Deploy 2012 R2 RDS DMZ
Hi,
We are looking to deploy a 2012 R2 RDS environment in our company by deploying the Gateway and Web server in the DMZ and the Host in the internal network, but we would like to authenticate using the internal DC, so my question is:
can we just use a Secure LDAP hole to make the RDS login process work?
Leroy Wisdom
Hi Leroy,
Thank you for posting in Windows Server Forum.
Firewall rules between the perimeter network (RD Gateway) and the internal network (domain controller) to authorize the user:
Server Protocol = LDAP
For LDAP: Port = TCP: 389, UDP: 389
You can go through the following article for step-by-step guidance on setting up an RD Gateway deployment in a perimeter network.
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
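The reply lists the LDAP port that has to be opened from the perimeter RD Gateway to the domain controller. As an added check (not from the thread), the script below is run on the gateway to confirm that the firewall rule is actually live and that a bind over Secure LDAP (TCP 636, the "Secure LDAP" the question asks about) completes with the server certificate validated. The DC name dc01.corp.example.com is a placeholder.

```powershell
# Added example: verify from a perimeter RD Gateway that the internal DC is
# reachable on the LDAP ports and that an LDAPS bind really is TLS-protected.
# dc01.corp.example.com is a placeholder for the internal domain controller.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Dc = 'dc01.corp.example.com'

# TCP 389 is the rule the reply lists; TCP 636 is what Secure LDAP needs.
# Test both so it is clear which firewall rule is actually in place.
foreach ($Port in 389, 636) {
    $r = Test-NetConnection -ComputerName $Dc -Port $Port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $Dc, $Port, $r.TcpTestSucceeded
}

# Bind over LDAPS with the identity the script runs as (no password hard-coded).
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
# Deliberately no VerifyServerCertificate callback: the default validation
# against the machine trust store is the whole point of using LDAPS.

try {
    $conn.Bind()
    'LDAPS bind to {0}:636 succeeded; server certificate validated.' -f $Dc

    # Read RootDSE over the encrypted channel to prove the directory answers.
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                '', '(objectClass=*)', 'Base', @('defaultNamingContext'))
    $resp = $conn.SendRequest($req)
    'defaultNamingContext = {0}' -f $resp.Entries[0].Attributes['defaultNamingContext'][0]
}
catch [System.DirectoryServices.Protocols.LdapException] {
    'LDAPS bind failed: {0} (check the TCP 636 rule and the DC certificate)' -f $_.Exception.Message
}
finally {
    $conn.Dispose()
}
```

If TCP 389 succeeds but 636 fails, the DC is reachable but only plain LDAP is open, which is the difference between the reply's rule and the question's Secure LDAP requirement.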
Similar Messages
RDS gateway deployment options with no DMZ
Hello
I have set up an RDS server that is running nicely and I now need to deploy it externally. I have read through the deployment guides, which state that you should deploy the gateway in a DMZ. My problem is that I do not have a DMZ and my firewall does not have a DMZ port or an option to assign different IPs to different internal interfaces. What would be the best deployment option if no DMZ is available?
Hi,
Thank you for posting in Windows Server Forum.
I agree with “Guna”'s comment: you can set up RD Gateway for accessing the server externally. For that you can refer to the following links to set up RD Gateway.
1. How To Work with RD Gateway in Windows Server 2012
2. Deploying Remote Desktop Gateway RDS 2012
Hope it helps!
Thanks.
Dharmesh Solanki
Resizing User Profile Disks in Existing Server 2012 R2 RDS Deployment Question
Once the initial maximum size is set and the VHDXs have been created in a Server 2012 R2 RDS deployment, will attempting to increase the collection's maximum UPD size by, say, issuing a PowerShell command of:
Set-RDSessionCollectionConfiguration -CollectionName MySpiffyNewCollection -MaxUserProfileDiskSizeGB 10
overwrite the existing VHDXs instead of simply increasing their size? (The max size is currently 5 GB.)
I'm not at a point where I can test this in a lab condition to find out, and I have not found this question asked (or at least not definitively answered) in this forum yet.
-G
Hi,
Thank you for posting in Windows Server Forum.
We can resize the UPD file with the command below:
Resize-VHD -Path c:\BaseVHDX.vhdx -SizeBytes 1TB
After running this, mount the .vhdx file and open Disk Management; there will be unallocated space on the disk, and you can then click Extend Volume and it's done.
You can refer to the following article for more information.
Resize User Profile Disks
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
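The reply grows the VHDX and then extends the volume by hand in Disk Management. As an added example (not from the thread), the script below does the same for one User Profile Disk non-interactively and refuses to touch a disk that is still mounted by a session host, since resizing a UPD that is in use would corrupt the profile. It assumes the Hyper-V PowerShell module is installed where it runs; the UNC path is a placeholder.

```powershell
# Added example: grow one User Profile Disk end to end (VHDX container, then
# the NTFS volume inside it). Requires the Hyper-V module (Get-VHD, Resize-VHD,
# Mount-VHD). \\fs01\UPD$\UVHD-<SID>.vhdx is a placeholder path.
param(
    [Parameter(Mandatory)][string]$UpdPath,       # e.g. \\fs01\UPD$\UVHD-S-1-5-21-...vhdx
    [Parameter(Mandatory)][UInt64]$NewSizeBytes   # e.g. 10GB
)

# A UPD mounted by a session host is held open exclusively. Try an exclusive
# open ourselves; if it fails the user is still logged on, so stop here.
try {
    $fs = [System.IO.File]::Open($UpdPath, 'Open', 'ReadWrite', 'None')
    $fs.Close()
} catch {
    throw "$UpdPath is locked (user probably still logged on). Log them off first."
}

$vhd = Get-VHD -Path $UpdPath
if ($vhd.Size -ge $NewSizeBytes) {
    throw "Current size $($vhd.Size) is already >= $NewSizeBytes; this script only grows disks."
}

# 1. Grow the container (what Resize-VHD in the reply does).
Resize-VHD -Path $UpdPath -SizeBytes $NewSizeBytes

# 2. Mount without a drive letter so nothing on this host starts using it,
#    then extend the data partition into the new unallocated space.
$disk = Mount-VHD -Path $UpdPath -NoDriveLetter -Passthru | Get-Disk
try {
    # The profile volume is the largest partition on the disk.
    $part = Get-Partition -DiskNumber $disk.Number | Sort-Object Size -Descending | Select-Object -First 1
    $max  = (Get-PartitionSupportedSize -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber).SizeMax
    Resize-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber -Size $max

    # Report the result so the change can be recorded.
    Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber |
        Select-Object DiskNumber, PartitionNumber, Size
} finally {
    # Always unmount, even if the resize failed, or the next logon gets a temporary profile.
    Dismount-VHD -Path $UpdPath
}
```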
Manage SCCM 2012 clients in DMZ (OS Deploy, Windows updates) via DP/MP
Hi,
We’d like to manage (= OS deploy, packages, Windows updates) Windows clients (Windows 2008/2012 R2 servers for now, about 20 of them) in a DMZ (= a different domain).
There is this article
https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which explains what to do … in 2011. Since then lots of things have changed, I guess.
Before I dive in, I’d need to have an overview and do some administrative tasks (like asking for firewall access).
Current setup DMZ:
Our SCCM 2012 R2 server is on a Windows 2008 R2 OS
Client communication is done via HTTP (not HTTPS)
An extra physical Distribution point is setup (only DP, nothing more) in our current domain
A new Windows 2012 server is setup in the DMZ which should host the DP and probably management point (since it should manage the clients over there)
There are clients in the DMZ that are currently managed by SCCM 2007, but this server will be phased out; these clients have:
Correct sccm functionality
Correct DNS resolution
My steps/questions, please comment:
Add the DMZ IP range to the SCCM 2012 boundaries as “DMZ”
Add the network access account to be able to deploy both clients and the distribution point in the DMZ
Firewall access for the server VLAN in the DMZ has to be requested
When we have a distribution point and communication is “HTTP only”, then HTTP (port 80) from the DMZ to the SCCM server should suffice, correct? Or are extra firewall openings needed for management point access, packages and Windows updates sync?
Now the SCCM clients will be deployed to the servers in the DMZ. How should this be done: do we connect a console to the SCCM server in the DMZ and then deploy to the discovered clients?
OS deploy should be made available, but no DHCP is available in the DMZ and it is not an option either, therefore we would boot from an ISO and then enter an IP (or pre-enter it so an IP is already filled in?). So where are task sequences/deployments for servers in the DMZ configured/deployed? Via console access on the DMZ management point, or can we deploy on our domain SCCM management point (not in the DMZ) and it will be synced to the DMZ management point? Not clear.
Selective sync of software to this distribution point (how to? not sure); we don’t need any Windows 8 software/drivers to be synced.
Thanks for your input!
J.
Jan Hoedt
No comment;
I think you mean the client push installation account and the site system installation account;
More ports are required, see site server > distribution point and distribution point > management point from the provided link;
The console will always be connected to your primary site server. The client will be pushed from the primary site server and it will provide the initial files. The other files will be downloaded from the local distribution point;
The task sequence deployment will be just like a normal task sequence deployment. The only difference is the location of the server;
Only the content that's distributed to the distribution point in the DMZ will be available on that distribution point.
My Blog: http://www.petervanderwoude.nl/
Follow me on twitter: pvanderwoude
How to Deploy 2012 RDS Licenses
http://blogs.msdn.com/b/rds/archive/2014/01/29/remote-desktop-services-upgrade-and-migration-guideli...
Check the link I posted.
We are upgrading our Terminal Server from 2008 R2 to 2012 R2. We have an EA agreement that provides the necessary licenses.
Our license server is running on 2008 R2.
Do we have to upgrade our license server from 2008 to 2012 if we intend to deploy 2012 licenses on a Per User basis to the TS?
This topic first appeared in the Spiceworks Community
2012 R2 RDS deployment with RDCB HA and UPDs enabled. Everything was working fine with no issues until users started getting temporary profiles. Around the same time, UPDs were being created, but at the same time a user profile was created in C:\Users.
I actually rebuilt the entire RDS configuration except the SQL Server. It took about 5 hours and was not that big a deal, but.... we still have the same issue!
Does anybody have the solution for this?
Hi,
In most cases, the issue is caused by a locked UPD, and the workaround is to log off the user. Please check if this is the case.
For example:
RDS user profile disks - getting error temporary profile are being used as UPD are not accessible
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d4b66fc-b53f-435e-b036-142b6ed15d0b/rds-user-profile-disks-getting-error-temporary-profile-are-being-used-as-upd-are-not-accesible?forum=winserverTS
Also, please check whether you get a temporary profile when logging on with a local account of the session host server.
If the issue persists, please check whether there are any related errors in Event Viewer and provide them to us for further research.
Hope this helps.
Jeremy Wu
TechNet Community Support
Windows Server 2012 R2 RDS: RDS Users are unable to delete files from their desktop
Hello,
We are working with Windows Server 2012 R2 RDS. We also implemented User Profile Disks. This is all working fine without problems. The only issue I have is that normal users are unable to delete files from their desktop. They are getting a message:
you'll need administrator permission to delete this file, with the prompt for administrator access.
They can edit, copy, rename, cut and paste files. But they cannot delete a file from their desktop.
I checked the security permissions of the files on the desktop (for example a normal self-created PDF file) and the users are owner and have "Full Control" over the files.
I checked the file permissions and took a look under "Advanced", selecting the specific domain user, and checked the "Advanced Permissions"; the user has the "Delete" option checked. So he should be able to delete the file.
I am guessing this is a UPD-related issue, or something in GPO. But I already unlinked the GPO objects that I felt could be the source of this problem, without results.
Could someone give me a hint on where to look? It's kind of annoying to users that they can't delete their own files.
Hello Bria,
What you should check first is the NTFS permissions on the User Profile Disk itself. See if the user has full control over the items that are in the UPD.
Also check the GPOs that are applied to the user and computer account. You can check that by running: gpresult /h <path>\gpresult.html
There are two GPO settings that could prevent the user from deleting his/her own items:
User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer\
Hide these specified drives in My Computer
Prevent access to specified drives in My Computer
There might be other GPO settings that block deleting items on the UPD, but I can't think of any off the top of my head.
I can only think of NTFS and GPO settings that might prevent the user from deleting items. In my case it was a GPO setting that I didn't suspect.
File Associations in 2012 R2 RDS Server using Roaming Profiles
Background Information
We recently moved from using 2008 R2 RDS servers to 2012 R2 RDS servers. All of our users have roaming profiles. When we migrated from the old terminal servers to the new terminal servers, the users got completely new profiles. The only things moved from their old profiles were documents and items on their desktops. We have multiple PDF viewers/editors installed on our RDS servers, mostly due to the cost difference between Adobe Acrobat and other, cheaper products that a lot of our users, who don't need the functionality of Adobe Acrobat, can get away with using.
The Problem
Ever since moving to the new 2012 R2 RDS servers, whenever our users log off the terminal server, the next time they log in their default PDF viewer association doesn't load, and they have to go through the process of choosing a default PDF viewer. This only occurs when there's more than one PDF viewer installed on the server. We've tested it with only one PDF viewer program, and the setting remains after logging off and back on. The problem we've found is with the registry key that houses the default user choice:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
When set during the session, to Adobe Acrobat 11 for example, it reads as such inside that registry key: the Progid value will say Acrobat.Document.11, and this setting will persist until the user logs off. Upon logging off and back on to the terminal servers, if you look at that same Progid value, it has been converted into a hash value, and the operating system is unable to read the hashed value and determine what that user's default PDF viewer choice is, causing them to have to go through the process of setting it again.
Things we've tried
We created a GPO that runs a script that exports the registry key with the non-hashed value upon log off, and have it set to import that value on log on. However, by default this registry key has the DENY WRITE permission applied to it, so when the system tries to import the registry key through the login script it is unable to do so.
Summary
This issue only started happening once we moved over to 2012 R2 RDS servers. It only occurs for users using roaming profiles. It only occurs when we have multiple PDF viewers installed on the servers. Any insight on why this is happening or how to resolve it would be greatly appreciated.
I would use GPP to push the value, 'not hashed'. You can give rights to the registry too, like adding the Everyone group to that registry branch. (https://technet.microsoft.com/en-ca/library/cc753092.aspx)
Regards, Philippe
App-V: A Configuration Template for Deploying to Stateless RDS Clients on Citrix Published Desktops with Citrix UPM for Profile Management
Just posted this to the wiki:
http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx
I would not recommend this; keep the package cache and the client on the same non-persistent drive and enable the Shared Content Store. If you separate the cache and the App-V client, they could get out of sync and strange behaviour can occur.
You can use a temporary local profile with Citrix UPM or UE-V and specify what to roam/save.
You can use the Shared Content Store so packages will stream over the network. When the user logs on there is a publishing phase where shortcuts etc. are created for the user; this will take some time.
Are you using the App-V full infrastructure?
Are you using a boot disk, partition or PXE in combination with PVS?
2012 R2 RDS Shadowing "Permissions"
Hi All,
Just wondering if anyone has found a "workaround" for the requirement to be an Administrator to perform Remote Desktop Shadowing in Server 2012 R2?
We are a software development company, who offers a Remote Desktop service to our customers to use our software. Our support team needs to be able to take control of these sessions to support them.
We made the leap to 2012 R2 purely for the shadowing feature being re-implemented. However, allowing 50+ support staff, some of whom have little to no knowledge of server OSs, to have administrative control on an RDS server farm, including the AD server which is the Connection Broker, is just not an option.
The best I can come up with is to lock down permissions on all Administrative Tools for these users with implicit Deny ACLs, but that does not stop them from being able to launch Add/Remove Server Roles and perform other tasks within Server Manager.
Also, due to the Server Manager integration, gone are the days where you could permit a Terminal Services MMC for these users like we did in the "old days" of 2003.
Does anyone have any brilliant ideas in regards to either enabling shadowing without Administrator rights, or locking down Server Manager to a set task list?
Thanks,
Nash
Hi Nash,
A user does not need to be an Administrator to shadow other sessions under Server 2012 R2 RDS. You need to grant the non-admin user/group permissions to the RDP-Tcp listener on each RDSH server.
To do this, first create a security group in your domain and add the users that you would like to have shadow permission as members. Next, log on to each 2012 R2 RDSH server, open an administrator command prompt, and enter the following command (substitute your domain and group name):
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName ="RDP-Tcp") CALL AddAccount "domain\group",2
The non-admin user can use the query session command to retrieve a list of logged-on users:
query session
If they want to view and control another session they may use the following command:
mstsc /shadow:<sessionid> /control
-TP
Brilliant! Thanks heaps. I saw this one a little earlier from the previous post and couldn't wait to give it a run.
Dharmesh, despite saying it's not possible, the link you posted points to an article where the above process is outlined.
Appreciate the input guys, I will post back with the outcome!
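TP's reply grants the listener permission with one wmic call per host. As an added example (not from the thread), the script below applies the same AddAccount call to a list of session hosts with CIM and then reads back the resulting listener ACL, so that what the support group can actually do on RDP-Tcp is visible and auditable. The group name CORP\RDS-Shadow-Ops and the host names rdsh01/rdsh02 are placeholders.

```powershell
# Added example: grant the RDP-Tcp listener permission from the reply to one
# group on every RDSH server, then list who holds rights on the listener.
# CORP\RDS-Shadow-Ops and rdsh01/rdsh02 are placeholders.
$Group = 'CORP\RDS-Shadow-Ops'
$Hosts = 'rdsh01', 'rdsh02'

foreach ($h in $Hosts) {
    # CIM over WinRM is encrypted end to end, unlike the default DCOM/wmic path.
    $cim = New-CimSession -ComputerName $h
    try {
        $listener = Get-CimInstance -CimSession $cim -Namespace root/CIMV2/TerminalServices `
                        -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"

        # PermissionPreSet 2 is the value the wmic command in the reply uses
        # (WINSTATION_ALL_ACCESS). It is full control of this listener only,
        # which includes remote control, logoff and disconnect of sessions but
        # is not local Administrator on the server. AddAccount returns 0 on success.
        $res = Invoke-CimMethod -CimSession $cim -InputObject $listener -MethodName AddAccount `
                   -Arguments @{ AccountName = $Group; PermissionPreSet = [UInt32]2 }
        if ($res.ReturnValue -ne 0) {
            Write-Warning "$h : AddAccount returned $($res.ReturnValue)"
            continue
        }

        # Read back the listener ACL: one Win32_TSAccount row per trustee, with
        # the allowed/denied permission bitmasks, for the change record.
        Get-CimInstance -CimSession $cim -Namespace root/CIMV2/TerminalServices `
            -ClassName Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
            Select-Object @{ n = 'Host'; e = { $h } }, AccountName, PermissionsAllowed, PermissionsDenied
    } finally {
        Remove-CimSession $cim
    }
}
```

Run the read-back part on its own afterwards to confirm that no group other than the intended one has been added to the listener over time.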
Users Cannot Change Passwords on a Server 2012 R2 RDS Farm
Hello, I have a Server 2012 R2 RDS farm consisting of 1 server that has the connection broker and gateway configured and 4 RDS Session Hosts. It works great; I even have a separate RemoteApp farm to distribute the apps to the servers. My main issue is passwords and the lack of end-user ability to change them; listed below are my symptoms.
User's password has expired: logon is denied instantly with no ability to change the password.
User tries to change password whilst in the 30-day warning period using Ctrl+Alt+End; the user is advised the password does not meet complexity requirements. I have checked this and they do meet them.
Expired passwords can be changed via the RDWeb site; however, this is not an option for us.
Chris
Hi,
Firstly, based on my knowledge, remote users may have to change their passwords before they expire. If not, they have to use OWA or log on locally to change their passwords.
Regarding the issue, please let us know if the following policies are enabled in your domain.
Enforce password history
Minimum password age
Also, does a local domain user have the same issue?
Thanks.
Jeremy Wu
TechNet Community Support
I've updated the App-V startup script that I use. The new version includes event logging as well as detailed logging, and it's finally in PowerShell.
Check out the wiki!
http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx
Multiple printers In Window 2012 R2 RDS
Hi All,
I have a Windows Server 2012 R2 RDS server.
For some reason, when users log in to the RDS server they see 100 printers in Devices and Printers.
I had a look and all these printers belong to all the users that connected on the network to other RDS servers.
Do you know how I can remove them?
Regards,
MCSA, MCSE, MCITP:SA, MCITP:EA, MCITP:Enterprise Messaging Administrator 2010, MCTS:Virtualization, CCNA
Hi Shimon,
Thank you for posting in Windows Server Forum.
In respect to your issue there is one KB, but it’s for Server 2008 R2. Are you using Remote Desktop Easy Print in your environment?
This issue occurs because the Print Spooler adds a registry entry for each redirected printer under the following registry subkey for the user, and for all users logged on to the RD Session Host server:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices
This behavior occurs if you do not use the Remote Desktop Easy Print feature.
More information for reference.
KB 2620656
In addition, you can configure a GPO policy to set the default printer per user session. For more information refer to this article.
Hope it helps!
Thanks.
Dharmesh Solanki
How to add Windows 2012 R2 RDS to Existing Windows 2008 R2 Terminal Server
I currently have a Windows 2008 R2 Terminal Server running and I am looking to add a Windows Server 2012 R2 server to it. All I see when I google the setup is only for Windows Server 2012 R2 RDS; I can't find anything on integrating with a current 2008 R2 Terminal Server.
Can anyone help with this or point me to a blog I possibly missed?
Thanks.
Hi,
Thanks for your comment.
Yeah, I agree with diramoh, as already commented. If you want user sessions on RDS Server 2012 R2 then you need to install the RDS Licensing role on Server 2012 R2, purchase and install RDS CALs (per user or per device) according to your requirements, and then you can use user sessions for Server 2012 R2 and also for lower versions.
But as you already have Server 2008 R2 RDS CALs, with those you can simply access lower versions but can’t manage Server 2012/R2.
For more information, you can refer to the following document.
Licensing Windows Server 2012 R2 Remote Desktop Services
Hope it helps!
Thanks.
Dharmesh Solanki
2012 r2 rds deployment cannot connect to sql server after reboot
We have an HA connection broker setup with 2 connection brokers and everything was working fine up until the servers were rebooted for updates. Now users cannot connect to their collections and I have an error in the event log that the deployment could not connect to the SQL database.
At this point I assume that the issue is related to security. I am able to query the database as admin from the affected servers, and other services that use other databases in the same SQL instance are not having issues.
I have checked the security group that both CB servers should be in; they are in the group and the group has sysadmin and dbo within SQL.
Any ideas?
Please remember to mark my replies as answers if they help
Hi,
Thank you for posting in Windows Server Forum.
Can you please create the database manually with the command below and verify.
PS C:\> Set-RDConnectionBrokerHighAvailability -DatabaseConnectionString "DRIVER=SQL Server Native Client 11.0;SERVER=<SQL Server Name>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=<DB Name>" -DatabaseFilePath "C:\DbFiles\<DbName>.mdf" -ClientAccessName "<DNS RR Name>"
Grant DBO permissions to the service account on the RDS server and try running your wizard again.
More information.
RD Connection Broker High Availability in Windows Server 2012
http://blogs.msdn.com/b/rds/archive/2012/06/27/rd-connection-broker-high-availability-in-windows-server-2012.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
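The broker's connection string uses Trusted_Connection=Yes, so SQL Server sees the caller's Windows identity, and the RD Connection Broker service runs as Network Service, which reaches a remote SQL Server as the broker's computer account. Querying the database "as admin" therefore tests a different login than the one that failed after the reboot. As an added check (not from the thread), the script below opens the same ODBC connection string and asks SQL Server which login it sees and whether that login is db_owner; it is only meaningful when run as SYSTEM or Network Service on each broker (for example through a scheduled task). sql01.corp.example.com and RDCB are placeholder names.

```powershell
# Added example: test the broker's own ODBC connection string and report the
# login SQL Server actually sees. Run under SYSTEM/Network Service on each
# Connection Broker; run as a human admin it proves nothing about the broker.
# sql01.corp.example.com and RDCB are placeholders for the SQL server and database.
$ConnStr = 'DRIVER=SQL Server Native Client 11.0;SERVER=sql01.corp.example.com;' +
           'Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDCB'

'Running as: {0}' -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$conn = New-Object System.Data.Odbc.OdbcConnection($ConnStr)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # SUSER_SNAME(): the Windows login SQL Server mapped us to (a computer
    # account shows as DOMAIN\CB01$). IS_MEMBER('db_owner'): 1 if this login
    # has dbo rights on the broker database, 0 if not, NULL if no DB user at all.
    $cmd.CommandText = "SELECT SUSER_SNAME() AS Login, DB_NAME() AS Db, IS_MEMBER('db_owner') AS IsDbo"
    $rd = $cmd.ExecuteReader()
    while ($rd.Read()) {
        'Login={0} Db={1} db_owner={2}' -f $rd['Login'], $rd['Db'], $rd['IsDbo']
    }
    $rd.Close()
}
catch [System.Data.Odbc.OdbcException] {
    # SQLSTATE 28000 = login failed (group membership / Kerberos not yet refreshed);
    # 08001 = server unreachable or the Native Client 11.0 driver is not installed.
    'Connection failed, SQLSTATE {0}: {1}' -f $_.Exception.Errors[0].SQLState, $_.Exception.Message
}
finally {
    $conn.Dispose()
}
```

A login failure here for the computer account, while the same string works for an interactive admin, points at the SQL login or group mapping for the brokers' computer accounts rather than at the database itself.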