There are many different settings and configurations, but you can manage your VDI environment much more directly with Windows Server 2012.
Once your server farm is up and running, it’s a lot easier than it used to be to configure and maintain. This is because of a fundamental shift in the management paradigm. With Windows Server 2008 R2, you had to maintain your environment tactically. You had to stitch the farm together using multiple tools on each server, and the tools were more focused on tasks than the desired end results.
In Windows Server 2012, you maintain your virtual desktop infrastructure (VDI) environment strategically. You make changes based on what you want to have happen. You deploy changes from one location using one tool. You could use Group Policy or Windows PowerShell to configure some settings, but you can now centralize Remote Desktop Services (RDS) management without being either a Group Policy administrator or a Windows PowerShell whiz.
Here we’ll describe the main sections of Remote Desktop Management Services (RDMS) and explore how RDMS categorizes server properties. Then we’ll walk through several examples of how to use RDMS to manage your VDI session-based deployment. We’ll cover using RDMS to manage VDI virtual machine (VM)-based deployments in a later article.
There are three main sections to RDMS:
The Overview section serves two primary functions. First, it gives you a picture of your VDI deployment based on the role services you deployed. Right-click each icon and you get a corresponding menu of tasks you can perform, such as adding or removing role services, configuring the RD Connection Broker for high availability (HA), or creating new session collections. Second, you can adjust deployment-level properties by clicking the Tasks dropdown menu and choosing Edit Deployment Properties.
The Server section gives you an overview of each of your servers, including online status, IP address, activation status and when it was last updated. You can also manage each of your servers by accessing Computer Management (which includes Event Viewer, Device Manager and Services). From this section, you can also configure NIC teaming, diagnose VDI licensing issues, run Windows PowerShell commands, start performance counters, add or remove roles and features, and restart the server.
The Collections section gives you details about your deployment’s collections and an interface to manage session collection properties, host servers and user sessions running on host servers. The Collections main page is broken into three subsections: Collections, Host Servers and Connections.
Each collection is listed under the Collections main link in the left-hand pane. When you select a collection, the main panel displays more management subsections that apply only to that collection. In addition to the Host Server and Connections subsections, there are also two new subsections:
Now, let’s talk about why RDMS is structured this way. RDMS splits properties into two categories (see Figure 1):
Figure 1 VDI settings are configured on a deployment- or session-collection basis.
If it’s still not clear why this matters, consider this example. In Windows Server 2008 R2, if you wanted to give a new group access to one of your RD Session Host server farms, you’d have to make the change to each RD Session Host server in the farm. You’d add the new user group to the Remote tab of System Properties. In a multi-farm scenario, this could take a while—and let’s hope you don’t make a mistake or forget a server.
In Windows Server 2012, you make this change at the session-collection level. From your deployment server, open RDMS and add the new user group to the User Groups tab of the Session Collection Properties section. All servers that are part of the session collection will receive the new setting faster, and the process is much less error-prone.
To modify properties on a deployment level, choose Edit Deployment Properties from the Tasks dropdown menu of the Overview section (see Figure 2).
Figure 2 Choose Edit Deployment Properties to open the Deployment Properties dialog box.
The Deployment Properties dialog box will appear with properties grouped on the following tabs (see Figure 3):
Figure 3 Deployment properties are grouped into five tabbed sections.
To show you how this works, here are a few examples of how you’d use RDMS to configure deployment-level properties.
Adding a new license server: The RD Licensing role will not be installed through the Quick Start or standard scenario deployment. You need to install and add it after the initial deployment. From the Deployment Overview in RDMS, you can deploy the RD Licensing role and add the new licensing server to the deployment.
You can view and change options related to RD Licensing from the RD Licensing tab of the Deployment properties. You can configure the type of licensing (user or device) and change the order of RD Licensing servers (if you’re using multiple RD Licensing servers).
Configuring certificates: VDI deployments use SSL certificates to authenticate servers, sign RDP files, encrypt RDP traffic and enable SSO. It’s relatively easy to install these certificates across a deployment in order to:
If you install RD Gateway and RD Web Access on the same server, you can use one SSL certificate to accomplish all these tasks without needing a wildcard or SAN certificate. The certificate name needs to represent the external name of your deployment. This must be resolvable on the Internet to the external IP address of the RD Gateway or RD Web Access server. For this example, your certificate name is vdi.virtualkristin.com. You’ve obtained this certificate from a public certificate authority (CA) and have the certificate file stored on your deployment server.
To distribute the certificate, open RDMS Deployment Properties and select the Certificates tab. Select the RD Connection Broker – Single Sign-On entry. Then click Select Existing Certificate. Choose the option Choose a Different Certificate. Then browse to your certificate file, enter the required password to access the file, check the box next to the option “Allow the certificate to be added to the Trusted Root Certification Authorities store on the destination computers” and click Apply. Do this for the next three role entries, clicking Apply after each configuration.
Each role service entry should show its level as Trusted. The certificate subject name will appear directly below the role services listing (see Figure 4). Windows 7 clients need to have the RDP 8 update installed and enabled in the local Group Policy for SSO to work.
Figure 4 Successfully deployed certificates will show their Level as Trusted and Status as OK.
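The same certificate rollout and the Trusted check can be scripted with the RemoteDesktop module that ships with Windows Server 2012. This is an added example, not part of the original article; the broker name and PFX path are hypothetical, and the script does not reproduce the "Allow the certificate to be added to the Trusted Root Certification Authorities store" checkbox.

```powershell
# Added example. $Broker and $PfxPath are assumptions, not values from the article.
Import-Module RemoteDesktop

$Broker   = 'rdcb01.example.internal'   # hypothetical RD Connection Broker FQDN
$PfxPath  = 'C:\Certs\vdi.pfx'          # hypothetical location of the certificate file
$Expected = 'vdi.virtualkristin.com'    # external name used in the article

# The four entries on the Certificates tab, in the order the article configures them:
# Broker Single Sign-On, Broker Publishing, RD Web Access, RD Gateway.
$Roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway'

# Prompt for the PFX password so it is never stored in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

foreach ($Role in $Roles) {
    $Params = @{
        Role             = $Role
        ImportPath       = $PfxPath
        Password         = $PfxPassword
        ConnectionBroker = $Broker
        Force            = $true          # suppress the per-role confirmation prompt
    }
    Set-RDCertificate @Params
}

# Read the deployment back and report any role that is not Trusted, carries a
# different subject name, or expires within 30 days.
$Problems = foreach ($Cert in Get-RDCertificate -ConnectionBroker $Broker) {
    $Reasons = @()
    if ("$($Cert.Level)" -ne 'Trusted')          { $Reasons += "level is $($Cert.Level)" }
    if ($Cert.Subject -notlike "*CN=$Expected*") { $Reasons += "subject is '$($Cert.Subject)'" }
    if ($Cert.ExpiresOn -and ([datetime]$Cert.ExpiresOn -lt (Get-Date).AddDays(30))) {
        $Reasons += "expires $($Cert.ExpiresOn)"
    }
    if ($Reasons) { [pscustomobject]@{ Role = $Cert.Role; Problem = $Reasons -join '; ' } }
}

if ($Problems) { $Problems | Format-Table -AutoSize }
else           { "All role certificates are Trusted and issued to $Expected." }
```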
To modify collection properties, choose Edit Properties from the Tasks dropdown menu of the Collection Properties subsection (see Figure 5).
Figure 5 Choose Edit Properties to adjust collection-level properties.
The Collection Properties dialog box will appear with properties grouped on the following tabs:
Here are a few examples of how you could use RDMS to configure session-collection-level properties for your VDI environment.
Adjust RD Session Host server load balancing: In most environments, the RD Session Host servers will have the same resources and can handle the same number of sessions. If there are servers in your collections that have different physical or virtual resources, you’ll need to assign a weight to each server relative to the number of sessions it can handle. To do this, open the RDMS session collection Properties dialog box. Select Load Balancing. For each server, choose a relative weight (0-100). The larger the weight, the more sessions the server can handle. To set a maximum limit of concurrent sessions each server will handle, adjust the Session Limit.
Drain an RD Session Host server: At some point, you’ll need to perform maintenance on session collection RD Session Host servers (such as patching the server and rebooting). To prepare for this, put the server in drain mode so it won’t accept any new connections. Do this by selecting its collection in RDMS. In the Host Servers section, right-click the server and choose “Do not allow new connections.”
Adjusting encryption: One step in configuring your RD Session Host servers to work with a WAN accelerator is to set RDP encryption on the RD Session Host servers to Low. Do this for each collection that will use the WAN accelerator by opening the session collection Properties dialog box, selecting Security, and then selecting Low from the Encryption Level dropdown menu.
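Because these collection-level settings are made through dialog boxes, it helps to read them back periodically. The following added example (not from the original article; the broker name is hypothetical) lists each session collection's encryption level, security layer, user groups and drained hosts, and flags any collection left at Low so the weakened setting stays limited to collections that actually sit behind the WAN accelerator.

```powershell
# Added example. $Broker is an assumption, not a value from the article.
Import-Module RemoteDesktop

$Broker = 'rdcb01.example.internal'   # hypothetical RD Connection Broker FQDN

$Report = foreach ($Collection in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $Name   = $Collection.CollectionName
    $Common = @{ CollectionName = $Name; ConnectionBroker = $Broker }

    # Security tab: encryption level, security layer and NLA requirement.
    $Security = Get-RDSessionCollectionConfiguration @Common -Security

    # User Groups tab: who is allowed to connect to this collection.
    $Access = Get-RDSessionCollectionConfiguration @Common -UserGroup

    # Host Servers section: hosts set to "Do not allow new connections".
    $Drained = Get-RDSessionHost @Common |
        Where-Object { "$($_.NewConnectionAllowed)" -ne 'Yes' }

    [pscustomobject]@{
        Collection      = $Name
        EncryptionLevel = $Security.EncryptionLevel
        SecurityLayer   = $Security.SecurityLayer
        NLA             = $Security.AuthenticateUsingNLA
        UserGroups      = $Access.UserGroup -join ', '
        DrainedHosts    = $Drained.SessionHost -join ', '
        NeedsReview     = "$($Security.EncryptionLevel)" -eq 'Low'
    }
}

# Collections that need review sort to the top of the table.
$Report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize -Wrap
```

A host that stays in DrainedHosts after its maintenance window has ended is still refusing new connections and should be set back to allow them.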
We’ve discussed how to use RDMS to strategically manage your deployment. We explained how VDI properties are categorized and how deployment-level and collection-level properties affect your servers. We also gave you some examples of how to use RDMS to accomplish common management tasks such as securing your deployment with SSL certificates and adding a new license server.
In our next article, we’ll show you how to deploy RD Gateway to provide secure access to your deployment over the Internet.
Freek Berson is a Remote Desktop Services MVP. He’s an infrastructure specialist at Wortell, where one of his focus areas is desktop virtualization. Berson blogs at themicrosoftplatform.net. He also moderates and answers questions on Microsoft TechNet Forums and creates new content for TechNet Wiki.