Faxxer asked:
Best configuration for RDP on single 2012 R2 box

Hello friends,

I need advice.

I've got a nice new server for a government agency with Server 2012 R2.

The box is serving as DC, DNS, DHCP, AD,....it's running great.

This office also has a need for RDP to utilize a legacy application that works GREAT on server 2008 R2.

Here comes the first issue.

I've been told that remote desktop services won't run on Server 2012 R2 that is also a DC, and AD.

I "sort of" verified this via MS TechNet sites, and so created a Hyper-V VM of Server 2012 R2 on the same box.

(This box can handle the CPU need; it's twin AMD 6378 CPUs with 256 GB of RAM.)

So now I've got a HOST hardware box serving as AD, DC, etc...

and a clean Hyper-V VM of Server 2012 R2 with nothing on it, except to use for RDP and this legacy application (16 users is all that it's needed for).

Here is the advice part.

I need to know if I should put ALL the RDP functions on the Hyper-V instance, or use the now infamous "2 server" option to set up RDP.
Basically, the 2 server setup uses the host machine for licenses, and the other functions on the hyper-V machine.

I've tried a rough draft of both versions and run into issues. This server is not in production yet.

The legacy program creator can make his product work all day long on server 2008 R2, but on Server 2012 he's completely stumped.

He and I are going to have to figure this out, but it needs to start with working RDP and that's my responsibility first.

I've used and tried several links and pages on the net that get me partially there, but I run into issues with certificates, or communications....  I'm going to remove all RDP services, and start fresh again, based on the advice here.

EE has NEVER let me down ....EVER.

Help me, Obi-Wan Kenobi.

And thank you in advance my fellow technoexpertartists.
SOLUTION by Brian Murphy (members-only; not shown)
I don't know what's infamous about using a single license on hardware with two VMs.... But honestly, I'm a little confused by what you have / think you want to setup.

For example:  Basically, the 2 server setup uses the host machine for licenses, and the other functions on the hyper-V machine.  

What does that mean?  The Host server IS the Hyper-V machine... so what exactly does that mean?

Bottom line, the most common, best practice way to set this up is:

Install Server 2012 R2 on the hardware directly.  The ONLY THING that that instance runs is Hyper-V.  No AD, No DNS, No DHCP, No file server, etc.  JUST HYPER-V

Then install TWO VMs.
VM1: DC, DNS, DHCP, File Server, Print Server.
VM2: RDS

DONE.
SOLUTION (members-only; not shown)

Faxxer (asker):
Brian,  
The goal is to use a business legacy application, not just remote administration.  This application uses a MySQL database and is heavy on data entry.  It's a County Assessor primary assessing tool.

Lee,
I refer you to this link regarding the setup in question about 2 servers on the same box (he calls it a single server solution, but since Hyper-V is involved, it's "really 2 servers").
https://msfreaks.wordpress.com/2013/12/09/windows-2012-r2-remote-desktop-services-part-1/

I followed this to the letter as far as I could take it.  I didn't get a working connection from a client, not even calc.exe.

The Hyper-V installed instance is Server 2012 R2 with no other services installed at the moment....
The above link suggests splitting up the RDS services between the host (hardware server) and the virtual (Hyper-V) server. As I mentioned above, I never got even calc.exe to work because I ran into some issues with the part about SQL and the part about certificates; it just didn't quite make sense to me.

Does that help to clarify?
Faxxer (asker):
maybe I should say this...  

I'd like to use the Hyper-V installation of Server 2012 R2 to serve as a remote desktop application server for a program that uses MySQL.

Do I install ALL the RDP services directly on the Hyper-V machine ONLY?  (The Server 2012 dashboard lets you split those all up during the installation if it sees other servers in the dashboard.)

Does that help to clarify?
I'd like to use the Hyper-V installation of Server 2012 r2 to serve as a remote desktop application server for a program that uses Mysql.

The license does not permit this - the ONLY thing the Hyper-V install can run is Hyper-V.  Nothing else.  (It's also a violation of best practices, but more importantly, it's a violation of licensing!).

Regarding the link you posted, he states early on: "I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 2 servers:" This means he is using a Hyper-V system to illustrate that one piece of hardware can run this solution, but he is not installing ANYTHING on the host.

The only way you can legally do this with a SINGLE server license is to install Hyper-V on the host server and ONLY Hyper-V with NO OTHER ROLES and subsequently install two VMs, one as a DC/File/DNS/Print/DHCP Server, the other as your RDS server.
Faxxer (asker):
I have shared this exact scenario and was told there is no licensing issue in this setup.  

A license of Hyper-V only requires an additional Server 2012 CAL when there is a 3rd Hyper-V installation, and a 2nd Hyper-V install causes the host machine to be "read only", but ONLY when a second Hyper-V is installed.

My setup has only 1.
Faxxer (asker):
P.S. I have the needed RDP and user CALs already.
Lee is absolutely correct on this, from both a technical and licensing perspective.

Don't trust everything you read on the internet. "I shared this on the internet and was told by some random guy that it is fine" is not a legal defense when you get caught and fined.

Read-only? Even that terminology is terrible. And referring to lab scenarios using 8.1? Not good at all. I'll be blunt. You are in over your head here. Connections aren't working because you are doing things (like running ADDS on Hyper-V, which breaks virtual networking every time) and then ignoring good advice. If you are going to do what you want, why ask for help?!?

If you want things to work, follow Lee's advice, or even better (given the evidence thus far) hire a consultant. The risk of data and fines isn't worth going it alone.
I have shared this exact scenario and was told there is no licensing issue in this setup.
With who?  Do you have it IN WRITING from an @microsoft.com person?

Honestly, I've heard mixed statements about that scenario, licensing-wise.  For a moment, if you want me to assume licensing is valid, then I'll rephrase:

No professional with proper training, skills, and an understanding of the benefits and drawbacks of the idea would EVER willingly configure the Hyper-V server to ALSO perform OTHER tasks on the network.  It's foolish.  Why would you?  Why WOULDN'T you just install a SECOND VM?  You HAVE the license.

Issues:
1. Portability - in the event the server hardware fails (OTHER than the Hard Drive or RAID Controller), you can EASILY move the DC to other hardware... If you setup RDS on the physical host, YOU CAN'T MOVE THEM.  Bullet one in the foot.
2. Security.  Your users are interacting DIRECTLY with the host running the DC!  Let's assume for a moment that you don't grant them Admin rights... They STILL have the potential to do something such as fill up a hard drive bringing the DC to a halt... or get the system infected with malicious software that might be able to bypass the admin rights needed through an unpatched - or worse, unknown - exploit that brings down the entire system.
3. Increased attack surface - with more things running on the server, you have to patch more often and potentially bring down the ENTIRE server INCLUDING the DC VM because now you've got to have .Net installed, SQL services, and who knows what else.
4. I'm probably missing some other reasons... but since I NEVER consider setting up a config like this, I'm not constantly thinking about them...

Bottom line, what you are suggesting you want to do is unprofessional at best and a license violation that could cause you serious lost productivity at worst.

I'll repeat, the PROPER way to do this - given my understanding of your situation and without the need for any additional licenses - is:

Install Server 2012 R2 on the hardware directly.  The ONLY THING that that instance runs is Hyper-V.  No AD, No DNS, No DHCP, No file server, etc.  JUST HYPER-V

Then install TWO VMs.
VM1: DC, DNS, DHCP, File Server, Print Server.
VM2: RDS

If you want to learn this, do things properly and by all means learn it.  If you enjoy technology and want to be the one responsible for improving things, GREAT!  Set up a test network first, learn about best practices, and learn why just because you may be able to get certain settings, roles, and features working together doesn't mean you SHOULD.

If this is all just a headache you've been asked to do, I would STRONGLY recommend hiring a professional.  Getting it right the FIRST time will save time and money and prevent lost productivity in the future.
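The host-plus-two-VMs layout described above, as an added PowerShell example that is not from this thread or any of its participants: it first checks that the Hyper-V host carries no role that belongs inside a VM, then creates VM1 (DC/DNS/DHCP/file/print) and VM2 (RDS) and starts them in the right order. The switch name, VM names, sizes, storage and ISO paths are assumptions for illustration.

```powershell
# Added example (not from the thread). Run elevated on the Hyper-V host.
$ErrorActionPreference = 'Stop'
Import-Module ServerManager
Import-Module Hyper-V

# 1. The host should run nothing but Hyper-V. Flag any role that belongs in a VM.
$rolesThatBelongInVMs = 'AD-Domain-Services', 'DNS', 'DHCP', 'FS-FileServer',
                        'Print-Services', 'Remote-Desktop-Services', 'RDS-RD-Server'
$installed = Get-WindowsFeature | Where-Object { $_.Installed }
$misplaced = $installed | Where-Object { $rolesThatBelongInVMs -contains $_.Name }
if ($misplaced) {
    Write-Warning 'Roles installed on the Hyper-V host that should live in a VM:'
    $misplaced | ForEach-Object { Write-Warning "  $($_.Name) ($($_.DisplayName))" }
} else {
    Write-Host 'Host check OK: no AD/DNS/DHCP/file/print/RDS roles on the host.'
}

# 2. One external switch on the office LAN, shared by both VMs (name is an assumption).
$switch = 'LAN-vSwitch'
if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    $nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
    New-VMSwitch -Name $switch -NetAdapterName $nic.Name -AllowManagementOS $true | Out-Null
}

# 3. VM1 = DC/DNS/DHCP/file/print, VM2 = RDS. Fixed memory so the DC is never
#    starved by the session host; paths are placeholders.
$vmRoot = 'D:\Hyper-V'              # assumption
$iso    = 'D:\ISO\WS2012R2.iso'     # placeholder for the install media
$vms = @(
    @{ Name = 'VM1-DC';  MemoryGB = 8;  DiskGB = 100; StartDelay = 0   },
    @{ Name = 'VM2-RDS'; MemoryGB = 32; DiskGB = 200; StartDelay = 120 }
)
foreach ($vm in $vms) {
    if (Get-VM -Name $vm.Name -ErrorAction SilentlyContinue) { continue }
    $vhd = Join-Path $vmRoot "$($vm.Name)\$($vm.Name).vhdx"
    New-VM -Name $vm.Name -Generation 2 -MemoryStartupBytes ($vm.MemoryGB * 1GB) `
           -NewVHDPath $vhd -NewVHDSizeBytes ($vm.DiskGB * 1GB) `
           -SwitchName $switch -Path $vmRoot | Out-Null
    Set-VMMemory -VMName $vm.Name -DynamicMemoryEnabled $false
    Add-VMDvdDrive -VMName $vm.Name -Path $iso
    Set-VMFirmware -VMName $vm.Name -FirstBootDevice (Get-VMDvdDrive -VMName $vm.Name)
    # The DC must be up before the RDS VM tries to authenticate against it,
    # so VM1 auto-starts immediately and VM2 waits two minutes.
    Set-VM -Name $vm.Name -AutomaticStartAction Start -AutomaticStartDelay $vm.StartDelay `
           -AutomaticStopAction ShutDown
}
Get-VM -Name ($vms | ForEach-Object { $_.Name }) |
    Format-Table Name, State, MemoryStartup, Generation, AutomaticStartDelay
```

Re-run the role check after the OS installs inside the VMs; anything that shows up as misplaced on the host is what this thread's advice says to move.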
Faxxer (asker):
Cliff,

Read Only Domain is the term Microsoft calls a Server 2012 R2 with 2 Hyper-V installs.

The person who told me the licensing was good was both a MS certified professional and an MCSE with 30 years of experience in IT.

I think you misunderstood my posts.  I installed Server 2012 R2 on a hardware box; call it an old-school server, before virtual anything.

I have 16 users, not 1600.   I need 16 instances of a program that only one guy wrote.  It worked great on Server 2008, but Server 2012 seems to be a challenge both for this software developer and for me; I'm trying to help him get his product from 2008 to 2012.  I handle the IT for the office, keep the server running, keep the clients operating.    OH, and I do it quite well too for someone in over my head.

Now if you guys are so insistent that I spin up two VMs of Server 2012 on the same box vs. 1 hardware "old-fashioned server" running a Hyper-V VM of Server 2012, then I'm willing to try it if you can give me a broader picture of the situation.  I understand the virtualization pros and am open to the idea, but to say a single VM running in a non-VM system can't work?  It was designed to run 1 VM just fine, or 30 VMs if I purchase the licenses for it.

But...  I've had that box running as I described in a semi-workloaded environment now for a month or 2 and it's never even popped off one error or hiccup with any network problems.  In fact the ONLY service not yet running is the RDP part.

You are free and welcome to insult me saying I'm incapable, ignorant, or in over my head all you like.  But that doesn't mean I can't accomplish the task.   You haven't offered any help, only criticism of my abilities at this point, and suggest I'm doing it wrong. Isn't that the point of this forum?  To ASK for help?  Or have you forgotten what "Experts Exchange" was created for?

I've not rejected ANY ideas as suggested, but you seem to think I'm incapable of following instructions or you'd have provided some.

Lee,

The hardware server install is running my DC, AD, XYZ...   THEN... I have a Hyper-V VM running a CLEAN, BLANK Server 2012 R2 with no services on it.

If you say it will ONLY work if I wipe the server and start with ONLY 2 Hyper-V VMs, then I'm willing to listen.  I can't understand why you would trust a virtual DC/AD. I trust my hardware over a virtual drive 10 to 1, but maybe I'm old-fashioned.   I understand I could move my VM at any time, but guess what? This office has ONLY ONE BOX.  There are no other servers to move anything to, my friend. They don't have the money.

I'm going to answer you point by point.
1. Portability: no other hardware, moot point.
2. Security: interacting with a DC directly?  What did you do before virtualization?  A domain controller's POINT is security, sir!
3. Increased attack surface: not from outside. This entire thing is on a small LAN, and well protected behind a ZyWALL.  Users don't use client email; they have a web-based hosted email that's already pretty secure (if they use it at all).  They also have endpoint protection from Malwarebytes and AVG, and I monitor their machines actively.   They're no more vulnerable than any other business.
4. I realize this isn't your way of doing it, but you're here now, so think about it a little bit for me and offer some help?   Or tell me there is just no way this will work and that I HAVE to set up 2 VMs. I'm willing to listen to why it's so much better, but items 1-3 aren't the reasons I need to hear.

Like I said, it's not a license violation.  I know you are concerned it is, but let's go with the option that if it were, I'd get the needed license to cover that end.

I'm willing to try two VMs to satisfy this option....
But.... just answer me this:
If a single install of Server 2012 DC/AD/XYZ with a Hyper-V VM running nothing but RDS won't work, then why would 2 Hyper-V VMs, 1 running DC/AD/XYZ and a 2nd Hyper-V VM running nothing but RDS, work?

As far as I can tell, the setup for RDS would actually be the same, only with VMs, right?

I'm not trying to be a wanker here, I'm trying to honestly get an understanding of what you guys are saying.
"Read Only Domain is the term Microsoft calls a server 2012 R2 with 2 hyper-V installs." That is *PATENTLY* false. There is no such thing as a read only domain. There *is* such a thing as a "Read Only Domain Controller" (RODC) but that has *NOTHING* to do with Hyper-V.

You are correct that I offered no new instructions or advice. That wasn't the intent of my post. Have you ever seen someone, heard of someone, or gotten bad news from a doctor yourself and so there is an insistence on a second opinion? More often than not, the second doctor will simply say "you got good advice."

Yep.  I *started* my response with the basic paraphrase that Lee was right. One thing I *don't* like on Experts Exchange is when many experts jump in repeating the same advice just for points. So I watch threads to make sure things don't fall through the cracks, but when a good answer is given, I don't just bandwagon. But when I see advice being rejected or I see someone clearly choosing to argue, then I will back up an expert, just as a doctor will provide a second opinion. And that is what you did. My intent wasn't to give new instruction (none is needed) but was intended to further put weight behind Lee's already thorough and stellar advice. Sometimes it just takes a second voice to help someone see reason. I am saddened to see that didn't work in this instance. Lead a horse to water and all that.

You continue to misuse terminology (two hyper-v's, read only domains) and continue to try to argue Lee's points, and somewhere deep down you know this is true, thus the "I'm not trying to be a wanker" defensiveness.

You can click on Lee's name and view his profile. Look at how many points he has and how many questions he's answered that have been accepted.  Then do the same for me. Look at "Server 2012" and see which experts are topping the lists for advice with these products.

I assure you I did not, for a moment, forget what Experts Exchange is about. But neither will I bother repeating other people (Lee) or try to argue with someone who is (not insulting, just observing) in way over their heads. Instead of learning from an expert, you chose to argue.  I will allow my reputation and Lee's to speak to how much, how often, and the quality of advice we each individually give on Experts Exchange. I think given that evidence, it is clear that we did and still do know what Experts Exchange was created for.

There is a difference between asking for help and arguing with help given. I'm sorry for you, but you crossed that line several posts back. Beyond explaining why I posted and providing some further background so you can make an informed decision, I don't feel compelled to further participate in this question. Beating my head against a brick wall isn't a great pastime for me.

Good Luck.
The hardware server install is running my DC, AD, XYZ...   THEN... I have a Hyper-V VM running a CLEAN, BLANK Server 2012 R2 with no services on it.

So you have TWO physical servers?  It was my understanding you wanted everything on one... though in re-reading over the question it's not clear to me one way or the other...

If you say it will ONLY work if I wipe the server and start with ONLY 2 Hyper-V VMs, then I'm willing to listen.  I can't understand why you would trust a virtual DC/AD. I trust my hardware over a virtual drive 10 to 1, but maybe I'm old-fashioned.   I understand I could move my VM at any time, but guess what? This office has ONLY ONE BOX.  There are no other servers to move anything to, my friend. They don't have the money.

Now you say there is only one server?!?!?!  Huh?  Very confusing.  Virtualization technology is NOT NEW.  It's been an integral part of Windows Server for 8 years.  It's been an integral part of data centers for several years before that thanks to VMWare.  It's a solid, proven technology and the only way I deploy systems these days for a variety of reasons.

I'm going to answer you point by point.
1. Portability: no other hardware, moot point.
You're right... if you don't think outside the box.  Hyper-V is included with Pro versions of Windows 8.1 and Windows 10.  In addition, there is a free version of Hyper-V - Hyper-V Server 2012 R2.  In the event of a hardware failure, you can EASILY and QUICKLY get the system running on an office workstation.  While I would NEVER do this for a client, for myself (I understand the risks and the recovery methods) I run a VM on my home office workstation that is a domain controller for the systems in my home and part of my office domain.  But if my office server failed, I could run out to Worst... errr.. Best Buy and get a cheap system, throw some extra RAM in it and run my entire network off that until I replaced the office server.  But if you build DIRECTLY on the hardware, YOU CAN'T DO THAT.  I can, I'm virtual.  You can't... you have a bullet in your foot.

2. Security: interacting with a DC directly?  What did you do before virtualization?  A domain controller's POINT is security, sir!

Exactly what I said:
Your users are interacting DIRECTLY with the host running the DC!  Let's assume for a moment that you don't grant them Admin rights... They STILL have the potential to do something such as fill up a hard drive bringing the DC to a halt... or get the system infected with malicious software that might be able to bypass the admin rights needed through an unpatched - or worse, unknown - exploit that brings down the entire system.
It's not secure when it can be easily brought down because of poor design -- like this.

3. Increased attack surface: not from outside. This entire thing is on a small LAN, and well protected behind a ZyWALL.  Users don't use client email; they have a web-based hosted email that's already pretty secure (if they use it at all).  They also have endpoint protection from Malwarebytes and AVG, and I monitor their machines actively.   They're no more vulnerable than any other business.

They don't access their own e-mail at Yahoo or Gmail, etc. No one walks in with flash drives and plugs them in... or charges their phones on their computer's USB ports?  How about the guy you hire in 2 months? If security were a sure thing, you wouldn't need it.  But I already outlined the increased attack surface.

You know, an IT security professional took a bunch of USB drives and dropped them in a parking lot... he put "malicious" software on them that indicated they were run and on what computer... he found that of the 20 or so he dropped, more than 40% were used in office computers...  Had there been TRULY malicious software on them, it could have been a serious problem for the offices.  As for Malwarebytes and AVG... So what... I've not seen them stop all the variants of CryptoLocker yet... Most anti-malware software doesn't.

4. I realize this isn't your way of doing it, but you're here now, so think about it a little bit for me and offer some help?   Or tell me there is just no way this will work and that I HAVE to set up 2 VMs. I'm willing to listen to why it's so much better, but items 1-3 aren't the reasons I need to hear.

You clearly don't understand IT Security.  You also don't understand virtualization and the benefits it offers.  Given your argumentative effort above and refusal to accept that following best practices is better than going off with a half-baked, limited insight solution (in my opinion) that you're proposing... not to mention your frequent misuse and misunderstanding of terminology, you are clearly not ready for this project.  Take some time and learn about the technologies and their benefits.  If you cannot, DISQUALIFY YOURSELF from the project and force management to get it done right.  Egos don't build reliable networks - honest people who know when they are over their heads can.

You can take this as an insult if you wish... Keep in mind, I'm not saying this is ULTIMATELY beyond your capability - with some time and instruction (far more than a web site and/or forum can give you) I'm sure you could handle this project just fine.  But the overall impression I'm getting from you is you are at best a nurse trying to perform a Heart Transplant... Most nurses understand they shouldn't and would get the appropriate help.

Like I said, it's not a license violation.  I know you are concerned it is, but let's go with the option that if it were, I'd get the needed license to cover that end.

You seem sensitive, so I have doubts you've continued reading... but if you have, I disagree.  I'm under NDA for some of my past work, but I can assure you MCSEs / MCPs are not necessarily licensing experts.  I've been to Redmond 10 times in the last 10 years and even the developers don't often understand how the product is licensed.  Licensing is a LEGAL thing... not a technical thing... LAWYERS wrote them, and unless your MCP / MCSE was a lawyer as well AND had an @microsoft.com e-mail address (to hold up in a civil lawsuit), I wouldn't take his word for it... TECHNICAL experience is not LEGAL experience.  And there's an entire legal system, in part, to deal with different ways of interpreting the law, so even if he's justified in his opinion, if it's not @microsoft.com, then your legal fees could one day add up.

I'm willing to try two VMs to satisfy this option....
But.... just answer me this:
If a single install of Server 2012 DC/AD/XYZ with a Hyper-V VM running nothing but RDS won't work, then why would 2 Hyper-V VMs, 1 running DC/AD/XYZ and a 2nd Hyper-V VM running nothing but RDS, work?
I'm sorry, this is nonsense to me.  Why wouldn't it?  You're separating the services from the Hyper-V host.  You're minimizing the installed resources that need regular patching so the host's reboots are minimized.  You're not permitting access to the host directly by the end users so there is no risk there... you're running two servers that provide all the resources you need in VMs on one piece of physical hardware.
As far as I can tell, the setup for RDS would actually be the same, only with VMs, right?
Functionally, in the end, yes... just more secure, stable, and certainly licensed.

I'm not trying to be a wanker here, I'm trying to honestly get an understanding of what you guys are saying.
Haven't taken the time to look up your definition of Wanker, but in my opinion, you're being belligerent about doing what you want REGARDLESS of how wrong and potentially problematic it may be now or in the future, despite several experts telling you your plan is deeply flawed...

For the sake of your network and people's tax dollars, HIRE A PRO if this needs to be done soon or go to some classes if you have time before it's done.

I think I'll retire from the question as well - beating horses to death just doesn't seem a good use of my time.
Faxxer (asker):
OK,

The term "read only" was what the thread I had been reading said; it was a MS forum.  Clearly I assumed the guy knew what he was talking about.  Ding for terminology.  I read about it to learn some of it in my massive 1500-page book about Server 2012. Clearly a small office has no need of such a thing.

As for license, it nagged at me all day, so I just called MS pre-sales and licensing and verified that a hardware OSE with one Hyper-V install OSE for TS is not in violation of the MS license.  You may want to update your information on that since it appears there is no need to be concerned about the license issue.

As for my own little piece of heaven.  It appears my main issue is related to the self-signed certificate as my error message seems to be related to trust of the machine.   The software developer may have caused some issues too because the published software box shows nothing listed, but when I log on to a session I see calc.exe and wordpad even though the published software is showing as blank.   If I try and publish an app, then I see, for example calc.exe, 2 instances on the web access page when I log in.  One instance of calc says it can't connect at all, the other newer one created complains about the trust as mentioned above.

Oh hey!  I just saw the "attach file" option here, so maybe I can post a snippet in the future of some screens, as pics are worth a thousand typed words, no?
SOLUTION (members-only; not shown)
SOLUTION (members-only; not shown)
Faxxer (asker):
Brian,

Thank you for the very interesting information on legacy apps....You are right on the money!

The developer is still actively updating and developing his product, and in fact has MANY county installations, but as far as I am aware, this is only the 2nd county to upgrade from using Server 2008 R2 to Server 2012. When the call came to get a new server, it just didn't seem right to stay with 2008 based on the amount of time there is left for its life.  Plus 2012 is so far superior in stability. In my humble opinion, it's one of the best server OSes I've ever seen (next to SBS 2011, again, my opinion).

The concept of buying an SSL certificate isn't a problem here, as I'm willing to buy it without hesitation if I can feel it will resolve the issues, but my goal is to see it work and then buy the certificate (unless that's the only way, of course). I'm reading everywhere I can get my hands on, and now your article as well!!! to find a solution that at least gets us a working TS/RDP/RDS. I give up on what the proper term is: "A shortcut with the .rdp file extension that has a lot of lines of code when looked at via Notepad and opens a single application on the local client from the host server."

I actually did a RAW RDP session on 7 of the 16 users for kicks, logging each user into their own instance on this machine, and the CPU was still at 4% (this was before I installed a Hyper-V VM). I might have just logged them all in as administrator too, I can't remember, but I was dying to see how the machine ate connections, and it did without swallowing.

I'll report back any developments I encounter after reading your article...thank you for posting

Ike
SOLUTION (members-only; not shown)
Faxxer (asker):
Hi Bryan!

This is all internal, just a LAN with the server and 16 clients.  Nobody accesses from outside at all.

It just needs to work inside the office LAN.

Would that narrow anything down?
Faxxer (asker):
Did I install more RD services than I need based on that?
SOLUTION (members-only; not shown)
SOLUTION (members-only; not shown)
ASKER CERTIFIED SOLUTION (members-only; not shown)
Faxxer (asker):
I did an experiment since I last posted.  

I used the standard Remote Desktop Connection tool and logged 4 separate users into the Hyper-V machine, which has the install of the software in question (this software runs locally on the server).

I then just copied a shortcut from the admin desktop to each user account desktop as it was created upon login and spun up 4 different virtual desktops running the legacy application working as intended on each client pc I logged in.  (I've been told I don't explain things very well so I apologize if this is confusing)   I did a raw RDP connection to the server, and then ran the application in question and it worked.  Each user I logged in got their own instance of the server desktop and it worked once I copied the shortcut of the legacy app.

The downside to this type of connection is having to log in 2 times, and running a FULL instance of the server desktop....  Is there a way to create a .rdp icon that tells the connection to just launch that one application on the server and not have a full desktop running?   I might be closer to the solution than I had thought originally.
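The single-application launch asked about above is what RDS calls a RemoteApp. As an added example that is not from this thread or any of its participants, the following PowerShell, run on the RDS VM once it is domain-joined, puts all RDS roles on that one VM, creates a session collection, publishes one application, and writes a .rdp file that opens only that application. It uses calc.exe (the test app from the thread) as the published program; the collection name, AD group, certificate path and output path are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the RDS VM.
$ErrorActionPreference = 'Stop'
Import-Module RemoteDesktop

# FQDN of this VM; the broker, web access and session host all live here.
$rds  = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$coll = 'Assessor'                          # collection name (assumption)
$app  = 'C:\Windows\System32\calc.exe'      # swap for the legacy app's exe

# 1. Single-server session deployment: broker + web access + session host on $rds.
if (-not (Get-RDServer -ConnectionBroker $rds -ErrorAction SilentlyContinue)) {
    New-RDSessionDeployment -ConnectionBroker $rds -WebAccessServer $rds -SessionHost $rds
}

# 2. One collection for the office users; limit it to a domain group rather
#    than Domain Users so only the 16 assessors get a session (group is an assumption).
if (-not (Get-RDSessionCollection -CollectionName $coll -ConnectionBroker $rds -ErrorAction SilentlyContinue)) {
    New-RDSessionCollection -CollectionName $coll -SessionHost $rds -ConnectionBroker $rds | Out-Null
    Set-RDSessionCollectionConfiguration -CollectionName $coll -ConnectionBroker $rds `
        -UserGroup 'COUNTY\Assessor-Users' -DisconnectedSessionLimitMin 60 -IdleSessionLimitMin 240
}

# 3. Publish the application instead of a full desktop.
$alias = 'assessor'
if (-not (Get-RDRemoteApp -CollectionName $coll -ConnectionBroker $rds -Alias $alias -ErrorAction SilentlyContinue)) {
    New-RDRemoteApp -CollectionName $coll -ConnectionBroker $rds `
        -DisplayName 'Assessor' -Alias $alias -FilePath $app | Out-Null
}

# 4. The "trust" warning in the thread comes from an RD Publishing certificate
#    that clients do not trust. A certificate issued by the domain's own CA
#    (or a purchased one) for $rds, imported here, signs the published .rdp files.
#    Path and password are placeholders.
$pfx = 'C:\certs\rds-publishing.pfx'
if (Test-Path $pfx) {
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Set-RDCertificate -Role RDPublishing -ImportPath $pfx -Password $pw -ConnectionBroker $rds -Force
    Set-RDCertificate -Role RDRedirector -ImportPath $pfx -Password $pw -ConnectionBroker $rds -Force
}

# 5. A minimal .rdp that launches only the RemoteApp (no full desktop).
#    remoteapplicationprogram uses the "||alias" form the RDS client expects.
$rdp = @"
full address:s:$rds
remoteapplicationmode:i:1
remoteapplicationprogram:s:||$alias
remoteapplicationname:s:Assessor
alternate shell:s:rdpinit.exe
authentication level:i:2
prompt for credentials:i:1
"@
$out = Join-Path $env:USERPROFILE 'Desktop\Assessor.rdp'   # output path (assumption)
Set-Content -Path $out -Value $rdp -Encoding Unicode
Write-Host "Wrote $out; copy it to the client PCs or have users take it from RD Web Access."
```

A hand-written .rdp is unsigned, so clients will still show the "unknown publisher" prompt; the signed copy that RD Web Access serves after step 4 does not.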
Faxxer (asker):
Another tech told me about a product called WSE remote.

Any thoughts or opinions on this?
Link here: http://www.theofficemaven.com/

It claims to do the job.
Faxxer (asker):
Brian shared a wealth of information to help me find a solution.