In Part 1 of the Remote Desktop Services 2016, Standard Deployment series, we installed the RDS roles on 3 different servers. With the Standard Deployment type we have to make our own collections, which is not the case with the Quick Start deployment type.
Let’s talk about the purpose of RD collections. They have 2 major functions.
- They allow us to separate out RD Session Hosts into separate farms
- The second thing they do is to allow admins to organize resources
We have 2 Collections: Collection 1 (Sales) and Collection 2 (Management)
If we have different types of users, some of them could work in Sales, some in Management. If somebody from Sales connects to the connection broker, then we want them to be directed to servers in Collection 1.
I have created 2 AD groups and 2 AD users
Groups: Sales & Managers
Users: Sales1 & Manager1
Let’s create our first RD Collection and explore Collection Properties.
Scroll right, go up under Tasks and click on Create Session Collection.
The Before You Begin page will pop up. Click Next.
On the Collection Name page, give your collection a name and click Next.
On Specify RD Session Host Servers page, select RDSH01 and click next
On Specify User Groups, type in Sales and remove Domain Users and click next
On User Profile Disk page, I will uncheck Enable user profile disks (I will configure this later) and click next and Create.
Once done, click close.
Now we have a collection, but notice that we don’t have any RemoteApps yet. We will configure those in a different part.
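The same collection can be created from the RemoteDesktop PowerShell module instead of the wizard. The block below is an added example, not code from the original post; it assumes the broker is RDCB01.contoso.local, the session host is RDSH01.contoso.local and the domain is CONTOSO, so replace those names with your own. It creates the Sales collection, restricts it to the Sales group and then audits every collection on the broker for the over-broad Domain Users entry that the wizard adds by default.

```powershell
# Added example (not part of the original post). Assumed names:
# broker RDCB01.contoso.local, host RDSH01.contoso.local, domain CONTOSO.
Import-Module RemoteDesktop

$Broker       = 'RDCB01.contoso.local'
$Rdsh         = 'RDSH01.contoso.local'
$Collection   = 'Sales'
$AllowedGroup = 'CONTOSO\Sales'

# Step 1: create the collection on RDSH01 (user profile disks stay off,
# as in the wizard walkthrough; they are configured in a later part).
New-RDSessionCollection -CollectionName $Collection `
    -SessionHost $Rdsh `
    -CollectionDescription 'Sales department desktops' `
    -ConnectionBroker $Broker

# Step 2: restrict who may connect. -UserGroup replaces the whole list,
# so whatever default the collection started with (typically Domain Users)
# is gone and only CONTOSO\Sales remains.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup $AllowedGroup `
    -ConnectionBroker $Broker

# Step 3: read the allowed groups back; this should print only CONTOSO\Sales.
(Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup -ConnectionBroker $Broker).UserGroup

# Step 4: audit every collection on the broker. A collection that still
# allows Domain Users lets anyone in the domain land on its session hosts,
# which is also the usual reason "every user ends up on the wrong host".
foreach ($c in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $groups = (Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName `
        -UserGroup -ConnectionBroker $Broker).UserGroup
    if ($groups -match 'Domain Users') {
        Write-Warning "$($c.CollectionName) still allows Domain Users: $($groups -join ', ')"
    }
}
```

Run it from a machine that has the Remote Desktop Services management tools installed, with an account that is an administrator on the broker. The audit loop is worth keeping as a scheduled check, because Domain Users creeps back in whenever someone recreates a collection through the wizard and forgets to remove it.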
Let’s explore the Collection Properties. Click on Tasks and click Edit Properties.
The Session Collection properties dialog will pop up.
On GENERAL we can change the name and description and choose whether we would like the collection to be shown in RD Web Access.
USER GROUPS – is used to limit connections to this collection to a specific group of users.
SESSION – The first 3 settings have to do with what happens when sessions are connected or during the session. For all of these 3 we need to know how users use the server.
End a disconnected session: If users disconnect from the session and don’t sign out, whatever they were working on continues to run on the server. We can see that by default it’s set to Never.
Active session limit: is how long they can be active in a session.
Idle session limit: If I connect, start a download and then walk away, the server may consider me idle because I’m not using the mouse or keyboard, even though work is still in progress. For that reason we will leave this at the default.
The area at the bottom controls what happens when a session limit is reached or the connection is broken. The default option is just to disconnect the session and leave everything running.
Last 2 settings deal with temporary folders.
SECURITY – Here we can decide which Security layer and which encryption level we are going to use.
Security Layer (Negotiate is the default option)
- RDP Security Layer – Uses native RDP encryption; it does not authenticate the identity of the RD Session Host and does not support Network Level Authentication (NLA, which came in with Vista and Windows Server 2008)
- SSL (TLS 1.0) – more secure than RDP Security Layer, SSL will be used for server authentication. (requires certificate)
- Negotiate – The most secure layer that is supported by the client will be used
Encryption Level (Client Compatible by default)
- Low – Data sent from the server is not encrypted; data sent from the client is encrypted using 56-bit encryption
- Client Compatible – Encrypts the client and server communication at the maximum key strength supported by the client
- High – Encrypts the client and server communication using 128-bit encryption. Use High only when the clients also support 128-bit encryption; clients that do not will not be able to connect
- FIPS – All client/server communication is encrypted and decrypted with FIPS-validated encryption algorithms
LOAD BALANCING – If we have more than 1 RD Session Host, we can set the relative weight between them. Right now I only have 1, so 100 % of the traffic is going to RDSH01. We will come back to this when we add the second RD Session Host.
CLIENT SETTINGS – specify to enable redirection for a bunch of things, audio/video playback, audio recording etc. What this means is that the client smart cards, clipboards, drive will be available inside of the remote desktop session. Everything is enabled by default.
USER PROFILE DISKS – They are used to store user and application data on a single virtual disk that is dedicated to one user’s profile. When we enable user profile disks, a template file called UVHD-template.vhdx is created in the share. For every new user that logs on, a new VHDX file is created based on that template. We will take a look at it and configure user profile disks in the User Profile Disk part. It is disabled by default.
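The SESSION, SECURITY and CLIENT SETTINGS tabs described above map one-to-one onto parameters of Set-RDSessionCollectionConfiguration. The block below is an added example, not code from the original post or from Microsoft; it assumes the broker RDCB01.contoso.local and the Sales collection created earlier. It applies a hardened set of values (bounded disconnected sessions, TLS with NLA, 128-bit encryption, and only the redirections the collection needs) and then reads the settings back so you can confirm they took effect.

```powershell
# Added example (not part of the original post). Assumed names:
# broker RDCB01.contoso.local, collection 'Sales'.
Import-Module RemoteDesktop

$Broker     = 'RDCB01.contoso.local'
$Collection = 'Sales'

# SESSION tab. Limits are in minutes, 0 means never. A disconnected
# session left at Never keeps the user's processes and logon token alive
# on the host indefinitely, so bound it and log off when the limit hits.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -DisconnectedSessionLimitMin 120 `
    -ActiveSessionLimitMin 0 `
    -IdleSessionLimitMin 60 `
    -BrokenConnectionAction LogOff `
    -AutomaticReconnectionEnabled $true `
    -TemporaryFoldersDeletedOnExit $true `
    -TemporaryFoldersPerSession $true

# SECURITY tab. SSL gives the client server authentication via a
# certificate (covered in the certificate part of the series); High
# forces 128-bit encryption; NLA authenticates the user before a
# session is created on the host.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -SecurityLayer SSL `
    -EncryptionLevel High `
    -AuthenticateUsingNLA $true

# CLIENT SETTINGS tab. Everything is redirected by default; drive and
# clipboard redirection are the usual paths for data leaving a session,
# so only keep what this collection actually needs.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -ClientDeviceRedirectionOptions 'AudioVideoPlayBack,TimeZone' `
    -ClientPrinterRedirected $false

# Read the Security and Connection settings back to confirm they applied.
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Security |
    Format-List SecurityLayer, EncryptionLevel, AuthenticateUsingNLA
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Connection |
    Format-List *SessionLimitMin, BrokenConnectionAction
```

Switching the security layer to SSL before a trusted certificate is in place produces certificate warnings on every client, so in a lab it is fine to leave Negotiate until the certificate part is done; the read-back at the end is the check that matters, because a typo in a parameter value fails silently in a long pipeline of back-tick-continued lines.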
In third part of Remote Desktop Services 2016, Standard Deployment series we will move forward and explore Deployment Properties.
Hi, I really like your guide to installing Remote Desktop Services. Some parts I just don’t understand why mine does not work like yours. I know I don’t have the exact same configuration, but similar.
I have 3 servers. ser1, ser2, ser3.
group1 – user1
group2 – user2
group3 – user3
ser1 – rd connection broker, rd gateway, rd web access, rd session host
ser2 – rd session host
ser3 – rd session host
we don’t have a lot of servers but we wanted rd session host to be different from each other depending on the groups.
so i created 3 collection for each group to be on different rd session host.
group1 to be on ser1 rd session host
group2 to be on ser2 rd session host
group3 to be on ser3 rd session host
But when user2 connects over RDP, it puts them on the ser1 RD Session Host.
It seems like every user is going to the ser1 RD Session Host.
I don’t know why. Please help. And I have another question I am going to post later on the certificate part.
just my 2 cent.
chali : when you create a collection by default the group Domain users is added .
have you checked that you deleted it AND added the right security group for each collection ?
I also get this error when I create a user profile disk: “Could not create the template VHD. Error message – 2147024893”. I am not sure whether the current user must be a member of the local Administrators group; my user is. And does that mean everyone else has to be, to use that disk?
It looks like something is not right with the permissions on the share folder where you are trying to store the UPD?