Deploy 2012 R2 RDS DMZ

Hi,
We are looking to deploy a 2012 R2 RDS environment in our company by deploying the Gateway and Web server in the DMZ and the Host in the internal network, but would like to authenticate using the internal DC, so my question is:
Can we just use a Secure LDAP hole to make the RDS login process work?
Leroy Wisdom

Hi Leroy,
Thank you for posting in Windows Server Forum.
Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user: 
Server Protocol = LDAP 
For LDAP: Port = TCP: 389, UDP: 389 
You can go through the following article for step-by-step guidance on setting up an RD Gateway deployment in a perimeter network.
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
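An added example, not part of the original answer, of putting the rule above into practice: on the domain controller it creates inbound LDAP rules for TCP/UDP 389 that accept traffic only from the RD Gateway's perimeter address, and on the gateway it verifies the path with a TCP probe followed by an actual LDAP bind. The gateway address and DC name are assumed placeholders.

```powershell
# Added example (not from the original answer). Two hosts are involved:
# the DC, where the LDAP rules are scoped to the gateway's address, and
# the RD Gateway, where the port and an actual LDAP bind are tested.
# Constructed placeholders: replace with your own addresses.
$GatewayIp = '192.0.2.10'          # assumed RD Gateway address in the DMZ
$DcName    = 'dc01.corp.example'   # assumed internal domain controller

# --- Run on the domain controller ---
function Add-GatewayLdapRules {
    param([string]$RemoteAddress, [int]$Port = 389)
    foreach ($proto in 'TCP', 'UDP') {
        $name = "RD Gateway LDAP ($proto $Port)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $proto -LocalPort $Port -RemoteAddress $RemoteAddress `
                -Profile Domain | Out-Null
        }
    }
    # Show the scope so an over-broad rule (RemoteAddress "Any") is caught at once.
    Get-NetFirewallRule -DisplayName 'RD Gateway LDAP*' |
        Get-NetFirewallAddressFilter | Select-Object InstanceID, RemoteAddress
}

# --- Run on the RD Gateway ---
function Test-GatewayLdapPath {
    param([string]$Server, [int]$Port = 389)
    # Test-NetConnection covers TCP only; UDP 389 (the DC locator ping)
    # cannot be probed this way, so confirm that rule on the firewall itself.
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Server = $Server; Port = $Port; TcpOpen = $false; Bind = 'skipped' }
    }
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    if ($Port -eq 636) {
        $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS, if 636 is what the firewall allows
    } else {
        $conn.SessionOptions.Signing = $true             # sign and seal the plain-port session
        $conn.SessionOptions.Sealing = $true
    }
    try     { $conn.Bind(); $bind = 'ok' }
    catch   { $bind = $_.Exception.Message }
    finally { $conn.Dispose() }
    [pscustomobject]@{ Server = $Server; Port = $Port; TcpOpen = $true; Bind = $bind }
}

# Add-GatewayLdapRules -RemoteAddress $GatewayIp   # on the DC
# Test-GatewayLdapPath -Server $DcName             # on the gateway
```

A failed bind with the port open points at name resolution or Kerberos rather than the firewall, which is the distinction the DMZ placement makes hard to see otherwise.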

Similar Messages

  • RDS gateway deployment options with no DMZ

    Hello
    I have setup an RDS server that is running nicely and I now need to deploy it externally. I have read through the deployment guides which state that you should deploy the gateway in a DMZ. My problem is that I do not have a DMZ and my firewall does not have
    a DMZ port or an option to assign different IPs to different internal interfaces. What would be the best deployment option if no DMZ is available?

    Hi,
    Thank you for posting in Windows Server Forum.
    Agree with “Guna”'s comment; you can set up RD Gateway for accessing the server externally. For that you can refer to the following links to set up RD Gateway.
    1. How To Work with RD Gateway in Windows Server 2012
    2. Deploying Remote Desktop Gateway RDS 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Resizing User Profile Disks in Existing Server 2012 R2 RDS Deployment Question

    Once the initial maximum size is set and the VHDXs have been created in a Server 2012 R2 RDS deployment, will attempting to increase the Collection's maximum UPD size by, say, issuing a PowerShell command of:
    Set-RDSessionCollectionConfiguration -CollectionName MySpiffyNewCollection -MaxUserProfileDiskSizeGB 10
    over-write the existing VHDXs instead of simply increasing their size? (max size is currently 5GB)
    I'm not at a point where I can test this in a lab condition to find out, and I have not found this question asked (or at least not definitively answered) in this forum yet.
    -G

    Hi,
    Thank you for posting in Windows Server Forum.
    We can resize the UPD file with the command below:
    Resize-VHD -Path c:\BaseVHDX.vhdx -SizeBytes 1TB
    After running this, mount the .vhdx file and open Disk Management; there will be unallocated space, and then you can click Extend Volume and it's done.
    You can refer following article for more information.
    Resize User Profile Disks
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Manage SCCM 2012 clients in DMZ (OS Deploy, Windows updates) via DP/MP

    Hi,
    We'd like to manage (= OS Deploy, Packages, Windows updates) Windows clients (Windows 2008/2012 R2 servers for now, about 20 of them) in a DMZ (= different domain).
    There is this article
    https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which explains what to do … in 2011. Since then lots of things have changed, I guess.
    Before I dive in, I’d need to have an overview + do some administrative tasks (like asking for firewall accesses).
    Current setup DMZ:
    Our SCCM 2012 R2 server is on a Windows 2008 R2 OS
    Client communication is done via HTTP (not HTTPS)
    An extra physical Distribution point is setup (only DP, nothing more) in our current domain
    A new Windows 2012 server is setup in the DMZ which should host the DP and probably management point (since it should manage the clients over there)
    There are clients in the DMZ that are currently managed by SCCM 2007, but this server will be phased out; these clients have:
    Correct sccm functionality
    Correct DNS resolution
    My steps/questions, please comment:
    Add the DMZ ip range to SCCM 2012 boundary as “DMZ”
    Add the network access account to be able to deploy as well clients as distribution point in DMZ
    In the DMZ accesses on firewall for server VLAN have to be asked
    When we have a distribution point and communication is “HTTP only”, then HTTP (port 80) from the DMZ to the SCCM server should suffice, correct? Or are extra firewall openings needed for management point access/packages and Windows updates sync?
    Now the sccm clients will be deployed to the servers in DMZ: deploy SCCM clients to hosts in DMZ, how this should be done: we connect a console to the SCCM-server in the DMZ then deploy the discovered clients?
    OS Deploy should be made available, but no DHCP is available in the DMZ and it is not an option either, therefore we would boot from an ISO then enter an IP (or pre-enter it so there is already an IP filled in?). So task sequences/deployments for servers in the DMZ, where are they configured/deployed then? Via console access on the DMZ management point, or can we deploy on our domain SCCM management point (not in the DMZ) and it will be synced to the DMZ management point? Not clear.
    Selective sync of software to this distribution point (howto? not sure), we don’t need any Windows 8 software/drivers to be synced.
    Thanks for your input!
    J.
    Jan Hoedt

    No comment;
    I think you mean the client push installation account and the site system installation account;
    More ports are required, see site server > distribution point and distribution point > management point from the provided link;
    The console will always be connected to your primary site server. The client will be pushed from the primary site server and it will provide the initial files. The other files will be downloaded from the local distribution point;
    The task sequence deployment will be just like a normal task sequence deployment. The only difference is the location of the server;
    Only the content that's distributed to the distribution point in the DMZ will be available on that distribution point.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • How to Deploy 2012 RDS Licenses

    http://blogs.msdn.com/b/rds/archive/2014/01/29/remote-desktop-services-upgrade-and-migration-guideli...
    Check the link I posted

    We are upgrading our Terminal Server from 2008 R2 to 2012 R2. We have an EA agreement that provides the necessary licenses.
    Our license server is running on 2008 R2. 
    Do we have to upgrade our license server from 2008 to 2012 if we intend to deploy 2012 licenses on a Per User basis to the TS?
    This topic first appeared in the Spiceworks Community

  • Server 2012 R2 RDS, User Profile Disks are created but local profiles are created as well. The UPDs aren't mounting correctly.

    2012 R2 RDS Deployment with RDCB HA and UPDs enabled. Everything was working fine with no issues until users started getting temporary profiles. Around the same time UPDs were being created but at the same time a user profile was created in C:\Users. 
    I actually rebuilt the entire RDS configuration except the SQL Server. It took about 5 hours and was not that big a deal but.... we still have the same issue! 
    Does anybody have the solution for this?

    Hi,
    In most cases, the issue is caused by a locked UPD, and the workaround is to log off the user. Please check if this is the case.
    For example:
    RDS user profile disks - getting error temporary profile are being used as UPD are not accessible
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d4b66fc-b53f-435e-b036-142b6ed15d0b/rds-user-profile-disks-getting-error-temporary-profile-are-being-used-as-upd-are-not-accesible?forum=winserverTS
    Also, please check if you will get the temporary profile when logging on with a local account of the session host server.
    If issue persists, please check if there is any related error in Event Viewer and provide us for further research.
    Hope this helps.
    Jeremy Wu
    TechNet Community Support

  • Windows Server 2012 R2 RDS: RDS Users are unable to delete files from their desktop

    Hello,
    We are working with Windows Server 2012 R2 RDS. We also implemented User Profile Disks. This is all working fine without problems. The only issue I have is that normal users are unable to delete files from their desktop. They are getting a message:
    you'll need administrator permission to delete this file, with the prompt for administrator access.
    They can edit, copy, rename, cut and paste files. But they cannot delete a file from their desktop.
    I checked the security permissions of the files on the desktop (for example a normal self-created PDF file) and the users are owner and have "Full Control" over the files.
    I checked the file permissions and took a look under "Advanced", selecting the specific domain user and checked the "Advanced Permissions", and the user has the "Delete" option checked. So he should be able to delete the file.
    I am guessing this is a UPD-related issue, or something in GPO. But I already unlinked the GPO objects that I felt could be the source of this problem, without results.
    Could someone give me a hint on where to look? It's kinda annoying to users, that they can't delete their own files.

    Hello Bria,
    What you should check first, is the NTFS permissions on the User Profile Disk to begin with. See if the user has full control over the items that are in the UPD.
    Also check the GPO's that are enabled for the user and computer account. You can check that by running: gpresult /h <path>\gpresult.html
    There are two GPO settings that could prevent the user from deleting his/her own items: 
    User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer\
    Hide these specified drives in My Computer
    Prevent access to specified drives in My Computer
    There might be other GPO settings that block deleting items on the UPD, but I can't think of any off the top of my head.
    I can only think NTFS and GPO settings that might prevent the user from deleting items. In my case it was a GPO setting, that I didn't suspect.

  • File Associations in 2012 R2 RDS Server using Roaming Profiles

    Background Information
    We recently moved from using 2008 R2 RDS servers to 2012 R2 RDS servers. All of our users have roaming profiles. When we migrated from the old terminal servers to the new terminal servers, the users got completely new profiles. The only things moved from their old profiles were documents and items on their desktops. We have multiple PDF viewers/editors installed on our RDS servers, mostly due to the cost difference between Adobe Acrobat and other, cheaper products that a lot of our users can get away with using that don't need the functionality of Adobe Acrobat.
    The Problem
    Ever since moving to the new 2012 R2 RDS servers, whenever our users log off the terminal server, the next time they log in their default PDF viewer association doesn't load, and they have to go through the process of choosing a default PDF viewer. This only occurs when there's more than one PDF viewer installed on the server. We've tested it with only one PDF viewer program, and the setting remains after logging off and back on. The problem we've found is that the registry key that houses the default user choice:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
    when set during the session, to Adobe Acrobat 11 for example, reads as such inside that registry key. For example, the Progid key will say Acrobat.Document.11 and this setting will persist until the user logs off. Upon logging off and back on to the terminal servers, if you look at that same Progid key, it has been converted into a hash value, and the operating system is unable to read the hashed value and determine what that user's default PDF viewer choice is, causing them to have to go through the process of setting it again.
    Things we've tried
    We created a GPO that runs a script that exports the registry key upon log off that has the non-hashed value, and have it set to import that value on log on. However, by default this registry key has the DENY WRITE permission applied to it, so when the system tries to import the registry key through the login script it is unable to do so.
    Summary
    This issue only started happening once we moved over to 2012 R2 RDS servers. It only occurs for users using Roaming Profiles. It only occurs when we have multiple PDF viewers installed on the servers. Any insight on why this is happening or how to resolve it would be greatly appreciated.

    I would use GPP to push the value, 'not hashed'. You can give right to the registry too, so like adding everyone group to that registry branch. (https://technet.microsoft.com/en-ca/library/cc753092.aspx)
    Regards, Philippe

  • App-V: A Configuration Template for Deploying to Stateless RDS Clients on Citrix Published Desktops with Citrix UPM for Profile Management

    Just posted this to the wiki:
    http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx

    I would not recommend this and keep the package cache and the client on the same non-persistent drive and enable the Shared Content Store. If you separate the cache and the App-V client they could get out of sync and strange behaviour can occur. 
    You can use a temporary local profile with Citrix UPM or UE-V and specify what to roam/save.
    You can use the Shared Content Store so packages will stream over the network. When the user logs on there is a publishing phase where shortcuts etc are created for the user, this will take some time.
    Are you using the App-V full infrastructure?
    Are you using a boot disk, partition or PXE in combination with PVS?

  • 2012 R2 RDS Shadowing "Permissions"

    Hi All,
    Just wondering if anyone has found a "workaround" for the requirement to be an Administrator to perform Remote Desktop Shadowing in Server 2012 R2?
    We are a software development company, who offers a Remote Desktop service to our customers to use our software. Our support team needs to be able to take control of these sessions to support them.
    We made the leap to 2012 R2 purely for the shadowing feature being re-implemented. However, allowing 50+ support staff, some of whom have little to no knowledge of server OSes, to have administrative control on an RDS server farm, including the AD server which is the Connection Broker, is just not an option.
    The best I can come up with is to lock down permissions on all Administrative Tools for these users with implicit Deny ACLs, but that does not stop them from being able to launch Add/Remove Server Roles, and perform other tasks within Server Manager.
    Also due to the Server Manager integration, gone are the days where you could permit a Terminal Services MMC for these users like we did in the "old days" of 2003.
    Does anyone have any brilliant ideas in regards to either enabling Shadowing without Administrator rights, or locking down Server Manager to a set task list?
    Thanks,
    Nash

    Hi Nash,
    A user does not need to be an Administrator to shadow other sessions under Server 2012 R2 RDS. You need to grant the non-admin user/group permissions to the RDP-Tcp listener on each RDSH server.
    To do this, first create a security group in your domain and add the users as members that you would like to have shadow permission. Next log on to each 2012 R2 RDSH server, open an administrator command prompt, and enter the following command (substitute your domain and group name):
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName ="RDP-Tcp") CALL AddAccount "domain\group",2
    The non-admin user can use the query session command to retrieve a list of logged-on users:
    query session
    If they want to view and control another session they may use the following command:
    mstsc /shadow:<sessionid> /control
    -TP
    Brilliant! Thanks heaps - I saw this one a little earlier from the previous post and couldn't wait to give it a run.
    Dharmesh, despite saying it's not possible, the link you posted points to an article where the above process is outlined.
    Appreciate the input guys, I will post back with the outcome!
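An added example, not from the original reply, that performs the same AddAccount call as the wmic command above through CIM across a list of session hosts, and then lists every account holding an entry on the RDP-Tcp listener so the grant can be reviewed afterwards. The group and server names are assumed placeholders.

```powershell
# Added example (not from the original reply): grant a dedicated group the
# RDP-Tcp permission the wmic call above grants, via CIM, on each 2012 R2
# RDSH server, then list every account on the listener for review.
$Ns      = 'root/CIMV2/TerminalServices'
$Group   = 'CORP\RDS-Shadow'        # assumed: dedicated group for support staff
$Servers = 'rdsh01', 'rdsh02'       # assumed session host names

function Get-RdpListenerAccounts {
    param([string]$ComputerName)
    # Every principal with an entry on RDP-Tcp; anything beyond the defaults
    # and your shadow group deserves a second look.
    Get-CimInstance -ComputerName $ComputerName -Namespace $Ns `
        -ClassName Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
        Select-Object @{ n = 'Server'; e = { $ComputerName } }, AccountName,
                      PermissionsAllowed, PermissionsDenied
}

function Grant-RdpListenerAccess {
    param([string]$ComputerName, [string]$Account, [uint32]$PermissionPreSet = 2)
    # PermissionPreSet 2 is the preset the wmic command uses. Review the
    # resulting entry rather than assuming it is limited to shadowing.
    $existing = Get-RdpListenerAccounts -ComputerName $ComputerName |
                Where-Object { $_.AccountName -eq $Account }
    if ($existing) { return }   # idempotent: already granted
    $listener = Get-CimInstance -ComputerName $ComputerName -Namespace $Ns `
                    -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
    $r = Invoke-CimMethod -InputObject $listener -MethodName AddAccount `
             -Arguments @{ AccountName = $Account; PermissionPreSet = $PermissionPreSet }
    if ($r.ReturnValue -ne 0) {
        throw "AddAccount on $ComputerName returned $($r.ReturnValue)"
    }
}

$Servers | ForEach-Object {
    Grant-RdpListenerAccess -ComputerName $_ -Account $Group
    Get-RdpListenerAccounts -ComputerName $_
} | Format-Table -AutoSize
```

Keeping the grant in one group and re-running the listing periodically is what turns this from a one-off command into something you can audit.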

  • Users Cannot Change Passwords on a Server 2012 R2 RDS Farm

    Hello, I have a Server 2012 R2 RDS Farm consisting of 1 server that has the connection broker and gateway configured and 4 RDS Session Hosts. It works great; I even have a separate RemoteApp farm to distribute the apps to the servers. My main issue is passwords and the lack of the EU ability to change these; listed below are my symptoms.
    Users password has expired denied logon instantly with no ability to change password.
    User tries to change password whilst in the 30 day warning period using Ctrl+Alt+End; the user is advised the password does not meet complexity requirements. I have checked this and they do meet them.
    Expired passwords can be changed via the RDWeb site however this is not an option for us.
    Chris

    Hi,
    Firstly, based on my knowledge, remote users may have to change their passwords before they expire. If not, they have to use OWA or log on locally to change their passwords.
    Regarding the issue, please let us know if the following policies are enabled in your domain.
    Enforce password history
    Minimum password age
    Also, does a local domain user have the same issue?
    Thanks.
    Jeremy Wu
    TechNet Community Support

  • Updated! App-V: A Configuration Template for Deploying to Stateless RDS Clients on Citrix Published Desktops with Citrix UPM for Profile Management

    I've updated my App-V Startup script that I use. The new version includes Event Logging as well as detailed logging, and it's in PowerShell (finally).
    Check out the wiki!
    http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx


  • Multiple printers In Window 2012 R2 RDS

    Hi All,
    I have a windows server 2012 R2 RDS server.
    For some reason when users log in to the RDS server they see 100 printers in the Devices and printers.
    I had a look and all these printers belongs to all the users that connected on the network on other RDS servers.
    Do you know how I can remove them ?
    Regards,

    Hi Shimon,
    Thank you for posting in Windows Server Forum.
    In respect to your issue there is one KB but it’s for server 2008 R2. Are you using Remote Desktop Easy Print for your environment?
    This issue occurs because the Print Spooler adds a registry entry for each redirected printer under the following registry subkey for the user, and for all users logged on to the RD Session Host server:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices
    This behavior occurs if you do not use the Remote Desktop Easy Print feature.
    More information for reference.
    KB 2620656
    In addition, you can configure a GPO policy to set the default printer per user session. For more information refer to this article.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • How to add Windows 2012 R2 RDS to Existing Windows 2008 R2 Terminal Server

    I currently have a Windows 2008 R2 Terminal Server running and I am looking to add a Windows Server 2012 R2 server to it. All I see when I google the setup is only for Windows Server 2012 R2 RDS; I can't find anything to integrate with a current 2008 R2 Terminal Server.
    Can anyone help with this or point me to a blog I possibly missed?
    Thanks.

    Hi,
    Thanks for your comment.
    Yeah, agree with diramoh, as already commented. If you want user sessions from RDS Server 2012 R2 then you need to install the RDS Licensing role on Server 2012 R2, purchase and install RDS CALs (per user or per device) according to your requirements, and then you can use user sessions for Server 2012 R2 and also for lower versions.
    But as you already have Server 2008 R2 RDS CALs, with those you can simply access lower versions but can't manage Server 2012/R2.
    For more information, you can refer following document.
    Licensing
    Windows Server 2012 R2 Remote Desktop Services
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • 2012 r2 rds deployment cannot connect to sql server after reboot

    We have an HA connection broker setup with 2 connection brokers and everything was working fine up until the servers were rebooted for updates. Now users cannot connect to their collections and I have an error in the event log that the deployment could not connect to the SQL database.
    At this point I assume that the issue is related to security. I am able to query the database as admin from the affected servers, and other services that use other databases in the same SQL instance are not having issues.
    I have checked the security group that both cb servers should be in and they are in the group and the group has sysadmin and dbo within sql
    any ideas?

    Hi,
    Thank you for posting in Windows Server Forum.
    Can you please create the database manually with the command below and verify.
    PS C:\> Set-RDConnectionBrokerHighAvailability -DatabaseConnectionString "DRIVER=SQL Server Native Client 11.0;SERVER=<SQL Server Name>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=<DB Name>" -DatabaseFilePath "C:\DbFiles\<DbName>.mdf" -ClientAccessName "<DNS RR Name>"
    Grant DBO permissions to the service account on the RDS server and try to run your wizard again.
    More information.
    RD Connection Broker High Availability in Windows Server 2012
    http://blogs.msdn.com/b/rds/archive/2012/06/27/rd-connection-broker-high-availability-in-windows-server-2012.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
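An added diagnostic, not part of the original reply, for the situation in this thread: it reads the connection string the broker actually holds, tries to open it through ODBC exactly as written, and lists the AD group membership of the broker's computer account, which is the identity Trusted_Connection=Yes presents to SQL Server. The RemoteDesktop module and a domain-joined broker are assumed.

```powershell
# Added example (not from the original reply). Trusted_Connection=Yes means
# SQL Server authenticates the broker's computer account, so a test run as a
# logged-on admin proves less than it seems; run Test-RdcbSqlPath under the
# SYSTEM account (for example from a scheduled task) to test that identity.
Import-Module RemoteDesktop

function Test-RdcbSqlPath {
    param([string]$ConnectionBroker = "$env:COMPUTERNAME.$env:USERDNSDOMAIN")
    # Read the connection string the deployment actually holds.
    $ha = Get-RDConnectionBrokerHighAvailability -ConnectionBroker $ConnectionBroker
    if (-not $ha) { throw "$ConnectionBroker is not part of an HA broker configuration" }

    $result = [ordered]@{
        RunningAs        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        ConnectionString = $ha.DatabaseConnectionString
        Open             = $false
        Error            = $null
    }
    $odbc = New-Object System.Data.Odbc.OdbcConnection($ha.DatabaseConnectionString)
    try     { $odbc.Open(); $result.Open = $true }
    catch   { $result.Error = $_.Exception.Message }
    finally { $odbc.Dispose() }
    [pscustomobject]$result
}

function Get-BrokerComputerGroups {
    # Group membership of this broker's computer account, as AD sees it:
    # compare with the group that holds the sysadmin/dbo login in SQL.
    $acct     = "$env:COMPUTERNAME`$"
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$acct))"
    $entry    = $searcher.FindOne()
    if ($entry) { $entry.Properties['memberof'] } else { @() }
}

Test-RdcbSqlPath
Get-BrokerComputerGroups
```

If the open fails only under SYSTEM while the admin test succeeds, the SQL login for the broker's group (not the database itself) is where to look.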
