Planning and Deploying Session-based Virtual Desktops
- 5/23/2015
- Understanding RDS
- Planning infrastructure for session-based desktops
- Deploying session-based virtual desktops
- Understanding high availability for RDS
Deploying session-based virtual desktops
RDS includes multiple role services. If you use the role-based or feature-based installation option in Server Manager, you can install individual RDS role services, but role services installed this way can't be managed. To manage RDS, a deployment must have at least three role services: RD Connection Broker, RD Web Access, and either RD Session Host or RD Virtualization Host. Individual RDS role services can't be managed if they are not part of an RDS deployment.
Understanding the session-based desktop deployment process
You can deploy RDS by using Server Manager or Windows PowerShell. Server Manager has the ability to install the necessary server roles, role services, and features on multiple servers that are part of an RDS deployment. All management of RDS also can be done from Server Manager.
The high-level steps for deploying session-based virtual desktops are as follows:
- Start the RDS installation In Server Manager, use the Add Roles And Features Wizard to select the Remote Desktop Services Installation option, shown in Figure 8-8. This option configures the wizard to collect the information necessary to perform a deployment of RDS across multiple servers.
Figure 8-8 Add Roles And Features Wizard, Select Installation Type page
- Select the RDS deployment type On the Select Deployment Type page, shown in Figure 8-9, select the appropriate deployment type. The Quick Start option installs the required role services on a single server and creates a session collection with several sample RemoteApp programs (Calculator, Paint, and WordPad). You only should use the Quick Start option for testing. In most cases, you want to select the Standard Deployment option because this allows you to customize the deployment for your environment.
Figure 8-9 Add Roles And Features Wizard, Select Deployment Type page
- Select the RD deployment scenario On the Select Deployment Scenario page, shown in Figure 8-10, select the Virtual Machine–Based Desktop Deployment option or the Session-Based Desktop Deployment option. A VM-based desktop deployment is used to deploy personal and pooled virtual desktops on computers running Hyper-V. A session-based desktop deployment uses RD Session Hosts.
Figure 8-10 Add Roles And Features Wizard, Select Deployment Scenario page
- Select servers for RDS role services In the Add Roles And Features Wizard, select the servers on which you want to install the RD Connection Broker, RD Web Access, and RD Session Host role services. As part of making RDS highly available, you can install each role service on multiple servers. In most RDS deployments, the RD Session Host role service isn’t combined with other role services. The RD Connection Broker and RD Web Access role services can be combined in smaller RDS deployments.
During the deployment, the servers on which you installed the RD Session Host role are restarted. After the installation, you can perform initial configuration of the RDS deployment. You also can add servers to the deployment. At minimum, you should add RD Licensing, because you can’t connect to an RD Session Host without valid RDS CALs after the initial grace period of 120 days expires. You also should consider installing multiple instances of the RDS role services for high availability.
To install a session-based deployment of RDS, perform the following steps:
- In Server Manager, click Manage and then click Add Roles And Features.
- In the Add Roles And Features Wizard, on the Before You Begin page, click Next.
- On the Select Installation Type page, click Remote Desktop Services Installation and click Next.
- On the Select Deployment Type page, click Standard Deployment and click Next.
- On the Select Deployment Scenario page, click Session-Based Desktop Deployment and click Next.
- On the Review Role Services page, click Next. This page provides a brief description of each role service, but there is nothing to configure. The currently logged-on account is being used to create the deployment and is displayed here as a reminder.
- On the Specify RD Connection Broker Server page, shown in Figure 8-11, in the Server Pool box, double-click the server on which you wish to install the RD Connection Broker role service and click Next.
Figure 8-11 Add Roles And Features Wizard, Specify RD Connection Broker Server page
- On the Specify RD Web Access Server page, shown in Figure 8-12, select the Install The RD Web Access Role Service On The RD Connection Broker Server check box and click Next. Alternatively, you can select another server on which to install the RD Web Access role service.
Figure 8-12 Add Roles And Features Wizard, Specify RD Web Access Server page
- On the Specify RD Session Host Servers page, shown in Figure 8-13, double-click the server on which you wish to install the RD Session Host role service and click Next.
Figure 8-13 Add Roles And Features Wizard, Specify RD Session Host Servers page
- On the Confirmation page, review the selected servers, select the Restart Destination Server Automatically If Required check box, and click Deploy.
- On the Completion page, wait for the installation of the RDS role services to complete and click Close. If you are installing roles on the server from which you started the installation, the server may restart and require you to sign in again.
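The same Standard Deployment can be created with the RemoteDesktop module instead of the wizard. The following is an added example, not code from the book; the server names are placeholders, and it assumes you run it from a machine that is not one of the RD Session Hosts, because those are restarted during deployment.

```powershell
# Added example: session-based Standard Deployment via PowerShell, then a check that the
# deployment contains the three role services it needs in order to be manageable.
Import-Module RemoteDesktop

$Broker      = 'rdcb01.contoso.local'                            # hypothetical RD Connection Broker
$WebAccess   = $Broker                                           # RD Web Access co-located on the broker
$SessionHost = @('rdsh01.contoso.local', 'rdsh02.contoso.local') # hypothetical RD Session Hosts

# Installs RD Connection Broker, RD Web Access and RD Session Host on the named servers,
# restarting the RD Session Hosts if required, and registers them as one deployment.
New-RDSessionDeployment -ConnectionBroker $Broker `
                        -WebAccessServer  $WebAccess `
                        -SessionHost      $SessionHost

# A deployment can only be managed when a broker, a web access server and at least one
# session host are all present, so fail loudly if any of them is missing.
$servers  = Get-RDServer -ConnectionBroker $Broker
$required = 'RDS-CONNECTION-BROKER', 'RDS-WEB-ACCESS', 'RDS-RD-SERVER'
$present  = $servers | ForEach-Object { $_.Roles } | Sort-Object -Unique

foreach ($role in $required) {
    if ($role -notin $present) {
        throw "Deployment is incomplete: role service $role is missing, so the deployment cannot be managed."
    }
}

# Show which server carries which role service.
$servers | Format-Table Server, Roles -AutoSize
```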
Understanding session collections
Session collections enable you to organize and control user connectivity to RDS. Each session collection contains either RD Session Host servers for session-based virtual desktops or VMs on Hyper-V for pooled or personal virtual desktops.
Collections simplify the administration process by enabling you to manage all collection members as a unit instead of managing them individually. For example, after you configure a collection with session settings, those settings automatically apply to all the servers in the collection. If you add a server to a collection, session settings also automatically apply to the added server.
When you add multiple RD Session Host servers to a collection, connections automatically are load balanced among them. The RD Connection Broker server uses the collection configuration information to identify that there are multiple RD Session Host servers and connects an equal number of clients to each. If an RD Session Host server in a collection fails, the RD Connection Broker connects all users to the remaining RD Session Host servers in the collection.
When there are multiple RD Session Host servers in a collection, they need to be configured with identical applications. Users expect the same applications to be available each time they sign in. If RD Session Host servers have different applications installed, it will appear to users that applications are randomly appearing and disappearing with each connection.
To create a session collection, perform the following steps:
- In Server Manager, in the navigation pane, click Remote Desktop Services.
- In Remote Desktop Services > Overview, click Create Session Collections.
- In the Create Collection Wizard, on the Before You Begin page, click Next.
- On the Name The Collection page, in the Name box, type the name of the collection and click Next. Make the name something that accurately describes how the collection will be used. You also can type in a more detailed description.
- On the Specify RD Session Host Servers page, shown in Figure 8-14, double-click the RD Session Host server you want to add to the collection and click Next. Only RD Session Host servers already added to the RDS deployment appear in the Server Pool box. An RD Session Host server can be added to only one collection.
Figure 8-14 Create Collection Wizard, Specify RD Session Host Servers page
- On the Specify User Groups page, shown in Figure 8-15, remove the Domain Users group, add the groups you want to have access to the collection, and then click Next. The Domain Users group is listed by default and would allow any user in your organization to access the collection. In most cases, you want to restrict collection access to a specific group of users.
Figure 8-15 Create Collection Wizard, Specify User Groups page
- On the Specify User Profile Disks page, shown in Figure 8-16, select the Enable User Profile Disks check box if you have decided to implement user profile disks for users. If you select this option, you need to enter the UNC path where the user profile disks will be stored in the Location Of User Profile Disks box. You also need to specify a size in the Maximum Size (In GB) box.
Figure 8-16 Create Collection Wizard, Specify User Profile Disks page
- On the Confirm Selections page, click Create.
- On the View Progress page, wait until all tasks are complete and then click Close.
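The collection created by the wizard above can also be created with PowerShell. This is an added example, not code from the book; the broker, collection, group and UNC path are placeholders. It makes the same access decision the wizard steps call for: Domain Users is replaced by a dedicated group, and the script checks that the replacement actually took effect.

```powershell
# Added example: create a session collection, restrict it to one group, enable user
# profile disks, and verify that Domain Users no longer has access.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.contoso.local'                             # hypothetical broker
$Collection = 'Finance Desktops'                                 # hypothetical collection name
$Hosts      = @('rdsh01.contoso.local', 'rdsh02.contoso.local')  # hosts already in the deployment
$Group      = 'CONTOSO\RDS-Finance-Users'                        # hypothetical access group
$UpdShare   = '\\fs01.contoso.local\UPD$'                        # hypothetical UNC path for profile disks

New-RDSessionCollection -CollectionName        $Collection `
                        -CollectionDescription 'Full desktops for the Finance department' `
                        -SessionHost           $Hosts `
                        -ConnectionBroker      $Broker

# The wizard grants Domain Users by default. -UserGroup replaces the whole access list,
# so after this call only the named group can connect to the collection.
Set-RDSessionCollectionConfiguration -CollectionName   $Collection `
                                     -UserGroup        $Group `
                                     -ConnectionBroker $Broker

# User profile disks: the RD Session Host computer accounts need write access to the share;
# the size is the per-user cap in GB from the wizard's Maximum Size box.
Set-RDSessionCollectionConfiguration -CollectionName           $Collection `
                                     -EnableUserProfileDisk `
                                     -DiskPath                 $UpdShare `
                                     -MaxUserProfileDiskSizeGB 20 `
                                     -ConnectionBroker         $Broker

# Verify the access list: Domain Users must be gone and only the intended group present.
$access = Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup -ConnectionBroker $Broker
if ($access.UserGroup -contains "$env:USERDOMAIN\Domain Users") {
    Write-Warning "Collection '$Collection' still grants access to Domain Users."
}
$access.UserGroup
```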
Configuring session collections
The user interface for creating a session collection allows you to configure only a few of the configuration options for a session collection. After the session collection is created, you can edit the session collection and configure many more options.
To edit a session collection, perform the following steps:
- In Server Manager, in the navigation pane, click Remote Desktop Services.
- In Remote Desktop Services, in the navigation pane, click the collection you want to edit.
- While viewing the collection, next to the Properties box, click Tasks and click Edit Properties.
- In the CollectionName Properties window, edit the properties as required and click OK.
When you are editing the properties of a session collection, the editing window is divided into pages with groups of related options. The General page, shown in Figure 8-17, has the Name and Description that you entered during creation. The Show The Session Collection In RD Web Access check box was not available during creation. It is selected by default. Consider disabling this option during scheduled outages when you are performing maintenance on a session collection, for example, when you are upgrading an application on the RD Session Hosts in the collection.
Figure 8-17 Properties of a session collection, General page
The User Groups page in the properties of a session collection allows you to configure which groups of users can connect to the session collection. This is the same as the user groups configured during creation.
The Session page, shown in Figure 8-18, has a number of settings that control session limits and temporary folders.
Figure 8-18 Properties of a session collection, Session page
Table 8-3 describes the session settings available on the Session page.
Table 8-3 Session settings for a session collection

| Session setting | Description |
| --- | --- |
| End A Disconnected Session | Controls when a session is ended after a user disconnects. You can select to never end disconnected sessions or select a value ranging from one minute to five days. The default value is Never. A session is disconnected when there is a network connectivity issue or when a user closes the Remote Desktop Connection window without signing out. A disconnected session keeps all of the applications open and continues to use memory on the RD Session Host. Users can reconnect to the session and resume working where they left off, but if there are too many disconnected sessions, the RD Session Host may not have enough memory. |
| Active Session Limit | Controls how long an active session can be before it is disconnected or ended. To allow active sessions with no limit, select Never. To limit active sessions, select a time value ranging from one minute to five days. The default value is Never. Users receive a warning two minutes before the active session limit is reached. This provides users with time to save their work. An active session is one in which the user is performing a task. An active session is identified by mouse movement or keyboard input. There is seldom a need to limit active sessions, but you could limit them if you are concerned that unauthorized users are accessing a session. This will force the user to reconnect and provide authentication credentials when the limit is reached. |
| Idle Session Limit | Controls how long an idle session can be idle before it is disconnected or ended. To allow idle sessions with no limit, select Never. To limit idle sessions, select a time value ranging from one minute to five days. The default value is Never. Users receive a warning two minutes before the idle session limit is reached. This provides users with an opportunity to move the mouse or press a key to make the session active and avoid the idle session limit. An idle session is one in which the user isn’t performing a task. An idle session is identified by a lack of mouse movement or keyboard input. Most organizations configure an idle session limit. This has a similar effect on security as having the screen lock on a desktop computer. If a session is connected but unused, it may mean that the user has left his or her connection unattended. |
| When A Session Limit Is Reached Or A Connection Is Broken | Controls the action that is taken when the active session limit is reached, the idle session limit is reached, or a network problem disconnects a client. You can choose Disconnect From The Session or End The Session. In most cases, you will select Disconnect From The Session to prevent users from losing their work when they are disconnected. When you select this option, you also can select Enable Automatic Reconnection. This allows the RDC client to reconnect automatically after short network interruptions. If you do not select this option, the users must provide authentication credentials to reconnect to their disconnected session. By default, Disconnect From The Session and Enable Automatic Reconnection are selected. |
| Delete Temporary Folders On Exit | Configures temporary folders to be deleted when a session ends. This ensures that temporary files do not consume unnecessary disk space. This option is enabled by default. |
| Use Temporary Folders Per Session | Configures each session for a user to have separate temporary folders on RD Session Host servers where a single user account is allowed to have multiple simultaneous sessions. This option is enabled by default to ensure that multiple sessions on an RD Session Host server do not conflict. However, it isn’t relevant in most deployments because users typically are limited to a single session. |
The Configure Security Settings page, shown in Figure 8-19, allows you to configure the Security Layer and the Encryption Level to use for the session. The Security Layer defines encryption methods that are used to encrypt communication between the RDC client and the RD Session Host. The available options for security layer are as follows:
- RDP Security Layer This is the weakest option for the security layer. It is available to support older RDP clients. This security layer does not support the use of Network Level Authentication.
- SSL (TLS 1.0) This is the strongest security layer. This security layer supports the use of Network Level Authentication. When this security layer is used, a certificate on the RD Session Host is used to establish the encryption channel. If the name on the certificate does not match the name used when connecting to the RD Session Host, then a warning is displayed on the client. This is supported by Windows XP SP3 and newer operating systems.
- Negotiate This is the default selection for security layer. SSL (TLS 1.0) is used if available on the server and client. If SSL (TLS 1.0) can’t be used, then RDP Security Layer is used.
Figure 8-19 Properties of a session collection, Configure Security Settings page
Network Level Authentication is an authentication method that requires clients to enter authentication credentials before they are connected to the RD Session Host server. The credentials are passed by the RDC client to the RD Session Host server, and if the credentials are valid, the sign-in process is performed. When Network Level Authentication isn’t used, clients can connect to the RD Session Host server and interact with the sign-in screen on the RD Session Host before they are authenticated. This is a security risk because it is possible for unauthenticated clients that have access to RD Session Host servers to see recently used user names and the operating system version.
You can force all clients to use Network Level Authentication by selecting the Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication check box. This is enabled by default.
The Encryption Level setting allows you to configure the number of bits used for encryption. This setting applies for both security layers, and more bits provide stronger encryption. The options for Encryption Level are as follows:
- Low Uses 56-bit encryption for data sent from the client to the server. Data sent from the server to the client isn’t encrypted. This option is provided to support older clients and typically isn’t required.
- High Uses 128-bit encryption for all data sent between the client and server. This option can be used by Windows XP and newer operating systems. This is the preferred option.
- FIPS Compliant Uses encryption algorithms that are FIPS 140-1 or FIPS 140-2 compliant for all data sent between the client and server. Federal Information Processing Standards (FIPS) is a United States government standard for data encryption. This option typically isn’t used unless requested specifically by an organization that needs to meet FIPS requirements.
- Client Compatible Negotiates the highest level of encryption supported by the client and uses that. This is the default configuration, but it can be considered a security risk because it allows 56-bit encryption for clients that request it. Use this option only if you need to support clients that can’t use 128-bit encryption.
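The session settings in Table 8-3 and the security settings just described are all properties of the collection, so they can be set and audited together from PowerShell. This is an added example, not code from the book; the broker and collection names are placeholders, and the 15-minute and 8-hour limits are choices made for this example rather than values the chapter prescribes.

```powershell
# Added example: apply session limits and security settings to one collection, then audit
# every collection in the deployment for the weak choices the text warns about.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.contoso.local'   # hypothetical broker
$Collection = 'Finance Desktops'       # hypothetical collection

# Session page (Table 8-3). Limits are in minutes; 0 means Never. Idle sessions are
# disconnected after 15 minutes (the screen-lock-like control the text describes) and
# disconnected sessions are ended after 8 hours so they stop holding memory on the host.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -IdleSessionLimitMin           15 `
    -DisconnectedSessionLimitMin   480 `
    -ActiveSessionLimitMin         0 `
    -BrokenConnectionAction        Disconnect `
    -AutomaticReconnectionEnabled  $true `
    -TemporaryFoldersDeletedOnExit $true

# Configure Security Settings page: TLS rather than Negotiate (which can fall back to the
# RDP security layer), 128-bit encryption, and Network Level Authentication required.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -SecurityLayer       SSL `
    -EncryptionLevel     High `
    -AuthenticateUsingNLA $true

# Audit every collection: flag RDP-layer fallback, encryption levels that still allow
# 56-bit (Low and Client Compatible), NLA switched off, and an idle limit of Never.
function Test-RDCollectionHardening {
    param([string]$ConnectionBroker)
    foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $sec = Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName -Security   -ConnectionBroker $ConnectionBroker
        $con = Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName -Connection -ConnectionBroker $ConnectionBroker
        $findings = @()
        if ("$($sec.SecurityLayer)" -ne 'SSL')                          { $findings += "SecurityLayer=$($sec.SecurityLayer): RDP security layer possible" }
        if ("$($sec.EncryptionLevel)" -in 'Low', 'ClientCompatible')    { $findings += "EncryptionLevel=$($sec.EncryptionLevel): 56-bit allowed" }
        if (-not $sec.AuthenticateUsingNLA)                             { $findings += 'Network Level Authentication not required' }
        if ($con.IdleSessionLimitMin -eq 0)                             { $findings += 'Idle session limit is Never' }
        [pscustomobject]@{ Collection = $c.CollectionName; Findings = ($findings -join '; ') }
    }
}

Test-RDCollectionHardening -ConnectionBroker $Broker | Format-Table -AutoSize -Wrap
```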
The Configure Load Balancing Settings page in the properties of a session collection is covered later in this chapter in the section titled “High availability for RD Session Host servers.”
The Configure Client Settings page has settings for device redirection and monitors. By default, redirection is enabled for all available options. If desired, you can select to enable or disable redirection for the following:
- Audio And Video Playback
- Audio Recording
- Smart Cards
- Plug And Play Devices
- Drives
- Clipboard
- Printers
You can find more information about the client settings in Chapter 9.
The User Profile Disks page, shown in Figure 8-20, allows you to configure all of the information entered during collection creation and to define what data is stored on the user profile disks. There are two options for user profile disks data settings:
- Store All User Settings And Data On The User Profile Disk Specifies that the complete user profile is stored on the user profile disk. You can add specific folders and files within the profile to exclude.
- Store Only The Following Folders On The User Profile Disk Specifies that only selected folders in the user profile are stored on the user profile disk. The folders available for selection are Contacts, Desktop, Documents, Downloads, Links, Music, Pictures, Roaming User Profile Data, and User Registry Data. You also can add specific files and folders within the profile to include.
Figure 8-20 Properties of a session collection, User Profile Disks page
Configuring RD Licensing servers
The initial configuration of RDS doesn’t configure licensing. However, a functional RDS deployment in production must have licensing properly configured to ensure that users can connect. To configure licensing for RDS, you need to complete the following tasks:
- Set the licensing mode
- Install an RD Licensing server
- Activate an RD Licensing server
- Install and activate CALs
To install an RD Licensing server, perform the following steps:
- In Server Manager, in the navigation pane, click Remote Desktop Services.
- On the Overview page, in the Deployment Overview area, click RD Licensing.
- In the Add RD Licensing Servers Wizard, on the Select A Server page, double-click the server you want to configure as an RD Licensing server and click Next.
- On the Confirmation page, click Add.
- Wait until the installation is complete and click Close.
To set the licensing mode for an RDS deployment, perform the following steps:
- In Server Manager, in the navigation pane, click Remote Desktop Services.
- On the Overview page, in the Deployment Overview area, click Tasks and click Edit Deployment Properties.
- In the Deployment Properties window, in the navigation pane, click RD Licensing.
- On the RD Licensing page, select Per Device or Per User and click OK.
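The two procedures above (adding an RD Licensing server and setting the licensing mode) can be done from PowerShell as well; activation against the Microsoft Clearinghouse still happens in RD Licensing Manager. This is an added example, not code from the book; the server names are placeholders and the Per User mode is an assumption that must match the RDS CALs actually purchased.

```powershell
# Added example: add the RD Licensing role service to an existing deployment, set the
# licensing mode, and check that licensing is configured before the grace period expires.
Import-Module RemoteDesktop

$Broker  = 'rdcb01.contoso.local'    # hypothetical RD Connection Broker
$License = 'rdlic01.contoso.local'   # hypothetical RD Licensing server

# Equivalent of Add RD Licensing Servers Wizard: installs the role service and joins the deployment.
Add-RDServer -Server $License -Role RDS-LICENSING -ConnectionBroker $Broker

# Equivalent of Deployment Properties > RD Licensing: mode must match the CAL type you bought.
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $License -ConnectionBroker $Broker -Force

# Verification: without a mode and at least one license server, RD Session Host connections
# stop working once the initial 120-day grace period runs out.
$lic = Get-RDLicenseConfiguration -ConnectionBroker $Broker
if ("$($lic.Mode)" -eq 'NotConfigured' -or -not $lic.LicenseServer) {
    Write-Warning 'RD Licensing is not configured; connections will fail after the 120-day grace period.'
}
$lic
```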
The Microsoft Clearinghouse is the service that is used to activate RD Licensing servers and RDS CALs. When you install an RD Licensing server, you need to activate it before it can begin servicing clients. To do this, you use Remote Desktop Licensing Manager (RD Licensing Manager), shown in Figure 8-21. RD Licensing Manager is installed on each RD Licensing server.
Figure 8-21 RD Licensing Manager
When you activate an RD Licensing server, you need to exchange information with the Microsoft Clearinghouse. You can choose from the following connection methods:
- Automatic Connection (Recommended) Transfers the necessary information between the RD Licensing server and the Microsoft Clearinghouse over the Internet. The RD Licensing server must have connectivity to the Internet.
- Web Browser Requires you to enter a Product ID at the website https://activate.microsoft.com. Then, you type the license server ID provided by the website into the Activate Server Wizard. Use this connection method if the RD Licensing server does not have access to the Internet.
- Telephone Requires you to phone the Microsoft Clearinghouse and provide the Product ID for your server. You are then given a license server ID, which you need to enter into the Activate Server Wizard. Use this connection method if you have no access to the Internet.
Installing RDS CALs is a similar process to activating an RD Licensing server. The same connectivity methods to the Microsoft Clearinghouse are supported. The installation process automatically uses the method that you used when activating the server. You can change the connectivity method in the Properties of the server if required.
To activate an RD Licensing server over the Internet, perform the following steps:
- In Server Manager, click Tools, point to Terminal Services, and click Remote Desktop Licensing Manager.
- Right-click the licensing server and click Activate Server.
- In the Activate Server Wizard, on the Welcome To The Activate Server Wizard page, click Next.
- On the Connection Method page, in the Connection Method box, select Automatic Connection (Recommended) and click Next.
- If you have not already configured the company information for your server, you are prompted to do so. On the Company Information page, enter the required company information and click Next.
- On the next Company Information page, if desired, enter the optional information and click Next.
- On the Completing The Activate Server Wizard page, deselect the Start Install Licenses Wizard Now check box and click Finish.
- Right-click the server and click Review Configuration.
- In the Server Configuration window, shown in Figure 8-22, click Add To Group.
Figure 8-22 License server configuration
- In the RD Licensing Manager window, click Continue to acknowledge the warning about requiring Domain Admin privileges.
- In the RD Licensing Manager dialog box, click OK to acknowledge that the server has been added to the Terminal Server License Servers Group.
- In the Server Configuration window, click OK.
To install RDS CALs over the Internet, perform the following steps:
- In Server Manager, click Tools, point to Terminal Services, and click Remote Desktop Licensing Manager.
- Right-click the license server and click Install Licenses.
- In the Install Licenses Wizard, on the Welcome To The Install Licenses Wizard page, click Next.
- On the License Program page, select the license program used to purchase your RDS CALs and click Next. Available license programs include Open License, Enterprise Agreement, Campus Agreement, and more.
- Enter the information requested and click Next. The information requested varies depending on the licensing program used, but it will include either a license code or an agreement number.
- On the Product Version And License Type page, enter the product version, license type, and number of RDS CALs based on your license and click Next.
- Wait while the Microsoft Clearinghouse processes the request and the RDS CALs are installed and then click Finish.