RDS 2012 Deployment guide

Hi,
I'm looking for an RDS 2012 Deployment Guide or best practices document but not finding it. Basically I'm looking for the equivalent of the document below but for Server 2012 R2 instead of 2008 R2.
<won't let me add link to body yet>
We are planning a new RDS implementation and want to make sure we get the environment and resources right from the beginning. Initially I'm mainly curious about the recommendations on how many servers are needed and which roles can be combined on single servers and which need to be broken out onto their own boxes. For example, is it best to have the RD Gateway and the RD Web Access roles on their own individual servers or should/can they be combined on to one box in the DMZ? If separate, can one of them also double as the connection broker? That sort of thing.
Any help is appreciated.  Thanks

Hi Col,
Have a look at the following articles:
http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/ 
I would recommend that you look at splitting the roles on a large environment or use a layer 7 load balancer so you can scale up the number of Gateway/RDweb servers if your connections grow.
I would advise against configuring the connection broker on a server which has a connection to the public interface (web and remote access via gateway). I would advise against exceeding 400 connections per RD Gateway server.
An example configuration:
Server 1 : connection broker and Licensing role
Server 2 : Session host
Server 3 : RDWeb and RD Gateway.
This may help you with regards to capacity planning:
http://ryanmangansitblog.com/2014/06/24/capacity-planning-for-a-rds-2012-pooled-2000-seat-vdi-collection/
Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer
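
The placement advice in the reply above (keep the Connection Broker off any server that faces the public interface, and stay at or below 400 connections per RD Gateway) can be checked mechanically. The following is an added example, not part of the original thread or of any Microsoft tooling: the function name Test-RdsRolePlacement, the server names and the connection counts are constructed for illustration, and the input objects are assumed to have the Server/Roles shape that Get-RDServer from the RemoteDesktop module returns.

```powershell
# Added example: audit RDS role placement against the advice in the reply above.
# Test-RdsRolePlacement is a hypothetical helper name, not a built-in cmdlet.
function Test-RdsRolePlacement {
    [CmdletBinding()]
    param(
        # Objects with .Server (string) and .Roles (string[]), the shape
        # that Get-RDServer returns for a deployment.
        [Parameter(Mandatory = $true)]
        [object[]] $RoleAssignment,

        # Assumed input: gateway server name -> current connection count,
        # gathered by whatever monitoring is already in place.
        [hashtable] $GatewayConnections = @{},

        # Ceiling quoted in the reply: 400 connections per RD Gateway server.
        [int] $MaxGatewayConnections = 400
    )

    # Roles that terminate connections from outside the LAN.
    $publicRoles = @('RDS-GATEWAY', 'RDS-WEB-ACCESS')

    foreach ($entry in $RoleAssignment) {
        $roles   = @($entry.Roles)
        $exposed = @($roles | Where-Object { $publicRoles -contains $_ })

        # Finding 1: Connection Broker co-located with a public-facing role.
        if (($roles -contains 'RDS-CONNECTION-BROKER') -and ($exposed.Count -gt 0)) {
            [pscustomobject]@{
                Server = $entry.Server
                Issue  = 'BrokerOnPublicFacingServer'
                Detail = "Connection Broker shares a host with: $($exposed -join ', ')"
            }
        }

        # Finding 2: a gateway carrying more connections than the ceiling.
        if (($roles -contains 'RDS-GATEWAY') -and $GatewayConnections.ContainsKey($entry.Server)) {
            $count = [int] $GatewayConnections[$entry.Server]
            if ($count -gt $MaxGatewayConnections) {
                [pscustomobject]@{
                    Server = $entry.Server
                    Issue  = 'GatewayOverConnectionCeiling'
                    Detail = "$count connections, ceiling is $MaxGatewayConnections"
                }
            }
        }
    }
}

# Constructed sample data. The first three entries follow the three-server
# layout from the reply; the fourth is a deliberately bad all-in-one box.
$sample = @(
    [pscustomobject]@{ Server = 'rdcb01.example.test'; Roles = @('RDS-CONNECTION-BROKER', 'RDS-LICENSING') }
    [pscustomobject]@{ Server = 'rdsh01.example.test'; Roles = @('RDS-RD-SERVER') }
    [pscustomobject]@{ Server = 'rdgw01.example.test'; Roles = @('RDS-WEB-ACCESS', 'RDS-GATEWAY') }
    [pscustomobject]@{ Server = 'rdall.example.test';  Roles = @('RDS-CONNECTION-BROKER', 'RDS-WEB-ACCESS', 'RDS-GATEWAY') }
)

# Constructed connection counts for the two gateway hosts.
$connections = @{ 'rdgw01.example.test' = 455; 'rdall.example.test' = 120 }

Test-RdsRolePlacement -RoleAssignment $sample -GatewayConnections $connections |
    Format-Table -AutoSize
```

On a live deployment the constructed $sample array would be replaced by the output of Get-RDServer run against the deployment's Connection Broker.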

Similar Messages

  • RDS 2012 Architecture Documentation

    I am looking for some guidance or documentation about designing a RDS 2012 environment both session hosted and virtual desktops.
    Some actual questions I have around RDS 2012 are:
    - Can RD Connection brokers be shared over more than 1 datacenter with one collection of Session hosts? What connection is required between the datacenters?
    - Can RD Gateway be shared over more than 1 datacenter with one or more collections? What connection is required between the datacenters?
    - Can we have 1 RD Gateway for more than 1 RDS Session host deployment in the same domain (not collections but completely separated RDS environments)?
    - Can we have 1 RD Web Access for more than 1 RDS Session host deployment in the same domain (not collections but completely separated RDS environments)?
    The only documentation I have found is the IPD of RDS 2008 R2, however there are a lot of changes in RDS 2012. Technet also doesn't have the RDS 2012 documentation online.
    Thnx,

    Hi have a look at the following site:
    RDS 2012 Deployment Guides and Info
    Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

  • Users see all applications in RDS 2012 Web access in one-way trust domain environment

    Hello!
    We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
    A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
    In the security log of wa.domainA.local we can find an event :
    An account failed to log on.
    Subject:
    Security ID:                IIS APPPOOL\RDWebAccess
    Account Name:                RDWebAccess
    Account Domain:                IIS APPPOOL
    Logon ID:                0x2C7B16
    Logon Type:                        3
    Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:                
    Account Domain:                
    Failure Information:
    Failure Reason:                An error occurred during logon
    Status:                        0xC000005E
    Sub Status:                0x0
    Also in network trace on wa.domainA.local kerberos error could be found:
    On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
    How to deal with this issue? The aim is to show only specified applications to domainB users.
    Any help would be appreciated.

    Hi,
    Thank you for your posting in Windows Server Forum.
    Please check below links might useful for your case.
    “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from this article)
    1. Remote APP list empty
    2. RD Web Access unable to access Source (RD Server)
    In respect to Kerberos Error, refer this link for troubleshooting.
    1. Troubleshooting Kerberos Authentication problems – Name resolution issues
    2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
    Hope it helps! 
    Thanks,
    Dharmesh

  • RDS 2012 Deployment RDG crashing

    Hi All,
    I hope someone out there can help us. We have a RDS 2012 deployment with the following configuration (N.B. all servers are VMs on vSphere 5.5 Enterprise and brand new Dell servers and we have zero network issues as these have been fully checked several times)
    2 x RD Connection Brokers (2012 R2)
    2 RD Licence Servers (2012 R2)
    1 x RD Web Access (2012 R2)
    1 x RD Gateway server (2012 R2)
    2 x Session collections, one with 10 Session Hosts and one with 4 session hosts (all session hosts are 2012, not R2)
    We are experiencing a very very strange situation where the RDG simply stops processing connections randomly. There are absolutely no errors, warnings or critical events logged in ANY of the event logs (and we have trawled through every single one of them!) and the service does not stop or crash in the traditional sense. We also cannot launch the gateway manager console when this happens. If we restart the service then all is fine and users can reconnect. We have even replaced the gateway with a brand new box and the issue still prevails. All clients that connect through the RDG are a minimum of Windows 7 and have at least RDP 8.0 installed.
    Has anyone else seen this? It is becoming a real issue for us and people are losing faith, as they do.

    Hi Richard,
    Thank you for posting in Windows Server Forum.
    Have you installed any anti-virus software? Please try to disable the antivirus software to see if same issue exists. Also you can check with Performance monitor and see whether you can find anything useful part for further troubleshooting. In addition, please check the server & PC’s NIC and other driver (If facing issue with remote connection), whether it’s compatible and updated to latest version.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • RDS 2012 Connection Broker and Web Access in different domains

    Hello!
    I'm trying to add Web Access (WA) server to RDS 2012 Deployment. WA server and other servers in Deployment are in different domains (in different forests with 2-way forest trust).
    WA server was added to Deployment successfully without any warnings.
    We have many applications published but in this new WA server there are no application icons in Rdweb page at all.
    There is nothing interesting in logs on WA server as well as on Connection broker servers.
    Is this design acceptable? Which additional actions are needed to make application icons visible?

    Hi,
    Please refer to the links below and cross-verify the Web Access server settings.
    http://blog.kristinlgriffin.com/2010/03/rd-web-access-is-emply.html
    http://social.technet.microsoft.com/wiki/contents/articles/5974.the-case-of-invisible-remoteapp-programs-a-k-a-no-remoteapp-programs-listed-on-rd-web-access-site.aspx
    Regards,
    Manjunath Sullad

  • Best practice for RDGW placement in RDS 2012 R2 deployment

    Hi,
    I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
    Farm works great for LAN and VPN users.
    Now I want to add two domain joined RDGW servers.
    The question is; I've read a lot on TechNet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
    Should I:
    - set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
    - place RDGW in the DMZ, opening all those required ports into the LAN
    - place the RDGW in the LAN, then port forward port 443 into it from internet
    Any help is greatly appreciated.
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    The deployment totally depends on your and your company's requirements, as many things have to be taken care of, such as hardware, network, security and other related stuff. Personally, to set up the RD Gateway server I would not prefer you to select the 1st option. But as per my research, for best results you can use option 2 (place the RDG server in the DMZ and then allow the required ports). Because by doing so the outside network can’t directly connect to your internal server and it’s difficult for any attackers to break the network. A perimeter network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway, RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer to the article beneath for more information.
    RD Gateway deployment in a perimeter network & Firewall rules
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Deployment Guide - Branchcache 2012 with Windows 7 clients

    Is there a deployment guide for branchcache using Server 2012 and Windows 7 clients? I can find 2 guides, 1 for Branchcache 2008 with Windows 7 and 1 for 2012 with Windows 8. Wondering if I should just follow the 2012 guide for configuring branchcache servers
    and 2008 guide for configuring Windows 7 clients including PKI?
    Thanks

    Hi,
    Thanks for your post.
    Windows Server 2012 is compatible with Windows 7.
    But BranchCache in Windows Server 2012 and Windows 8 provides substantial performance, manageability, scalability, and availability improvements. And there are some group policy only applied to client computers that are running Windows 8 not Windows 7.
    So I would suggest you choose client computers that are running Windows 8.
    More detail information, please refer to:
    http://technet.microsoft.com/en-us/library/jj127252.aspx
    Regards.
    Vivian Wang

  • Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide

    New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
    This new guide is available on the Web at
    http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at
    http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
    If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
    You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy, however those role services will not be discussed in this article.)
    The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet.
    You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of available VLAN IDs.
    If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
    For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at
    http://www.microsoft.com/download/details.aspx?id=39284
    With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways with BGP.
    Thanks -
    James McIllece

    Hi,
    It is very useful, thanks for sharing.
    Best Regards
    Elton Ji

  • Just FYI, Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide in Word format in the TechNet Gallery

    The Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide is now available for download in Word format in the TechNet Gallery at
    http://bit.ly/1pYZT3F
    Thanks -
    James McIllece

    hello again,
    meanwhile I was lucky to find this article about Identity Mapping in TechNet in the Storage Team Blog:
    http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
    Likely to be overseen at the end of one paragraph it says:
    "Client for NFS does not support NFS V4.1 in Windows 8 or Windows Server 2012"
    Question: Is this an official statement and is it still valid with most recent Windows Server 2012 R2 that NFS client does NOT support NFSv4.x?
    thanks - Rainer

  • RDS gateway deployment options with no DMZ

    Hello
    I have setup an RDS server that is running nicely and I now need to deploy it externally. I have read through the deployment guides which state that you should deploy the gateway in a DMZ. My problem is that I do not have a DMZ and my firewall does not have
    a DMZ port or an option to assign different IPs to different internal interfaces. What would be the best deployment option if no DMZ is available?

    Hi,
    Thank you for posting in Windows Server Forum.
    Agree with “Guna” comment, you can setup RD Gateway for accessing the server externally. For that you can refer following link to setup RD Gateway.
    1. How To Work with RD Gateway in Windows Server 2012
    2. Deploying Remote Desktop Gateway RDS 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • RDS 2012 App-V 5 SP2, Applications are not pinned in the Metro Start Menu

    Hey All,
    I've been building a new App-V 5 Environment using server 2012 R2 for the App-V management\Publishing\Reporting servers.
    I've installed app-v 5 SP2 on the RDS 2012 R2 servers and installed the App-V 5.1 SP1 Hotfix (KB2897087) for the 2012 R2 support.
    I have run into the following issue: when triggering an App-V publishing sync the applications are only added in the classic start menu. The applications aren't pinned in the Metro Start menu like our App-V SP1 RDS 2012 clients.
    I have checked the App-V client eventlogs (including the debug logs) and I haven't been able to find any errors that point out the cause of my issue.
    Has anyone experienced the same issue or has anyone got any tips to get the app-v 5 sp2 client on RDS 2012 R2 to pin the sequences to the Metro Start Menu?
    Thanks.

    This is the default behaviour of Windows 8.1 and Windows Server 2012 R2 - there are no programmatic ways to pin shortcuts to the Start screen.
    Here's a way to customise the Start screen layout: http://stealthpuppy.com/customizing-the-windows-8-1-start-screen-dont-follow-microsofts-guidance/
    Here's how to do it with Group Policy: http://www.grouppolicy.biz/2013/06/customising-windows-8-1-start-screen-layout-with-group-policy/
    Note that neither approach will help you pin shortcuts to the Start screen for users that have already logged on, without overwriting their existing preferences.
    This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
    Twitter: @stealthpuppy | Blog: stealthpuppy.com | The Definitive Guide to Delivering Microsoft Office with App-V

  • RDS 2012 - Certificates

    Hi all,
    This is my setup :
    RDS 2012 R2
    Two connection brokers setup in HA:  FQDN = RDCB.Internaldomain.com
    Two Web Access servers for internal user setup with DNS Round Robin so I can have a basic HA: FQDN = InternalWA.internaldomain.com
    Two Gateway servers in HA: FQDN: RemoteGW.InternalDomain.com
    Both Gateway servers have RD Web Access installed and use DNS Round Robin (to have a basic HA): FQDN RemoteWA.ExternalDomain.com
    My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker – Single Signon, RD Connection Broker - Publishing, RD Web Access and RD Gateway).
    Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
    Best regards,
    Jesmat.

    Hello,
    In your FQDN did you forget to add a "." as: RDCB.Internaldomain.com and RemoteWA.ExternalDomain.com are 2 different domain names
    The SAN option I think will not be liable here. Except if you use self signed for your internal connection and the SAN for the external one.
    Refer to: http://en.wikipedia.org/wiki/Wildcard_certificate
    But I cannot confirm that the SAN certificate will be allowed on the gateways.
    Hope it helps 
    Fred

  • Certificate setup RDS 2012 R2

    Hi,
    I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or
    Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
    For now, I have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licensing server. So a total of 7 servers (+ 2 RDGW servers in DMZ that are not set up yet).
    So, the issue is; I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. Ok, but what do I ask for? I need 3 DER encoded binary X.509 certs. That's the info I have. How can I create a cert. request? See pictures below.
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for your posting in Windows Server Forum.
    Can you exactly let us know which certificate you want for your network (Self-signed or SSL)?
    As per my suggestion you can use wildcard or SAN certificate for your network which can be used for external network also. 
    If you want Self-signed certificate for internal use, you can create the certificate from Deployment properties of RDS page or IIS Manager as per below path.
    IIS Manager>Server Certificate>Create Self-Signed Certificate>Export the certificate on specified location then select the certificate in RDS installation process.
    But see that, the certificate is installed into computer’s “Personal” certificate store with its corresponding private key & it’s added under trusted root certificate authority.
    Please check below articles for detail.
    1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    2. Configuring RDS 2012 Certificates and SSO
    3. Minimum Certificate Requirements for Typical RDS implementation
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • 2 Separate RDS 2012 R2 Deployments in Same Domain ?

    We have a current RDS 2012 R2 deployment. We are changing hosting vendors and want to completely redo the entire deployment (rather than try to migrate the VMs). What is the best way to go about this?
    We do want to continue to use the GPO and user files will be migrated. How can we have the prod and dev RDS environments coexisting on the same domain? 
    Just to clarify, we do not want to use any of the existing infrastructure because it is all going to go away. Thank you!

    Hi,
    Thank you for posting in Windows Server Forum.
    I think that is a good way to start for a new environment without any mixing up. Yes, everything can be set up under the same domain. For a common domain environment, you can buy one single wildcard certificate with the domain name which can be used for all roles. As in a domain joined environment, we can have both RDS servers use the same RD Gateway. For this we need to enter the same FQDN of the working RDG into the Deployment properties of the second deployment.
    There are several other points which need to be checked; you can refer to the following articles for in-depth understanding and configuration.
    1. Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
    2. How To Work with RD Gateway in Windows Server 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • RDS 2012 R2 cannot add 3rd party (parent domain) licensing server

    Hi,
    I have a RDS 2012 R2 farm and I cannot add a 3rd party licensing server that is in a parent domain (forest root domain - hosted by our corp HQ). I will edit deployment properties for the deployment in the first CB server to add a licensing server in per user mode. Seems to work, however no licenses are given to SH servers. Have made a GPO as well to explicitly specify licensing server and mode, however I think this should not be necessary.
    Any ideas?
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for posting in Windows Server Forum.
    1. In Server Manager -- RDS -- Overview -- Tasks -- Edit Deployment Properties -- RD Licensing tab, please make sure that the Licensing mode is set to match the type of licenses you purchased, and that the FQDN of your RD Licensing server is listed.
    2. In Server Manager -- RDS -- Collections -- <your collection> -- Host Servers, please make sure that your RDSH server is listed.  If you have more than one server with the RDSH Role Service in your deployment make sure that all of them are listed.  If they are not you may click Tasks -- Add RD Session Host Servers (make sure the servers are part of the Server Manager server pool prior to this).
    3. On Server 1, please open an Administrator PowerShell prompt and enter the following command:
    Add-WindowsFeature RDS-Licensing-UI
    4. After the above powershell command completes you should be able to open RD Licensing Manager (licmgr.exe) on Server 1 if you need to.  Please note that it is more important to have the licensing configured properly in deployment properties and your RDSH servers part of a collection than it is to be able to open RD Licensing Manager on both of your servers.
    (Above one quoted from beneath thread)
    Source:
    RDS 2012 Can't add a licensing server
    In addition, check below article.
    RD Licensing Configuration on Windows Server 2012
    Hope it helps!
    Thanks.
    Dharmesh Solanki
