PowerShell – Create a fully automated RDS Farm (2016) with HA and Gateway in 25 minutes

I'm a big fan of Citrix XenApp/XenDesktop, but for some small customers (20-30 users) the licensing costs are too high, and there is definitely demand for application and desktop virtualization. That's why I came up with the idea to automate the process of installing a native Microsoft RDS farm with high availability and an RDS Gateway for accessing the published resources from outside the company's network. The complete procedure to create a multi-server HA site takes about 25 minutes in my lab environment.

Overview

With the PowerShell script you can create two different builds.

#Build 1 – Multi Server Deployment

  • 2x RDS Session Host
  • 1x RDS Broker
  • 1x RDS WebAccess
  • 1x RDS Gateway
  • 1x RDS Licensing

#Build 2 – HA Server Deployment

  • 2x RDS Session Host
  • 2x RDS Broker
  • 2x RDS WebAccess
  • 2x RDS Gateway
  • 1x RDS Licensing

Network Diagram

[Network diagram: rdsoverview]

Firewall Configuration

From            To                  Port            Description
RDS Gateway     Domain Controller   TCP/UDP 53      DNS
RDS Gateway     Domain Controller   TCP/UDP 389     LDAP
RDS Gateway     Domain Controller   TCP 135         RPC
RDS Gateway     Domain Controller   TCP 88          Kerberos
RDS Gateway     Session Host        TCP/UDP 3389    RDP
Internet        RDS Gateway         TCP 443         HTTP over SSL
Internet        RDS Gateway         UDP 3391        RDP

If you need more detailed port usage information, please check the corresponding TechNet article.
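To verify that the firewall rules from the table are actually in place before the deployment, here is an added check that is not part of the script package from this post. It is meant to run on an RDS Gateway and probes the outbound rules; the host names are taken from the config.json example further down, and the function name is my own. Test-NetConnection only probes TCP, so DNS over UDP is checked with a direct Resolve-DnsName query against the DC, and the remaining UDP rows are reported as not probed.

```powershell
# Added example (not from the original post): verify the gateway's outbound rules.
# Host names assumed from the config.json example on this page.
$DomainController = 'DC001.lab.local'
$SessionHosts     = 'RDSHost001.lab.local', 'RDSHost002.lab.local'

# One entry per row of the firewall table (outbound direction from the gateway)
$rules = @(
    @{ To = $DomainController; Proto = 'TCP'; Port = 53;  Desc = 'DNS' }
    @{ To = $DomainController; Proto = 'UDP'; Port = 53;  Desc = 'DNS' }
    @{ To = $DomainController; Proto = 'TCP'; Port = 389; Desc = 'LDAP' }
    @{ To = $DomainController; Proto = 'UDP'; Port = 389; Desc = 'LDAP' }
    @{ To = $DomainController; Proto = 'TCP'; Port = 135; Desc = 'RPC' }
    @{ To = $DomainController; Proto = 'TCP'; Port = 88;  Desc = 'Kerberos' }
)
foreach ($sh in $SessionHosts) {
    $rules += @{ To = $sh; Proto = 'TCP'; Port = 3389; Desc = 'RDP' }
    $rules += @{ To = $sh; Proto = 'UDP'; Port = 3389; Desc = 'RDP' }
}

function Test-RdsGatewayEgress {
    param([array]$Rules)
    foreach ($r in $Rules) {
        $state = switch ($r.Proto) {
            'TCP' {
                # Test-NetConnection performs a real TCP handshake to the port
                $t = Test-NetConnection -ComputerName $r.To -Port $r.Port -WarningAction SilentlyContinue
                if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
            }
            'UDP' {
                if ($r.Port -eq 53) {
                    # a UDP query sent directly to the DC proves the DNS path works
                    $a = Resolve-DnsName -Name $r.To -Server $r.To -DnsOnly -ErrorAction SilentlyContinue
                    if ($a) { 'open' } else { 'BLOCKED' }
                } else {
                    'not probed'   # LDAP/RDP over UDP need the real client to test
                }
            }
        }
        [pscustomobject]@{
            To    = $r.To
            Port  = "$($r.Proto) $($r.Port)"
            Desc  = $r.Desc
            State = $state
        }
    }
}

Test-RdsGatewayEgress -Rules $rules | Format-Table -AutoSize
```

The two inbound rows (TCP 443 and UDP 3391 from the Internet to the gateway) cannot be checked from the gateway itself; test those from a client outside the network once the gateway role is installed.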

How is it working?

You just need to download the script package and copy the files to "C:\rds". This is necessary because the path to the configuration file is hardcoded in the script and some additional files are downloaded during the deployment.

https://github.com/citrixguyblog/PowerShellRDSDeployment

Here is a config file to create a #Build2 environment.

Important: The config file is JSON. Every backslash "\" must be written as "\\", otherwise the syntax breaks!

{
	"MultiDeployment": "Yes",
	"HADeployment": "Yes",
	"ConnectionBroker01": "RDSBroker001.lab.local",
	"ConnectionBroker02": "RDSBroker002.lab.local",
	"WebAccessServer01": "RDSWebAccess001.lab.local",
	"WebAccessServer02": "RDSWebAccess002.lab.local",
	"RDGatewayServer01": "RDSGateway001.lab.local",
	"RDGatewayServer02": "RDSGateway002.lab.local",
	"RDSHost01": "RDSHost001.lab.local",
	"RDSHost02": "RDSHost002.lab.local",
	"LICserver": "RDSLic001.lab.local",
	"LICmode": "PerUser",
	"DomainController": "DC001.lab.local",
	"DesktopCollectionName": "RDS Lab",
	"DesktopDiscription": "Test Deployment with PowerShell",
	"ProfileDiskPath": "\\\\DC001\\RDSFarm1$",
	"RDSAccessGroup": "SG_RDP_Internal_Access@lab.local",
	"GatewayAccessGroup": "SG_RDP_External_Access@lab.local",
	"CertPath": "C:\\rds\\Wildcard_Flashmob.pfx",
	"CertPassword": "Password",
	"GatewayExternalFqdn": "gateway.flashmob-saulgau.de",
	"RDBrokerDNSInternalName": "rdsbroker",
	"RDBrokerDNSInternalZone": "flashmob-saulgau.de",
	"RDWebAccessDNSInternalName": "remoteaccess",
	"RDWebAccessDNSInternalZone": "flashmob-saulgau.de",
	"SQLServer": "DB001.lab.local",
	"SQLDatabase": "RDSFarm1",
	"SQLFilePath": "C:\\Program Files\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\MSSQL\\DATA"
}

What do I need to know before running the script?

  1. A wildcard SSL certificate from a third-party PKI is irreplaceable. You can also use certificates from your enterprise PKI, but this can lead to unsightly warning messages for users accessing the infrastructure from outside the LAN, because the certificate revocation list is not reachable.
  2. The user running the script needs the right to create DNS records and security groups in Active Directory. If the RSAT tools are missing, the script installs them.
  3. Create two security groups in Active Directory for internal and external access.
  4. Determine the FQDNs you want to use: Broker, Gateway, WebAccess. (The script will generate split DNS records. My internal domain is "lab.local" and the wildcard certificate is issued for "*.flashmob-saulgau.de".)
  5. Create a UNC share for the profile disks. You only need to grant "Read" access to "Everyone"; everything else is handled by the broker machines.
  6. Fill out the configuration file and rename it to "config.json".
  7. Run the script (Install_RDSFarm.ps1) as administrator.
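Because the deployment takes a while and fails late when a prerequisite is missing, here is an added pre-flight check for the steps above. It is not part of Install_RDSFarm.ps1; it reads C:\rds\config.json (the key names are the ones from the config example on this page, the function names are my own) and checks that every server name resolves, that the PFX opens with the configured password and its name covers the external gateway FQDN, that the profile disk share is reachable, and that the two access groups exist in Active Directory (the last check needs the RSAT ActiveDirectory module).

```powershell
# Added example (not from the original script): validate config.json before deploying.
function Get-RdsConfig {
    param([string]$Path = 'C:\rds\config.json')
    $cfg = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # keys every build needs; the *02 keys are only present for #Build2
    $required = 'MultiDeployment', 'HADeployment', 'ConnectionBroker01', 'WebAccessServer01',
                'RDGatewayServer01', 'RDSHost01', 'LICserver', 'LICmode', 'DomainController',
                'ProfileDiskPath', 'RDSAccessGroup', 'GatewayAccessGroup', 'CertPath',
                'CertPassword', 'GatewayExternalFqdn'
    $missing = $required | Where-Object { -not $cfg.PSObject.Properties[$_] }
    if ($missing) { throw "config.json is missing: $($missing -join ', ')" }
    return $cfg
}

function Test-CertNameMatch {
    # A wildcard certificate covers exactly one label: *.example.com matches gw.example.com only
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        if ($HostName -notmatch '\.') { return $false }
        return $HostName.Substring($HostName.IndexOf('.')) -ieq $CertName.Substring(1)
    }
    return $CertName -ieq $HostName
}

function Test-RdsPrerequisites {
    param([psobject]$Config)
    $results = @()
    $check = { param($Name, $Pass) [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass } }

    # 1. every server named in the config must resolve in DNS
    $serverKeys = 'ConnectionBroker01', 'ConnectionBroker02', 'WebAccessServer01', 'WebAccessServer02',
                  'RDGatewayServer01', 'RDGatewayServer02', 'RDSHost01', 'RDSHost02',
                  'LICserver', 'DomainController', 'SQLServer' |
                  Where-Object { $Config.PSObject.Properties[$_] }
    foreach ($k in $serverKeys) {
        $name = $Config.$k
        $results += & $check "DNS $k ($name)" (Resolve-DnsName -Name $name -ErrorAction SilentlyContinue)
    }

    # 2. the PFX must open with the configured password, carry a private key,
    #    cover the external gateway FQDN and not be about to expire
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $Config.CertPath, $Config.CertPassword)
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $results += & $check "Certificate '$cn' covers $($Config.GatewayExternalFqdn)" (Test-CertNameMatch -CertName $cn -HostName $Config.GatewayExternalFqdn)
        $results += & $check "Certificate has private key" $cert.HasPrivateKey
        $results += & $check "Certificate valid for 30+ days (until $($cert.NotAfter))" ($cert.NotAfter -gt (Get-Date).AddDays(30))
    } catch {
        $results += & $check "Open PFX $($Config.CertPath) with configured password" $false
    }

    # 3. the profile disk share must be reachable from the machine running the script
    $results += & $check "Share $($Config.ProfileDiskPath) reachable" (Test-Path -Path $Config.ProfileDiskPath)

    # 4. both access groups must already exist in AD (step 3 above)
    foreach ($g in @($Config.RDSAccessGroup, $Config.GatewayAccessGroup)) {
        $sam = ($g -split '@')[0]
        $results += & $check "AD group $sam exists" (Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue)
    }
    return $results
}

$cfg = Get-RdsConfig
Test-RdsPrerequisites -Config $cfg | Format-Table -AutoSize
```

Run it in the same elevated session you will use for Install_RDSFarm.ps1, so that the DNS, share and AD checks reflect the rights of the account that will actually perform the deployment.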

HA Broker and SQL Database

When deploying #Build2 you need to interact during the script execution. To create the database for the HA broker, the broker computer accounts need permission to create a database on the SQL server. The problem is that the command "Set-RDConnectionBrokerHighAvailability" always creates a new database, so you can't set the permission on an empty "RDSFarm1" database before running the script. You need to give the security group "RDS_Connection_Brokers" the "sysadmin" role temporarily to complete the setup. Afterwards you should reduce the permission to "db_owner". The script will instruct you to do this.
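The two permission changes described above, as an added example that is not part of the script from this post: the first function grants the broker group "sysadmin" right before the HA step, the second drops it again and leaves only "db_owner" on the farm database, and the third lets you verify that "sysadmin" is really gone. It uses Invoke-Sqlcmd from the SqlServer module; "LAB" is the assumed NetBIOS name of the lab.local domain, and the server and database names come from the config example on this page.

```powershell
# Added example (not from the original post): temporary sysadmin for the HA broker setup.
$SqlServer   = 'DB001.lab.local'                # SQLServer from config.json
$Database    = 'RDSFarm1'                       # SQLDatabase from config.json
$BrokerGroup = 'LAB\RDS_Connection_Brokers'     # assumed NetBIOS domain + group name from the post

function Grant-RdsBrokerSysadmin {
    # Before Set-RDConnectionBrokerHighAvailability: the group holding the broker
    # computer accounts must be able to create the farm database.
    param([string]$Server, [string]$Group)
    $q = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Group')
    CREATE LOGIN [$Group] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$Group];
"@
    Invoke-Sqlcmd -ServerInstance $Server -Query $q
}

function Revoke-RdsBrokerSysadmin {
    # After the HA setup: remove sysadmin and keep only db_owner on the farm database.
    param([string]$Server, [string]$Db, [string]$Group)
    $q = @"
ALTER SERVER ROLE [sysadmin] DROP MEMBER [$Group];
USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Group')
    CREATE USER [$Group] FOR LOGIN [$Group];
ALTER ROLE [db_owner] ADD MEMBER [$Group];
"@
    Invoke-Sqlcmd -ServerInstance $Server -Query $q
}

function Get-RdsBrokerServerRoles {
    # Verification: lists the server roles the group still holds; after Revoke it
    # should return no rows (db_owner is a database role and does not appear here).
    param([string]$Server, [string]$Group)
    $q = @"
SELECT r.name AS ServerRole
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE p.name = N'$Group';
"@
    Invoke-Sqlcmd -ServerInstance $Server -Query $q
}

# Usage, in the order the deployment script prompts for it:
# Grant-RdsBrokerSysadmin  -Server $SqlServer -Group $BrokerGroup
# ... let the script run Set-RDConnectionBrokerHighAvailability ...
# Revoke-RdsBrokerSysadmin -Server $SqlServer -Db $Database -Group $BrokerGroup
# Get-RdsBrokerServerRoles -Server $SqlServer -Group $BrokerGroup
```

Run these against the SQL server with an account that is itself sysadmin; the broker computer accounts must already be members of the group, because SQL Server resolves the Windows group membership at login time.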

Load Balancing

This setup is based on DNS round robin. It's always better to use a hardware/software load balancer that checks whether the service is running properly. If you are interested in how to load balance the components with Microsoft Network Load Balancing (NLB) and Citrix NetScaler, drop me a message and I will write a blog post about it.
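Since DNS round robin hands out every A record regardless of whether the node behind it is healthy, here is an added check that is not part of the original post: it resolves a round-robin name, opens a TLS session to port 443 on every node it points to, and reports whether each node presents the expected wildcard certificate and how long that certificate is still valid. The DNS names and certificate name are taken from the config example on this page; the function names are my own.

```powershell
# Added example (not from the original post): health check of the nodes behind a
# DNS round-robin name, including the certificate each node presents.
function Get-TlsCertificate {
    param([string]$Address, [string]$ServerName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        # accept whatever certificate is presented here; it is inspected explicitly below
        $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ServerName)   # SNI = the round-robin name
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-RdsRoundRobinNodes {
    param([string]$Name, [string]$ExpectedCertName)
    $records = Resolve-DnsName -Name $Name -Type A -DnsOnly | Where-Object { $_.Type -eq 'A' }
    foreach ($a in $records) {
        try {
            $cert = Get-TlsCertificate -Address $a.IPAddress -ServerName $Name
            $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            $nameOk = $cn -ieq $ExpectedCertName
            $dateOk = $cert.NotAfter -gt (Get-Date)
            [pscustomobject]@{
                Name        = $Name
                Node        = $a.IPAddress
                Certificate = $cn
                ExpiresIn   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                Healthy     = $nameOk -and $dateOk
            }
        } catch {
            # no TCP connect or no TLS handshake: this node is still in DNS but dead
            [pscustomobject]@{ Name = $Name; Node = $a.IPAddress; Certificate = $null; ExpiresIn = $null; Healthy = $false }
        }
    }
}

Test-RdsRoundRobinNodes -Name 'remoteaccess.flashmob-saulgau.de' -ExpectedCertName '*.flashmob-saulgau.de'
Test-RdsRoundRobinNodes -Name 'gateway.flashmob-saulgau.de'      -ExpectedCertName '*.flashmob-saulgau.de'
```

A node that shows Healthy = False here will still receive a share of the clients from DNS round robin, which is exactly the gap a real load balancer with a health monitor closes.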

How can I access the RDSFarm?

Method 1 – Native RDP Client
Connect to the RDSBroker FQDN and configure Gateway settings.

[Screenshots: mstsc1, mstsc1_2, mstsc2]

Method 2 – WebAccess (Browser)
Browse to the configured RemoteAccess FQDN. After a successful login you can access your desktop or RemoteApps.

[Screenshots: web1, web2]

Method 3 – WebAccess with URL or E-Mail
This will create shortcuts in the Windows Start menu. It's also possible to set the connection URL via Group Policy (User Configuration –> Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections –> "Specify default connection URL").

[Screenshots: remoteapp1, remoteapp2_1, remoteapp2, remoteapp5]
