Windows Server 2012: Manage your RDS with RDMS
There are many different settings and configurations, but you can manage your VDI environment much more directly with Windows Server 2012.
Kristin Griffin and Freek Berson
Once your server farm is up and running, it’s a lot easier than it used to be to configure and maintain. This is because of a fundamental shift in the management paradigm. With Windows Server 2008 R2, you had to maintain your environment tactically. You had to stitch the farm together using multiple tools on each server, and the tools were more focused on tasks than the desired end results.
In Windows Server 2012, you maintain your virtual desktop infrastructure (VDI) environment strategically. You make changes based on what you want to have happen. You deploy changes from one location using one tool. You could use Group Policy or Windows PowerShell to configure some settings, but you can now centralize Remote Desktop Services (RDS) management without being either a Group Policy administrator or Windows PowerShell whiz.
Here we’ll describe the main sections of Remote Desktop Management Services (RDMS) and explore how RDMS categorizes server properties. Then we’ll walk through several examples of how to use RDMS to manage your VDI session-based deployment. We’ll cover using RDMS to manage VDI virtual machine (VM)-based deployments in a later article.
There are three main sections to RDMS:
- Overview is for adding and removing role services on servers and managing deployment-level properties.
- Servers provides some details of each server in the environment and one interface with which to perform common computer-management tasks for each server.
- Collections is for configuring properties specific to a collection.
The Overview section serves two primary functions. First, it gives you a picture of your VDI deployment based on the role services you deployed. Right-click each icon and you get a corresponding menu of tasks you can perform, such as adding or removing role services, configuring the RD Connection Broker for high availability (HA), or creating new session collections. Second, you can adjust deployment-level properties by clicking the Tasks dropdown menu and choosing Edit Deployment Properties.
The Servers section gives you an overview of each of your servers, including online status, IP address, activation status and when it was last updated. You can also manage each of your servers by accessing Computer Management (which includes Event Viewer, Device Manager and Services). From this section, you can also configure NIC teaming, diagnose VDI licensing issues, run Windows PowerShell commands, start performance counters, add or remove roles and features, and restart the server.
The Collections section gives you details about your deployment’s collections and an interface to manage session collection properties, host servers and user sessions running on host servers. The Collections main page is broken into three subsections: Collections, Host Servers and Connections.
- From Collections, you can create or remove session collections and view the properties of existing session collections, including the type of VDI being offered (sessions or VMs) and the resource type (RemoteApps or full desktop sessions) each collection supplies.
- Host Servers lists all RD Session Host servers from all collections. Right-click any server to put it in drain mode, which will prevent it from accepting new connections.
- Connections lists all user sessions running on any session collection host server. Interact with the user sessions (send a message, disconnect or log off the user) by right-clicking a user session and choosing the action from the dropdown menu.
Each collection is listed under the Collections main link in the left-hand pane. When you select a collection, the main panel displays more management subsections that apply only to that collection. In addition to the Host Server and Connections subsections, there are also two new subsections:
- The Properties subsection lets you manage session-collection-level properties from the Tasks dropdown menu.
- RemoteApp Programs lets you publish or unpublish RemoteApp programs and configure RemoteApp program properties by right-clicking each RemoteApp.
RDMS property categories
Now, let’s talk about why RDMS is structured this way. RDMS splits properties into two categories (see Figure 1):
- Deployment-Level Properties affect all applicable servers in the deployment (and therefore in all collections).
- Collection-Level Properties affect servers in a particular collection.
Figure 1 VDI settings are configured on a deployment- or session-collection basis.
If it’s still not clear why this matters, consider this example. In Windows Server 2008 R2, if you wanted to give a new group access to one of your RD Session Host server farms, you’d have to make the change to each RD Session Host server in the farm. You’d add the new user group to the Remote tab of System Properties. In a multi-farm scenario, this could take a while—and let’s hope you don’t make a mistake or forget a server.
In Windows Server 2012, you make this change at the session-collection level. From your deployment server, open RDMS and add the new user group to the User Groups tab of the Session Collection Properties section. All servers that are part of the session collection will receive the new setting faster, and the process is much less error-prone.
To modify properties on a deployment level, choose Edit Deployment Properties from the Tasks dropdown menu of the Overview Section (see Figure 2).
Figure 2 Choose Edit Deployment Properties to open the Deployment Properties dialog box.
The Deployment Properties dialog box will appear with properties grouped on the following tabs (see Figure 3):
Figure 3 Deployment properties are grouped into five tabbed sections.
- High Availability: You can see this read-only section only if your RD Connection Broker is configured for High Availability (or at least prepared for HA). This lists the values (database connection string, database storage location and DNS round-robin name) specified during the HA setup.
- RD Gateway: Configure the RD Gateway settings that will be specified in RemoteApps and full desktops published in RD Web Access and Remote Area Data Collector (RADC).
- RD Licensing: Configure the Remote Desktop licensing mode (per server or per device) and add or remove RD Licensing servers for deployment.
- RD Web Access: This section has a read-only view of the internal DNS names of the RD Web Access servers and links to the Web page for RD Web Access.
- Certificates: Here you can centrally configure SSL certificates. Three RDS role services use a certificate: RD Connection Broker to perform single sign-on (SSO) and signing, RD Web Access to provide an SSL-encrypted Web page and RD Gateway to safely encrypt and proxy Remote Desktop Protocol (RDP) sessions over the Internet. Certificate management used to be complicated and required a lot of tools, but it’s much simpler in Windows Server 2012: you configure all of these SSL certificates from this one tab, and you can even create self-signed certificates here or select existing certificates.
To show you how this works, here are a few examples of how you’d use RDMS to configure deployment-level properties.
Adding a new license server: The RD Licensing role will not be installed through the Quick Start or standard scenario deployment. You need to install and add it after the initial deployment. From the Deployment Overview in RDMS, you can deploy the RD Licensing role and add the new licensing server to the deployment.
You can view and change options related to RD Licensing from the RD Licensing tab of the Deployment properties. You can configure the type of licensing (user or device) and change the order of RD Licensing servers (if you’re using multiple RD Licensing servers).
Configuring certificates: VDI deployments use SSL certificates to authenticate servers, sign RDP files, encrypt RDP traffic and enable SSO. It’s relatively easy to install these certificates across a deployment in order to:
- Provide server authentication
- Digitally sign RDP files (for RemoteApps and full desktops published via RADC and RD Web Access)
- Create a secure connection to the RD Web Access Web site
- Verify the identity of the RD Gateway server
- Encrypt traffic to and from the RD Gateway server over the Internet
- Enable SSO
If you install RD Gateway and RD Web Access on the same server, you can use one SSL certificate to accomplish all these tasks without needing a wildcard or SAN certificate. The certificate name needs to represent the external name of your deployment. This must be resolvable on the Internet to the external IP address of the RD Gateway or RD Web Access server. For this example, your certificate name is vdi.virtualkristin.com. You’ve obtained this certificate from a public certificate authority (CA) and have the certificate file stored on your deployment server.
To distribute the certificate, open RDMS Deployment Properties and select the Certificates tab. Select the RD Connection Broker – Single Sign-On entry. Then click Select Existing Certificate. Choose the option Choose a Different Certificate. Then browse to your certificate file, enter the required password to access the file, check the box next to the option “Allow the certificate to be added to the Trusted Root Certification Authorities store on the destination computers” and click Apply. Do this for the next three role entries, clicking Apply after each configuration.
Each role service entry should show its level as Trusted. The certificate subject name will appear directly below the role services listing (see Figure 4). Windows 7 clients need to have the RDP 8 update installed and enabled in the local Group Policy for SSO to work.
Figure 4 Successfully deployed certificates will show their Level as Trusted and Status as OK.
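The same deployment-level changes (adding the RD Licensing server, setting the licensing mode and binding one public CA certificate to all four role entries) can be scripted with the RemoteDesktop PowerShell module. This is an added example, not code from the article; the broker, license server and .pfx path are assumed names for illustration.

```powershell
# Added example (not from the article): deployment-level properties through the
# RemoteDesktop module rather than the RDMS dialogs. Names below are assumptions.
Import-Module RemoteDesktop

$broker  = 'broker.virtualkristin.com'             # assumed RD Connection Broker FQDN
$licSrv  = 'lic.virtualkristin.com'                # assumed new RD Licensing server
$pfxPath = 'C:\Certs\vdi.virtualkristin.com.pfx'   # assumed PFX on the deployment server

# 1. RD Licensing is not part of Quick Start / standard deployment: add the role now
Add-RDServer -Server $licSrv -Role RDS-LICENSING -ConnectionBroker $broker

# 2. Licensing mode, with the license server list in priority order
Set-RDLicenseConfiguration -LicenseServer @($licSrv) -Mode PerUser `
    -ConnectionBroker $broker -Force
Get-RDLicenseConfiguration -ConnectionBroker $broker

# 3. One certificate for SSO/signing (broker), RD Web Access and RD Gateway.
#    The PFX password is read as a SecureString so it never sits in the script.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPwd `
        -ConnectionBroker $broker -Force
}

# 4. Check: every role entry should report Level 'Trusted' (what Figure 4 shows),
#    and ExpiresOn tells you when renewal is due before SSO silently breaks
Get-RDCertificate -ConnectionBroker $broker |
    Format-Table Role, Level, ExpiresOn -AutoSize
```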
To modify collection properties, choose Edit Properties from the Tasks dropdown menu of the Collection Properties subsection (see Figure 5).
Figure 5 Choose Edit Properties to adjust collection-level properties.
The Collection Properties dialog box will appear with properties grouped on the following tabs:
- General: Modify the collection name and description and whether to display the full desktop icon in RD Web Access.
- User Groups: Select the user groups allowed to connect to the collection.
- Session: Set session time limits for disconnected, active, and idle sessions, and what will happen when each limit is reached.
- Security: Configure the security layer and encryption level for the collection and whether to allow connections only from Network Level Authentication (NLA)-enabled clients.
- Load Balancing: Configure how many concurrent sessions each session collection server will handle based on its physical hardware or virtual resources.
- Client Settings: Configure which client devices (hard drive, printers, clipboard and so on) will be redirected in remote sessions, and set the maximum number of redirected monitors.
- User Profile Disks: Configure User Profile Disk (UPD) location, maximum size, and file and folder exclusions. For now, think of UPD as a new way to customize the UX in a VDI environment.
Here are a few examples of how you could use RDMS to configure session-collection-level properties for your VDI environment.
Adjust RD Session Host server load balancing: In most environments, the RD Session Host servers will have the same resources and can handle the same number of sessions. If servers in a collection have different physical or virtual resources, you’ll need to assign each server a weight relative to the number of sessions it can handle. To do this, open the RDMS session collection Properties dialog box and select Load Balancing. For each server, choose a relative weight (0-100); the larger the weight, the more sessions the server will be given. To cap the number of concurrent sessions each server will handle, adjust the Session Limit.
Drain an RD Session Host server: At some point, you’ll need to perform maintenance on session collection RD Session Host servers (such as patching the server and rebooting). To prepare for this, put the server in drain mode so it won’t accept any new connections. Do this by selecting its collection in RDMS. In the Host Servers section, right-click the server and choose “Do not allow new connections.”
Adjusting encryption: One step in configuring your RD Session Host servers to work with a WAN accelerator is to set RDP encryption on the RD Session Host servers to Low. Do this for each collection that will use the WAN accelerator by opening the session collection Properties dialog box, selecting Security, and then selecting Low from the Encryption Level dropdown menu.
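The three collection-level tasks above (load-balancing weights, drain mode and the Low encryption setting), plus the User Groups change from the earlier example, done with the RemoteDesktop module. This is an added example, not the article's code; the broker, collection, host and group names are assumptions.

```powershell
# Added example (not from the article): collection-level properties through the
# RemoteDesktop module. Broker, collection, host and group names are assumptions.
Import-Module RemoteDesktop

$broker      = 'broker.virtualkristin.com'   # assumed RD Connection Broker FQDN
$collection  = 'Finance Desktops'            # assumed session collection name
$smallHost   = 'rdsh02.virtualkristin.com'   # assumed RD Session Host with fewer resources

# User Groups tab: one change reaches every RD Session Host in the collection
Set-RDSessionCollectionConfiguration -CollectionName $collection `
    -UserGroup @('VIRTUALKRISTIN\Finance Users') -ConnectionBroker $broker

# Load Balancing tab: read the current entries, lower one host's weight and cap
# its concurrent sessions, then write the whole set back
$lb = Get-RDSessionCollectionConfiguration -CollectionName $collection `
    -LoadBalancing -ConnectionBroker $broker
foreach ($entry in $lb) {
    if ($entry.SessionHost -eq $smallHost) {
        $entry.RelativeWeight = 50      # half the sessions of a weight-100 host
        $entry.SessionLimit   = 40      # hard cap for this host
    }
}
Set-RDSessionCollectionConfiguration -CollectionName $collection `
    -LoadBalancing $lb -ConnectionBroker $broker

# Security tab: record the current values first, so the WAN-accelerator change
# can be reverted; keep NLA on so only authenticated clients reach the host
Get-RDSessionCollectionConfiguration -CollectionName $collection -Security `
    -ConnectionBroker $broker
Set-RDSessionCollectionConfiguration -CollectionName $collection `
    -EncryptionLevel Low -AuthenticateUsingNLA $true -ConnectionBroker $broker

# Host Servers: drain a host before patching ("Do not allow new connections"),
# verify, and re-enable it afterwards with -NewConnectionAllowed Yes
Set-RDSessionHost -SessionHost $smallHost -NewConnectionAllowed No -ConnectionBroker $broker
Get-RDSessionHost -CollectionName $collection -ConnectionBroker $broker |
    Format-Table SessionHost, NewConnectionAllowed -AutoSize
```

Run the `Get-` calls after each change and compare with the RDMS dialogs so a scripted change and a dialog change are never allowed to drift apart.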
We’ve discussed how to use RDMS to strategically manage your deployment. We explained how VDI properties are categorized and how deployment-level and collection-level properties affect your servers. We also gave you some examples of how to use RDMS to accomplish common management tasks such as securing your deployment with SSL certificates and adding a new license server.
In our next article, we’ll show you how to deploy RD Gateway to provide secure access to your deployment over the Internet.
Freek Berson is a Remote Desktop Services MVP. He’s an infrastructure specialist at Wortell, where one of his focus areas is desktop virtualization. Berson blogs at themicrosoftplatform.net. He also moderates and answers questions on Microsoft TechNet Forums and creates new content for TechNet Wiki.