RDS 2012 Deployment guide
Hi,
I'm looking for a RDS 2012 Deployment Guide or best practices document but not finding it. Basically I'm looking for the equivalent of the document below but for Server 2012 R2 instead of 2008 R2
<won't let me add link to body yet>
We are planning a new RDS implementation and want to make sure we get the environment and resources right from the beginning. Initially I'm mainly curious about the recommendations on how many servers are needed and which roles can be combined
on single servers and which need to be broken out onto their own boxes. For example is it best to have the RD Gateway and the RD Web Access roles on their own individual servers or should/can they be combined on to one box in the DMZ?
If separate; can one of them also double as the connection broker? That sort of thing.
Any help is appreciated. Thanks
Hi Col,
Have a look at the following articles:
http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/
I would recommend that you look at splitting the roles on a large environment or use a layer 7 load balancer so you can scale up the number of Gateway/RDweb servers if your connections grow.
I would advise against configuring the connection broker on a server which has a connection to the public interface (web and remote access via gateway). I would advise against exceeding 400 connections per RD Gateway server.
a example configuration:
Server 1 : connection broker and Licensing role
Server 2 : Session host
Server 3 : RDWeb and RD Gateway.
This may help you with regards to capacity planning:
http://ryanmangansitblog.com/2014/06/24/capacity-planning-for-a-rds-2012-pooled-2000-seat-vdi-collection/
Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer
Similar Messages
-
RDS 2012 Architecture Documentation
I am looking for some guidance or documentation about designing a RDS 2012 environment both session hosted and virtual desktops.
Some actual questions I have around RDS 2012 are:
- Can RD Connection brokers shared over more than 1 datacenter with one collection of Session hosts? What connection is required between the datacenters?
- Can RD Gateway shared over more than 1 datacenter with one of more collections? What connection is required between the datacenters?
- Can we have 1 RD Gateway for more than 1 RDS Session host deployment in te same domain (not collections but complete seperated RDS environments)
- Can we have 1 RD Web Access for more than 1 RDS Session host deployment in the same domain (not collections but complete seperated RDS environments)
The only documentation I have found is the IPD of RDS 2008 R2, however there are a lot of changes in RDS 2012. Technet also doesn't have the RDS 2012 documentation online.
Thnx,Hi have a look at the following site:
RDS 2012 Deployment Guides and Info
Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer -
Users see all applications in RDS 2012 Web access in one-way trust domain environment
Hello!
We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
In the security log of wa.domainA.local we can find an event :
An account failed to log on.
Subject:
Security ID: IIS APPPOOL\RDWebAccess
Account Name: RDWebAccess
Account Domain: IIS APPPOOL
Logon ID: 0x2C7B16
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: An error occurred during logon
Status: 0xC000005E
Sub Status: 0x0
Also in network trace on wa.domainA.local kerberos error could be found:
On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
How to deal with this issue? The aim is to show only specified applications to domainB users.
Any help would be appreciated.Hi,
Thank you for your posting in Windows Server Forum.
Please check below links might useful for your case.
“After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
this article)
1. Remote APP list empty
2. RD
Web Access unable to access Source (RD Server)
In respect to Kerberos Error, refer this link for troubleshooting.
1. Troubleshooting Kerberos Authentication problems – Name resolution issues
2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
Hope it helps!
Thanks,
Dharmesh -
RDS 2012 Deplyment RDG crashing
Hi All,
I hope someone out there can help us. We have a RDS 2012 deployment with the following configuration (.N.B. all servers are VMs on vSphere 5.5 Enterprise and brand new Dell servers and we have zero network issues as these have been fully checked several
times)
2 x RD Connection Brokers (2012 R2)
2 RD Licence Servers (2012 R2)
1 x RD Web Access (2012 R2)
1 x RD Gateway server (2012 R2)
2 x Session collections, one with 10 Session Hosts and one with 4 session hosts (all session hosts are 2012, not R2)
We are experiencing a very very strange situation where the RDG simply stops procession connections randomly. there are absolutely no errors, warnings or critical events logged in ANY of the event logs (and we have trawled through every single one of them!(and
the service does not stop or crash in the traditional sense. we also cannot launch the gateway manager console when this happens. if we restart the service then all is fine and users can reconnect. we have even replaced the gateway with a brand new box and
the issue still prevails. All clients that connect through the RDG are a minimum on Windows 7 and have at least RDP 8.0 installed
Has anyone else seen this? it is becoming a real issue for us and people are losing faith, as they doHi Richard,
Thank you for posting in Windows Server Forum.
Have you installed any anti-virus software? Please try to disable the antivirus software to see if same issue exists. Also you can check with Performance monitor and see whether you can find anything useful part for further troubleshooting. In addition, please
check the server & PC’s NIC and other driver (If facing issue with remote connection), whether it’s compatible and updated to latest version.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
RDS 2012 Connection Broker and Web Access in different domains
Hello!
I'm trying to add Web Access (WA) server to RDS 2012 Deployment. WA server and other servers in Deployment are in different domains (in different forests with 2-way forest trust).
WA server was added to Deployment
successfully without any warnings.
We have many applications published but in this new WA server there are no application icons in Rdweb page at all.
There is nothing interesting in logs on WA server as well as on Connection broker servers.
Is this design
acceptable? Which additional actions are needed to make application icons visible?Hi,
Please refer below links and cross verify the Web Acess server settings.
http://blog.kristinlgriffin.com/2010/03/rd-web-access-is-emply.html
http://social.technet.microsoft.com/wiki/contents/articles/5974.the-case-of-invisible-remoteapp-programs-a-k-a-no-remoteapp-programs-listed-on-rd-web-access-site.aspx
Regards,
Manjunath Sullad -
Best practice for RDGW placement in RDS 2012 R2 deployment
Hi,
I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
Farm works great for LAN and VPN users.
Now i want to add two domain joined RDGW servers.
The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
Should i:
- set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
- place RDGW in the DMZ, opening all those required ports into the LAN
- place the RDGW in the LAN, then port forward port 443 into it from internet
Any help is greatly appreciated.
This posting is provided "AS IS" with no warranties or guarantees and confers no rightsHi,
The deployment is totally depends on your & company requirements as many things to taken care such as Hardware, Network, Security and other related stuff. Personally to setup RD Gateway server I would not prefer you to select 1st option. But as per my research,
for best result you can use option 2 (To place RDG server in DMZ and then allowed the required ports). Because by doing so outside network can’t directly connect to your internal server and it’s difficult to break the network by any attackers. A perimeter
network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway,
RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer
beneath article for more information.
RD Gateway deployment in a perimeter network & Firewall rules
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Deployment Guide - Branchcache 2012 with Windows 7 clients
Is there a deployment guide for branchcache using Server 2012 and Windows 7 clients? I can find 2 guides, 1 for Branchcache 2008 with Windows 7 and 1 for 2012 with Windows 8. Wondering if I should just follow the 2012 guide for configuring branchcache servers
and 2008 guide for configuring Windows 7 clients including PKI?
ThanksHi,
Thanks for your post.
Windows Server 2012 is compatible with Windows 7.
But BranchCache in Windows Server 2012 and Windows 8 provides substantial performance, manageability, scalability, and availability improvements. And there are some group policy only applied to client computers that are running Windows 8 not Windows 7.
So i would suggest you may choose client computers that running Windows 8.
More detail information, please refer to:
http://technet.microsoft.com/en-us/library/jj127252.aspx
Regards.
Vivian Wang -
Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
This new guide is available on the Web at
http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at
http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy, however those role services will not be discussed
in this article.)
The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network
traffic routing between virtual and physical networks, including the Internet.
You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of
available VLAN IDs.
If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant
Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at
http://www.microsoft.com/download/details.aspx?id=39284
With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access
and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways
with BGP.
Thanks -
James McIlleceHi,
It is very useful , thanks for your sharing .
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
The Windows Server 2012 R2 and Windows Server 2012 BranchCache Deployment Guide is now available for download in Word format in the TechNet Gallery at
http://bit.ly/1pYZT3F
Thanks -
James McIllecehello again,
meanwhile I was lucky to find this article about Idenity Mapping in TechNet in the Storage Team Blog:
http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
Likely to be overseen at the end of one paragraph it says:
"Client for NFS does not support NFS V4.1 in Windows 8 or Windows Server 2012"
Question : Is this an official statement and is it still valid with most recent
Windows Server 2012 R2 that NFS client does NOT support NFSv4.x ??
thanks - Rainer -
RDS gateway deployment options with no DMZ
Hello
I have setup an RDS server that is running nicely and I now need to deploy it externally. I have read through the deployment guides which state that you should deploy the gateway in a DMZ. My problem is that I do not have a DMZ and my firewall does not have
a DMZ port or an option to assign different IPs to different internal interfaces. What would be the best deployment option if no DMZ is available?Hi,
Thank you for posting in Windows Server Forum.
Agree with “Guna” comment, you can setup RD Gateway for accessing the server externally. For that you can refer following link to setup RD Gateway.
1. How To Work with RD Gateway in Windows Server 2012
2. Deploying Remote Desktop Gateway RDS 2012
Hope it helps!
Thanks.
Dharmesh Solanki -
RDS 2012 App-V 5 SP2, Applications are not pinned in the Metro Start Menu
Hey All,
I've been building a new App-V 5 Environment using server 2012 R2 for the App-V management\Publishing\Reporting servers.
I've installed app-v 5 SP2 on the RDS 2012 R2 servers and installed the App-V 5.1 SP1 Hotfix (KB2897087) for the 2012 R2 support.
I have run into the following issue; When triggering a app-v publishing sync the applications are only added in the classic start menu. The applications aren't pinned in the Metro Start menu like our App-V sp1 RDS 2012 clients.
I have checked the App-V client eventlogs (including the debug logs) and I haven't been able to find any errors that point out the cause of my issue.
Has anyone experienced the same issue or has anyone got any tips to get the app-v 5 sp2 client on RDS 2012 R2 to pin the sequences to the Metro Start Menu?
Thanks.This is the default behaviour of Windows 8.1 and Windows Server 2012 R2 - there are no programmatic ways to pin shortcuts to the Start screen.
Here's a way to customise the Start screen layout: http://stealthpuppy.com/customizing-the-windows-8-1-start-screen-dont-follow-microsofts-guidance/
Here's how to go it with Group Policy: http://www.grouppolicy.biz/2013/06/customising-windows-8-1-start-screen-layout-with-group-policy/
Note that neither approach will help you pin shortcuts to the Start screen for users that have already logged on, without overwriting their existing preferences.
Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually
answer your question). This can be beneficial to other community members reading the thread.
This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
Twitter:
@stealthpuppy | Blog:
stealthpuppy.com |
The Definitive Guide to Delivering Microsoft Office with App-V -
Hi all,
This is my setup :
RDS 2012 R2
Two connection brokers setup in HA: FQDN = RDCB.Internaldomain.com
Two Web Access servers for internal user setup with DSN Round Robin so I can have a basic HA: FQDN = InternalWA.internaldomain.com
Two Gateway servers in HA: FQDN:
RemoteGW.InternalDomain.com
Both Gateway server have RD Web Access installed and using DNS Round Robin to have a basic HA): FQDN
RemoteWA.ExternalDomain.com
My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying
one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker –Single Signon, RD Connection Broker -
Publishing, RD Web Access and RD Gateway).
Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
Best regards,
Jesmat.Hello,
In your FQDN did you forget to add a "." as : RDCB.Internaldomain.com
and RemoteWA.ExternalDomain.com
are 2 different domain names
The SAN option i thiink will not be liable here . Except if you use self signed for your internal connection ans
the san for the external one.
refer to :http://en.wikipedia.org/wiki/Wildcard_certificate
But i cannot confirm that the san certificate will be allowed on the gateways.
Hope it helps
Fred -
Hi,
I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or
Direct Access (DA) users will use the Web Access servers to connect internally in the corp. LAN.
For now, i have the following setup. Web Access role on 2 servers with DNS RR (RDWA). 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licesning server. So a total of 7 servers (+ 2 GRGW servers in DMZ that are not set up
yet).
So, the issue is; I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. Ok, but what do i ask for? I need 3
DER encoded binary X.509
certs. That's the info i have. How can create a cert. request? See pictures below.
This posting is provided "AS IS" with no warranties or guarantees and confers no rightsHi,
Thank you for your posting in Windows Server Forum.
Can you exactly let us know which certificate you want for your network (Self-signed or SSL)?
As per my suggestion you can use wildcard or SAN certificate for your network which can be used for external network also.
If you want Self-signed certificate for internal use, you can create the certificate from Deployment properties of RDS page or IIS Manager as per below path.
IIS Manager>Server Certificate>Create Self-Signed Certificate>Export the certificate on specified location then select the certificate in RDS installation process.
But see that, the certificate is installed into computer’s “Personal” certificate store with its corresponding private key & it’s added under trusted root certificate authority.
Please check below articles for detail.
1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
2. Configuring RDS 2012 Certificates and SSO
3. Minimum Certificate Requirements for Typical RDS implementation
Hope it helps!
Thanks.
Dharmesh Solanki -
2 Separate RDS 2012 R2 Deployments in Same Domain ?
We have a current RDS 2012 R2 deployment. We are changing hosting vendors and want to completely redo the entire deployment (rather than try to migrated the VMs). What is the best way to go about this?
We do want to continue to use the GPO and user files will be migrated. How can we have the prod and dev RDS environments coexisting on the same domain?
Just to clarify, we do not want to use any of the existing infrastructure because it is all going to go away. Thank you!Hi,
Thank you for posting in Windows Server Forum.
I thinks that good way to start for new environment without any mixing up. Yes, everything can be setup under same domain. For common domain environment,
You can buy one single wildcard certificate with domain name which can be used for all roles. As in domain joined environment, we can use to have them both RDS server use the same RD Gateway. For this we need to enter the same FQDN of working RDG into the Deployment
properties of the second deployment.
There are several other points which need to check, you can refer following article for depth understanding and configuration.
1.Step by Step Windows 2012 R2 Remote Desktop Services – Part 2
2. How To Work with RD Gateway in Windows Server 2012
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
RDS 2012 R2 cannot add 3rd party (parent domain) licensing server
Hi,
I have a RDS 2012 R2 farm and i cannot add a 3rd party licensing server that is in a parent domain (forest root domain - hosted by our corp HQ). I will edit deployment properties for the deployment in the first CB server to add a licensing server in per
user mode. Seemes to work, however no licenses are given to SH servers. Have made GPO aswell to explicitly specify licensing server and mode, however i think this should not be neccessary.
Any ideas?
This posting is provided "AS IS" with no warranties or guarantees and confers no rightsHi,
Thank you for posting in Windows Server Forum.
1. In Server Manager -- RDS -- Overview -- Tasks -- Edit Deployment Properties -- RD Licensing tab, please make sure that the Licensing mode is set to match the type of licenses you purchased, and that the FQDN of your RD Licensing server is listed.
2. In Server Manager -- RDS -- Collections -- <your collection> -- Host Servers, please make sure that your RDSH server is listed. If you have more than one server with the RDSH Role Service in your deployment make sure that all of them are
listed. If they are not you may click Tasks -- Add RD Session Host Servers (make sure the servers are part of the Server Manager server pool prior to this).
3. On Server 1, please open an Administrator PowerShell prompt and enter the following command:
Add-WindowsFeature RDS-Licensing-UI
4. After the above powershell command completes you should be able to open RD Licensing Manager (licmgr.exe) on Server 1 if you need to. Please note that it is more important to have the licensing configured properly in deployment properties and your
RDSH servers part of a collection than it is to be able to open RD Licensing Manager on both of your servers.
(Above one quoted from beneath thread)
Source:
RDS 2012 Can't add a licensing server
In addition, check below article.
RD Licensing Configuration on Windows Server 2012
Hope it helps!
Thanks.
Dharmesh Solanki
Maybe you are looking for
-
Upgraded from 1st gen to 3G iPhone
i went to the apple store and bought a 3G iPhone last week. it took the place of my 1st generation iPhone. it works just swell. but my first generation iPhone still connects to my iTunes and i can add movies i've rented from the iTMS. i can do everyt
-
Http server cannot start after running the following JSP
Hi, I have 9iAS 1.0.2.2 and it has been working fine. My http server was running fine until I ran the following Jsp. Now I cannot start the Http server at all. I check the Oracle home and the path and make sure they match (i.e. if my Oracle Home is i
-
Hi Everyone, I'm running Windows Vista on a Dell Dimension 8300 with a SoundBlaster Audigy 2(WDM) card. I have a few no-mind questions about how these things all work together: . After I installed Creative's Vista driver upgrade for the SB Audigy 2 s
-
CO46 report not displaying all sales orders
Dear all We are not able to get details of all sales orders in CO46..(All item categories and different sales order types).Screen remains blank while executing..It doesn't show line items-Overview screen.. can u please tell us the reason for the same
-
SRM Classic Scenario & Invoicing Service Purchase Orders through SUS
Hi everyone, I hope I am able to provide enough information to ask this question. We are running SRM Classic Scenario in addition to SUS. We would like to be able to have our Vendors login to SUS and Invoice us. However, we are being told that in