A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.
Part 2 – Deploying an advanced setup.
In part one I detailed how to do a single server installation. In case you missed it, or want to check it out, look at this post: https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/
In this step by step guide we’ll be building a more complex setup:
As you can see we’ll deploy 3 certificates in this setup. The names I will use for this will be “webaccess.it-worxx.nl”, “gateway.it-worxx.nl” and “broker.it-worxx.nl” for obvious reasons. You may consider using a wildcard certificate.
Software used in this guide: Windows Server 2012 R2 ISO (evaluation can be downloaded here: http://technet.microsoft.com/en-us/evalcenter/dn205286.aspx)
SQL Server 2012 SP1 Express x64 With tools (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35579. After clicking the download button select SQLEXPRWT_x64_ENU.exe)
SQL Server 2012 SP1 Native Client (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35580. After clicking the download button select ENU\x64\sqlncli.msi)
And three certificates. I got mine for free from https://startssl.com. The certificates need to contain the FQDNs you will use for publishing the RD Web Access (webaccess.it-worxx.nl) and RD Gateway (gateway.it-worxx.nl) roles. You’ll also need one for the RD Connection Broker role, even though we won’t publish this server to the internet. The files need to be in .pfx format and must contain the private key.
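Before feeding the three .pfx files to the deployment wizards it pays to confirm they really meet the requirements above: private key present, not expired, the chain builds, and the Subject Alternative Name lists the FQDN you will publish. The script below is an added example and is not part of the original post; the file paths are assumptions, and it accepts wildcard certificates as the post suggests you may use one.

```powershell
# Added example (not from the original post): check the three .pfx files before
# handing them to the RDS deployment wizard. Paths below are assumptions.
Add-Type -AssemblyName System.Security

$pfxFiles = @{
    'C:\certs\webaccess.pfx' = 'webaccess.it-worxx.nl'
    'C:\certs\gateway.pfx'   = 'gateway.it-worxx.nl'
    'C:\certs\broker.pfx'    = 'broker.it-worxx.nl'
}
# Same password for all three files in this example
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

foreach ($path in $pfxFiles.Keys) {
    $expectedFqdn = $pfxFiles[$path]
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $pfxPassword)

    # The SAN extension (OID 2.5.29.17) formats as lines such as "DNS Name=gateway.it-worxx.nl"
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = ($sanExt.Format($true) -split "`r?`n") |
            Where-Object { $_ -match '^DNS Name=(.+)$' } |
            ForEach-Object { $Matches[1].Trim() }
    }

    # Exact match, or a wildcard entry covering exactly one extra label
    $covered = $sanNames | Where-Object {
        $_ -eq $expectedFqdn -or
        ($_.StartsWith('*.') -and
         $expectedFqdn -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
    }

    # Does the issuing chain build on this machine (root/intermediates trusted)?
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        File          = Split-Path $path -Leaf
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey        # wizard refuses a .pfx without it
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        SanNames      = ($sanNames -join ', ')
        CoversFqdn    = [bool]$covered
        ChainBuilds   = $chainOk
    }
}
```

Every row should show HasPrivateKey and CoversFqdn as True and Expired as False; ChainBuilds False usually means the issuer's intermediate is missing from the .pfx or the root is not trusted on the machine you run this on.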
As in the previous guide, this guide will not focus on building a domain using a single domain controller and adding the other servers as member servers to this domain.
And again some basic knowledge is assumed in this guide.
I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 5 servers. The servers will be similar to the 2 I used in the previous guide. All servers have the .NET Framework 3.5 added as a feature.
All servers have 1 vCPU, 512MB memory, and a dynamic 60GB hard disk. I configured ITWDC01 as a Domain Controller in a new forest: itw.test.
I added the rest of the servers as member servers to the itw.test domain and configured them to use ITWDC01 as their primary DNS server.
Installing the Remote Desktop Services Roles
Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add all other servers using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).
Now that all servers needed in this deployment scenario are present, click Manage, and click Add Roles & Features.
Name the self-signed SSL certificate
The wizard creates a self-signed certificate. We will deal with certificates in this deployment in a little bit. Enter the external Fully Qualified Domain Name for the Gateway URL. In my case, for lack of a better name, I used “gateway.it-worxx.nl”.
Wait until the role service is deployed. No restart is needed.
Notice that “gateway.it-worxx.nl” was configured for the deployment as an FQDN.
Also notice that certificate configuration is needed.
Notice the link in the bottom to “Review the RD Gateway properties for the deployment”.
Click Configure certificate.
Click Select Existing Certificate.
Select Existing Certificate
Click Browse to browse to the .pfx which you prepared for the RD Connection Broker server, enter the password for that .pfx and check “Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers”.
Click Select Existing Certificate and add the same certificate you added for RD Connection Broker – Enable Single Sign On.
Click Select Existing Certificate and add the certificate you prepared for the RD Web Access server.
Click Select Existing Certificate and add the certificate you prepared for the RD Gateway server.
Configure the deployment
Review the RD Gateway settings and notice what settings are available.
Click RD Licensing.
Configure the deployment
Notice that an RD License server is available, but no license type is selected yet.
I selected Per User, but since this is just a demonstration setup, it really doesn’t matter.
Click RD Web Access.
Configure the deployment
By default the RD Web Access IIS application is installed in /RdWeb. If you want to know how to change this, check another post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb/
Click OK, and click Close to finish the RD Gateway wizard.
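The deployment-level settings the wizards above configure (RD Gateway role with its external FQDN, the four certificate slots, the licensing mode) can also be set from the RemoteDesktop PowerShell module on the connection broker. This is an added example, not the post's own steps. The post names only ITWDC01, so the broker, gateway and license server names below are assumptions, as are the certificate paths; the role names and external FQDN follow the post.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on a server that has the Remote Desktop Services tools installed.
Import-Module RemoteDesktop

$broker        = 'ITWRDCB01.itw.test'    # assumed name of the RD Connection Broker
$gateway       = 'ITWRDGW01.itw.test'    # assumed name of the RD Gateway
$licenseServer = 'ITWRDLIC01.itw.test'   # assumed name of the RD Licensing server
$gatewayExternalFqdn = 'gateway.it-worxx.nl'

# Add the RD Gateway role service to the existing deployment; the external FQDN
# is what the wizard asks for on its "Name the self-signed SSL certificate" page.
Add-RDServer -Server $gateway -Role RDS-GATEWAY -ConnectionBroker $broker `
    -GatewayExternalFqdn $gatewayExternalFqdn

# Replace the wizard's self-signed certificates. The broker .pfx is used twice:
# RDRedirector is "RD Connection Broker – Enable Single Sign On" in the GUI,
# RDPublishing is "RD Connection Broker – Publishing".
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$certMap = @(
    @{ Role = 'RDGateway';    Path = 'C:\certs\gateway.pfx' }
    @{ Role = 'RDWebAccess';  Path = 'C:\certs\webaccess.pfx' }
    @{ Role = 'RDRedirector'; Path = 'C:\certs\broker.pfx' }
    @{ Role = 'RDPublishing'; Path = 'C:\certs\broker.pfx' }
)
foreach ($entry in $certMap) {
    Set-RDCertificate -Role $entry.Role -ImportPath $entry.Path -Password $pfxPassword `
        -ConnectionBroker $broker -Force
}

# Licensing mode: the post selects Per User
Set-RDLicenseConfiguration -LicenseServer $licenseServer -Mode PerUser `
    -ConnectionBroker $broker -Force

# Review what is now configured; every role should show the subject of your
# own certificate rather than the self-signed one, with Level "Trusted".
Get-RDCertificate -ConnectionBroker $broker | Format-Table Role, Subject, ExpiresOn, Level
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $broker
Get-RDLicenseConfiguration -ConnectionBroker $broker
```

The same reboot of the RD Gateway server the post calls for still applies after the role is added this way.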
Reboot the RD Gateway server.
Open DNS Manager on the domain controller and browse to Forward Lookup Zones.
Right click Forward Lookup Zones and click New Zone… Go through this wizard accepting the defaults until you have to enter a Zone Name.
Enter the external FQDN which will also be used by the Connection Broker (this is the name on the RD Connection Broker’s certificate).
Finish the rest of the wizard accepting the defaults.
Create a new Global Security Group called “RDS Connection Brokers” and add the computer account for the member server holding this role to it as a group member.
We need this group to be able to convert the RD Connection Broker to a highly available RD Connection Broker. You’ll see why we need to do this in a few steps.
Reboot the member server holding the RD Connection Broker role to let it know it’s a member of the RDS Connection Brokers security group.
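The DNS zone and the security group from the three steps above, created from the domain controller with the DnsServer and ActiveDirectory modules. This is an added example and not part of the post; the broker's host name and IP address are not given in the post and are assumptions here, while the zone name and group name are the post's.

```powershell
# Added example (not from the original post). Run on the domain controller ITWDC01.
Import-Module DnsServer
Import-Module ActiveDirectory

$clientAccessName = 'broker.it-worxx.nl'   # the name on the broker certificate
$brokerHost = 'ITWRDCB01'                   # assumed RD Connection Broker host name
$brokerIp   = '192.168.1.20'                # assumed; use the broker's real address

# A zone named after the client access name. Its apex A record is what clients
# resolve; with more than one broker you add one A record per broker, which is
# the DNS round robin the HA wizard refers to.
if (-not (Get-DnsServerZone -Name $clientAccessName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $clientAccessName -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ZoneName $clientAccessName -Name '@' -IPv4Address $brokerIp

# Global security group holding the broker computer account(s). The SQL login for
# the HA database is granted to this group (see Part 1), so membership decides
# which machines may create and use the broker database.
$groupName = 'RDS Connection Brokers'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computer accounts of RD Connection Broker servers'
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $brokerHost)

# Verify before rebooting the broker
Resolve-DnsName -Name $clientAccessName -Type A
Get-ADGroupMember -Identity $groupName | Select-Object Name, objectClass
```

The reboot of the broker is still required: a computer's group memberships are part of its logon token, which is only refreshed when the machine account logs on again.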
Install SQL Express on the Domain Controller (or use an existing SQL Server if you already have one). For a list of needed features, and a little more detail, visit Part 1 of this series, https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1. That post lists the dos and don’ts for using SQL Express with an RD deployment. This includes adding the SQL login for the RD Connection Broker servers. Do not continue with this guide unless you have a working and configured SQL environment.
Install the SQL Native Client on the member server holding the RD Connection Broker role (Client Components only). Install the client which corresponds to your SQL Server version!
Everything we need is in place to convert the RD Connection Broker, so let’s do just that. This procedure is similar to the single server setup.
Configure RD Connection Broker for High Availability
Database connection string:
DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB
- Or any other database name you want, the database will be created by this wizard.
- Replace the DRIVER= part with the version you installed if it’s anything other than SQL Server 2012 (SP1).
Folder to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
I used the instance default folder.
- Note that this points to a folder on the SQL Server.
DNS round robin name:
The DNS Zone name we configured in DNS earlier.
- And now you see why we had to create this zone in internal DNS as well. This needs to be locally resolvable.
If the conversion fails, check the following:
- Check if TCP/IP is enabled in client protocols and for your instance
- Check if you can reach port 1433 on the SQL Server from the member server
- Check SQL permissions for the security group
- Check if the database path you entered is correct
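The four checks above, scripted so you can run them on the RD Connection Broker before the conversion (or after a failed attempt), followed by the conversion itself through the RemoteDesktop module. This is an added example and not the post's own procedure. The SQL server name, database name, connection string and data folder are the post's; the broker's FQDN is an assumption. Note that the wizard connects to SQL as the broker's computer account, not as you, so the login check queries for the group's login rather than relying on your own session succeeding.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the RD Connection Broker, as a domain admin.
Import-Module RemoteDesktop

$broker           = 'ITWRDCB01.itw.test'   # assumed broker FQDN
$sqlHost          = 'ITWDC01'
$database         = 'ITWRDCB'
$clientAccessName = 'broker.it-worxx.nl'
$groupLogin       = 'ITW\RDS Connection Brokers'
$dbFolder         = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA'
$connString = "DRIVER=SQL Server Native Client 11.0;SERVER=$sqlHost;Trusted_Connection=Yes;" +
              "APP=Remote Desktop Services Connection Broker;DATABASE=$database"

# 1. The round robin name must resolve internally (hence the internal DNS zone)
$dns = Resolve-DnsName -Name $clientAccessName -Type A -ErrorAction SilentlyContinue
if (-not $dns) { throw "$clientAccessName does not resolve; create the internal DNS zone first" }

# 2. TCP 1433 must be reachable: TCP/IP enabled on the instance and the firewall open
$tcp = Test-NetConnection -ComputerName $sqlHost -Port 1433
if (-not $tcp.TcpTestSucceeded) { throw "Cannot reach $sqlHost on TCP 1433" }

# 3. The Native Client driver must be installed here, and the security group must
#    have a login with dbcreator on the instance. Connect to master because the
#    broker database does not exist yet; the wizard creates it.
$testString = $connString -replace "DATABASE=$database", 'DATABASE=master'
$conn = New-Object System.Data.Odbc.OdbcConnection($testString)
$conn.Open()                                   # fails if the driver name is unknown
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT COUNT(*) FROM sys.server_principals WHERE name = N'$groupLogin'"
$loginExists = [int]$cmd.ExecuteScalar()
$cmd.CommandText = "SELECT ISNULL(IS_SRVROLEMEMBER('dbcreator', N'$groupLogin'), 0)"
$isDbCreator = [int]$cmd.ExecuteScalar()
$conn.Close()
if ($loginExists -ne 1) { throw "No SQL login for $groupLogin; see Part 1" }
if ($isDbCreator -ne 1) { throw "$groupLogin is not a member of the dbcreator server role" }

# 4. The data folder is a path on the SQL Server, not on the broker
$folderOk = Invoke-Command -ComputerName $sqlHost -ScriptBlock { Test-Path $using:dbFolder }
if (-not $folderOk) { throw "Folder $dbFolder does not exist on $sqlHost" }

# All checks passed: convert the broker. The cmdlet takes the database file path,
# so the post's folder is combined with the database name here.
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $broker `
    -DatabaseConnectionString $connString `
    -DatabaseFilePath (Join-Path $dbFolder "$database.mdf") `
    -ClientAccessName $clientAccessName

Get-RDConnectionBrokerHighAvailability -ConnectionBroker $broker
```

If step 3 opens the connection but reports a missing login, the fix is on the SQL side (Part 1), not in the wizard; reboot the broker after adding the group membership so its computer account picks up the new group.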
Since the RD Connection Broker is known within the deployment for broker.it-worxx.nl and thus not a FQDN that’s associated with the internal domain (itw.test) we need to tell the gateway that external users are allowed to connect to it.
On the RD Gateway server, open Server Manager
Click Remote Desktop Services (yes, it says it’s missing servers, just ignore this), click Servers and then right click the RD Gateway server.
Click RD Gateway Manager.
RD Gateway Manager
Navigate to Policies – Resource Authorization Policies. There’s the default policy. Right click the default policy and disable it.
In the Actions pane to the right, click Manage Local Computer Groups.
Click Select an existing RD Gateway-managed group or create a new one, and then browse to select the group you created a few steps back. Notice that upon selecting the group the RD Gateway-managed group members box shows the members of the group.
Review the Allowed Ports tab.
That’s it: all servers configured, certificates configured, RAP configured.
One thing left to do: Tell our RDS environment exactly what to publish.
Let’s publish full desktop sessions again, like in the single server setup. Next post we’ll dig into publishing remote applications, I promise :)
In Server Manager, Remote Desktop Services, Session Collections, click Tasks and click Create Session Collection.
Specify user profile disks
First, create a folder on the domain controller “UserProfileDisks” and a subfolder “RDS”. Share “UserProfileDisks”. Now in the Create Collection wizard enter \\itwdc01.itw.test\userprofiledisks\rds and set the Maximum size to 2GB. Further dos and don’ts for User Profile Disks will be covered in a future post.
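The share and the session collection from the two steps above, done with PowerShell instead of the wizard. This is an added example, not the post's own steps. The share name, UPD path and 2GB limit follow the post; the broker and session host names are assumptions. One detail the wizard hides: the RD Session Host mounts the profile VHDX as the machine, so the session host's computer account needs Full Control on both the share and the NTFS folder.

```powershell
# Added example (not from the original post). Run as a domain admin on a server
# with the Remote Desktop Services tools installed.
Import-Module RemoteDesktop

$broker      = 'ITWRDCB01.itw.test'   # assumed RD Connection Broker FQDN
$sessionHost = 'ITWRDSH01.itw.test'   # assumed RD Session Host FQDN
$hostAccount = 'ITW\ITWRDSH01$'       # its computer account, derived from the assumed name
$collection  = 'Full Desktop'
$udpPath     = '\\itwdc01.itw.test\UserProfileDisks\RDS'

# Folder, share and NTFS permissions on the domain controller
Invoke-Command -ComputerName ITWDC01 -ScriptBlock {
    New-Item -Path 'C:\UserProfileDisks\RDS' -ItemType Directory -Force | Out-Null
    if (-not (Get-SmbShare -Name 'UserProfileDisks' -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name 'UserProfileDisks' -Path 'C:\UserProfileDisks' `
            -FullAccess $using:hostAccount, 'ITW\Domain Admins'
    }
    $acl  = Get-Acl -Path 'C:\UserProfileDisks'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $using:hostAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path 'C:\UserProfileDisks' -AclObject $acl
}

# The collection itself: one session host publishing full desktops
New-RDSessionCollection -CollectionName $collection -SessionHost $sessionHost `
    -ConnectionBroker $broker -CollectionDescription 'Full desktop sessions'

# Enable User Profile Disks with the post's path and 2 GB maximum
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -EnableUserProfileDisk -DiskPath $udpPath -MaxUserProfileDiskSizeGB 2

# Who may log on to the collection (assumed group; the post tests with the domain admin)
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -UserGroup 'ITW\Domain Users'

# Review
Get-RDSessionCollection -CollectionName $collection -ConnectionBroker $broker
Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker -UserProfileDisk
```

A missing Full Control entry for the computer account shows up later as users logging on with temporary profiles, so it is worth checking the ACL before the first test logon.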
Time to test the setup!
On a machine that has access to your test setup (you may have to add the external FQDN for the RD Gateway and for the RD Web Access to your hosts file if you didn’t publish it to the internet) open https://webaccess.it-worxx.nl/rdweb
Hey! The RD Web Access application works. If you want to get rid of the /RDWeb part in the url, check out this post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb
Enter a valid username and password (ITW\username or firstname.lastname@example.org).
Create a user for this, or simply use the domain admin account.
Click Sign in.
After logging in you are presented with the full desktop session collection we created.
Also notice the popup in your taskbar as soon as you’re connected:
Again, sorry, but I’ll handle that in a future post.
Click the “Full Desktop” icon to open it and another popup appears:
This is just a warning that the resource you’re requesting wants to redirect your local devices.
But it also tells us that it is signed by “broker.it-worxx.nl”, and that we’re using a gateway to connect to the remote resource.
And when you click Connect, you actually connect.
Because I connected as an admin I can see on which server I am logged on by clicking Local Server. And this screenshot also shows that it’s the broker that provided me the connection.
In the next part of this series I will show how to extend this setup with another RD Session Host, but this time we’ll publish some apps. Oh, and that post will probably be a lot shorter.
Update: Part 3 in the series was just published. Find it here: https://msfreaks.wordpress.com/2013/12/26/windows-2012-r2-remote-desktop-services-part-3/