferred server and click the Add button.
Click Next.

Confirm selections
RDS Deployment - Advanced 05

Check Restart the destination server automatically if required.
Click Deploy.

View progress
RDS Deployment - Advanced 06

Wait until all role services are deployed and the RD Session Host server has restarted.
Click Close.

In Server Manager click Remote Desktop Services and scroll down to the overview.
RDS Deployment - Advanced 07

As you can see the deployment is missing a RD Gateway server and a RD Licensing server.
 

RDS Deployment - Single Server - 13
Click the Add RD Licensing server button.

Select a server
RDS Deployment - Advanced 08

Click the domain controller and click the Add button.
Click Next. 

Confirm selections
RDS Deployment - Single Server - 15
Click Add.

View progress
RDS Deployment - Single Server - 16
Wait until the role service is deployed. No restart is needed.
Click Close.

RDS Deployment - Single Server - 17
Click the Add RD Gateway server button.

Select a server
RDS Deployment - Advanced 09

Click the correct server and click the Add button.
Click Next.

Name the self-signed SSL certificate
RDS Deployment - Single Server - 19

The wizard creates a self-signed certificate. We will deal with certificates in this deployment in a little bit. Enter the external Fully Qualified Domain Name for the Gateway URL. In my case, for lack of a better name, I used “gateway.it-worxx.nl.
Click Next.

Confirm selections
RDS Deployment - Advanced 10

Click Add.

View progress
RDS Deployment - Advanced 11

Wait until the role service is deployed. No restart is needed.
Notice that “gateway.it-worxx.nl” was configured for the deployment as a FQDN.
Also notice that certificate configuration is needed.
Notice the link in the bottom to “Review the RD Gateway properties for the deployment”.

Click Configure certificate.

Configure the deployment
RDS Deployment - Advanced 12

Click RD Connection Broker – Enable Single Sign On.
Notice the purpose of this certificate.

Click Select Existing Certificate.

Select Existing Certificate
RDS Deployment - Advanced 13
Click Browse to browse to the .pfx which you prepared for the RD Connection Broker server, enter the password for that .pfx and check “Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers”.
Click OK.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the other certificate options as well and we can configure only one at a time.

Configure the deployment
RDS Deployment - Advanced 14

Select RD Connection Broker – Publishing.
Notice the purpose of this certificate.

Click Select Existing Certificate and add the same certificate you added for RD Connection Broker – Enable Single Sign On.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the other certificate options as well and we can configure only one at a time.

Configure the deployment
RDS Deployment - Advanced 15

Select RD Web Access.
Notice the purpose of this certificate. 

Click Select Existing Certificate and add the certificate you prepared for the RD Web Access server.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the other certificate options as well and we can configure only one at a time.

Configure the deployment
RDS Deployment - Advanced 16

Select RD Gateway.
Notice the purpose of this certificate.
Also notice that we need to restart the RD Gateway server after we configured it to use the certificate.

Click Select Existing Certificate and add the certificate you prepared for the RD Gateway server.

RDS Deployment - Single Server - 44
Click Apply to apply the certificate changes. Do not click OK because we need to configure the rest of the deployment options, since we already have this wizard open.

Configure the deployment
RDS Deployment - Single Server - 23

Review the RD Gateway settings and notice what settings are available.
Click RD Licensing.

Configure the deployment
RDS Deployment - Single Server - 24

Notice that a RD License server is available, but no license type is selected yet.
I selected Per User, but since this is just a demonstration setup, it really doesn’t matter.
Click RD Web Access.

Configure the deployment
RDS Deployment - Single Server - 60

By default the RD Web Access IIS application is installed in /RdWeb. If you want to know how to change this, check another post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb/

Click OK, and click Close to finish the RD Gateway wizard.

Reboot the RD Gateway server.

Open DNS Manager on the domain controller and browse to Forward Lookup Zones.
RDS Deployment - Single Server - 33

Right click Forward Lookup Zones and click New Zone… Go through this wizard accepting the defaults until you have to enter a Zone Name.
RDS Deployment - Advanced 18

Enter the external FQDN which will also be used by the Connection Broker (which is also on the RD Connection broker’s certificate.
Finish the rest of the wizard accepting the defaults.

Browse to the newly created zone.
RDS Deployment - Advanced 19

Right click the newly created zone and click New Host (A or AAAA)…

New Host
RDS Deployment - Advanced 20

Leave the Name field blank, but enter the member server’s (holding the RD Connection Broker role) internal IPv4 address.
Click Add Host.

Repeat these DNS steps for gateway.it-worxx.nl and for webaccess.it-worxx.nl.
RDS Deployment - Advanced 21

We’ve effectively enabled the deployment to be useable by internal users as well by configuring these DNS zones.

Create a new Global Security Group called “RDS Connection Brokers” and add the computer account for the member server holding this role to it as a group member.

We need this group to be able to convert the RD Connection Broker to a highly available RD Connection Broker. You’ll see why we need to do this in a few steps.

Reboot the member server holding the RD Connection Broker role to let it know it’s a member of the RDS Connection Brokers security group.

Install SQL Express on the Domain Controller (or use an existing SQL Server if you already have one). For a list of needed features, and a little more detail visit Part 1 of this series, https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1. That post lists the does and don’ts for using SQL Express with an RD deployment. This includes adding the SQL login for the RD Connection Broker servers. Do not continue with this guide unless you have a working and configured SQL environment.

Install the SQL Native Client on the member server holding the RD Connection Broker role (Client Components only). Install the client which corresponds to your SQL Server version!

Everything we need is in place to convert the RD Connection Broker, so let’s do just that. This procedure is similar to the single server setup.

In Server Manager click Remote Desktop Services and scroll down to the overview.
RDS Deployment - Single Server - 31

Right click RD Connection Broker and click Configure High Availability.

Before you begin
RDS Deployment - Single Server - 32
Look at the pre-requisites.
Click Next.

Configure RD Connection Broker for High Availability
RDS Deployment - Advanced 22

Database connection string:
DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB

  • Or any other database name you want, the database will be created by this wizard.
  • Replace the DRIVER= part with the version you installed if it’s anything other than SQL Server 2012 (SP1)

Folder to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
I used the instance default folder.

  • Note that this points to a folder on the SQL Server.

DNS round robin name:
The DNS Zone name we configured in DNS earlier.

  • And now you see why we had to create this zone in internal DNS as well. This needs to be locally resolvable.

Click Next.

Confirmation
RDS Deployment - Advanced 23

If you get an error before this page:

  • Check if TCP/IP is enabled in client protocols and for your instance
  • Check if you can reach port 1433 on the SQL Server from the member server

Click Configure. 

Progress
RDS Deployment - Single Server - 40

If you get an error on this page:

  • Check SQL permissions for the security group
  • Check if the database path you entered is correct

Click Close.

RDS Deployment - Single Server - 41
The RD Connection Broker is now in High Availability Mode and we are finally ready to complete the configuration.

Since the RD Connection Broker is known within the deployment for broker.it-worxx.nl and thus not a FQDN that’s associated with the internal domain (itw.test) we need to tell the gateway that external users are allowed to connect to it.

On the RD Gateway server, open Server Manager
RDS Deployment - Advanced 32

Click Remote Desktop Services (yes, it says it’s missing servers, just ignore this), click Servers and then right click the RD Gateway server.
Click RD Gateway Manager.

RD Gateway Manager
RDS Deployment - Advanced 33

Navigate to Policies – Resource Authorization Policies. There’s the default policy. Right click the default policy and disable it.
In the Actions pane to the right, click Manage Local Computer Groups.

Manage locally stored computer groups
RDS Deployment - Advanced 34

Click Create group…

RDS Deployment - Advanced 35
Name the new group.

RDS Deployment - Advanced 36
On the Network Resources tab, add the RD Session Host(s) and the DNS external name of the broker.
Click OK.

RD Gateway Manager
RDS Deployment - Advanced 37
Right click the Resource Authorization Policies node, click Create New Policy, Click Custom.

RDS Deployment - Advanced 38
Name the policy, click User Groups

RDS Deployment - Advanced 39
Add Domain Users, or any group you wish to grant access, click Network Resource

RDS Deployment - Advanced 40
Click Select an existing RD Gateway-managed group or create a new one, and then browse to select the group you created a few steps back. Notice that upon selecting the group the RD Gateway-managed group members box shows the members of the group.

Review the Allowed Ports tab.
Click OK.

That’s it, configured all servers, configured certificates, configured RAP..

One thing left to do: Tell our RDS environment exactly what to publish.

Let’s publish full desktop sessions again, like in the single server setup. Next post we we’ll dig into publishing remote applications, I promise :)
RDS Deployment - Single Server - 49

In Server Manager, Remote Desktop Services, Session Collections, click Tasks and click Create Session Collection.

Before you begin
RDS Deployment - Single Server - 50

Review the requirements. This won’t be an issue in this setup, but you could restrict access to this collection by selecting a select group of people.
Click Next.

Name the collection
RDS Deployment - Single Server - 51
Enter a descriptive name. This name will be displayed under its icon in the Web Access interface.
Click Next.

Specify RD Session Host servers
RDS Deployment - Advanced 24

Click the member server holding the RD Session Host role and click the Add button.
Click Next.

Specify user groups
RDS Deployment - Single Server - 53
You can limit access here. Add one or more groups to restrict access to these groups only. In this setup Domain Users will do fine.
Click Next.

Specify user profile disks
RDS Deployment - Advanced 25
First, create a folder on the domain controller “UserProfileDisks” and a subfolder “RDS”. Share “UserProfileDisks”. Now in the Create Collection wizard enter \\itwdc01.itw.test\userprofiledisks\rds and set the Maximum size to 2GB. Further does and don’ts for User Profile Disks will be covered in a future post.
Click Next. 

Confirm selections
RDS Deployment - Advanced 26
Review the information and click Create.

View Progress
RDS Deployment - Advanced 27

Wait until the collection is created and the server is added to the collection.
Click Close.

Time to test the setup!

 On a machine that has access to your test setup (you may have to add the external FQDN for the RD Gateway and for the RD Web Access to your hosts file if you didn’t publish it to the internet) open https://webaccess.it-worxx.nl/rdweb
RDS Deployment - Advanced 28
Hey! The RD Web Access application works.
 If you want to get rid of the /RDWeb part in the url, check out this post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb

Enter a valid username and password (ITW\username or username@itw.test).
Create a user for this, or simply use the domain admin account.
Click Sign in.

RDS Deployment - Advanced 29
After logging in you are presented with the full desktop session collection we created.
Also notice the popup in your taskbar as soon as you’re connected:
RDS Deployment - Advanced 30
Again, sorry, but I’ll handle that in a future post.

Click the “Full Desktop” icon to open it and another popup appears:
RDS Deployment - Advanced 31

This is just a warning that the resource you’re requesting wants to redirect your local devices.
But it also tells us that it is signed by “broker.it-worxx.nl”, and we’re using a gateway to connect to the remote resource..

And when you click Connect, you actually connect.
RDS Deployment - Advanced 41

Because I connected as an admin I can see on which server I am logged on by clicking Local Server. And this screenshot also shows that it’s the broker that provided me the connection..

In the next part of this series I will show how to extend this setup with another RD Session Host, but this time we’ll publish some apps. Oh, and that post will probably be a lot shorter.

 

Arjan

Upate: Part 3 in the series was just published. Find it here: https://msfreaks.wordpress.com/2013/12/26/windows-2012-r2-remote-desktop-services-part-3/

Advertisements

20+ years experience in Microsoft powered environments. Enjoy automating stuff using scripts, powershell, and even batch files. In my free time (hah! as if there is any) I hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). When I'm not doing that I enjoy traveling or riding my Yamaha R1 on the edge ;)

Tagged with: , ,
Posted in Remote Desktop, Step-by-Step guide, Windows 2012 R2
274 comments on “Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
  1. mauricio de liz says:

    Do you know the maximum number of connections per broker?

  2. Hi. Hope you can help.

    First of all, great guide.. follow, and it looks like the most works.

    But now i need some help.

    I have set up the following server.

    GW01 – Gateway, connection broker, Webaccess
    TS02 – session host
    TS01 – session host.

    i have created a public IP, pointing to GW01.
    and certifikate with the public DNS name also.

    But when i am sitting internaly, i can connect to https://site/rdweb and then chose full desktop.

    But i will like to connect by MSTSC externaly to the puclic DNS name.
    but this dont work?

    Should i point the pucblic to one of the session host server? ore what to do?

  3. anonymous says:

    Hi, I’ll try if someone can help me. I have tried setting up RDS services.

    I’m getting error: “RemoteApp Disconnected”. “Your computer can’t connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again, or contact your network administrator for assistance.

    I have following setup:

    External address: https://remote.domain.com/rdweb

    Internal Lan:
    1x RDS Server (gateway, session host, licensing, connection broker, Web)
    1x ADFS (created relying party trust between ADFS and WAP)
    1x PKI
    1x DC

    DMZ:
    1x WAP Server https://remote.domain.com published. I’ve made relying party trust with ADFS server. I’ve added my ADFS and Remote Desktop server to it’s host file.

    Certificate:
    PKI *.domain.com

    Network settings DMZ -> LAN
    – HTTPS traffic allowed.
    – Port forwarding 443 -> ADFS Web application proxy server (dmz).

    Public DNS records (A)
    – Remote.domain.com -> port forward 443 -> DMZ (WAP server)

    Extra information: I’ve checked my firewall log. It seems that when I’m trying to open application, it tries to access my LAN with RDP protocol. Something wrong here…

    I can log succefully in to my published remote desktop service, but it’s just that I can’t get app open.

    Your help is greatly valued! thank you if you can help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog Authors
Donate Button

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 371 other followers

Blog Stats
  • 2,455,542 hits
%d bloggers like this: