How to install and configure a Remote Desktop server (terminal server) in Windows Server 2008 - part 1

Understanding the concept

Remote Desktop Services (RDS) in Windows Server 2008 R2 is the renamed and advanced version of the terminal server service that is available in Windows Server 2003. This feature enables users to access Windows-based programs that are installed on a terminal server, or to access the full Windows desktop. Users can access a remote desktop server from within the corporate network or from the Internet. When a user accesses a program on a terminal server, the program executes on the server, and only keyboard, mouse and display information is transmitted over the network. Each user sees only their own session, which is managed transparently by the server operating system and is independent of any other client session. Remote Desktop Services is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage. Consider, for example, an organization that has its own private application and needs to access it from outside the organization, or the deployment of multiple versions of an application where installing them all locally would cause conflicts, and many other cases. More details are described here in MS tech center,

When you are planning to implement Remote Desktop Services, there are a few terms that you must understand.
1. Remote Desktop Session Host (Terminal Server)
The Remote Desktop Session Host is the server that hosts the applications required by TS clients. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Servers that have this role service installed act as your remote desktop servers.
2. Remote Desktop Licensing (TS Licensing)
RD Licensing manages the Remote Desktop Services client access licenses (RDS CALs) that are required for each device or user to connect to a Remote Desktop Session Host or Remote Desktop Virtualization Host server. You use RD Licensing to install, issue and track the availability of RDS CALs on a Remote Desktop license server. The grace period of this service is 120 days, and a permanent RDS CAL should be purchased. There are several methods to purchase the license, and those are described in the MS article (http://technet.microsoft.com/en-us/library/cc771547.aspx). The License Server role can be installed on your Session Host server or on a dedicated server. If we install the Remote Desktop Licensing role on a dedicated server, any additional RD Session Hosts that we add in the future can share this service. However, this role does not have to be configured in the initial stages, as we have a trial license for 120 days.
3. RD Web Access (TS Web Access)
RD Web Access gives users access to the applications and server desktops that have been made available to them. To use it, users visit the web site configured by the remote desktop administrators in their web browser (IE, Chrome, Firefox etc.). When a user starts a RemoteApp program, a Terminal Services session is started on the terminal server that hosts the RemoteApp program. When you deploy RD Web Access, you can specify which terminal server to use as the data source to populate the list of RemoteApp programs that appears on the web page.
4. Remote Desktop Gateway (TS Gateway)
This role enables authorized remote users to connect to resources on an internal corporate network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. RD Gateway improves security by establishing an encrypted connection between remote users on the Internet and the internal network resources (hosted on the remote desktop server). Note that the RD Gateway role service requires other roles to be installed for it to function (e.g. Network Policy and Access Services, Web Server (IIS)), and those will be installed automatically during the role installation.
5. RD Connection Broker (TS Session Broker)
RD Connection Broker has one of the vital roles in Remote Desktop Services. It keeps track of user sessions in a load-balanced terminal server farm. You can make use of the Windows failover clustering feature to achieve this. The RD Connection Broker stores session state information, the user associated with each session, and the server where each session exists. When a user who has an existing session connects back to the terminal server farm, the RD Connection Broker identifies it and redirects the user to the server where that session exists. This prevents the user from being connected to a different server in the farm and starting a new session.
6. Remote Desktop Virtualization Host
RD Virtualization Host integrates with Hyper-V to provide virtual machines that can be used as personal virtual desktops or virtual desktop pools. If a user is assigned and requests a personal virtual desktop, RD Connection Broker redirects the user to this virtual machine. If the virtual machine is not turned on, RD Virtualization Host turns on the virtual machine and then connects the user.
I hope the above information is good enough to understand the various roles that come under Remote Desktop Services. Now let us see how to install and configure these roles.

Installation and configuration

In my environment I am going to install the roles Remote Desktop Licensing, Remote Desktop Gateway, RD Connection Broker, RD Web Access and Remote Desktop Session Host on the same server. I don't want the Remote Desktop Virtualization Host service, as I don't have Hyper-V installed.
Note: It is not recommended to install and configure RDS on an Active Directory server, as it can reduce the security and decrease the performance of the server; however, you can do it if required.
It is recommended to install the Remote Desktop Session Host before you install any applications that you want to make available to users. Otherwise the applications may not work as expected for clients.

1. Log on to the server where you want to install RDS as a user who has administrator and enterprise admin rights.
2. Open Server Manager: click Start -> Administrative Tools -> Server Manager.
3. Under the Roles Summary heading, click Add Roles.
4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.
5. On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.

6. On the Remote Desktop Services page, click Next. This page just gives a brief introduction to Remote Desktop Services.

7. On the Select Role Services page, select Remote Desktop Licensing, Remote Desktop Gateway, RD Connection Broker, RD Web Access and Remote Desktop Session Host. If you are installing Remote Desktop Session Host on the Active Directory server, you will get a warning message because it is not recommended; click Install Remote Desktop Session Host (not recommended) and select the other role services. As described earlier, you may need to install additional features to support Remote Desktop Gateway, so select Add Required Role Services when prompted. Click Next to continue.

8. On the Uninstall and Reinstall Applications for Compatibility page, click Next. I hope you have got the message.

9. The next step asks for the level of authentication that you require for RDS (Remote Desktop Services). It is recommended to enable Network Level Authentication, and you can select the option as required. If you have Windows XP clients that access RDS, you should not enable Network Level Authentication, as they do not have the upgraded version of the Remote Desktop Connection client. You can select Network Level Authentication if your clients are at least Windows 7 or later. Click Next.

10. You need to specify the licensing mode that you want to use for RDS. Licenses can be purchased either per user or per computer. Otherwise you can install the license later, as we have a 120-day trial period. I am selecting the trial option and continuing; you can install the license now or later.

11. Select the user groups that can access the remote desktop server and its services. I am selecting all the users of my domain, and you can do the same by clicking the Add button. If you have a specific set of users that need to access the terminal server, you can create a group in Active Directory and add that group to this list later as well.
Note: Administrator users are included by default in this operation and cannot be removed.

12. Now you can specify the client experience. These settings are optional; select them as required. Please note that enabling more functionality can lead to high system and bandwidth usage, which may affect the performance of the RD Session Host server. So leave a feature out if it is not really required.

13. Next you need to specify the discovery scope for RD Licensing. It is used by RD Session Host servers to automatically identify and discover the licensing server. Leave the selection as default; you can change the RD Licensing database location if required. It is really worth clicking the link More about licensing directory to get a much better understanding of this.

14. You must have a certificate for SSL communication. It is recommended to get the certificate from a trusted certificate authority (CA), especially when you have to access the RD session from an outside network. In my case I have one self-signed certificate installed on my server, and it is listed automatically here. If you do not have any certificate installed on the server, none will be listed, and you can import one now by clicking the Import button. If you want to create an SSL certificate now, you must select the second option, Create a self-signed certificate for SSL encryption, or you can select the third option, Choose a certificate for SSL encryption. Make sure that the SSL certificate is attached to the HTTPS binding in your IIS.
If you have any doubt about creating an SSL certificate, I believe this link will be useful: http://serverlabs.blogspot.in/2014/03/how-to-create-self-signed-certificate.html
I will continue with my existing SSL certificate. Click Next to continue.

15. Now you need to specify the authorization policies that control how RD Session Host clients are allowed to connect. There are two important terms to understand here: Remote Desktop connection authorization policy (RD CAP) and Remote Desktop resource authorization policy (RD RAP). In simple words, an RD CAP describes the users that can connect to this RD Gateway server, and an RD RAP allows us to specify which terminal servers those users are allowed to connect to from the network. Until we configure an RD RAP and an RD CAP, users will not be able to connect to the RD server, so I will configure these policies now. Select Now under Create authorization policies and click Next.

16. Under User group membership (required), click the Add button, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group; I have allowed it for all my domain users. At this point you might be a little confused, as we have already configured the user groups that can access the RD server in step 11. All you need to understand is that step 11 applies to the RD Session Host server, whereas RD Gateway is an additional security feature for the RD server, and here you are specifying the users that are allowed to connect through RD Gateway. Hence the same user group is mentioned here as well. Click Next to continue.

17. In the previous step we specified the user group that can connect. Here you must specify a name for the RD CAP and at least one authentication method that is required for users. A default name is provided and can be edited if required; for example, if you have allowed the users of a particular group to access the RD server, it is worth customizing the RD CAP name, which will help us identify the policies easily in future. Windows authentication can be either password or smart card, which determines how users are authenticated to get access to the RD server. In my case I am leaving the RD CAP name as default and setting the authentication method to Password only. Click Next.

18. Here you specify the details for the RD RAP. The RD RAP can be either the default or a customized one, as per your choice. Here you must specify the network resources that RD users can connect to; if you need to limit which computers an RD user can access once connected, you specify those settings here. For example, when the user 'Livin' connects through RD Gateway and needs to access only a group of computers, you can select the second option, Allow users to connect only to computers in the following groups, and set the group. In my scenario I have allowed all of my domain users to use the RD service and I am not setting a limitation for this, so I am selecting Allow users to connect to any computer on the network. Define the settings as required for you and click Next.

19. As discussed above, for RD Gateway to function properly, certain features need to be installed: Network Policy and Access Services and Web Server (IIS). You will now see the introduction and confirmation pages for installing these features; simply click Next to get it done.
  




20. Now we have the summary of the configuration that we have done so far. Review it and click Install to start the installation.


21. Once the installation is completed, you can close the window, and you must restart the server to complete this operation.

22. Once the server has rebooted, you must log in and the installation will continue, which will end up in the below window. Click Close.

This completes the installation and basic configuration of the Remote Desktop server. The advanced level of configuration can be viewed on this link.
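The role selection in step 7 and the settings chosen in steps 9, 11 and 15-18 can also be installed and checked from PowerShell. The following is an added example, not part of the original post; it assumes Windows Server 2008 R2 (where the ServerManager and RemoteDesktopServices modules are available), an elevated session, and the role service names that Get-WindowsFeature lists on that release.

```powershell
# Added example, not from the original post. Run elevated on Windows Server 2008 R2.
Import-Module ServerManager

# Role services selected in step 7 (names as listed by Get-WindowsFeature on 2008 R2).
$roleServices = 'RDS-RD-Server', 'RDS-Licensing', 'RDS-Gateway',
                'RDS-Connection-Broker', 'RDS-Web-Access'

# Show the current state of every RDS role service before changing anything.
Get-WindowsFeature -Name 'RDS*' |
    Format-Table DisplayName, Name, Installed -AutoSize | Out-Host

# Install only what is missing. Prerequisites for RD Gateway (IIS, Network
# Policy and Access Services, see step 19) are added automatically.
$missing = @(Get-WindowsFeature -Name $roleServices | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if (-not $result.Success) { throw 'Role service installation failed.' }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Restart the server (steps 21-22), then run this script again for the checks below.'
        return
    }
}

# Step 9: check whether the RDP listener requires Network Level Authentication.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($listener.UserAuthenticationRequired -eq 1) {
    'NLA is required on the RDP-Tcp listener.'
} else {
    Write-Warning 'NLA is NOT required on the RDP-Tcp listener.'
    # Uncomment once every client supports NLA (see step 9):
    # $listener.SetUserAuthenticationRequired(1) | Out-Null
}

# Step 11: list who is allowed to log on through Remote Desktop on this server.
net localgroup "Remote Desktop Users"

# Steps 15-18: list the RD Gateway authorization policies created by the wizard.
# The RDS: drive is provided by the RemoteDesktopServices module.
Import-Module RemoteDesktopServices
Get-ChildItem RDS:\GatewayServer\CAP
Get-ChildItem RDS:\GatewayServer\RAP
```

The command-line installation does not ask the wizard's configuration questions, so licensing mode, certificate and authorization policies still have to be set afterwards.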

How to install and configure Windows failover clustering in Windows Server 2008/R2

Understanding the concept

A failover cluster is a group of independent computers that work together to increase the availability of applications and services. The clustered servers (called nodes) are connected by physical cables and by software. If one of the cluster nodes fails, another node begins to provide service so that users experience a minimum of disruption in service. Organizations put a lot of value on mission-critical servers and rely on them heavily to run their businesses. As a result, server downtime can be very costly. For example, unexpected downtime of a heavily used e-mail server, database server or any other service can easily mean lost productivity or lost business for every hour that it is unavailable. In this case clustering can be used as a way to achieve high availability of these services.

Before configuring Windows clustering, make sure that you meet the requirements below.

1. The failover cluster feature is not available in Windows Web Server 2008 or Windows Server 2008 Standard.
2. It is recommended to have a dedicated network interface for failover clustering. So a clustered server will have its existing NIC and an additional one that we are adding now. It is not necessary to have an additional NIC, but MS highly recommends it.
3. Since we are adding an additional NIC, it is necessary to assign IP addresses to those interfaces; make sure that these addresses are static (do not assign the IP addresses through DHCP).
4. It is necessary to assign an IP address to the cluster as well. So make sure that you have an IP address that can be assigned to it. Please note that if you have different networks on your server, each network needs to be assigned its own IP address.
5. Make sure that all servers that are going to take part in clustering run the same edition. That is, all the servers should be either Enterprise or Datacenter edition.
6. The user who is going to perform this action should have the proper privileges in Active Directory (delegated control to add and remove computers and users in AD) or administrative privileges.
Refer to the link below for more information: http://technet.microsoft.com/en-us/library/cc771404.aspx .

Installing and configuring Windows failover clustering

Make sure that you have added the relevant storage disks to the server. If you are mapping the storage through iSCSI, you must map it using the iSCSI initiator. Once the disks are attached through it, open Disk Management and the newly added disks will be listed. These disks will be in the offline state. Right-click each disk, select Online and convert the disk into a New Spanned Volume. Performing these steps makes the storage show up as available for the cluster. You need to do the same on all the servers that are going to take part in clustering. These steps are required only if you are adding the storage disks to failover clustering now; they are not necessary for the basic cluster configuration.

1. Make sure that the features Failover Clustering and Multipath I/O are installed on all the nodes that are going to be part of the failover cluster.
Open Server Manager -> Features -> Add Features. In the Select Features window, tick the check boxes for Failover Clustering and Multipath I/O, and click Next.

2. Click the Install button and wait for the installation to complete. Once it has succeeded, close the window.

  

3. I would recommend that you reboot the servers on which these features were installed.
4. Please note that here I am configuring two servers as part of the failover cluster (Server-1 and Server-2). There are 3 storage disks attached to both of my servers using the iSCSI initiator.
Once the servers are up, open Failover Cluster Manager from Administrative Tools. Before configuring the cluster, we can check whether the current configuration of the servers (which are going to be part of the cluster) is suitable for failover clustering. It is highly recommended to perform this test, so that we can avoid failures during the configuration or issues that may arise after configuration. The Validate a Configuration wizard performs tests in 4 main areas:
a) Inventory b) Network c) Storage d) System configuration
Inventory tests - Provide an inventory of the hardware, software, and settings (such as network settings) on the servers, and information about the storage.
Network tests - Validate that your networks are set up correctly for clustering.
Storage tests - Validate that the storage on which the failover cluster depends is behaving correctly and supports the required functions of the cluster.
System Configuration tests - Validate that system software and configuration settings are compatible across servers.
Refer to this link for more details: http://technet.microsoft.com/en-in/library/cc772055.aspx .

To perform the test, right-click Failover Cluster Manager and select Validate a Configuration wizard. Click Next on the Before You Begin window, which explains the tests that we are going to run now.
5. Now you need to specify the servers that are going to be part of the cluster. Type the host name or IP address of each server and press ENTER. Once the servers are added, click Next to continue.

6. Here we have to select which tests we want to perform now. These tests are as described in step 4 and its sub-parts. If this is the first time that you are running the tests, I would recommend selecting Run all tests, and clicking Next. Alternatively, you can select and run only the tests that are required; this is mainly used when you found an error in the initial test and need to check whether the corrections that you made have had any effect.
7. Click Next on the Confirmation window and the tests will start.

8. Once the tests are completed, you will have the below window and you must review the test results. If the test results report any errors, you will not be able to configure the cluster and you must resolve those issues. You may get suggestions for resolving the issues as well. The test results will also contain warning messages; review the messages and try to resolve as many as possible.
9. Assuming everything went well for you too, you can now start the cluster configuration: right-click Failover Cluster Manager and select Create a Cluster wizard. Click Next on Before You Begin.

10. Add all the servers that are going to be part of the cluster. Enter the host name or IP address of each server and press ENTER, or browse for the servers. Click Next.


11. Now you need to specify the cluster name that you would like to use. You can choose the name as you wish; note that the NetBIOS name is limited to 15 characters, and if the name exceeds that, it will automatically be truncated to the first 15 characters of the specified name. There should also not be any spaces in the cluster name. In addition, as described in the requirements for clustering, we should specify an IP address, which will be referred to as the cluster IP. If you have more than one network defined on your server, you must specify a different cluster IP for each network.
Click on the network address and type the IP address; make sure that the IP is not provided by DHCP and that it is static. Click Next.
12. Click Next on the Confirmation window to start the cluster configuration, and wait for some time for this operation to complete.
13. Once the cluster is configured, you will have the below window, which indicates that the cluster configuration completed successfully. You can review the report or click Finish to close the window.
14. Performing the above steps completes the cluster configuration, which defines which servers are going to act as failover servers. I hope step 1 has helped you to add the shared disks to your server (using iSCSI). Now those disks have to be added to the cluster so that they can fail over.
Expand the newly created cluster and right-click the Storage folder. Select Add storage; if the disks are configured properly as cluster storage, they will be listed automatically without any other change. Here I have 3 disks created, so they are listed, and I am selecting all of them as part of the cluster. Click OK.

Now you can see the disks that are available, and they are part of the cluster.


15. Now we need to configure the quorum of the cluster. The quorum configuration of a cluster defines the number of failures that the cluster can sustain. It is essential that the cluster stops running if too many failures occur or if there is a problem with communication between the cluster nodes. Quorum can be defined in four ways, depending on your configuration. We will discuss them in the steps below.
To start the quorum configuration, right-click the cluster that you have just created -> More Actions -> Configure Cluster Quorum Settings. Click Next on the Before You Begin window.


16. As described above, here we need to specify which quorum configuration you require, and it is based on the nodes that are defined as part of the failover cluster. I hope you are clear about why we need quorum in clustering. Now let us see the configuration types. There are four ways to achieve this:

Node Majority - This configuration is recommended only when you have an odd number of nodes (servers). That is, when you have configured your failover cluster with an odd number of servers, you must go for this option. The number of failures that a cluster can sustain under this configuration is half the number of nodes (rounded up) minus one. For example, if you have seven servers in the cluster, it can sustain a maximum of three node failures.
Node and Disk Majority - This is recommended when you have an even number of nodes (servers). The number of failures that this cluster can sustain depends on the disk witness.
If the disk witness remains online, the cluster can sustain failures of half the nodes. For example, an eight-node cluster in which the disk witness is online could sustain four (8/2=4) node failures.
If the disk witness goes offline, the cluster can sustain failures of half the nodes minus one. For example, a six-node cluster with a failed disk witness could sustain two (3-1=2) node failures.
Node and File Share Majority - This works in a similar way to Node and Disk Majority, but instead of a disk witness, this cluster uses a file share witness. Note that if you use Node and File Share Majority, at least one of the available cluster nodes must contain a current copy of the cluster configuration before you can start the cluster. Otherwise, you must force the starting of the cluster through a particular node.
No Majority: Disk Only - This is the least considered configuration. It can sustain failures of all nodes except one (if the disk is online). However, this configuration is not recommended because the disk might be a single point of failure.
In my case I have two nodes, so I will select the second option and click Next. You must decide the selection based on your cluster configuration.
17. Now you need to specify the storage that will contain a copy of the cluster configuration, called the disk witness. Select the disk that should act as your witness disk and click Next (the disks listed here are the ones that were added to our cluster storage in step 14). Note that if you have selected Node and File Share Majority, you need to specify the shared location.
18. Now you will have the window to confirm the actions. Review the details and click Next.

19. The quorum configuration will start and you will have the below window. Once it is completed, you can review the details and click Finish to close the window.


That completes the Windows failover clustering installation and configuration. You can confirm whether the clustering works by taking one node offline (shutdown/restart), or by right-clicking the active node and choosing Stop Cluster Service from More Actions, and then logging in on another node and checking whether the disks are available.
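The validation, cluster creation, storage and quorum steps above (steps 4-19), together with the quorum arithmetic from step 16, as an added example that is not part of the original post. It assumes Windows Server 2008 R2 (the FailoverClusters PowerShell module is not available on the original 2008 release) and an elevated session on one node; the cluster name and IP address are placeholders, and Get-QuorumTolerance is a hypothetical helper written for this example.

```powershell
# Added example, not from the original post. Run elevated on one of the nodes.
Import-Module FailoverClusters

$nodes       = 'Server-1', 'Server-2'  # node names used in the article
$clusterName = 'CLUSTER01'             # placeholder: at most 15 characters, no spaces
$clusterIp   = '192.0.2.50'            # placeholder: static address, not from DHCP

# Hypothetical helper: how many node failures a configuration survives.
# Every node has one vote, an online witness adds one more, and the
# cluster keeps running only while a strict majority of votes remains.
function Get-QuorumTolerance {
    param([int]$NodeCount, [bool]$WitnessConfigured, [bool]$WitnessOnline)
    $totalVotes = $NodeCount
    if ($WitnessConfigured) { $totalVotes++ }
    $needed = [int][math]::Floor($totalVotes / 2) + 1
    $witnessVotes = 0
    if ($WitnessConfigured -and $WitnessOnline) { $witnessVotes = 1 }
    return $NodeCount - ($needed - $witnessVotes)
}

# Steps 4-8: run all validation tests. Test-Cluster writes a report file;
# open it and resolve every error before going further.
Test-Cluster -Node $nodes
if ((Read-Host 'Validation report reviewed and free of errors? (y/n)') -ne 'y') { return }

# Steps 9-13: create the cluster without storage, as the wizard run in the
# article adds the disks in a separate step.
New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIp -NoStorage

# Step 14: add every shared disk that is eligible for clustering.
$disks = @(Get-ClusterAvailableDisk | Add-ClusterDisk)

# Steps 15-19: Node Majority for an odd node count, Node and Disk Majority
# for an even one. Using the first added disk as witness is an assumption.
$useWitness = ($nodes.Count % 2 -eq 0)
if ($useWitness) {
    if ($disks.Count -eq 0) { throw 'No shared disk is available to act as disk witness.' }
    Set-ClusterQuorum -NodeAndDiskMajority $disks[0].Name
} else {
    Set-ClusterQuorum -NodeMajority
}

$tolerated = Get-QuorumTolerance -NodeCount $nodes.Count `
    -WitnessConfigured $useWitness -WitnessOnline $true
"This configuration survives $tolerated node failure(s) while the witness is online."

# Final check: quorum type, node state and disk resources.
Get-ClusterQuorum
Get-ClusterNode
Get-ClusterResource
```

Applied to the examples in step 16, the helper gives three failures for seven nodes without a witness, four for eight nodes with the witness online, and two for six nodes with the witness offline.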

How to do an in-place upgrade of Windows Server 2008 R2 to Windows Server 2012/2012 R2

1. Make sure that your current hardware supports Windows Server 2012 as per the MS recommendation.

Important: Make sure that replication between all your DCs is working properly, otherwise the operations below will fail.
2. Before performing the upgrade, you must prepare your forest and domain for the changes. This is done with the command 'ADPREP'. ADPREP is a command-line utility that extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller. To run the command, you must locate it on your server installation CD. Insert your Windows Server 2012 installation CD and change to the directory in a command prompt. In my case the installation CD is in the D drive, so the command is cd D:\support\adprep followed by ENTER; alternatively, open the directory and drag and drop the adprep tool from that location (D:\support\adprep) into the command prompt.

a) Now run this command on your forest root server to prepare the forest for the upgrade.
Type adprep /forestprep and press ENTER. You will get a warning message before this operation; type C and press ENTER to continue with the operation. (You must be a member of the Schema Admins and Enterprise Admins groups to perform this action.)


Once the operation is completed, you will have the below screen.
     


b) Now prepare your domain for the upgrade. In the same command prompt, type adprep /domainprep and press ENTER. This operation will complete comparatively faster than the forest preparation.

More information on using ADPREP is available at http://technet.microsoft.com/en-in/library/dd464018(v=ws.10).aspx
3. Replicate these changes to your additional domain controllers as well. At the command prompt, type RepAdmin /SyncAll /AdeP and press ENTER. Wait a few seconds for it to complete and make sure that it succeeds.
4. Completing the above steps makes your server ready for the upgrade. Now reboot your server from the Windows Server 2012 installation CD, or open the CD drive and double-click SETUP.EXE, to start the OS installation/upgrade.
5. Click Install now and continue.


6. Here you need to specify whether or not you want to perform a Windows update before the upgrade process. It is recommended to perform a Windows update before the upgrade process; otherwise you can skip this. I have my latest updates installed, so I am skipping this operation by selecting No thanks.

7. Enter the product key and click Next to continue.


8. Select the operating system that you want to install and click Next. Note that you will not be able to upgrade from a lower edition to a higher edition of the OS. That is, if you have Windows Server 2008 R2 Standard edition installed, you will not be able to upgrade to the Datacenter edition of 2012. Here my existing server is Datacenter edition, so I will select Windows Server 2012 Datacenter (Server with a GUI).
  
9. Accept the License terms and click Next.
  
10. The next step actually determines whether it’s an installation or an upgrade. Click Upgrade: Install Windows and keep files, settings, and applications.


11. Now it will perform a compatibility check, and this must be passed in order to continue. If it detects any applications that have to be uninstalled, or any other changes that are required, it will show them, and you need to exit and make the necessary changes.
Note: The upgrade process will fail if changes need to be made before the upgrade; these can be viewed in the Compatibility report window. The report will also be saved automatically on your desktop for your reference.
Assuming everything is OK, click Next to continue.


12. The upgrade process will start and we need to wait until the operation completes. The server will restart multiple times during this process.




13. That’s it for the upgrade process. Please note that this may take a few hours to complete, depending on the features and applications that already exist on your server. For me it took about 1.5 hours to complete this operation, but again it depends on your hardware. Please note that during the automatic reboots of your server it will prompt with Windows Boot Manager; do not interrupt the operation, and it will continue automatically.
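The replication requirement stated before step 2 can be checked before running adprep. The following is an added example, not part of the original post: Get-ReplicationFailure is a hypothetical helper that parses the CSV output of repadmin /showrepl, and the embedded sample rows (domain and DC names included) are constructed so that the script also runs away from a domain controller. The D:\support\adprep path is the one used in the article.

```powershell
# Added example, not from the original post.
# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=test",Default-First-Site-Name,DC2,RPC,0,0,2014-03-10 09:15:02,0
showrepl_INFO,Default-First-Site-Name,DC2,"DC=example,DC=test",Default-First-Site-Name,DC1,RPC,4,2014-03-10 09:01:44,2014-03-09 21:15:10,1722
'@

# Hypothetical helper: return every replication link that reports failures.
function Get-ReplicationFailure {
    param([string[]]$CsvLine)
    $CsvLine | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status'
}

# Set to $true on a domain controller to query the live forest.
$useLive = $false
if ($useLive) {
    $lines = repadmin /showrepl * /csv
} else {
    $lines = $sampleCsv -split "`r?`n"
}

$failures = @(Get-ReplicationFailure -CsvLine $lines)
if ($failures.Count -gt 0) {
    $failures | Format-Table -AutoSize | Out-Host
    Write-Warning 'Replication is failing. Fix it before running adprep.'
} else {
    'Replication is healthy. Continue with steps 2 and 3 from D:\support\adprep:'
    '  adprep /forestprep'
    '  adprep /domainprep'
    '  repadmin /syncall /AdeP'
}
```

Running the same check again after repadmin /syncall confirms that the schema changes reached every domain controller before setup is started.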