RDS 2012 Two RD SH collections : duplicate applications

Similar Messages

• RDS 2012 R2 Separate Session Collection Behavior

  Hi everyone!  I should start by saying that I've found a number of threads which are semi-related to this topic, but they just don't seem to address my particular complaint.  I'm not sure if this is a bug, a configuration error on my part, or if
  it is expected behavior (which would be unfortunate for my intended use cases).
  The issue is that I need to provide two separate collections of RemoteApps, and I only want the collection appropriate to the logged-in user to be displayed in Web Access (or in the feed, for that matter).  One collection includes an expansive set of
  RemoteApps, and the other collection includes a limited subset of those published in the first.
  Now, I know that a SH can only belong to one session collection.  That makes sense, and in my case, I wouldn't want it any other way.  It offers better separation between the user environment intended for use by employees, and the user environment
  intended for use by non-employees, which is a bit more restrictive.  (Those are the actual purposes of the two collections described earlier.)  So far, so good.  Now, it seems to me like every other role beside the SH role should be able to
  do its job for all collections.  What other purpose could the concept of a "Collection" possibly serve, after all?  If I had to stand-up Connection Broker, Web Access, Gateway, and Session Host for every collection of RemoteApps, then there
  wouldn't need to exist any concept in RDS 2012 R2 called "Collections".  So, I figured that Connection Broker, Web Access, and Gateway could serve all collections, and Session Host is of course limited to serving one single collection.  And,
  I guess, that's largely the way it works, with one exception.
  My issue is that in Web Access, all RemoteApps from all published RemoteApp collections are presented to every user who has access to one collection OR the other, despite my best intentions of having provisioned each collection with seprate user group assignments
  using two separate AD groups.  I don't want to advertise all RemoteApps from all collections in the Web Access namespace!  To me, the presence of "User Group" configuration at both the Collection level and at the RemoteApp level implies
  that there is some user group filtering going on, but so far that's looking like a false assumption.  Why would the RemoteApp list in one collection bleed into the RemoteApp list in the second collection?  Why would I want the users of one collection
  to see the applications of the other, even when they're not going to be able to launch them anyway?
  Does anyone have anything to add to the equation?  Is there something I'm missing?  Thanks ahead of time.

  This is now resolved.  There is obviously some additional configuration necessary in some relatively odd places when you want your RemoteApp collections to work as advertised.  I hope this thread can help others in that regard.
  The relevant (error) event generated for each "populate list of RemoteApps for Web Access" process (refreshing the web access portal was my test case), when my IIS application pool is provisioned by the new AD account is Event ID 10, Source: RDWebAccess. 
  In the body, it says "[...] unable to access rdcb1.[local]" and suggests that the RD Web Access server needs to be added to the TS Web Access Computers security group on the connection broker.  However, that was obviously already the case.
  Although not 100% correct in its suggested resolution, this error was helpful, because it shows that the break is occurring when Web Access tries to populate RemoteApps, and is shows that the break is occurring en-route to the CB server.  So, I added
  the new service account (for the Web Access application pool identity) to the Administrators group on the server with the CB role, and all is now resolved.  I now have two separate collections, the list of each appearing for the appropriate user scopes,
  but not for both user scopes like before. 
  Obviously, adding an account as an administrator fixes a lot of access related things very easily, but it is probably not the least-privileged way of doing things.  To that end, I'd like to know the least privileged way, but can certainly live with
  this much improved functionality as-is.
  Thanks for all your help, Razwer.

• RDS 2012 two Gateway

  I have RDS 2012 Setup with Two gateways in DNS RR and 2 Session Hosts and all woks fine
  GW1 -  Gateway 1
  GW2 – Gateway 2
  RDSH1 – Session Host 1
  RDSH2 – Session Host 2
  Connection Broker in HA
  I need the Below to be setup
  All Application hosted on RDSH1 should go via GW1 ( Gateway 1 )
  And
  All Application hosted on RDSH2 should go via GW2 ( Gateway 2 )

  Hi,
  Thank you for posting in Windows Server Forum.
  Please read below for clarification.
  When a user connects through the RD Gateway server, the gateway server will initially connect the user to one of the RD connection broker servers in order for the broker to determine what server or desktop the user will be connecting to. When HA is enabled
  for the farm, the gateway server will try to connect the user to the brokers using the DNS Round Robin name when HA was configured for the farm. By default, the DNS name used is not on the gateway’s allowable resource list for users to connect to. So for any
  user trying to connect to the farm through the RD Gateway, their access will be denied. To get around this, we will simply need to add a new resource authorization policy which will users to access resources through the gateway server using the designated
  DNS round robin name.
  We can do add the server\computer name under RD Gateway Managed Group. you can get ore information below.
  Configuring the RD Gateway Server for a 2012 RDS farm with HA enabled for the RD Connection Brokers
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• RDS 2012- connect to session collection trough mstsc.exe on XP SP3

  Hi!! i need to connect to a session collection based on rds 2012 directly trough mstsc.exe on xp sp3 clients... xp don't support remoteapp and desktop connection and my users can't use internet explorer to connect trough rd web Access..
  Thanks!

  Hi,
  What you could do is upgrade Windows XP with the latest Remote Desktop Client available for Windows XP (http://support.microsoft.com/kb/969084)
  Then extract the .RDP file you want from the RDS 2012 environment (or specify the properties manually in a .RDP) file.
  Recently I wrote on article on the distribution of Remote Apps and desktops in Windows Server 2012, that might be useful:
  http://virtualizationadmin.com/articles-tutorials/vdi-articles/general/distribution-of-remote-apps-and-desktops-in-windows-server-2012.html
  Also, more info on the .RDP properties specifically needed for RDS 2012:
  http://microsoftplatform.blogspot.nl/2012/04/rd-connection-broker-ha-and-rdp.html
  Kind regards,
  Freek Berson
  The Microsoft Platform
  Twitter
  Linked-in
  Wortell company website

• Users see all applications in RDS 2012 Web access in one-way trust domain environment

  Hello!
  We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
  A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
  every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
  In the security log of wa.domainA.local we can find an event :
  An account failed to log on.
  Subject:
  Security ID:                IIS APPPOOL\RDWebAccess
  Account Name:                RDWebAccess
  Account Domain:                IIS APPPOOL
  Logon ID:                0x2C7B16
  Logon Type:                        3
  Account For Which Logon Failed:
  Security ID:                NULL SID
  Account Name:                
  Account Domain:                
  Failure Information:
  Failure Reason:                An error occurred during logon
  Status:                        0xC000005E
  Sub Status:                0x0
  Also in network trace on wa.domainA.local kerberos error could be found:
  On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
  How to deal with this issue? The aim is to show only specified applications to domainB users.
  Any help would be appreciated.

  Hi,
  Thank you for your posting in Windows Server Forum.
  Please check below links might useful for your case.
  “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from
  this article)
  1. Remote APP list empty
  2. RD
  Web Access unable to access Source (RD Server)
  In respect to Kerberos Error, refer this link for troubleshooting.
  1. Troubleshooting Kerberos Authentication problems – Name resolution issues
  2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
  Hope it helps! 
  Thanks,
  Dharmesh

• Two RD SH collections – RD CB load balancing 2012 R2

  I have created two RD SH collections, because some applications are only available through  on SH collections.
  How will that  effect RD CB load balancing of RD SH servers  regarding common applications, not specific  one, based on  RemotApp programs.
  I did not deploy any DNS RR for RD SH. But I did deploy NLB for  RD Web and RD CB. 

  Hi,
  Thank you for posting in Windows Server Forum.
  Can you specify some more description regarding your case as actually what you want to perform?
  From your description seems you have installed one application as RemoteApp on both RDSH collections and you want that how they can be differentiated. If misunderstood then please correct. If that’s the case as described then you can assign the specific app
  of particular collection to the user whom you want. There is facility to assign RemoteApp user assignment and by that way the user can access\see the RemoteApp on RD Web access page.
  More information.
  Introducing RemoteApp User Assignment
  http://blogs.msdn.com/b/rds/archive/2009/06/12/introducing-remoteapp-user-assignment.aspx
  In addition you can go through this article for configuring and load balancing session collections.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Installed the RDS 2012 Server License per user CAL (5pcs) after not allow over two users remote desktop connection problem

  I have successfully to installed the RDS 2012 Server R2 per user CAL (5pcs) Open License after is found not allow over two users to remote desktop connection on this Server problem, I try to uninstall the license and then (internet on-line & telephone
  call Microsoft Activate Center get the activate key) to reinstall is still same of the result on below problem.
  Select a user disconnect so that you can sign in.
  There are too many users signed in
  User1 Active
  User2 Active
  () Force disconnect of the user

  Hi,
  In addition you can also refer following article for RDL configuration.
  RD Licensing Configuration on Windows Server 2012
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• RDS 2012 App-V 5 SP2, Applications are not pinned in the Metro Start Menu

  Hey All,
  I've been building a new App-V 5 Environment using server 2012 R2 for the App-V management\Publishing\Reporting servers.
  I've installed app-v 5 SP2 on the RDS 2012 R2 servers and installed the App-V 5.1 SP1 Hotfix (KB2897087) for the 2012 R2 support.
  I have run into the following issue; When triggering a app-v publishing sync the applications are only added in the classic start menu. The applications aren't pinned in the Metro Start menu like our App-V sp1 RDS 2012 clients.
  I have checked the App-V client eventlogs (including the debug logs) and I haven't been able to find any errors that point out the cause of my issue.
  Has anyone experienced the same issue or has anyone got any tips to get the app-v 5 sp2 client on RDS 2012 R2 to pin the sequences to the Metro Start Menu?
  Thanks.

  This is the default behaviour of Windows 8.1 and Windows Server 2012 R2 - there are no programmatic ways to pin shortcuts to the Start screen.
  Here's a way to customise the Start screen layout: http://stealthpuppy.com/customizing-the-windows-8-1-start-screen-dont-follow-microsofts-guidance/
  Here's how to go it with Group Policy: http://www.grouppolicy.biz/2013/06/customising-windows-8-1-start-screen-layout-with-group-policy/
  Note that neither approach will help you pin shortcuts to the Start screen for users that have already logged on, without overwriting their existing preferences.
  Please remember to click "Mark as Answer" or "Vote as Helpful" on the post that answers your question (or click "Unmark as Answer" if a marked post does not actually
  answer your question). This can be beneficial to other community members reading the thread.
  This forum post is my own opinion and does not necessarily reflect the opinion or view of my employer, Microsoft, its employees, or other MVPs.
  Twitter:
  @stealthpuppy | Blog:
  stealthpuppy.com |
  The Definitive Guide to Delivering Microsoft Office with App-V

• Listing RDS 2012 R2 collections from powershell remote fails

  I'm trying to list different informations of a RDS server farm => from a remote client PC <=
  I do following but when typing the last command - I get an error.
  Knowing that that same command runs correctly when launched from an RDS server
  enter-pssession RDS-SERVER-XYZ.contoso.net
  import-module remotedesktop
  get-command -module remotedesktop
   Get-RDSessionCollection -ConnectionBroker RDS-BRK-1.contoso.net
   => fails with message :
   Cannot index into a null array.
   At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\remotedesktop\Utility.psm1:54 char:9
   +     if ($_script_resource[$Id])
   +         ~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
      + FullyQualifiedErrorId : NullArray
   Cannot index into a null array.
   At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\remotedesktop\Utility.psm1:54 char:9
   +     if ($_script_resource[$Id])
   +         ~~~~~~~~~~~~~~~~~~~~~~
       + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
       + FullyQualifiedErrorId : NullArray
   Get-RDSessionCollection :
       + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
       + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-RDSessionCollection
  Listing RDS 2012 R2 collections from powershell remote fails / same commandlet from local RDS serevr works fine
  Am I missing something ?
  MCTS Windows Server Virtualization, Configuration

  Are the Windows Remote Management rules enabled on the inbound firewall of the RDSH server?
  If you are running multiple roles on the RDSH  server you may need to increase the size of the memory available for powershell remoting.
  Run Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000 with powershell as an admin and reboot.
  HTH,
  JB

• RDS 2012 Multiple Gateways

  Hi all,
  In a RDS 2012 R2 setup, is it possible to have two independant gateways (not HA)? One gateway would answer to gateway.xyz.com and the other would answer to gateway.abc.com.  This setup would require two different certificates. Is this possible?
  Thanks,
  Jesmat

  Hi Jesmat,
  Yes, you should be able to use multiple independent RD Gateways with a single RDS deployment, however, there are limitations and additional configuration steps.  For example, you cannot use Server Manager or the powershell commands to assign the certificate
  to the RD Gateways since you need to have different certs on each, instead use RD Gateway Manager.  Another thing is if you plan on using RDWeb or the Feed then you need to have each RDG serve separate collections, and on each collection you need
  to set a custom rdp property using powershell so that you can have a different FQDN for the RDG on each.
  I'm sure there are other considerations that are specific to your use case that will affect how you set things up.  Please keep in mind that your intended scenario is not one of the standard ones so you will need to plan things a bit more and you may
  notice different behavior than expected.
  -TP

• How do you configure a farm name in RDS 2012?

  I understand Remote Desktop Services has undergo some drastric changes.
  How do you configure a farm name in RDS 2012? Or is the concept around farm name changed in another concept?
  Although I have imported a certificate on the RDCH withe the farm name I want to use. When I click on a RemoteApp on the RD Web Access portal, it does not connect to the right farm name.
  Boudewijn Plomp, BPMi Infrastructure & Security

  You don't.  You create a collection.  A client connects to the Connection Broker and then is redirected to the collection it is connecting to.  The collection name is embedded in the connection file that the client downloads from RDWeb or
  the RDWeb feed. 
  A collection is basically at least one RDSH server (for session based desktops) or one virtual machine (virtual machine based desktops). 
  Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

• Best practice for RDGW placement in RDS 2012 R2 deployment

  Hi,
  I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
  Farm works great for LAN and VPN users.
  Now i want to add two domain joined RDGW servers.
  The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
  Should i:
  - set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
  - place RDGW in the DMZ, opening all those required ports into the LAN
  - place the RDGW in the LAN, then port forward port 443 into it from internet
  Any help is greatly appreciated.
  This posting is provided "AS IS" with no warranties or guarantees and confers no rights

  Hi,
  The deployment is totally depends on your & company requirements as many things to taken care such as Hardware, Network, Security and other related stuff. Personally to setup RD Gateway server I would not prefer you to select 1st option. But as per my research,
  for best result you can use option 2 (To place RDG server in DMZ and then allowed the required ports). Because by doing so outside network can’t directly connect to your internal server and it’s difficult to break the network by any attackers. A perimeter
  network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway,
  RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer
  beneath article for more information.
  RD Gateway deployment in a perimeter network & Firewall rules
  http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Load Balancing 2012 R2 Session Host Collection with External Network Load Balancer

  Hi,
  We are moving from a 2008 R2 Remote Desktop session host deployment to 2012 R2. Previously, we used our Kemp hardware load balancer to distribute load between RDSH servers. We had a connection broker deployed so that if an existing disconnected session was
  detected during the initial connection, the user was directed back to that session.  
  In 2012 R2, we planned to again used the Kemp load balancer to main high availability for our RDSH collection, but are experiencing strange issues. It seems that the RD Connection Broker is also performing load balancing--the result being that initial connections
  to the RDSH collection may go to one RDSH server with the least connections through the Kemp, but then be redirected to a different RDSH server by the broker, even when there is no existing session for the user on that second server.
  Our question is: Should we not be using the Kemp balancer at all (how would this work)? Or should we disable load balancing by the connection broker (if so...how)?
  Further complicating our redirection issue with that the RDSH servers have multiple interfaces--one with public addresses and others with private. The connection broker seems to abritrarily pick among the destination RDSH server's available IP addresses
  for the redirection and trying to redirect to a private address will fail. We think we have worked around this by connecting to each RDSH server from a 2008 R2 server's RDSH Configuration console and choosing just the public adapter under the Network Adapters
  tab--is there no way to access this setting in 2012 R2?
  Thanks in advance!   
  Matthew

  Hi Matthew,
   As you are most likely already aware, inn Remote Desktop Services 2012 / R2 the Connection broker uses round robin DNS to load balance.
  To simplify things I would recommend that you let the connection broker load balance the sessions and use the KEMP to Load balance the RDweb and Gateway servers.
  Have a look at the following articles:
  http://ryanmangansitblog.wordpress.com/2013/03/11/create-a-rdwa-farm-using-a-kemp-load-balancer/
  http://ryanmangansitblog.wordpress.com/2013/03/31/rds-2012-configuring-a-rd-gateway-farm/
  http://ryanmangansitblog.wordpress.com/2013/09/05/load-balance-rds2012-rdwa-and-rdgw-using-sub-interfaces-on-kemps-loadmaster/
  As you have mentioned that you are migrating from a 2008R2 configuration, have a look at the following article:
  http://ryanmangansitblog.wordpress.com/2014/01/05/publish-rds-2008r2-desktop-on-rds-2012/
  Ryan Mangan | [email protected] | Help keep the forums tidy, if this has helped please mark it as an answer

• RDS 2012 - Certificates

  Hi all,
  This is my setup :
  RDS 2012 R2
  Two connection brokers setup in HA:  FQDN = RDCB.Internaldomain.com
  Two Web Access servers for internal user setup with DSN Round Robin so I can have a basic HA: FQDN = InternalWA.internaldomain.com
  Two Gateway servers in HA:  FQDN:
   RemoteGW.InternalDomain.com
  Both Gateway server have RD Web Access installed and using DNS Round Robin to have a basic HA): FQDN 
  RemoteWA.ExternalDomain.com
  My company will not approve having a trusted wildcard certificate. So, in the “Edit Deployment Wizard”, I was thinking of deploying
  one public (and trusted) SAN certificate containing all the above FQDNs to all the Role Services (RD Connection Broker –Single Signon, RD Connection Broker -
   Publishing, RD Web Access and RD Gateway).
  Will this be ok or do I need to add other FQDNs to the certificate (for example the FQDN of all the Session Host servers)?
  Best regards,
  Jesmat.

  Hello,
  In your FQDN  did you forget to add a "." as : RDCB.Internaldomain.com
  and RemoteWA.ExternalDomain.com
  are 2 different domain names
  The SAN option i thiink will not be liable here . Except if you use self signed for your internal connection  ans
  the san for the external one.
  refer to :http://en.wikipedia.org/wiki/Wildcard_certificate
  But i cannot confirm that the san certificate will be allowed on the gateways.
  Hope it helps 
  Fred

• RDS 2012 Deployment guide

  Hi,
  I'm looking for a RDS 2012 Deployment Guide or best practices document but not finding it.  Basically I'm looking for the equivalent of the document below but for Server 2012 R2 instead of 2008 R2
  <won't let me add link to body yet>
  We are planning a new RDS implementation and want to make sure we get the environment and resources right from the beginning.  Initially I'm mainly curious about the recommendations on how many servers are needed and which roles can be combined
  on single servers and which need to be broken out onto their own boxes.  For example is it best to have the RD Gateway and the RD Web Access roles on their own individual servers or should/can they be combined on to one box in the DMZ? 
  If separate; can one of them also double as the connection broker?  That sort of thing. 
  Any help is appreciated.  Thanks

  Hi Col,
  Have a look at the following articles:
  http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/ 
  I would recommend that you look at splitting the roles on a large environment or use a layer 7 load balancer so you can scale up the number of Gateway/RDweb servers if your connections grow.
  I would advise against configuring the connection broker on a server which has a connection to the public interface (web and remote access via gateway). I would advise against exceeding 400 connections per RD Gateway server.
  a example configuration:
  Server 1 : connection broker and Licensing role
  Server 2 : Session host
  Server 3 : RDWeb and RD Gateway.
  This may help you with regards to capacity planning:
  http://ryanmangansitblog.com/2014/06/24/capacity-planning-for-a-rds-2012-pooled-2000-seat-vdi-collection/
  Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer