Best configuration for RDP on single 2012 R2 box

Faxxer
Hello friends,

I need advice.

I've got a nice new server for a government agency with Server 2012 R2.

The box is serving as DC, DNS, DHCP, AD,....it's running great.

This office also has a need for RDP to utilize a legacy application that works GREAT on server 2008 R2.

.......... .....   here comes the first issue.....

I've been told that remote desktop services won't run on Server 2012 R2 that is also a DC, and AD.

I "sortof" verified this via MS TechNet sites, and so created a hyper-V of Server 2012 R2 on the same box.
 
(This box can handle the cpu need; it's twin AMD 6378 cpu's with 256Gig of RAM)

So now I've got a HOST hardware box serving as AD, DC, etc...

and a clean Hyper-V of Server 2012 R2 with nothing on it, except to use for RDP and this legacy application (16 users is all that it's needed for)

........................Here is the advice part........................

I need to know if I should put ALL the RDP functions on the Hyper-V instance, or use the now infamous "2 server" option to setup RDP.
Basically, the 2 server setup uses the host machine for licenses, and the other functions on the hyper-V machine.

............................I've tried a rough draft of both versions and run into issues.............This server is not in production yet.........................

The legacy program creator can make his product work all day long on server 2008 R2, but on Server 2012 he's completely stumped.

He and I are going to have to figure this out, but it needs to start with working RDP and that's my responsibility first.

I've used and tried several links and pages on the net that get me partially there, but I run into issues with certificates, or communications....  I'm going to remove all RDP services, and start fresh again, based on the advice here.

EE has NEVER let me down ....EVER.

Help me Obi-Wan Kenobe.

And thank you in advance my fellow technoexpertartists.
Brian Murphy, Senior Information Technology Consultant
Commented:
When you refer to RDS as Remote Desktop Services it cannot run on AD controller.

However, remote administration using RDP is not RDS.

Remote Desktop Services is for hosting business applications.  It changes the way server 2012 manages memory.  It is the new name for Terminal Services.

If you just looking to RDP then just enable remote administration.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
I don't know what's infamous about using a single license on hardware with two VMs.... But honestly, I'm a little confused by what you have / think you want to setup.

For example:  Basically, the 2 server setup uses the host machine for licenses, and the other functions on the hyper-V machine.  

What does that mean?  The Host server IS the Hyper-V machine... so what exactly does that mean?

Bottom line, the most common, best practice way to set this up is:

Install Server 2012 R2 on the hardware directly.  The ONLY THING that that instance runs is Hyper-V.  No AD, No DNS, No DHCP, No file server, etc.  JUST HYPER-V

Then install TWO VMs.
VM1: DC, DNS, DHCP, File Server, Print Server.
VM2: RDS

DONE.
Brian Murphy, Senior Information Technology Consultant
Commented:
Also, maybe this was done but with 2012 R2 you must add the "Role" for RDS.

It is now one of the first options when you click on add server roles:

[screenshot: 2012-r2-rds-enabled.png]
But, it should be standalone RDS server.  Other than business apps it should have no other roles.  And it cannot be Active Directory and RDS role.

Author

Commented:
Brian,  
The goal is to use a business legacy application.  Not just remote administration.  This application uses MySql database, and is heavy on data entry.  It's a County Assessor primary assessing tool.

Lee,
I refer you to this link regarding the setup in question about 2 servers...on the same box (He calls it a single server solution, but since Hyper-V is involved, it's "really 2 servers.")
https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

I followed this to the letter as far as I could take it.  Didn't get a working connection from a client, not even calc.exe to work.

The Hyper-V installed instance is Server 2012 R2 with no other services installed at the moment....
The above link suggests to split up the RDS services between host(hardware server) and Virtual(hyper-v server) ....as i mentioned above, I never got even Calc.exe to work because I ran into some issues with the part about SQL and the part about certificates...it just quite didn't make sense to me.

Does that help to clarify?

Author

Commented:
maybe I should say this...  

I'd like to use the Hyper-V installation of Server 2012 r2 to serve as a remote desktop application server for a program that uses Mysql.

Do I install ALL the RDP services directly on the hyperV machine ONLY?  (Server 2012 dashboard lets you split those all up during the installation if it sees other servers in the dashboard)

Does that help to clarify?
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
I'd like to use the Hyper-V installation of Server 2012 r2 to serve as a remote desktop application server for a program that uses Mysql.

The license does not permit this - the ONLY thing the Hyper-V install can run is Hyper-V.  Nothing else.  (It's also a violation of best practices, but more importantly, it's a violation of licensing!).

Regarding the link you posted, he states early on: "I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 2 servers:" This means he is using a Hyper-V system to illustrate that one piece of hardware can run this solution, but he is not installing ANYTHING on the host.

The only way you can legally do this with a SINGLE server license is to install Hyper-V on the host server and ONLY Hyper-V with NO OTHER ROLES and subsequently install two VMs, one as a DC/File/DNS/Print/DHCP Server, the other as your RDS server.

Author

Commented:
I have shared this exact scenario and was told there is no licensing issue in this setup.  

A license of hyper V only requires an additional Server 2012 CAL when there is a 3rd hyperV installation.   and a 2nd hyper V install causes the host machine to be "read only" but ONLY when a second Hyper V is installed.

My setup has only 1

Author

Commented:
p.s. I have the needed RDP and USER cals already.
Distinguished Expert 2018

Commented:
Lee is absolutely correct on this, from both a technical and licensing perspective.

Don't trust everything you read on the internet. "I shared this on the internet and was told by some random guy that it is fine" is not a legal defense when you get caught and fined.

Read-only? Even that terminology is terrible. And referring to lab scenarios using 8.1? Not good at all. I'll be blunt. You are in over your head here. Connections aren't working because you are doing things (like running ADDS on Hyper-V, which breaks virtual networking every time) and then ignoring good advice. If you are going to do what you want, why ask for help?!?

If you want things to work, follow lee's advice, or even better (given the evidence thus far) hire a consultant. The risk of data and fines isn't worth going it alone.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
I have shared this exact scenario and was told there is no licensing issue in this setup.
With who?  Do you have it IN WRITING from an @microsoft.com person?

Honestly, I've heard mixed statements about that scenario, licensing wise.  For moment, if you want me to assume licensing is valid, then I'll rephrase:

No professional with proper training, skills, and an understanding of the benefits and drawbacks of the idea would EVER willingly configure the Hyper-V server to ALSO perform OTHER tasks on the network.  It's foolish.  Why would you?  Why WOULDN'T you just install a SECOND VM?  You HAVE the license.

Issues:
1. Portability - in the event the server hardware fails (OTHER than the Hard Drive or RAID Controller), you can EASILY move the DC to other hardware... If you setup RDS on the physical host, YOU CAN'T MOVE THEM.  Bullet one in the foot.
2. Security.  Your users are interacting DIRECTLY with the host running the DC!  Lets assume for a moment that you don't grant them Admin rights... They STILL have the potential to do something such as fill up a hard drive bringing the DC to a halt... or get the system infected with malicious software that might be able to bypass the admin rights needed through an unpatched - or worse, unknown - exploit that brings down the entire system.
3. Increased attack surface - with more things running on the server, you have to patch more often and potentially bring down the ENTIRE server INCLUDING the DC VM because now you've got to have .Net installed, SQL services, and who knows what else.
4. I'm probably missing some other reasons... but since I NEVER consider setting up a config like this, I'm not constantly thinking about them...

Bottom line, what you are suggesting you want to do is unprofessional at best and a license violation that could cause you serious lost productivity at worst.

I'll repeat, the PROPER way to do this - given my understanding of your situation and without the need for any additional licenses - is:

Install Server 2012 R2 on the hardware directly.  The ONLY THING that that instance runs is Hyper-V.  No AD, No DNS, No DHCP, No file server, etc.  JUST HYPER-V

Then install TWO VMs.
VM1: DC, DNS, DHCP, File Server, Print Server.
VM2: RDS

If you want to learn this, do things properly and by all means learn it.  If you enjoy technology and want to be the one responsible to improving things, GREAT!  Setup a test network first, learn about best practices and why just because you may be able to get certain settings, roles, and features working together, doesn't mean you SHOULD.

If this is all just a headache you've been asked to do, I would STRONGLY recommend hiring a professional.  Getting it right the FIRST time will save time and money and prevent lost productivity in the future.

Author

Commented:
Cliff,

Read Only Domain is the term Microsoft calls a server 2012 R2 with 2 hyper-V installs.

The person who told me the licensing was good was both a MS certified professional and mcse with 30 years experience in IT.

I think you misunderstood my posts,   I installed Server 2012 R2 on a hardware box.  call it an old school server....before virtual anything.

I have 16 users, not 1600.   I need 16 instances of a program that only one guy wrote.  it worked great in server 2008, but server 2012 seems to be a challenge both for this software developer, and I'm trying to help him get his product from 2008 to 2012 .....I handle the IT for the office, keep the server running, keep the clients operating.    OH and I do it quite well too for someone in over my head.

Now if you guys are so insistent that I spin up two vm's of server 2012 on the same box vs.  1 hardware "old fashioned server" running a hyper V of server 2012 then I'm willing to try it if you can give me a broader picture of the situation.  I understand the virtualization pros and am open to the idea, but to say a single vm running in a non vm system can't work?  It was designed to run 1 vm just fine.  or 30 vm's if I purchase the licenses for it.

But...  I've had that box running as I described in a semi-workloaded environment now for a month or 2 and it's never even popped off one error or hiccup with any network problems.  in fact the ONLY service not yet running is the RDP part.

You are free and welcome to insult me saying I'm incapable, ignorant, or in over my head all you like.  But that doesn't mean I can't accomplish the task.   You haven't offered any help, only criticism of my abilities at this point and suggest I'm doing it wrong....isn't that the point of this forum?  ASK for help?  Or have you forgotten what "Experts Exchange" was created for?

I've not rejected ANY ideas as suggested, but you seem to think I'm incapable of following instructions or you'd have provided some.

Lee,

The hardware server install is running my DC, AD , XYZ...   THEN... I have a hyper V running a CLEAN BLANK server 2012 R2....with no services on it.

If you say it will ONLY work if I wipe the server and start with ONLY 2 hyper V's then I'm willing to listen.  I can't understand why you would trust a virtual DC,AD....I trust my hardware over a virtual drive 10 to 1 but maybe I'm old fashioned.   I understand I could move my VM at any time, but guess what?....this office has ONLY ONE BOX.  There are no other servers to move anything to my friend....they don't have the money.

I'm going to answer you point by point.
1. portability....  no other hardware, moot point.
2. Security....  interacting with a DC directly?  What did you do before virtualization?  A domain controller's POINT is security sir!
3. increased attack surface.... not from outside, this entire thing is on a small LAN, and well protected behind a zywall.  Users don't use client email, they have a web based hosted email that's already pretty secure (if they use it at all)  They also have end point protection from Malwarebytes, and AVG
....and I monitor their machines actively.   They're no more vulnerable than any other business.
4. I realize this isn't your way of doing it, but you're here now....so think about it a little bit for me and offer some help?   or tell me there is just no way this will work and that I HAVE to setup 2 vm's....I'm willing to listen to why it's so much better. but items 1-3 aren't the reasons I need to hear.

Like I said, it's not a license violation.  I know you are concerned it is, but let's go with the option that if it were, I'd get the needed license to cover that end.

I'm willing to try two Vm's to satisfy this option....
But.... just answer me this:
If a single install of server 2012 DC AD XYZ with a hyper V running nothing but rds won't work, then why would 2 hyper v's    1 running dc Ad XYZ and a 2nd hyper v running nothing but rds work?

as far as I can tell the setup for rds would actually be the same only with VM's right?

I'm not trying to be a wanker here, I'm trying to honestly get an understanding of what you guys are saying.
Distinguished Expert 2018

Commented:
"Read Only Domain is the term Microsoft calls a server 2012 R2 with 2 hyper-V installs." That is *PATENTLY* false. There is no such thing as a read only domain. There *is* such a thing as a "Read Only Domain Controller" (RODC) but that has *NOTHING* to do with Hyper-V.

You are correct that I offered no new instructions or advice. That wasn't the intent of my post. Have you ever seen someone, heard of someone, or gotten bad news from a doctor yourself and so there is an insistence on a second opinion? More often than not, the second doctor will simply say "you got good advice."

Yep.  I *started* my response with the basic paraphrase that Lee was right. One thing I *don't* like on Experts Exchange is when many experts jump in repeating the same advice just for points. So I watch threads to make sure things don't fall through the cracks, but when a good answer is given, I don't just bandwagon. But when I see advice being rejected or I see someone clearly choosing to argue, then I will back up an expert, just as a doctor will provide a second opinion. And that is what you did. My intent wasn't to give new instruction (none is needed) but was intended to further put weight behind Lee's already thorough and stellar advice. Sometimes it just takes a second voice to help someone see reason. I am saddened to see that didn't work in this instance. Lead a horse to water and all that.

You continue to misuse terminology (two hyper-v's, read only domains) and continue to try to argue Lee's points and somewhere deep down you know this is true thus the "I'm not trying to be a wanker" defensiveness.

You can click on Lee's name and view his profile. Look at how many points he has and how many questions he's answered that have been accepted.  Then do the same for me. Look at "Server 2012" and see which experts are topping the lists for advice with these products.

I assure you I did not, for a moment, forget what Experts Exchange is about. But neither will I bother repeating other people (Lee) or try to argue with someone who is (not insulting, just observing) in way over their heads. Instead of learning from an expert, you chose to argue.  I will allow my reputation and Lee's to speak to how much, how often, and the quality of advice we each individually give on Experts Exchange. I think given that evidence, it is clear that we did and still do know what Experts Exchange was created for.

There is a difference between asking for help and arguing with help given. I'm sorry for you, but you crossed that line several posts back. Beyond explaining why I posted and providing some further background so you can make an informed decision, I don't feel compelled to further participate in this question. Beating my head against a brick wall isn't a great pastime for me.

Good Luck.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
The hardware server install is running my DC, AD , XYZ...   THEN... I have a hyper V running a CLEAN BLANK server 2012 R2....with no services on it.

So you have TWO physical servers?  It was my understanding you wanted everything on one... though in re-reading over the question it's not clear to me one way or the other...

If you say it will ONLY work if I wipe the server and start with ONLY 2 hyper V's then I'm willing to listen.  I can't understand why you would trust a virtual DC,AD....I trust my hardware over a virtual drive 10 to 1 but maybe I'm old fashioned.   I understand I could move my VM at any time, but guess what?....this office has ONLY ONE BOX.  There are no other servers to move anything to my friend....they don't have the money.

Now you say there is only one server?!?!?!  Huh?  Very confusing.  Virtualization technology is NOT NEW.  It's been an integral part of Windows Server for 8 years.  It's been an integral part of data centers for several years before that thanks to VMWare.  It's a solid, proven technology and the only way I deploy systems these days for a variety of reasons.

I'm going to answer you point by point.
1. portability....  no other hardware, moot point.
You're right... if you don't think outside the box.  Hyper-V is included with Pro versions of Windows 8.1 and Windows 10.  In addition, there is a free version of Hyper-V - Hyper-V Server 2012 R2.  In the event of a hardware failure, you can EASILY and QUICKLY get the system running on an office workstation.  While I would NEVER do this for a client, for myself (I understand the risks and the recovery methods) I run a VM on my home office workstation that is a domain controller for the systems in my home and part of my office domain.  But if my office server failed, I could run out to Worst... errr.. Best Buy and get a cheap system, throw some extra RAM in it and run my entire network off that until I replaced the office server.  But if you build DIRECTLY on the hardware, YOU CAN'T DO THAT.  I can, I'm virtual.  You can't... you have a bullet in your foot.

2. Security....  interacting with a DC directly?  What did you do before virtualization?  A domain controller's POINT is security sir!

Exactly what I said:
Your users are interacting DIRECTLY with the host running the DC!  Lets assume for a moment that you don't grant them Admin rights... They STILL have the potential to do something such as fill up a hard drive bringing the DC to a halt... or get the system infected with malicious software that might be able to bypass the admin rights needed through an unpatched - or worse, unknown - exploit that brings down the entire system.
It's not secure when it can be easily brought down because of poor design -- like this.

3. increased attack surface.... not from outside, this entire thing is on a small LAN, and well protected behind a zywall.  Users don't use client email, they have a web based hosted email that's already pretty secure (if they use it at all)  They also have end point protection from Malwarebytes, and AVG
....and I monitor their machines actively.   They're no more vulnerable than any other business.

They don't access their own e-mail at Yahoo or Gmail, etc. No one walks in with flash drives and plugs them in... or charges their phones on their computer's USB ports?  How about the guy you hire in 2 months? If security were a sure thing, you wouldn't need it.  But I already outlined the increased attack surface.

You know, an IT Security professional took a bunch of USB drives and dropped them in a parking lot... he put "malicious" software on them that indicated they were run and on what computer... he found of 20 or so he dropped, more than 40% were used in office computers...  Had there been TRULY malicious software on them, it could have been a serious problem for the offices.  As for Malware Bytes and AVG... So what... I've not seen them stop all the variants of CryptoLocker yet... Most anti-malware software doesn't.

4. I realize this isn't your way of doing it, but you're here now....so think about it a little bit for me and offer some help?   or tell me there is just no way this will work and that I HAVE to setup 2 vm's....I'm willing to listen to why it's so much better. but items 1-3 aren't the reasons I need to hear.

You clearly don't understand IT Security.  You also don't understand virtualization and the benefits it offers.  Given your argumentative effort above and refusal to accept that following best practices is better than going off with a half-baked, limited insight solution (in my opinion) that you're proposing... not to mention your frequent misuse and misunderstanding of terminology, you are clearly not ready for this project.  Take some time and learn about the technologies and their benefits.  If you cannot, DISQUALIFY YOURSELF from the project and force management to get it done right.  Egos don't build reliable networks - honest people who know when they are over their heads can.

You can take this as an insult if you wish... Keep in mind, I'm not saying this is ULTIMATELY beyond your capability - with some time and instruction (far more than a web site and/or forum can give you) I'm sure you could handle this project just fine.  But the overall impression I'm getting from you is you are at best a nurse trying to perform a Heart Transplant... Most nurses understand they shouldn't and would get the appropriate help.

Like I said, it's not a license violation.  I know you are concerned it is, but let's go with the option that if it were, I'd get the needed license to cover that end.

You seem sensitive, so I have doubts you've continued reading... but if you have, I disagree.  I'm under NDA for some of my past work, but I can assure you MCSEs / MCPs are not necessarily licensing experts.  I've been to Redmond 10 times in the last 10 years and even the developers don't often understand how the product is licensed.  Licensing is a LEGAL thing... not a technical thing... LAWYERS wrote them and unless your MCP / MCSE was a lawyer as well AND had an @microsoft.com e-mail address (to hold up in a civil lawsuit), I wouldn't take his word for it... TECHNICAL experience is not LEGAL experience.  And there's an entire legal system, in part, to deal with different ways of interpreting the law, so even if he's justified in his opinion, if it's not @microsoft.com, then your legal fees could one day add up.

I'm willing to try two Vm's to satisfy this option....
But.... just answer me this:
If a single install of server 2012 DC AD XYZ with a hyper V running nothing but rds won't work, then why would 2 hyper v's    1 running dc Ad XYZ and a 2nd hyper v running nothing but rds work?
I'm sorry, this is nonsense to me.  Why wouldn't it?  You're separating the services from the Hyper-V host.  You're minimizing the installed resources that need regular patching so the host's reboots are minimized.  You're not permitting access to the host directly by the end users so there is no risk there... you're running two servers that provide all the resources you need in VMs on one piece of physical hardware.
as far as I can tell the setup for rds would actually be the same only with VM's right?
Functionally, in the end, yes... just more secure, stable, and certainly licensed.

I'm not trying to be a wanker here, I'm trying to honestly get an understanding of what you guys are saying.
Haven't taken the time to look up your definition of Wanker, but in my opinion, you're being belligerent about doing what you want REGARDLESS of how wrong and potentially problematic it may be now or in the future, despite several experts telling you your plan is deeply flawed...

For the sake of your network and people's tax dollars, HIRE A PRO if this needs to be done soon or go to some classes if you have time before it's done.

I think I'll retire from the question as well - beating horses to death just doesn't seem a good use of my time.

Author

Commented:
OK,

The term "read only" was what the thread I had been reading said, it was a MS forum.  Clearly I assumed the guy knew what he was talking about.  ding for terminology.  I read about it to learn some of it in my massive 1500 page book about server 2012.....clearly a small office has no need of such a thing.

As for license,  It nagged at me all day so I just called MS pre sales and licensing and verified that
a hardware OSE with one hyper V install OSE for TS is not in violation of the MS license.  You may want to update your information on that since it appears there is no need to be concerned about the license issue.

As for my own little piece of heaven.  It appears my main issue is related to the self-signed certificate as my error message seems to be related to trust of the machine.   The software developer may have caused some issues too because the published software box shows nothing listed, but when I log on to a session I see calc.exe and wordpad even though the published software is showing as blank.   If I try and publish an app, then I see, for example calc.exe, 2 instances on the web access page when I log in.  One instance of calc says it can't connect at all, the other newer one created complains about the trust as mentioned above.

oh hey!  I just saw the "attach file" option here so maybe I can post a snippet in the future of some screens as pics are worth a thousand typed words, no?
Brian Murphy, Senior Information Technology Consultant
Commented:
Faxxer-
On your earlier comment "Brian,  
The goal is to use a business legacy application.  Not just remote administration.  This application uses MySql database, and is heavy on data entry.  It's a County Assessor primary assessing tool."

[Response]
I get this part.  With that said it opens a whole other can of worms.  I'm not going to speak to the other topics being there is plenty of accurate information.

I have extensive experience migrating applications.  "Legacy applications".  In some cases I have migrated applications that originally ran on Windows XP and the business failed or refused to upgrade the application.

I would just caution this approach.  I always cover myself by putting something in writing that the application may not be supported in a 64-bit server environment running in a RDS mode.  This changes the server to run what would normally be background processes in foreground and memory management.  Formerly Terminal Services.  Beginning with NT 3.51 then NT 4.0 Terminal Services.

If the application is internal developed I approach those developers and give them a 2012 R2 server they can use to hopefully port the application correctly.

If it is COTS or third-party that vendor might not support 2012.  I know this doesn't always matter from the business perspective - "just get it done".

Unfortunately, Citrix and RDS have been a dumping ground for bad applications because we fail to push back on the business.

Failure to push back or say no never ends well for you (us).

That application might be a disaster in 2012.  You may get 5 users and peg the memory or processor at 100%.  Adding memory won't help.  You could add flash storage and it won't make a difference.

There are still companies, today, running Windows 2003 32-Bit because they have 16 bit applications developed 25 years ago and refuse to update them.

Microsoft drops support, then they drop extended support.  Windows 2003 won't run on the latest hardware so you cannot install it and migrate the application to new hardware.  

This is a fundamental issue that needs to be addressed.

Just a caution flag, something to consider.
Brian Murphy, Senior Information Technology Consultant
Commented:
It appears my main issue is related to the self-signed certificate as

[Response]

Self signed certificates cause many problems.  If not now, compliance issues are coming.

I have a publication that touches on this in that self-signed certificates usually come with a list of issues:
1. SSL 2.0, 3.0
2. SHA1
3. RC4 ciphers

I published an article on this topic.  You might be interested
http://www.experts-exchange.com/articles/25021/Citrix-SSL-TLS-Vulnerabilities-and-Operating-System-Hardening.html

If you have self-signed certificates I recommend reading this article.

Author

Commented:
Brian,

Thank you for the very interesting information on legacy apps....You are right on the money!

The developer is still actively updating and developing his product, and in fact has MANY county installations, but as far as I am aware, this is only the 2nd county to upgrade from using Server 2008 r2 to Server 2012....When the call came to get a new server, it just didn't seem right to stay with 2008 based on the amount of time there is left for its life.  Plus 2012 is so far superior in stability ...in my humble opinion, it's one of the best server OS's I've ever seen (Next to SBS 2011...again, my opinion)

The concept of buying an SSL isn't a problem here as I'm willing to buy it without hesitation if I can feel it will resolve the issues, but my goal is to see it work and then buy the certificate...(unless that's the only way of course, but I'm reading everywhere I can get my hands, and now your article as well!!! to find a solution that at least gets us a working TS/RDP/RDS....I give up on what the proper term is....   "A shortcut with the .rdp file extension that has a lot of lines of code when looked at via notepad and opens a single application on the local client from the host server."

I actually did a RAW rdp session on 7 of the 16 users for kicks logging each user into their own instance on this machine and the cpu was still at 4% .....(this was before I installed a hyper V.)...and I might have just logged them all in as administrator too I can't remember, but I was dying to see how the machine ate connections and it did without swallowing.

I'll report back any developments I encounter after reading your article...thank you for posting

Ike
Brian Murphy, Senior Information Technology Consultant
Commented:
Faxxer-
I remembered something else during the reading of your last comment.

I have another article yet unpublished that walks through the steps of using a single SSL Certificate (Verisign) on RDP connection.  

Now, something else comes to mind you might want to explore.

I've used it several times in 2008 R2 and it's still available in 2012.

It is a Feature of Remote Desktop Services named Remote Desktop Gateway.
[screenshot: Remote Desktop Gateway role service]
I like it because you can obtain one SSL certificate and bind it to one or more Remote Desktop Gateway servers.  These would be stand-alone servers IMO.

They act as reverse proxy servers for RDP, i.e. RDP-over-HTTPS servers.


Basically, running MSTSC from Run (mstsc.exe) brings up the RDP client.

So, the difference being: click on Options (bottom left).

Click on Advanced Tab.
[screenshot: Remote Desktop Gateway server settings on the Advanced tab of mstsc]
This would be the FQDN matching the SSL cert.

Example: rdpgateway.mycompany.com

You need an external facing IP - Load Balancer for example.

You bind the same certificate to the LB VIP and to the Remote Desktop Gateway Service.

You can use the same SSL certificate on several servers and the VIP providing HA.

OR

AND

Internal.  This works very well when you have subnets behind a firewall and only want to open port TCP 443 for SSL/HTTPS.

Basically, you can point all RDP clients internal or external to that FQDN on the advanced tab and RDS Gateway takes care of the rest.

And all it costs is a couple of other Virtual machines and SSL Certificate.

It allows you to assign policies, control access to specific machines, use AD groups.

If you're just publishing a Desktop to users for RDP, or if you need access to internal workstations, it works for servers and workstations.

Once it connects to the Gateway it uses internal DNS so split-dns problems are not an issue.

I have other comments but will keep them separate.  I've been meaning to publish something on this because it is a great cost save.

Particularly for Citrix deployments where we might consume a Citrix license to publish the RDP Client.

RDS Gateway is a free feature, and on servers it would leverage the same RDS licensing already in place.

For workstation, you get a client access license for one user to connect remote.

So your Windows workstations users can use RDS Gateway to connect over HTTPS/RDP port 443.

Something to consider.
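As an added example (not part of Brian's post, and not Microsoft's own tooling), here are the two client-side pieces of the gateway setup described above, in PowerShell: writing the .rdp file that fixes the gateway FQDN the Advanced tab asks for, and checking that the certificate the gateway presents on TCP 443 actually carries that FQDN and chains to a trusted root, which is where most "certificate" connection failures come from. The host names rdpgateway.mycompany.com (from the post) and legacyapp01.mydomain.local are assumptions.

```powershell
# Added example, not from the thread. Assumed names: rdpgateway.mycompany.com (gateway FQDN on
# the SSL certificate), legacyapp01.mydomain.local (session host behind the gateway).

function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $GatewayFqdn,   # must match the certificate subject/SAN
        [Parameter(Mandatory)] [string] $TargetHost,    # session host the gateway proxies to
        [Parameter(Mandatory)] [string] $Path
    )
    # Same settings the mstsc Options > Advanced > "Settings..." dialog writes when you save.
    $lines = @(
        "full address:s:$TargetHost"
        "gatewayhostname:s:$GatewayFqdn"
        "gatewayusagemethod:i:1"          # 1 = always go through the gateway, internal or external
        "gatewaycredentialssource:i:0"    # 0 = ask for password (NTLM)
        "gatewayprofileusagemethod:i:1"   # 1 = use these explicit settings, not the default profile
        "promptcredentialonce:i:1"        # one prompt, same credentials for gateway and host
        "authentication level:i:1"        # 1 = refuse to connect if server authentication fails
        "redirectclipboard:i:0"           # no clipboard/drive redirection into the server session
        "drivestoredirect:s:"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # mstsc saves .rdp files as UTF-16
    Get-Item $Path
}

function Test-GatewayCertificate {
    param([Parameter(Mandatory)] [string] $GatewayFqdn, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    try {
        # Accept anything in the callback so the handshake completes; we judge the cert ourselves.
        $cb  = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # SAN DNS names (PowerShell adds DnsNameList to X509Certificate2); fall back to the CN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }

        [pscustomobject]@{
            Gateway     = $GatewayFqdn
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            # -like also honours a wildcard SAN such as *.mycompany.com
            NameMatches = [bool]($names | Where-Object { $GatewayFqdn -like $_ })
            ChainValid  = $cert.Verify()   # trusted root, validity period, revocation where reachable
        }
    }
    finally {
        $tcp.Close()
    }
}

# Usage (assumed names):
New-GatewayRdpFile -GatewayFqdn 'rdpgateway.mycompany.com' -TargetHost 'legacyapp01.mydomain.local' `
    -Path "$env:USERPROFILE\Desktop\LegacyApp.rdp"
Test-GatewayCertificate -GatewayFqdn 'rdpgateway.mycompany.com'
```

If NameMatches or ChainValid comes back False, mstsc will refuse the connection with `authentication level:i:1`, so fix the certificate (or the FQDN you hand out) rather than lowering that setting. The wildcard check with `-like` is looser than the client's own matching rules (it would accept a name two labels deep), so treat a wildcard match as a hint, not a guarantee.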

Author

Commented:
Hi Brian!

This is all internal, just a LAN with the server and 16 clients.  Nobody accesses from outside at all.

It just needs to work inside the office LAN.

Would that narrow anything down?

Author

Commented:
Did I install more RD services than I need based on that?
Brian Murphy, Senior Information Technology Consultant
Commented:
Plus 2012 is so far superior in stability ...in my humble opinion, it's one of the best server OS's I've ever seen (Next to SBS 2011...again, my opinion)

[Response]

I agree.  I've been using Amazon Web Services free tier program since they created it years ago.

I have several 2012 R2 servers, 2008R2, Ubuntu, and others spun up on Amazon Web as my lab.

I had a physical lab as consultant but moved to AWS.

You probably already do this but if not just make sure your Developer has a test 2012 R2 server to play with.  Give them a test bed to port the application from 2008 R2.

I get the legacy application thing - I really do.

Yet, it won't come down to 2012 R2 stability.  An application designed to work on a 32-bit workstation platform that may already have issues will still crash a 2012 server.  I've had to hold off migrations where we manage to get 100 applications installed and the 101st consumes all the processor after 5 users.

I realize end of day you don't have much choice.  But there are things you can do to plant seeds and help assure better chances for the developer and you.

Sometimes all you can do is provide the developer the right tools.

I have worked with developers that "inherited" applications.  They have had to work with them after the original creator left the company.

There are some great tools you can provide them, free - that make a big difference.

Tools that monitor the application memory use is a big one.

Microsoft Sysinternals

RAMMap
https://technet.microsoft.com/en-us/sysinternals/rammap.aspx
Webinar: https://channel9.msdn.com/shows/defrag-tools/defrag-tools-6-rammap 

VMMap
https://technet.microsoft.com/en-us/sysinternals/vmmap
Webinar: https://channel9.msdn.com/shows/defrag-tools/defrag-tools-7-vmmap


Process Explorer
https://technet.microsoft.com/en-us/sysinternals/processexplorer

Process Monitor
https://technet.microsoft.com/en-us/sysinternals/processmonitor

Those are the big ones and at least you cover your bases.  You provided the right environment and suggested some tools to help port the application.

The developer of the tools, Mark, has a series of free webcasts.  Some developers find this information priceless where it pertains to fixing Windows applications.
https://technet.microsoft.com/en-us/sysinternals/bb963887 

Hope this helps with the application migration piece.
Brian Murphy, Senior Information Technology Consultant
Commented:
Well.  16 users and all Internal does not call for RDS Gateway.  Something to consider down the line though because of some of the other reasons I stated.  It is just a great tool.  Like the aforementioned tools for developers and troubleshooting.

One of the biggest obstacles you have, IMO, is porting applications from Workstation to server.  Then once those are in 2008R2 now you have to port them again to 2012 R2.

Unfortunately, it is not that easy.  I've yet to have an application go from 2008R2 to 2012R2 without work from the vendor or internal development team.
Senior Information Technology Consultant
Commented:
I would not say you "installed too many" servers.

I would just reiterate one of my earlier points to keep the application hosting server (RDS/TS) separate from your Domain Controller, DNS, DHCP and so forth.

It should be a member of the domain and run Remote Desktop Services Role only.  However many servers you need beyond that is a bigger design decision.

[screenshot: Remote Desktop Services role selection]
I prefer minimum of two forest level controllers and two domain level controllers.

This splits the FSMO roles up and gives some redundancy.

This would be two roots and two children.

For 16 users you can easily go with two roots aka a single forest and no child domains.

mydomain.com

Assuming you want to use AD Integrated DNS, you would run those on your DCs regardless.

Basically what you already stated but I would not be comfortable having all those eggs in one basket.

I would have at least two DCs running DHCP and DNS.

It sounds like you have a good server to work with so I would install just 2012 R2 on the physical server.

That physical server runs 2012R2 and Hyper-V.  Nothing else.

Then spin up two virtual servers, install AD role, run AD wizard, create forest, configure DNS, DHCP, repeat.

Then a third virtual server running RDS role only and a member of your new forest.

If you want redundancy then two RDS servers and split your users amongst them.

This way you can at least do maintenance/patching.

Disable logins on RDS1, patch, reboot, enable logons - repeat for RDS2

And if one goes down users can reconnect to the other.

This might not have value for you but once you and the developer have done all this work to get the applications working - at least have a good backup of that Virtual Machine.

Regular backups.

If you have two RDS servers, that means every time you update the application it must be done on two servers.

Stated another way, consider having only one RDS server and you patch that server and it breaks the application or the application itself breaks the server.  That is where the other server makes you sleep better at night.

Food for thought.

Author

Commented:
I did an experiment since I last posted.  

I used the standard remote desktop connection tool and logged 4 separate users into the Hyper-V machine which has the install of the software in question (this software runs locally on the server).

I then just copied a shortcut from the admin desktop to each user account desktop as it was created upon login and spun up 4 different virtual desktops running the legacy application working as intended on each client pc I logged in.  (I've been told I don't explain things very well so I apologize if this is confusing)   I did a raw RDP connection to the server, and then ran the application in question and it worked.  Each user I logged in got their own instance of the server desktop and it worked once I copied the shortcut of the legacy app.

The downside to this type of connection is the 2 times having to log in, and running a FULL instance of the server....  Is there a way to create a .rdp icon that tells the connection to just launch that one application on the server and not have a full desktop running?   I might be closer to the solution than I had thought originally.
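The following is an added example, not code from any post in this thread. It scripts the design Brian lays out above (an RDS-only member server that is not the DC, with the application published as a single RemoteApp instead of a full desktop, which is what the author's ".rdp icon that launches just one application" question describes) plus the drain-before-patching step, using the RemoteDesktop module that ships with Server 2012 R2. The server name rds1.mydomain.local, the AD group MYDOMAIN\LegacyApp Users and the application path C:\LegacyApp\LegacyApp.exe are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session on a domain member
# that has the RemoteDesktop module (RDS management tools). Assumed names throughout:
$Rds     = 'rds1.mydomain.local'        # RDS member server VM; the DC stays a DC
$Coll    = 'LegacyApp'                  # session collection name
$Users   = 'MYDOMAIN\LegacyApp Users'   # only this AD group may log on to the collection
$AppPath = 'C:\LegacyApp\LegacyApp.exe' # path on the session host

Import-Module RemoteDesktop

# 1. Roles on the single RDS VM: Session Host, Connection Broker, Web Access. Licensing goes on the
#    same VM rather than the DC (the "2 server" split in the question is not needed for 16 users).
New-RDSessionDeployment -ConnectionBroker $Rds -WebAccessServer $Rds -SessionHost $Rds
Add-RDServer -Server $Rds -Role RDS-LICENSING -ConnectionBroker $Rds
Set-RDLicenseConfiguration -LicenseServer $Rds -Mode PerUser -ConnectionBroker $Rds -Force

# 2. One collection; restrict logon to the AD group, turn off device redirection the legacy app
#    does not need, and make idle/disconnected sessions go away instead of piling up.
New-RDSessionCollection -CollectionName $Coll -SessionHost $Rds -ConnectionBroker $Rds
Set-RDSessionCollectionConfiguration -CollectionName $Coll -ConnectionBroker $Rds -UserGroup $Users
Set-RDSessionCollectionConfiguration -CollectionName $Coll -ConnectionBroker $Rds `
    -ClientDeviceRedirectionOptions None -ClientPrinterRedirected $false
Set-RDSessionCollectionConfiguration -CollectionName $Coll -ConnectionBroker $Rds `
    -IdleSessionLimitMin 120 -DisconnectedSessionLimitMin 60 -BrokenConnectionAction Disconnect
Set-RDSessionCollectionConfiguration -CollectionName $Coll -ConnectionBroker $Rds `
    -AuthenticateUsingNLA $true -SecurityLayer SSL -EncryptionLevel High

# 3. Publish the one program as a RemoteApp. Users get a window, not a server desktop, and with
#    CommandLineSetting DoNotAllow they cannot pass their own arguments to the executable.
New-RDRemoteApp -CollectionName $Coll -ConnectionBroker $Rds -Alias 'legacyapp' `
    -DisplayName 'Legacy App' -FilePath $AppPath -CommandLineSetting DoNotAllow -ShowInWebAccess $true
# Clients fetch the .rdp from https://rds1.mydomain.local/RDWeb or subscribe via Control Panel >
# RemoteApp and Desktop Connections to https://rds1.mydomain.local/RDWeb/Feed/webfeed.aspx
Get-RDRemoteApp -CollectionName $Coll -ConnectionBroker $Rds | Format-Table Alias, DisplayName, FilePath

# 4. Maintenance: stop new logons, let users finish, log off stragglers, patch, reboot, re-enable.
function Set-RdsMaintenanceMode {
    param(
        [Parameter(Mandatory)] [string] $SessionHost,
        [Parameter(Mandatory)] [string] $Broker,
        [Parameter(Mandatory)] [string] $CollectionName,
        [switch] $Enable,
        [switch] $LogOffRemaining   # only after users have been told; -Force discards unsaved work
    )
    if ($Enable) {
        # Existing sessions keep running; the broker simply stops sending new ones here.
        Set-RDSessionHost -SessionHost $SessionHost -ConnectionBroker $Broker -NewConnectionAllowed No
        $left = Get-RDUserSession -ConnectionBroker $Broker -CollectionName $CollectionName |
                Where-Object { $_.HostServer -eq $SessionHost }
        if ($LogOffRemaining) {
            $left | ForEach-Object {
                Invoke-RDUserLogoff -HostServer $_.HostServer -UnifiedSessionID $_.UnifiedSessionId -Force
            }
        }
        return $left | Select-Object UserName, SessionState, IdleTime
    }
    Set-RDSessionHost -SessionHost $SessionHost -ConnectionBroker $Broker -NewConnectionAllowed Yes
}

# Usage on patch night (assumed names):
Set-RdsMaintenanceMode -SessionHost $Rds -Broker $Rds -CollectionName $Coll -Enable          # drain, list who is still on
# ... later: Set-RdsMaintenanceMode ... -Enable -LogOffRemaining ; install updates ; Restart-Computer
Set-RdsMaintenanceMode -SessionHost $Rds -Broker $Rds -CollectionName $Coll                  # re-enable logons
```

With a second session host added to the collection, the same drain function runs against RDS1 while the broker keeps sending users to RDS2, which is the patch-one-at-a-time arrangement Brian describes above.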

Author

Commented:
Another tech told me about a product called WSE remote.

Any thoughts or opinions on this?
link here...
http://www.theofficemaven.com/

It claims to do the job.

Author

Commented:
Brian shared a wealth of information to help me find a solution.
