The magic tablecloth, or how to deploy Remote Desktop Services on Windows Server 2012 R2
20.07.16 07:41
Cloud4Y
Habrahabr
Virtualization, IT infrastructure, Cloud computing, Cloud4Y company blog
Today we will explain how deploying an RDS Session Host on Windows Server 2012 R2 differs from earlier versions of Windows Server, and describe the available deployment options. Remote Desktop Services on Windows Server has improved considerably lately, but much remains unclear because of the many components involved. RD Session Hosts do all the dirty work, serving users' terminal sessions. However, even in the most primitive scenario the use of an RD Connection Broker (the broker for Remote Desktop connections) is mandatory. Before you even plan a Remote Desktop Services deployment, it is worth getting acquainted with its role.
Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure’s cloud services.
The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between clients and the server. The RD Gateway virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 and inbound UDP connections to port 3391. This lets users connect through the internet using the HTTPS communications transport protocol and the UDP protocol, respectively.
The digital certificates installed on the server and client have to match for this to work. When you’re developing or testing a network, you can use a self-generated and self-signed certificate. However, a released service requires a certificate from a trusted certification authority. The name of the certificate must match the FQDN used to access RD Gateway, whether the FQDN is the public IP address’ externally facing DNS name or the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, the RD Web Access and RD Gateway roles can be combined on a single virtual machine to reduce cost. You can also add more RD Gateway virtual machines to an RD Gateway farm to increase service availability and scale out to more users. Virtual machines in larger RD Gateway farms should be configured in a load-balanced set. IP affinity isn’t required when you’re using RD Gateway on a Windows Server 2016 virtual machine, but it is when you’re running it on a Windows Server 2012 R2 virtual machine.
For more information, see the following articles:
- Add high availability to the RD Web and Gateway web front
- Remote Desktop Services — Access from anywhere
- Remote Desktop Services — Multi-factor authentication
- Set up the RD Gateway role
Remote Desktop Web Access
Remote Desktop Web Access (RD Web Access) lets users access desktops and applications through a web portal and launches them through the device’s native Microsoft Remote Desktop client application. You can use the web portal to publish Windows desktops and applications to Windows and non-Windows client devices, and you can also selectively publish desktops or apps to specific users or groups.
RD Web Access needs Internet Information Services (IIS) to work properly. A Hypertext Transfer Protocol Secure (HTTPS) connection provides an encrypted communications channel between the clients and the RD Web server. The RD Web Access virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 to allow the tenant’s users to connect from the internet using the HTTPS communications transport protocol.
Matching digital certificates must be installed on the server and clients. For development and testing purposes, this can be a self-generated and self-signed certificate. For a released service, the digital certificate must be obtained from a trusted certification authority. The name of the certificate must match the Fully Qualified Domain Name (FQDN) used to access RD Web Access. Possible FQDNs include the externally facing DNS name for the public IP address and the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, you can reduce costs by combining the RD Web Access and Remote Desktop Gateway workloads into a single virtual machine. You can also add additional RD Web virtual machines to an RD Web Access farm to increase service availability and scale out to more users. In an RD Web Access farm with multiple virtual machines, you’ll have to configure the virtual machines in a load-balanced set.
For more information about how to configure RD Web Access, see the following articles:
- Set up the Remote Desktop web client for your users
- Create and deploy a Remote Desktop Services collection
- Create a Remote Desktop Services collection for desktops and apps to run
Questions & Answers
Question: What happens when the RD Session Host is offline? Then it couldn't contact the SB and therefore all initial connections (RR) will not get connected.
Answer: Yes, what happens when the RD Session Host is offline, and it's part of the DNS load balancing? I haven't confirmed via Wireshark or other networking tools, but I have done this test, and have one server which is part of DNS load balancing turned off. The RDP client looks to do a retry and the only noticeable sign to the user is it takes a little longer before it eventually logs in. A Microsoft engineer can probably confirm how it works, but on the surface, it looks like it's engineered to retry by re-connecting to the computer name again. Then eventually it will resolve to the IP address of an online server.
Question: Did you know, I found that for the DNS alias to work you have to edit your Resource Allocation Policy to "allow all network resources"? Otherwise, very helpful guide.
Answer: If you click "allow all network resources", it will allow those users in the group to access every server and PC in the network. Perhaps you haven't assigned a group of computers to be accessed in that policy? Also, I found on one network, when I assigned an AD group of computers, I had to use the computer name and not its FQDN, i.e. COMPUTERNAME instead of COMPUTERNAME.domain.local, to connect to it.
Question: When trying to connect to a specific Remote Session Host by using the /admin parameter, a domain user (not admin) gets the message "requested access to the session was denied". Is there any way to connect to a specific host for standard users?
Answer: Not that I am aware of. The /admin switch is meant for users with administrator privileges.
Question: I have a question regarding taking a server offline using the "do not allow connections" setting. How do you ensure the user does not connect to the offline server with DNS round robin enabled?
Answer: When a user remote desktops to an RD server that is part of an RD Connection Broker farm, the RD server first checks with the RD Connection Broker server whether it's allowed to continue the user login process on that RD server or gets redirected to another server. If the server that the user first hits has the "do not allow connections" setting, it will be redirected to another server in the farm. The only exception is that if the user already has a disconnected or active session on an RD server in the farm, then the Connection Broker will redirect it back to that server with the existing user connection, even if it has the "do not allow connections" setting.
2018 sengstar2005
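As an added example (not from the Q&A above or from any Microsoft article) of the drain behaviour the last answer describes, this PowerShell uses the RemoteDesktop module to close a session host to new connections and then list the sessions the broker will still redirect back to it; the broker, collection and host names are placeholders.

```powershell
# Added example: drain one RD Session Host in a Connection Broker farm, then show
# which existing sessions the broker will still send back to it.
# Assumes the RemoteDesktop module (RDMS server) and the placeholder names below.
Import-Module RemoteDesktop

$Broker     = "rdcb01.contoso.local"   # placeholder: broker FQDN
$Collection = "SessionCollection1"     # placeholder: collection name
$DrainHost  = "rdsh02.contoso.local"   # placeholder: host to take offline for maintenance

# Equivalent of "Do not allow new connections" in Server Manager.
# NotUntilReboot re-enables the host automatically after it restarts.
Set-RDSessionHost -SessionHost $DrainHost `
                  -NewConnectionAllowed NotUntilReboot `
                  -ConnectionBroker $Broker

# Confirm the broker now sees the host as closed to new logons.
Get-RDSessionHost -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object SessionHost, NewConnectionAllowed

# Users who still have an active or disconnected session on the drained host
# are redirected back to it regardless of the setting (see the answer above).
# Listing them tells you which sessions must end before the host is really empty.
$stuck = Get-RDUserSession -CollectionName $Collection -ConnectionBroker $Broker |
    Where-Object { $_.HostServer -ieq $DrainHost }

$stuck | Select-Object UserName, SessionState, CreateTime, DisconnectTime

# Optional: log off the disconnected sessions so the broker has nothing to redirect.
foreach ($s in ($stuck | Where-Object { $_.SessionState -eq 'STATE_DISCONNECTED' })) {
    Invoke-RDUserLogoff -HostServer $s.HostServer -UnifiedSessionID $s.UnifiedSessionId -Force
}
```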
Updates and hotfixes for Remote Desktop Session Hosts
Note
See the conditions before installing any update or hotfix for this server role.
Date added | Related KB articles | Title | Component | Why we recommend this update |
---|---|---|---|---|
April 2016 | | RDS redirected resources show degraded performance on Windows 8.1 or Windows Server 2012 R2 | Multiple | This update resolves slow RDP performance when redirected resources (drives, printers and ports) are used. |
December 2015 | | Stop error 0x000000C2 or 0x0000003B when starting Remote Desktop Services on Windows Server 2012 R2 | win32k.sys & dxgkrnl.sys | This article describes a hotfix package that resolves an issue in Windows Server 2012 R2 when starting Microsoft Remote Desktop Services (RDS). |
October 2015 | | RemoteApp windows disappear and flicker when switching between windows in Windows 8.1 or Windows Server 2012 R2 | rdpshell.exe | This update contains the latest RemoteApp server-side components (mainly Rdpinit.exe/Rdpshell.exe) and includes all the other RemoteApp fixes listed in . Client-side RemoteApp issues may also be fixed; those fixes are listed again under the Remote Desktop client section in . |
September 2015 | | UPD profiles are corrupted when a network connectivity issue occurs in Windows Server 2012 R2 | sessenv.dll | Latest version of Sessenv.dll. This update resolves an issue in which user profile disks (UPDs) become corrupted when a network connectivity issue occurs. |
July 2015 | | Event 1530 is logged and ProfSvc leaks paged pool memory and handles in Windows 8.1 or Windows Server 2012 R2 | profsvc.dll | Latest version of Profsvc.dll. This article describes an issue in which event 1530 is logged and the User Profile Service (ProfSvc) leaks paged pool memory and handles. |
July 2015 | | Remote Desktop Easy Print is slow in Windows Server 2012 R2 | Multiple | Resolves an issue in which printing to a redirected printer through Remote Desktop Easy Print takes a long time. |
July 2015 | | Redirected printers go offline after the Print Spooler is restarted on a Windows Server 2012 R2-based RD Session Host server | Multiple | Resolves an issue in which redirected printers go offline after the Print Spooler is restarted on a Windows Server 2012 R2-based RD Session Host server. Also includes . |
Summary
When you create a standard deployment of Remote Desktop Services, the Remote Desktop Connection Broker role service provides access to the complete functionality of Remote Desktop Services. A configuration that does not use the RD Connection Broker role service provides desktop sessions to users based on the number of Remote Desktop Services client access licenses (RDS CALs) that are installed on the server. Such a configuration does not provide access to RemoteApp programs or the RDWeb website. Because a configuration without the RD Connection Broker role service does not provide access to all RDS functionality, you should use such a configuration only if there is no other option.
You can use the instructions in this article to configure RDS service by using a single server (either a member of a workgroup or a domain controller (DC)). If you have a separate DC, we recommend that you use the Standard Remote Desktop Services deployment wizard.
Important
Configuring RDS on a workgroup server creates the following additional restrictions:
- You must use per-device licensing instead of per-user licensing. For more information, see License your RDS deployment with client access licenses (CALs).
- You must use Windows PowerShell to manage the RDS role services. This is because the Server Manager tools for RDS do not work. For more about using PowerShell cmdlets together with RDS, see Using Powershell to Install, Configure and Maintain RDS in Windows Server 2012.
For more information about the RDS roles, see Remote Desktop Services roles.
Process of deploying RDS service roles
The process of deploying RDS service roles on a single workgroup server or DC differs from that of deploying a standard RDS configuration on multiple computers.
Unless otherwise noted, these steps apply to both workgroup computer and DC cases.
Important
If you are using a single computer as both the RDS server and as a DC, configure the computer as a DC before you begin installing the RDS roles. For more information about how to install Active Directory Domain Services (AD DS) and configure the computer as a DC in Windows Server 2016 or Windows Server 2012, see Install Active Directory Domain Services (Level 100).
1. On the workgroup computer or DC, install the Remote Desktop Licensing role service and the Remote Desktop Session Host role service. To do this, follow these steps:
   - Open Server Manager.
   - Click Manage and select Add Roles and Features.
   - Select Role-based or Feature-based installation.
   - Select the computer as the destination server.
   - On the Select server roles page, select Remote Desktop Services.
   - On the Select role services page, select the Remote Desktop Licensing and Remote Desktop Session Host role services.
   - Continue the installation. Select default values for the remaining settings.
2. DC step: Open Remote Desktop Licensing Manager, right-click the server, and then select Review Configuration.
3. Select Add to group.
   Note
   If you have to manage group memberships manually, the Terminal Server License Servers group is located in the Built-in container in Active Directory Users and Computers.
4. Restart the Remote Desktop Services service.
5. Use one of the following methods to activate the RDS license server:
   - To activate a Windows Server 2012 RDS license server, see .
   - To activate a Windows Server 2016 RDS license server, see Activate the Remote Desktop Services license server.
6. Install the appropriate RDS CALs.
   Important
   If you are using a workgroup server, you must use per-device CALs. For more information, see License your RDS deployment with client access licenses (CALs). For more information about how to install RDS CALs, see Install Remote Desktop Services Client Access Licenses.
7. Add the users that you want to allow to connect to the Remote Desktop Users group. To do this, use the following tools:
   - To find the Remote Desktop Users group on a DC, open Active Directory Users and Computers and navigate to the Builtin container.
   - To find the Remote Desktop Users group on a workgroup server, open Computer Management and then navigate to Local Users and Groups\Groups.
8. Change the local policy of the computer to add your remote desktop users to the Allow logon through Remote Desktop Services local policy object. To do this, follow these steps:
   - Open Local Security Policy.
   - Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
   - Double-click Allow log on through Remote Desktop Services, and then select Add User or Group.
   - Type Remote Desktop Users (or the user names of each user account that you want to add, separated by semicolons), and then select OK two times.
9. Configure the Remote Desktop Session Host role service to use the local RDS license server.
   Important
   Before you begin this procedure, make sure that the RDS license server is activated.
   To do this, follow these steps:
   1. Open an elevated Windows PowerShell Command Prompt window.
   2. Run the following command:
   3. To set the licensing mode, run the following command:
      Note
      In this command, <value> represents the licensing mode and is either 2 (if you are using per-device licensing) or 4 (if you are using per-user licensing). If you are using a workgroup server, you must use 2.
   4. Run the following command:
   5. To verify the settings, run the following command:
      You should see the RDS licensing server name in the output. After you finish this step, users can start remote desktop sessions by using any supported RDS client.
10. DC step: To enable printer redirection to function correctly on a DC that is acting as the RDSH host, follow these additional steps.
   1. Open an elevated Command Prompt window.
   2. Run the following commands:
   3. Restart the computer.
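Added example (not the KB article's own commands): the licensing-mode and license-server configuration from the procedure above, done in PowerShell through the Win32_TerminalServiceSetting WMI class and then verified; the license server name is a placeholder and the script needs an elevated prompt on the session host.

```powershell
# Added example: point the local RD Session Host at an RDS license server and set
# the licensing mode, then verify both. Run from an elevated PowerShell prompt.
$LicenseServer = "rds-single.contoso.local"   # placeholder: FQDN of the RDS license server
$Mode = 2   # 2 = per device (mandatory on a workgroup server), 4 = per user

$ts = Get-WmiObject -Namespace "Root\CIMV2\TerminalServices" -Class Win32_TerminalServiceSetting

# ChangeMode returns a Win32 error code in ReturnValue; 0 means success.
$r = $ts.ChangeMode($Mode)
if ($r.ReturnValue -ne 0) { throw "ChangeMode failed with code $($r.ReturnValue)" }

# SetSpecifiedLicenseServerList takes the license server name(s) as a string array.
$r = $ts.SetSpecifiedLicenseServerList(@($LicenseServer))
if ($r.ReturnValue -ne 0) { throw "SetSpecifiedLicenseServerList failed with code $($r.ReturnValue)" }

# Verify: re-read the settings object and the specified license server list.
$ts = Get-WmiObject -Namespace "Root\CIMV2\TerminalServices" -Class Win32_TerminalServiceSetting
$configured = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList

"Licensing mode : $($ts.LicensingType) (2 = per device, 4 = per user)"
"License servers: $($configured -join ', ')"

# Fail loudly if what the host reports does not match what was requested;
# a session host with no reachable license server stops accepting logons
# once the 120-day grace period ends.
if ($ts.LicensingType -ne $Mode -or $configured -notcontains $LicenseServer) {
    throw "RDS licensing configuration was not applied as expected"
}
```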
Step 1: Configure the database for the Connection Broker
- Find the connection string for the database you created. You need it both to identify the version of the ODBC driver you need and later, when you configure the Connection Broker itself (step 3), so save the string somewhere you can reference it easily. Here is how you find the connection string for Azure SQL:
  1. In the Azure portal, click Browse > Resource groups and click the resource group for the deployment.
  2. Select the SQL database you just created (for example, CB-DB1).
  3. Click Settings > Properties > Show database connection strings.
  4. Copy the connection string for ODBC (includes Node.js), which should look like this:
  5. Replace "your_password_here" with the actual password. You will use this entire string, with your password included, when connecting to the database.
- Install the ODBC driver on the new Connection Broker:
  1. If you are using a VM for the Connection Broker, create a public IP address for the first RD Connection Broker. (You only have to do this if the RDMS virtual machine does not already have a public IP address to allow RDP connections.)
     - In the Azure portal, click Browse > Resource groups, click the resource group for the deployment, and then click the first RD Connection Broker virtual machine (for example, Contoso-Cb1).
     - Click Settings > Network interfaces, and then click the corresponding network interface.
     - Click Settings > IP address.
     - For Public IP address, select Enabled, and then click IP address.
     - If you have an existing public IP address you want to use, select it from the list. Otherwise, click Create new, enter a name, and then click OK and then Save.
  2. Connect to the first RD Connection Broker:
     - In the Azure portal, click Browse > Resource groups, click the resource group for the deployment, and then click the first RD Connection Broker virtual machine (for example, Contoso-Cb1).
     - Click Connect > Open to open the Remote Desktop client.
     - In the client, click Connect, and then click Use another user account. Enter the user name and password for a domain administrator account.
     - Click Yes when warned about the certificate.
  3. Download the ODBC driver for SQL Server that matches the version in the ODBC connection string. For the example string above, you need to install the version 13 ODBC driver.
  4. Copy the sqlncli.msi file to the first RD Connection Broker server.
  5. Open the sqlncli.msi file and install the native client.
  6. Repeat steps 1-5 for each additional RD Connection Broker (for example, Contoso-Cb2).
Additional causes of the "Estimating connection quality" error
Windows Registry Editor Version 5.00
"Image Dll"="_schannel.dll"
"Start"=dword:00000003
Then restart the server; this is mandatory.
- The second problem: your Remote Desktop Licensing server is not working or not responding. In Server Manager you see Remote Desktop Licensing service errors: the licensing server is missing. Fix the licensing problem and rejoice.
- It also sometimes helps to select the transport protocols, so let's look at this in more detail. An RDP connection uses two transport protocols, TCP and UDP. The trick is to leave only TCP. To do this, create a Group Policy, or edit the local policy on the connection servers, at this path:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Select RDP transport protocols: choose "Use only TCP"
A reboot, or a restart of the RDP services, will be required.
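Added example, not part of the original post: the same "TCP only" setting applied as a local policy from PowerShell and then checked. It assumes the SelectTransport registry value that the "Select RDP transport protocols" GPO writes (1 = Use only TCP, as defined in TerminalServer.admx) and that Get-NetUDPEndpoint is available (Windows Server 2012 or later).

```powershell
# Added example: force RDP to TCP only through the local policy registry value
# and verify that the UDP 3389 listener is gone afterwards.
# Assumption: SelectTransport 0 = both UDP and TCP, 1 = TCP only, 2 = either (ADMX enum).
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

function Set-RdpTcpOnly {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name SelectTransport -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RdpTransportPolicy {
    $v = (Get-ItemProperty -Path $PolicyKey -Name SelectTransport -ErrorAction SilentlyContinue).SelectTransport
    if ($null -eq $v) { return "Not configured (default: UDP or TCP)" }
    switch ($v) {
        0       { "Use both UDP and TCP" }
        1       { "Use only TCP" }
        2       { "Use either UDP or TCP" }
        default { "Unknown value $v" }
    }
}

Set-RdpTcpOnly
"Transport policy: $(Get-RdpTransportPolicy)"

# The listener only re-reads the policy when Remote Desktop Services restarts.
# Restarting TermService disconnects every current RDP session on this host,
# so do it in a maintenance window (a reboot has the same effect).
Restart-Service TermService -Force
Start-Sleep -Seconds 5

# With TCP only, no UDP 3389 endpoint should remain; clients then show no
# "UDP is enabled" text in the connection quality indicator.
$udp = Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
if ($udp) { "UDP 3389 still listening on: $($udp.LocalAddress -join ', ')" }
else      { "UDP 3389 listener closed; RDP is TCP only" }
```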
I have often seen a situation where someone works remotely from a dacha or an even more remote place, on their own mobile internet, and because of speed problems gets the "Estimating connection quality" error, at which point they immediately start saying that your RDS farm is bad. It takes a good few tens of minutes before you prove to them that their mobile internet is the problem. Fortunately, since version 8 of the RDP client, diagnosis has become easier: a connection indicator appeared in the Remote Desktop Connection (RDC) client.
You will find the RDC indicator at the top of the connection bar, at the top of any full-screen Remote Desktop connection. The indicator shows one to four bars, which summarize the round-trip time (RTT) and the current bandwidth in an easy-to-read icon. It looks like this.
The connection quality to the remote computer is good
For example, a full set of four bars indicates that latency is under 50 ms and bandwidth exceeds 10 Mbit/s. With fewer bars, the user is connected with higher latency or lower bandwidth.
The user can also click the indicator icon to see a written description of their connection quality and find out whether they are getting the extra benefits of a UDP-based connection.
The connection quality to the remote computer is good, the UDP protocol is enabled
That's all from me; I hope I have helped you solve the problem connecting to your RDS farm. This was Ivan Semin, author and creator of the IT portal Pyatilistnik.org.
Testing Remote Desktop Connection Broker on the Internal Network
To connect to the farm, use the DNS name of the farm for the computer name in the Remote Desktop client.
To test if the connection broker is doing its job, we can adjust the relative weight of the server that we have just connected to in the farm to 1.
In the above example, we have connected to the RDServices server. We will adjust the relative weight for it to 1. We can then remote desktop into the farm using a second user account and we should see it connect to the second server.
Use another account to log into the farm
A warning about the computer identity will pop up. Just connect anyway.
Check the name of the server to confirm that you have now logged into the second server
If you have a disconnected user session or even a non-disconnected user session on a server in the farm, the connection broker will redirect your connection to this session if you try to log in as that same account.
To test this, we can remote desktop to the farm as the account that’s currently logged into the RDServices server. Despite the relative weight being 1, the connection broker will redirect the user to the RDServices server.
Remote Desktop Licensing
Activated Remote Desktop Licensing (RD Licensing) servers let users connect to the RD Session Host servers hosting the tenant’s desktops and apps. Tenant environments usually come with the RD Licensing server already installed, but for hosted environments you’ll have to configure the server in per-user mode.
The service provider needs enough RDS Subscriber Access Licenses (SALs) to cover all authorized unique (not concurrent) users that sign in to the service each month. Service providers can purchase Microsoft Azure Infrastructure Services directly, and can purchase SALs through the Microsoft Service Provider Licensing Agreement (SPLA) program. Customers looking for a hosted desktop solution must purchase the complete hosted solution (Azure and RDS) from the service provider.
Small tenants can reduce costs by combining the file server and RD Licensing components onto a single virtual machine. To provide higher service availability, tenants can deploy two RD License server virtual machines in the same availability set. All RD servers in the tenant’s environment are associated with both RD License servers to keep users able to connect to new sessions even if one of the servers goes down.
For more information, see the following articles:
Configuring RD Gateway for RDCB HA
Once you have configured HA you will need to create a CAP and RAP for the HA configuration.
Add both connection brokers and the HA DNS Name.
Restart all RDS Servers once the configuration is complete.
Summary:
- Step 1 – Create an Active Directory group for the Connection Brokers (Domain\"Connection Broker AD User Group"); add both Connection Broker 01/02 ("03" in RDS2016)
- Step 2 – Add the Connection Broker group to the SQL instance used for the RDCB DB (Security/Logins/add account) and grant
- Step 3 – Add SQL permissions for the user group (Domain\"Connection Broker AD User Group"): dbcreator for the SQL instance
- Step 4 – Install the SQL Native Client (ODBC, 64-bit) on Connection Broker 01 and configure the SQL instance using integrated Windows authentication
- Step 5 – Run the RDCB HA wizard, Dedicated instance option, HA Name: "HAname.domain"; use the following string: DRIVER=SQL Server Native Client 11.0;SERVER="SQL_Instance_name";Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;Database="Database Name"
- Step 6 – Add the SQL DB path "Drive:\DB_path"
- Step 7 – Complete the wizard
- Step 8 – On the SQL instance, add dbo permission for the security group (Domain\"Connection Broker AD User Group") to the new database (Database Name)
- Step 9 – Run the HA wizard in the RDMS console for the second Connection Broker
- Step 10 – Reboot both Connection Brokers and test
- Step 11 – Open the RDCB database and run the script SELECT TOP 10 ,, FROM .. to confirm the Connection Brokers are communicating with the SQL instance; the timestamp should update every 30 seconds (estimate)
SQL Native client link: https://www.microsoft.com/en-gb/download/details.aspx?id=36434
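Added example (not the post's own script): steps 5, 6 and 9 of the summary above as RemoteDesktop module cmdlets, using the same connection string format; the broker, SQL instance, database and HA DNS names are placeholders.

```powershell
# Added example: convert a single RD Connection Broker to HA mode and add a second
# broker, the cmdlet equivalent of the RDCB HA wizard. Run on the RDMS server.
# Assumes steps 1-4 and 8 of the summary (AD group, SQL logins, dbcreator/dbo,
# native client) were done on the SQL side; all names below are placeholders.
Import-Module RemoteDesktop

$Broker1 = "rdcb01.contoso.local"
$Broker2 = "rdcb02.contoso.local"
$HaName  = "rdcb.contoso.local"          # HA client access name; must resolve in DNS to the brokers
$SqlInst = "sql01.contoso.local\RDS"     # SQL instance reachable by the broker computer accounts
$DbName  = "RDCB"
$DbPath  = "D:\RDCB\RDCB.mdf"            # "Drive:\DB_path" on the SQL server

# Step 5: same string shape as the summary; integrated Windows authentication,
# so no password is stored on the broker.
$conn = "DRIVER=SQL Server Native Client 11.0;SERVER=$SqlInst;Trusted_Connection=Yes;" +
        "APP=Remote Desktop Services Connection Broker;Database=$DbName"

# Steps 5-7: switch the existing broker to HA mode (creates the database).
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker1 `
    -DatabaseConnectionString $conn `
    -DatabaseFilePath $DbPath `
    -ClientAccessName $HaName

# Step 8 (dbo on the new database for the broker group) happens on SQL before this.
# Step 9: add the second broker; it joins through the shared database.
Add-RDServer -Server $Broker2 -Role RDS-CONNECTION-BROKER -ConnectionBroker $Broker1

# Verify: active management server, HA name, and both brokers listed.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker1 |
    Select-Object ActiveManagementServer, ClientAccessName, DatabaseConnectionString
Get-RDServer -Role RDS-CONNECTION-BROKER -ConnectionBroker $Broker1 | Select-Object Server
```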
Symptom 1: Limited Remote Desktop session or Remote Desktop Services session connections
When you try to make a Remote Desktop Connection (RDC) to a remote computer or to a Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2, you receive one of the following error messages:
Also, you are limited in the number of users who can connect simultaneously to a Remote Desktop session or Remote Desktop Services session. A limited number of RDP connections can be caused by misconfigured Group Policy or RDP-TCP properties in Remote Desktop Services Configuration. By default, the connection is configured to allow an unlimited number of sessions to connect to the server.