Step by Step Windows 2012 R2 Remote Desktop Services – Part 3


A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.

Part 3 – Adding Session Hosts and Load Balancing session collections.

In part one I detailed how to do a single server installation. In case you missed it, or want to check it out, look at this post: https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/
In part two I detailed how to do an advanced installation, using separate servers for each role. In case you missed it, or want to check it out, look at this post: https://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/

In this step by step guide we’ll be adding an extra RD Session Host server:
RDS Deployment - Add Session Host
ITWRDS05 will be the extra server. I used the same specs as in step 2 in this guide for the member servers, and used IPv4 192.168.66.25/24 and made it a member server of the domain.
If you’re building along and want to continue doing so for the next parts in this complete series, make snapshots of the servers before adding this extra server.

Software used in this guide:
Windows Server 2012 R2 ISO (evaluation can be downloaded here: http://technet.microsoft.com/en-us/evalcenter/dn205286.aspx)

This guide will not focus on adding a member server to the domain.
And again some basic knowledge is assumed in this guide.

Installing the Remote Desktop Services Roles
Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add the new server using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).

RDS Deployment - Add Session Host 01
Now that all servers needed in this deployment scenario are present, click Remote Desktop Services.

Server Manager
RDS Deployment - Add Session Host 02
In Overview, right-click RD Session Host and click Add RD Session Host Servers.
Note that the Remove RD Session Host servers option is used to remove one or more Session Host servers from the deployment. This will not uninstall the RD Session Host role service from the selected server(s), unless you choose to do so in the wizard.

Select a server
RDS Deployment - Add Session Host 03
Click the newly added server and click the Add button.
Notice here that the only server missing to choose from is ITWRDS04, which is of course because this already is a RD Session Host in the current deployment.
Click Next.

Confirm selections
RDS Deployment - Add Session Host 04
Check Restart the destination server automatically if required.
Click Add.

View progress
RDS Deployment - Add Session Host 05
Wait until the RD Session Host role service is deployed and the new RD Session Host server has restarted.
Click Close.

If you want Web Access users to be able to log on to this server, you need to add this server to the Resource Group for which we configured a policy on the RD Gateway server in the previous guide.

On the RD Gateway server, open the RD Gateway Manager tool and expand the server node, expand the Polices node and click the Resource Authorization Policies node.

RD Gateway Manager
RDS Deployment - Add Session Host 13
Click Manage Local Computer Groups.

RDS Deployment - Add Session Host 14
Make sure the Resource group is selected and click Properties.

RDS Deployment - Add Session Host 15
Type the name of the new server and click Add.
The Note you see here refers to the Remote Desktop Session Host server farm principle in case you also publish Windows 2008(R2) Remote Desktop deployments. In Windows 2012(R2) the farm concept is handled by the RD Broker and the RD Session Collections.
Click OK to apply the settings to the resource group and click Close to close the group manager.

Now let’s see what we can do if we have multiple Session Hosts in our deployment.
Of course you could add a new collection using the new session host server, but that’s no different than what I explained in step 2 of this guide collection.
Let’s do some new stuff with the new session host instead.

Load balancing an existing collection
In Server Manager click Remote Desktop Services, and then click the existing collection “Full Desktop”. Scroll down to Host Servers if this section is not immediately visible.

RDS Deployment - Add Session Host 06
Click Tasks and click Add RD Session Host Servers.
Note that the Remove RD Session Host servers option is used to remove one or more servers from a load balanced session collection.

Specify RD Session Host servers
RDS Deployment - Add Session Host 07
The new server is the only one in the deployment that has the RD Session Host role but isn’t assigned to a collection yet, so it’s the only server we see here.
Select the server and click the add button.
Click Next.

Confirm selections
RDS Deployment - Add Session Host 08
The Wizard confirms that you selected the server.
Click Add.

View progress
RDS Deployment - Add Session Host 09
Wait until the server is added to the collection.
Click Close.

That’s it. The Full Desktop collection is now load balanced over 2 Session Hosts.

To confirm this, and see how we can influence the load balancing properties go back to Server Manager and click Remote Desktop Services, then click the Full Desktop collection.

Full Desktop collection
RDS Deployment - Add Session Host 10
Click tasks, then select Edit Properties.

Session Collection
RDS Deployment - Add Session Host 11
In this load balancing setup both servers are equally weighted for sessions. You could re-balance this if hardware resources are not the same across all servers in the collection.
While you’re in this screen, review the other properties of this session collection.

In this example we load balanced a Full Desktop session collection, but the steps for load balancing a RemoteApp program collection are exactly the same.
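The same steps the wizards above perform, as an added PowerShell example that is not part of the original guide. It uses the RemoteDesktop module on the Connection Broker; ITWRDS05 and the collection name come from this guide, while the broker and gateway FQDNs, the domain and the resource group name are assumed placeholders you replace with your own.

```powershell
# Added example, not from the original guide: add ITWRDS05 to the deployment, to the
# "Full Desktop" collection, weight it, and add it to the RD Gateway resource group.
Import-Module RemoteDesktop

$Broker     = 'ITWRDS02.it-w.local'   # assumed: your RD Connection Broker FQDN
$NewHost    = 'ITWRDS05.it-w.local'   # the extra session host from this guide (assumed domain)
$Collection = 'Full Desktop'

# 1. Install the RD Session Host role service on the new server and add it to the
#    deployment (what "Add RD Session Host Servers" in the Overview does).
Add-RDServer -Server $NewHost -Role RDS-RD-SERVER -ConnectionBroker $Broker

# 2. Add it to the existing collection so the Broker load balances over both hosts
#    (what Tasks > Add RD Session Host Servers on the collection does).
Add-RDSessionHost -CollectionName $Collection -SessionHost $NewHost -ConnectionBroker $Broker

# 3. Optional: re-balance when the hardware differs. The relative weights are read
#    back, changed in place and written again (assumed: Set-... accepts the objects
#    returned by Get-... -LoadBalancing, which is how the Edit Properties page stores them).
$lb = Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -LoadBalancing
foreach ($entry in $lb) {
    if ($entry.SessionHost -eq $NewHost) { $entry.RelativeWeight = 50 }   # half the share of ITWRDS04
}
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -LoadBalancing $lb

# 4. Show the collection membership the way the Host Servers pane shows it.
Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object SessionHost, NewConnectionAllowed

# 5. Let Web Access / Gateway users reach the new host: add it to the RD Gateway
#    resource group referenced by the RAP (the RDS: drive only exists on the gateway).
$Gateway = 'ITWRDS03.it-w.local'      # assumed: your RD Gateway FQDN
$Group   = 'RDG_RDSHosts'             # assumed: the resource group name from part 2
Invoke-Command -ComputerName $Gateway -ArgumentList $Group, $NewHost -ScriptBlock {
    param($Group, $NewHost)
    Import-Module RemoteDesktopServices
    New-Item -Path "RDS:\GatewayServer\GatewayManagedComputerGroups\$Group\Computers" -Name $NewHost
}
```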

Managing a load balanced collection
Load balancing a collection makes it possible to do maintenance on your servers without annoying your users. You can put a server in maintenance without disrupting functionality.

In the Host Servers section for the collection right-click the server you want to do maintenance on.
RDS Deployment - Add Session Host 12
Then select Do not allow new connections.
Of course, you will have to wait until existing sessions are completed, or instruct users to log off and log back on, in which case they will be redirected by the RD Broker to the other server. Yes, this is a new session; there is currently no way to migrate sessions to other hosts without annoying the user.
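Putting a host into maintenance from PowerShell, as an added example that is not part of the original guide: it does what "Do not allow new connections" does, lists the sessions still on that host, and asks those users to log off so the Broker can place them on the other server. The broker FQDN and domain are assumed placeholders.

```powershell
# Added example, not from the original guide: drain ITWRDS04 for maintenance.
Import-Module RemoteDesktop

$Broker     = 'ITWRDS02.it-w.local'   # assumed: RD Connection Broker FQDN
$Collection = 'Full Desktop'
$Drain      = 'ITWRDS04.it-w.local'   # host going into maintenance (assumed domain)

# Same as "Do not allow new connections" in the Host Servers pane: the Broker stops
# sending new sessions here; sessions that already exist keep running.
Set-RDSessionHost -SessionHost $Drain -NewConnectionAllowed No -ConnectionBroker $Broker

# Sessions still on the host. These users get a new session on the other host only
# after they log off and log on again; there is no live migration.
$remaining = Get-RDUserSession -CollectionName $Collection -ConnectionBroker $Broker |
    Where-Object { $_.HostServer -eq $Drain }

foreach ($s in $remaining) {
    Send-RDUserMessage -HostServer $s.HostServer -UnifiedSessionID $s.UnifiedSessionId `
        -MessageTitle 'Maintenance' `
        -MessageBody 'Please save your work and log off. Logging on again gives you a session on another server.'
}

# Confirm the host is closed before starting maintenance.
Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker |
    Where-Object { $_.SessionHost -eq $Drain } |
    Select-Object SessionHost, NewConnectionAllowed

# Afterwards, reopen the host. NotUntilReboot keeps it closed until the server restarts.
# Set-RDSessionHost -SessionHost $Drain -NewConnectionAllowed Yes -ConnectionBroker $Broker
```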

If you want to continue building along with this series, remove everything that’s installed in this guide. You can revert to snapshots, or remove everything manually.

– Remove the server from the session collection.
– Remove the server from the RD deployment, removing the role services as well.
– Remove the server from the RD Gateway Resource group.
– Remove the server from the domain.

And I will see you in the next part in which I will finally show a step by step guide on deploying and publishing a RemoteApps program collection.

Arjan

Update: Part 4 – Publishing RemoteApps is now published.


Posted in Remote Desktop, Step-by-Step guide, Windows 2012 R2
192 comments on “Step by Step Windows 2012 R2 Remote Desktop Services – Part 3
  1. GMH77 says:

    Hey Arjan,
    This was so far a very helpful blog on how to implement and configure RDS 2012.
    I like it a lot, so thank you for using your time on this :)

    I have an issue where I try to connect to broker.domain.local from a client in the same network.
    I don’t want to use RemoteApps,

    I just want high availability for regular RDP sessions, but when I try to use RDP I get:
    “The connection was denied because the user account is not authorized for remote login”

    When I use RemoteApp, it’s all good, the users are able to log on and no problem.

    I have a server with Connection Broker, Licensing, Web Access and Gateway and four servers that are Session Hosts

    • Arjan Mensch says:

      Hi GMH,
      Don’t connect to the broker. Create round robin A-records for your session hosts instead and connect to the round robin A-record (also known as farm-record).
      Besides that, if you created a RemoteApp session collection with all the session hosts in it, you cannot use the same collection for Remote Desktop.

      • glennmh says:

        Thank you Arjan,
        I don’t want to use remoteApp at all for this solution – all users should get directly connected to a “terminal server session” or now called session host? Correct?

        So I will create an A record named “RDSH” pointing to “SrvNameSH01, 002, 003 and 004” ips?

        Then I will have to configure gateway manager and RAP policy for the farm, right?

        I also have to remove the connection to remoteApp?

      • Arjan Mensch says:

        Hi Glenn,
        Yes, correct about everything, but you do need a Session Collection, and it needs to be configured for Remote Desktop sessions, not for RemoteApps. The round robin DNS entry should be in the RAP along with the real hostnames. The Broker doesn’t need to be there.

  2. GMH77 says:

    Back again :)
    What if I have already configured the RD Connection Broker, doesn’t matter? Just connect to the GW IP? (On the same machine as the broker, though...)

  3. Derek Romano says:

    One issue I am having is when we disable connections to one server users will still get connected to that server anyway and it will say logins have been disabled.

    Our setup
    One Server for RDGateway and RDWeb
    2 x Servers with Connection Broker and Session host roles
    DNS Round robin is enabled and A Record is created pointing to both IPs of the 2 CB / SH Servers

    When I ping rdcb.company.com it’s returning the IP of the server we disabled new connections on, also when we ping that FQDN from the Gateway server we get the same IP.

    My guess would be it’s something to do with the fact DNS is resolving the farm name to the IP of the Server that is not allowing new connections. How do we work around this issue?

    This is an internal test so it’s bypassing the gateway I would guess, as that’s the default setting.

    I tried unchecking that option to make local connections go through the gateway but I get an error when launching the full desktop saying, Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server.

    • Arjan Mensch says:

      Hi Derek,
      The problem here is that you have combined the Broker and Session host roles.
      You should configure different DNS records (round robin) for the sessionhost functionality. Those 2 entries make up your session host “farm”. Now if a user connects to a server that is disabled for new logons, the broker will redirect the user to the correct server.

  4. Emil Abbas says:

    Hallo,

    I am bored with GPO settings :/
    I don’t know what to implement for basic settings.
    I want to install three 2012R2 servers with broker+SH on each server.
    What GPOs must I link on the OU where these servers reside?
    Thanks

    • Arjan Mensch says:

      Hi Emil,
      Best practice would be to create an OU for your RDS hosts and move the RDS Host accounts to this OU.
      Then create your GPOs linked to that OU and configure loopback processing on the GPO so the user settings get propagated even if the GPO applies to an OU with computer accounts.

  5. Eli says:

    Hi, I know this article has been up for a while, but hoping you may be able to help with an issue I’m running into. I followed the previous 2 parts fine, but when I try to add an additional session host like in this part, when I get to the step in server manager to “add RD Session host servers” I get a compatibility check failed: “the RD Session host role service is not installed on the server” and my options are to Exclude or Cancel. Clicking either takes me back to the previous menu in the wizard to choose a different server.

    I’m confused because in the wizard at the top it clearly says “the wizard allows you to add RD session host servers. Select the servers on to which to INSTALL RD session host role service.”

    I was hoping you could provide some insight on this. thanks again.

    • Arjan Mensch says:

      Hi Eli,

      If you use the RD overview to add extra session hosts it will install the session host role. Does the eventlog on the server you are trying to add show any errors?

    • Torsten says:

      Eli, did you get an answer to this? I have the same issue on a Server 2012R2 freshly installed onto an existing domain. There appears to be a group policy setting affecting the server’s security settings. The only thing that’s obvious is IE Intranet security is set to maximum.

      • Arjan Mensch says:

        Hi Torsten,
        Is it possible to test a freshly installed server that is moved to a test OU in AD on which policies are blocked? That would confirm or rule out domain policies.

    • Frank says:

      Hi Arjan,

      I have used your step by step guide to build our new RDP environment and so far it works great, however I have come across a few limitations RDP server 2012R2 brings. I hope you have any ideas on the issues I’m facing.

      Our setup is:
      2 connection broker servers in HA
      1 Gateway server
      1 Webaccess server
      15 session host servers

      The default setup allows only one collection for a full desktop session spread out over the host servers. My company would like our users the choice of having the session started with a lower resolution (purpose to make stuff bigger :) ).

      The other is we have HP thinclients and default USB drive redirection is disabled, however a few users do have access. Also customizing this would require a second collection.

      Ideal would be to create multiple collections with the above settings directing you to all session host servers. I have found it’s possible for a collection pointing to a single server, but using this means load balancing is gone.

      Any thoughts would be appreciated.

      Frank

  6. Aaron says:

    Hello, thank you for this terrific guide! I followed this guide but combined a few roles to save resources. My setup:

    –1 New 2012 R2 DC
    –1 New 2012 R2 server hosting broker, gateway and web server roles
    –2 New 2012 R2 session servers
    –1 SSL wildcard cert (seems to be working fine)

    From outside I am able to log in to the web login at https://address.us/RdWeb. Login works, click full desktop and login to desktop session works fine. My scenario is we have existing thin clients, many are older. I want to use the RDP client to connect to the FQDN outside address. I have checked on the Gateway properties within the Remote Desktop client. When I initiate a session, I am placed on to the web server, meaning my session goes directly to the web server. I do not have port 3389 open to any server at the firewall. I am not redirected to a session server. I have opened ports TCP 443 and UDP 3391 to the Gateway / Web server.

    How do I get an RDP client from outside the LAN to be able to receive a session from the “farm.” We are only looking for full desktop sessions, not RemoteApp sessions.

    Thank you for any assistance.

    • Arjan Mensch says:

      Hi Aaron.
      I’m typing this on a public computer with no resources at hand to check my setup, so this response is unverified:
      – If you want your TCs to connect to the outside address you might want to disable “do not use gateway for local addresses” in the app settings of IIS that hosts your WebAccess pages
      – If you want clients to connect using RDP I suggest using the Remote Applications app found in control panel. Your clients would connect to https://url/webaccess/webfeed/webfeed.aspx
      If you want your clients to use MSTSC.exe you must create an RDP file for those users with the Gateway option enabled.

      • Aaron says:

        Thank you for the quick response. We are trying to use the native RDP (mstsc.exe) from Windows 7 Embedded, Windows 8.1 desktop and older thin client devices that have older RDP versions. They currently hit Windows 2003 terminal servers so we want to deliver a similar desktop experience with minimal for the user to change, i.e., change the current IP address for the FQDN on the RDP client software. When we do this we get a session from the web server. If we login to the RdWeb site, pass logon credentials and download the RDP shortcut and manually run it we get a session from the session server. So when the .rdp file comes down from the web server everything works as expected. When we try to copy all the settings from that rdp file to a new one and save it we get connected to the web server and not the session server. How can we make the typical remote desktop client whether on a thin client or Windows machine work with the gateway services?

      • Arjan Mensch says:

        Hi Aaron,
        Best practice for internal clients: create a DNS round robin A-record that is on your cert. Create the round robin for all your session hosts. Connect the RDP file to this round robin file. Each session that is received directly by a session host will be redirected to the broker which in turn will redirect your client to the most suitable session host

  7. Yinka says:

    Hi Arjan,

    Very nice and detailed post. Kudos for the time spent on putting this together.

    I have a small setup and am wondering if this is possible, if so you can just give a highlight on how:

    1. Can I load balance between two nodes SERVER A and SERVER B with each server hosting all the roles (RD Connection Broker, Session Host, Web Access and Licensing etc., no need of RD Gateway, it’s being used internally) such that if SERVER A goes down, SERVER B will accept connections etc.

    I currently have one server set up with a few users doing remote apps, which is working fine, and wondering how I can have redundancy should server A go down. Keep in mind like I said, my present server is hosting all the roles including licensing.

    2. If that is possible, would it mean that I will have to separate the License Server role?

    Thanks

    Yinka

    • Arjan Mensch says:

      Hi Yinka,
      Yes you can load balance that way. Your WebAccess roles need to be load balanced using a virtual IP (Microsoft NLB works fine, or any third party load balancer will probably work as well).
      Configure the Broker in HA mode and your sessions are load balanced as well.
      I’d separate the license role, which would work on any DC as well, and separate the SQL instance for the broker.

  8. Rogier says:

    Hello Arjan, great and crystal clear tutorial. Thx a lot.

    After building a working 2012 R2 RDS farm, I started to create a VDI farm with multiple collections for Windows 7 SP1 and Windows 8.1.
    Unfortunately I have a problem connecting to my Windows 7 VDI desktops externally, but I can’t find a solution that solves my problem. Hope you can help me out. ;-)

    My setup:

    Our RDS/VDI farm has 1 RDWEB/GW, 1 RDS host, 2 HA RDBrokers and 1 RDVH.
    All servers are Windows Server 2012 R2. The domain internally and externally is the same “corpxx.eu”. Connecting via RDWeb to our 2012R2 RDS host works great, as well as connecting to our Windows 8.1 VDI desktops. This works internally as well as externally.
    We use a Comodo Positive SSL wildcard certificate for “*.corpxx.eu”.

    I also created a collection for Windows 7 SP1 desktops. The Windows 7 master image has SP1 installed as well as all Windows Updates (including KB2592687). When I log in externally via RDWeb and connect to the Windows 7 desktop pool, I get a certificate warning that “Win7-1.corpxx.eu” is using a non-trusted certificate. We are able to log on to Windows 8.1 VDI desktops with no certificate warning, as well as our 2012 R2 RDS hosts. Only with Windows 7 SP1 VDI desktops we get this certificate warning. After pressing “yes” on the certificate warning the connection tries to establish, but it hangs for hours on “The remote connection is starting…” and nothing happens.

    After hours of googling I can’t find the solution.

    Hope you are familiar with my problem and you can help me out?

    Many thanks for your help.

    Grtz Rogier

    • Arjan Mensch says:

      Hi Rogier,
      No clue what could cause that. I’m running several Windows 7 pooled and personal collections with no problems at all.
      My images are also fully up to date. RDP version in my Windows 7 boxes is 6.3.9600.16415. Note that not all RDP updates are applied through Windows Update. You might have to download one or more updates manually. I based my version on this table: http://www.c-amie.co.uk/technical/mstsc-versions/

  9. Rohan says:

    Hi Arjan,

    In this we have two Session Servers, so we can access through the Gateway Name. How can we design it if we want to put the two servers behind the F5 load balancer? Can you help on this?

    • Arjan Mensch says:

      Hi Rohan,
      I have no experience using the F5 as a loadbalancer for sessions. I’m not even sure if you can. You can use the F5 for loadbalancing the Web Access and Gateway roles though.
      I think you need to search the F5 community for a definitive answer to this one.

  10. Rohan says:

    Hi Arjan,

    Added two servers in the Session Host; when I connect with one server and log off and try to connect again, it will send me to the same server. I’m using the server IP address to connect to the servers.

    • Arjan Mensch says:

      Hi Rohan,
      That is normal behaviour. The Broker determines where your session should go based on server availability, business, sessions, etc.
      If both servers are equal and no sessions exist, chances are you connect to the server you previously connected to. Load dividing by the Broker is not a round-robin process.

  11. Rohan says:

    Thanks Arjan,

    As we know, if the Redirector (RDCB) goes down, users are not able to log in to the Terminal Server (RDSH).

    If we configure/add another RDCB on it, then how does it work? Will the other server be a part of the existing farm, and how is the connection made with the SQL Server?

    Or is it fine to go with a single RDCB, but that’s a single point of failure even if we have two RDSH servers.

    Thanks
    Rohan

  12. Rohan says:

    Adding on this.

    As per the above scenario, one (RDCB) and two (RDSH). Can we create two entries in the DNS as below? Rather than separate Zone.

    Broker.it-woroxx.nl – 192.168.66.24
    Broker.it-woroxx.nl – 192.168.66.25

    • Arjan Mensch says:

      Hi Rohan. You don’t need 2 entries if you have 1 CB. If you have 2 CBs, create 1 zone with 2 empty a-records, pointing to the ip-addresses of the CBs. If you have just 1 CB, then only 1 entry is needed.

      • Rohan says:

        single DNS entry for 2 session host, you mean to say if we have 1 CB and 3 or 4 SH server we need single entry for connection broker.

        and connection broker internally redirect the request with the Session host server as per the load.

      • Arjan Mensch says:

        Almost. In case of multiple Session Hosts, I’d create Round Robin DNS for the Session Hosts.
        A user connects to the Round Robin DNS name, gets redirected to the CB, and the CB redirects the user to the correct Session Host. A user session ALWAYS gets redirected to the CB.

  13. Steve Gross says:

    I have been struggling to produce a flawless RemoteApp deployment. Now I’m down to one last problem, but it’s a major one.

    There are two distinct user groups for my deployment. One group is remote web users. The second group is local users accessing via a thin client.

    If I set the Session security to “Negotiate”, then the deployment works correctly for Remote users, but local thin client users get prompted for a second set of credentials; moreover, once they type in the password again, it never works. If I set the Session security to “RDP Security Layer” or “TLS”, the local users work fine but the remote users hang and never can run the Remote Apps.

    Advice and suggestions welcome. Thanks.

  14. Rohan says:

    UPD support the NFS Share??

  15. bkleef says:

    Arjan you should check this out (I didn’t write the article): http://virtualstation.azurewebsites.net/?p=6951.

  16. Dallas Bunton Jr says:

    We have 1 CB and 2 session hosts and in DNS we have 2 records for farmname, 1 for each IP address of the session hosts. I can connect using the farmname and in my tests I keep going to the same session host. How do I know everything is ok and how does the CB come into play?

    • Arjan Mensch says:

      Hi Dallas,
      You can test this setup by disabling logons to that first server. You can do this in server manager.
      User -> connects to farm -> round robin DNS points to a session host -> session host asks CB where to put this session -> if resources and connections are allowed session stays on that host, if not, session is redirected by CB to another host.

  17. NK says:

    Hi Arjan,

    First of all, thank you for getting everything through step by step. We have deployed everything using your steps. I have a couple of questions: we have set up the process for web right now, but we want to have the users access it from any device, not just the web, like an iPad using the remote desktop client, or Android. Can you please guide us on what needs to be enabled to get this working from any device.
    Thanks
    NK

  18. Sean-Ryan Sullivan says:

    I know this is an older article but I had a few questions that I can’t seem to find the answers to. 1) If I want to load balance multiple SH Application servers, do the same exact apps need to be installed on each SH? Does the CB know that the same apps are installed on each SH? and 2) If they are setup on the CB as being load balanced, do I still need to setup a round robin DNS entry for the farm name? It appeared according to this article that the CB performs all the load balancing between the SH’s.

    I currently have 2 RDS servers where both are SH’s but one of the two has all the other roles as well. My plan is to create a new server with just the CB, Web Access, and gateway roles and implement my existing SH’s (while removing the CB roles from the one) and create a new load balanced collection.

    Any help would be greatly appreciated.

  19. Adrian Graves says:

    I found this article a great help, I have a quick question. If we had an application installed on only one server in the farm, is it possible to share it amongst the other 3 servers to present it to the users the same as a Citrix session?

  20. Tony says:

    Hi, Can you use server 2012R2 RDS as the old fashioned terminal server, so that people can just rdp to it.

  21. alessio says:

    Hello Arjan,
    Just wanted to understand the role of the CB in 2012r2 with a simple three server setup: two RDSH and one CB (with web service installed).
    I’ve read that with 2012r2 the role is different from 2008r2, in the meaning that all the connections pass through the CB and are later distributed to the available RDSH. So theoretically a DNS RoundRobin of the RDSH should not be necessary.
    Is that correct? If so, why do I get “connection denied because the user is not authorized for remote login” when I connect directly to the CB?

    many thanks

    • Arjan Mensch says:

      Hi alessio,

      The CB is not a session host, that is why you are denied.
      Always connect to a session host, using either round robin DNS farm name, or directly to the session host.
      When a session host receives a connection it always checks with the broker if it’s ok to set up the session. If the broker says another server is a better option for the session, the user gets redirected to the correct session host.
      To recap: don’t connect to the broker.

      • alessio says:

        Arjan, thanks for your quick answer!
        Well, I know it’s not a session host, as I did not install the service on that server, only Broker and its web part. My question was why it’s not redirecting to my RDSH servers.
        For what I’ve read before jumping to your page, with 2012R2 the broker plays a more central role and clients should connect directly to it, via its web page or RDP, and once the connection is set up the broker redirects to the session hosts.
        Right now I’ve found this technet page that might explain why it’s not working:
        http://blogs.technet.com/b/askperf/archive/2015/06/11/walkthrough-on-session-hint-tsvurl-on-windows-server-2012.aspx

        We are trying to use some old SunRay2 thin clients, that’s why we wanted a more “direct” connection.

        thanks for your help!

      • Joel Chema says:

        Hi Arjan
        May you please explain the DNS farm name a bit more. I couldn’t find that in your blog.
        Are you talking about creating an internal DNS zone name & adding all the 3 session host servers in the zone? Is this for RDP session load balancing reasons?
        Or could you explain how to create the DNS Farm name?
        Thanks in advance

  22. YES says:

    Hello,

    I am having trouble with multiple RDP sessions (saved on a network location) trying to connect to a 2012 server that can’t remember the password. When the password is entered manually it works. I have enabled the delegate NTLM setting in local GPO. Followed all mentioned below:
    When using remote desktop connection to connect to windows server 2008, 2008 R2, sbs 2008, vista or windows 7 and would use saved credentials. This doesn’t work when you start the connection you get the following error:

    “Your system administrator does not allow the use of saved credentials to logon to the remote computer computername/ipadress because its identity is not fully verified. Please enter new credentials.” “The logon attempt failed”

    Solution: This happens when trying to connect to a computer / server in another domain and no trust relationships exists. Windows then steps back to use NTLM and the default domain machine policy prohibits use of saved credentials. You can change this domain based or for a individual machine:

    Start local group policy editor, start – run – gpedit.msc
    Go to Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation
    Edit “Allow Delegating Saved Credentials with NTLM-only Server Authentication”
    Enable the policy, click Show and enter the value “TERMSRV/*” into the list.

    Do the same thing for the following policies:
    “Allow Delegating Saved Credentials”, “Allow Delegating Default Credentials with NTLM-only Server Authentication” and “Allow Delegating Default Credentials”

    Close the policy editor,
    open a command prompt and use “gpupdate /force” to apply the policy directly
    – See more at: http://blog.ronnypot.nl/?p=247

    But DOESn’T work at all. Please help.

  23. jaz says:

    HI

    1 server RDCB,RDG,RDWS,RDLS hostname rdcb.xyz.com
    3 server RDSH host name sh1.xyz.com,sh2.xyz.com ,sh3.xyz.com

    I just want high availability of my all RDSH servers

    if I add a record on my DNS for all my RDSH servers with a single name like

    remote.xyz.com 10.10.10.5
    remote.xyz.com 10.10.10.5
    remote.xyz.com 10.10.10.5

    question is

    1 How many certificates do I need? As per my understanding we need a wildcard certificate, right?
    3 How can clients access my RDS from outside, with which name? (should I point my public IP to one of my RD host servers with NAT, or what?)
    4 What do I need to do with public DNS, point it to remote.xyz.com?

    Thanks in advance

    • Arjan Mensch says:

      Hi Jaz,
      This is all answered in the blog series, but in short you don’t need a wildcard as I show in the series, you should deploy webaccess / gateway to allow outside access, and create public dns entries for those (can be the same).
      Add all session hosts round robin to DNS and make sure the farm name is an FQDN that has a public A-record as well (so no internal domain names). Don’t ever open public ports to RDS session hosts..

      • Jaz says:

        Thanks Arjan for the reply.

        I am still confused.

        You mean to say that the public IP should be NATed to the gateway IP address?

        Gateway FQDN name: remote.dua.com

        Also created a round robin record with the same name remote.xyz.com

  24. beninmaliBen says:

    Hi, we can’t add any servers to our collection, we get an error stating “Unable to retrieve the session collection properties” any ideas?

  25. Joel Chema says:

    Hi
    Actually, I think I figured it out. thanks anyway

  26. adam says:

    We have been having fits with free Adobe Reader on our 2012 R2 RDS server. It is utilizing VHD for user profiles. Is there a solution?

    • Arjan Mensch says:

      Hi adam,

      Yes there is, but it’s not a nice one ;)

      Create a file called “acroct.ini”.
      Using a text editor, enter the following into the file:
      [WinFntSvr]
      TTToSysPrintDisabled=1
      T1ToTTDisabled=1

      Depending on your configuration, this is where you need to place the file for it to work:
      – C:\Windows
      – C:\users\\Windows
      – \Windows

      The problem is the way Acrobat Reader renders the fonts. This leaves Z@xxx.tmp files in the user’s profile, which are locked by some dll. The .ini solution should fix that.

  27. Joel Chema says:

    Hi Arjan,
    Me again, bumped into an issue.
    So my setup has 3 session host servers. I have already applied the wildcard certificate using Server Manager for webaccess, gateway and connection broker.
    I am using a DNS round robin session host farm for RDP.
    What I am noticing is, when I am trying to RDP using the farm name, I am getting a certificate error saying that the certificate was issued by the session host; the certificate has the internal FQDN of the session host server name and doesn’t have the wildcard cert name, although I imported the wildcard cert into each session host server’s local computer personal store.
    Any suggestion?

    • Rei says:

      Hello Joel,
      I am stuck in the same place you are. I have battled this for quite a time to the best of my ability to no avail. I see that you did not get any reply to your question. Have you been able to make any progress? Any help is good.
      T H A N K Y O U ! !

      • Arjan Mensch says:

        Hi Rei, and sorry Joel for missing this one,
        You should not connect to the farm name, or use round robin for the session hosts.
        You should connect to a session host name. The session host will always redirect the session to the broker and the broker then determines which session host will handle the session.
        So load balancing sessions is no longer handled by DNS round robin (which isn’t load balancing at all!!) but by the broker.
        Do not let your users connect to the broker or the DNS farm name. Neither will work.

  28. Hasnain Naseem says:

    Hi Arjan,
    I saw your demos on DaaS, it is great and it helps me a lot. Thank you for this. But I have one question.
    Can you please tell me how many users can be handled by one session host?
    For example: if I deploy a DaaS service for 5000 users, how many session hosts will I need in the deployment?
    I also want to make load balancing between multiple session hosts. If you tell me how many session hosts I need for making a DaaS environment for 5000 users I will be very thankful to you…

    • Arjan Mensch says:

      Hi Hasnain,
      It totally depends on the kind of applications that will run on the session hosts. Take Azure for example. Azure RemoteApp by default runs on A3 machines. That’s 4 cores, 7GB of RAM, and depending on the plan that VM will host 10 sessions, or 5.
      Whenever I need to calculate on on-premises hardware however I stick by the ancient rule of thumb: 4 CPUs, 30GB memory for 20 sessions, and work from there.
      Load balancing over the session hosts is handled by the connection broker.
      Word of caution however. 5000 sessions is pushing the limits for Microsoft RDS. Server Manager will disappoint you when 500+ concurrent sessions are reached, so look for other ways to manage sessions (PowerShell!).
      Microsoft recommends using partner software like Citrix or Dell Wyse vWorkspace (my favorite) when reaching 1000+ expected sessions.

      • Hasnain Naseem says:

        Thank you for the suggestion Arjan, I will work on that. If I get any query or problem I will contact you… once again thank you.

  29. Hasnain says:

    Hi Arjan, I need to ask you one more question. If I simply deploy RDS for 500 users, how many CPUs do I require, meaning how much RAM or processor? I have only two session host servers. Can you help please? I will be very thankful to you.

    • Arjan Mensch says:

      Hi Hasnain,
      That would be near impossible I think. We calculate the number of servers by dividing the number of concurrent sessions by 20 (20 sessions per server). Depending on applications we then allow for 2-4 (v)CPUs and 20-32GB memory per server..

  30. Den says:

    Hi, I’m trying to make an HA RDS farm but with round robin DNS functionality it seems to be not very HA, at least not as responsive as I want it to be… So I have two Connection Brokers configured in HA (should be fine but I haven’t tested yet what happens if one CB is down), I have one RDGW server and two RDSH servers. In my DNS server I have two records, say: rds.mydomain.com pointing to RDSH1 and another rds.mydomain.com pointing to RDSH2. When I do an nslookup for rds.mydomain.com I of course get two IP addresses, but when I ping rds.mydomain.com it sticks with one IP address and doesn’t switch between the two very often. So if I shut down RDSH1 we will never be able to connect to RDSH2 using the round robin DNS record. Some users will be lucky, but this doesn’t look like a solution. I think there should be another way where we connect to a broker (otherwise what’s the point of that broker???) and the broker determines which RDSHxx is alive, which one is least loaded and so on…
    Thoughts?
    Thank you!

    • Arjan Mensch says:

      Hi Den.

      This has been answered a few times before. The brokers handle session load balancing and redirection. Do NOT use a DNS farm name or DNS round robin or whatever DNS trick you can think of. That’s not HA and doesn’t work. As long as your deployment has 2 or more session hosts, you’re fine.

      • Den says:

        Hi, thanks for that, I’ve seen those answers… I’ll rephrase my question: can we automatically redirect users to another RDSH if the one they have got a shortcut for is down? Obviously, we can create as many shortcuts as we want for each RDSH in the deployment, but then it comes to tens of servers and hundreds of PCs… How do you deal with that? Thanks.

      • Arjan Mensch says:

        Hi Den,

        Your best config for that would be to use the webaccess role and configure the Remote Desktop and apps program on each PC. That would put the published desktop RDP from webaccess into the user’s start menu and will always work, no matter if one of the session hosts is down.

  31. Scott says:

    Hi, we have an RDS environment that has 7 collections in it with 35 hosts. Everything works great, but last month we started to experience an annoying problem. One of the hosts will just stop accepting connections randomly and the users get “stuck” trying to login. It basically times out. The suspect host already has quite a few users on it. We have found the only way to resolve this is to reboot the server and all is well again. What could be causing this? We never lose the network connection to the hosts. We are thinking that it was caused by the last round of updates from M$ as that is when the issues started. Any feedback would be great.

    • Arjan Mensch says:

      Hi Scott,
      The users that cannot logon anymore, is the session established at all or is it the client that times out before a session is established?

      • Scott says:

        The session never gets established. This happens to me also from my Surface tablet and I can ping the server. I can login to the server through the console (these are VMs, ESX 6.0) and have found that if I restart the RDS service it allows users to login again, but it kicks everyone off the server. These servers are not overloaded, sometimes they only have a couple of users connected to them. Thanks!

      • Scott says:

        So I have another symptom. When we notice a server does not have anyone on it, we open a console session and see there are a bunch of “ghost sessions” on it with 4 processes running and no user name. So in the task manager under users, we see a bunch of unnamed sessions with 4 processes running. These cannot be logged off but after 15 minutes or so they drop off.

  32. Ernesto Villalobos says:

    Hello! Thank you in advance for taking the time to read all of our questions and reply to them.

    I have the following scenario:

    1x Web Access Server
    1x Broker Server
    1x Gateway Server
    2x Session Host Servers

    I possess an SSL certificate under the name webaccess.mydomain.cl which contains two other subdomains: gateway.mydomain.cl and broker.mydomain.cl.

    I have installed this certificate on all servers; I followed all of the steps on the previous part but I do have an issue:

    I can connect internally and even run my APP (paint or calculator), but externally I can access the website, authenticate and even see the apps listed; once I try to open the rdp file that downloads, I authenticate (or at least asks for authentication) and then gives an error about gateway being temporarily unavailable.

    Do you have any ideas on what might be causing this issue? I only possess one public IP at the moment and I am redirecting 443 to the webaccess server and UDP 3391 to the gateway server. Still won’t work.

    Thanks again!

    • Arjan Mensch says:

      Hi Ernesto,
      If you have the Gateway Role and the Webaccess Role you MUST have 2 external IPs or find another way to redirect webaccess:443 to the webaccess server and gateway:443 to the gateway server. Webaccess must be reachable on 443, Gateway must be reachable on 443, and optionally UDP 3391.
      If you only have 1 external IP, you can host the Webaccess and Gateway roles on the same machine, but both roles MUST use the same certificate / FQDN then.
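An added check script (not from the reply above or the original post) for the two points raised in this thread: it performs a TLS handshake against each public RDS name on 443, reports which certificate is actually presented, and tells you whether the name matches and whether Web Access and Gateway present the same certificate. The host names are placeholders taken from this thread; replace them with your own.

```powershell
# Added example: inspect the certificate each RDS endpoint presents on TCP 443.
# Host names are placeholders; substitute the public FQDNs clients actually use.
$endpoints = @('webaccess.mydomain.cl', 'gateway.mydomain.cl')

function Get-TlsCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any chain during the handshake: this script only inspects the
        # certificate, it does not decide trust.
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()

        # Clients match the requested name against the SAN entries (OID 2.5.29.17)
        # and, failing that, the subject CN; -like handles a *.domain wildcard.
        $names = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $names += ($sanExt.Format($false) -split ',\s*') |
                ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
        }
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $match = [bool]($names | Where-Object { $HostName -like $_ })

        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Names      = ($names -join ', ')
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            NameMatch  = $match
            Error      = $null
        }
    } catch {
        [pscustomobject]@{ Host = $HostName; Subject = $null; Names = $null; Thumbprint = $null
                           NotAfter = $null; NameMatch = $false; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

$results = $endpoints | ForEach-Object { Get-TlsCertificateInfo -HostName $_ }
$results | Format-List
# With one public IP and both roles on one server, both names must yield one thumbprint.
if ((@($results.Thumbprint) | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Web Access and Gateway present different certificates.'
}
```

A NameMatch of False on an endpoint is the same mismatch the RDP client reports as a certificate error, so fix the binding on that server rather than suppressing the warning on the clients.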
