Plan application servers and services
Planning Remote Desktop Infrastructure
Remote Desktop Services has the following benefits:
- User workstations run a minimal amount of software.
- Data is centralised i.e. may be at HQ rather at the branch office.
- The host operating system updates, anti-virus and anti-spyware updates are deployed at the Remote Desktop session host server.
- Application updates are performed centrally.
Depending on the number of users and the applications hosted you may need one or more RD session host servers in one or more locations e.g. a heavily utilised, high bandwidth application used by 20 branch office staff would more than likely warrant a RD session host server at the branch office, whereas 10 users running a word processing application would probably be accessed across the WAN.
Planning RD session host server software
Application compatibility is paramount if you’re to successfully deploy remote applications.
Applications should be installed using change usermode but most applications will auto detect they’re being installed on a RD session server.
Applications which are RD compatible have the following characteristics
- Multi user
- Application configuration should be saved to the users profile
- No users can write to the HKLM registry key
Licensing server scopes
- only available to workgroup computers, workgroup servers and clients can discover the licence server automatically
- Domain RD session host computers and clients can automatically acquire Client Access Licences.
- Forest RD session host computers and client can automatically acquire Client Access Licences; this is the recommended for central licence management.
licence server activation installs a digital certificate to validate the server ownership and identity. The methods of activation are:
- Automatic (requires SSL)
- Web browser (must browse to a web page) – cannot be used with deactivation
Temporary licenses are valid for 90 days
- Device – assigned to a device; can be reclaimed 52 to 89 days after being issued. 20% of licenses issued to a particular operating system can be revoked at any one time.
- User – assigned to a user; user CALs are not enforced by RD licensing.
When a licence server has been restored any unissued licenses will need re-validating.
A Windows Server 2008 R2 licence server is backwards compatible with Windows Server 2008, Windows Server 2003 and Windows 2000 Server Terminal Services session host servers.
RD Session Host Configuration
Configuration of the RD session host is performed within the RD session host configuration > RDP-TCP > Properties window.
The default security layer is negotiate; negotiate will use SSL if a certificate is installed, the default encryption level is client compatible; client compatible negotiates an encryption level that both the client and server support. High encryption uses 128 bit encryption and is supported by RDC 5.2 client software. Low encryption only encrypts data between client and server.
The no. of sessions and the network adapter which RDS will respond on is configured within the network adapter tab.
When performing maintenance the user logon mode should be changed to ‘prevent new logons’ within the RD session host configuration > edit settings.
One of the most important configurations is connection and session configuration as these directly affect the capacity of the RD session host. Session configuration determines when Active, Idle or disconnected sessions should be disconnected or ended respectively.
Group Policy objects
Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/RD Session Host to configure Connections, device and resource redirection, licensing, printer redirection, profiles, remote session environment, security, session limits, temporary folders and RD connection broker.
RD Web Access
This role service allows client to connect to a RD session host via a browser. The role service requires IIS and the Windows Process Activation service.
Compatible clients are XP SP2 and later.
RD Connection broker
This role service maintains user sessions within a database, so if a user is disconnected they will be reconnected. RD connection broker is used in conjunction with DNS round robin, Microsoft NLB or hardware load balancers which support RD connection broker routing tokens. If you’re using a hardware load balancer then then RD connection broker should use token redirection not IP address redirection.
Connection broker can only load balance Windows Server 2008 or 2008 R2 Terminal / Remote Desktop session host servers. Connection broker requires clients be using at least RDC 5.2.
The RD session servers must be made a member of the Session Directory computers group.
RD Virtualisation Host
This role service allows you to present Hyper-V virtual machines as virtual desktops via Remote Desktop Services.
RDS can be monitored using either performance monitor (perfmon) or (WSRM) Windows System Resource Manager.
Performance monitor provides a number of counters to track memory and processor usage per session and active, inactive and total sessions.
WSRM provides a means of distribute the load evenly e.g
- Equal_Per_User ensures each user is allocated equal resources; useful when users can have more than one session.
- Weighted_Remote_Sessions allow processes to be grouped according to the priority assigned to the user account.
- Equal_Per_Session ensures each session is allocated equal resources; should be used in conjunction with limiting users to a single session.