The only manual group membership that’s needed is in Network Policy Services when right clicking on the root node IIRC. There will be a bang beside the security group NPS needs to register and work with AD related items.
That’s it.
We remove “Domain\Domain Users” from the default on the Broker for all collections and use a dedicated security group for each. Membership in the group means the user gets access or the RemoteApp RSS delivered to them.
The Session Host server(s) should be in its/their own OU. Group Policy settings would then be configured for the Computer Objects.
We drop a GPO into the user’s OU for specific needs that can be security group delimited.
It sounds like things are being a lot more complicated than they should be?
I have a suggestion for you. Lab a vanilla setup:
- Set up a Hyper-V Server with a Private Network
- Virtual Machines:
  - Set up a vanilla DC for MyExperiment.Com
    i. You can use HOSTS on your machine for:
       - Remote.
  - Set up a Broker/Gateway/Web server
  - Set up a couple servers for Session Hosts
  - Set up Untangle/NSv 270 Trial/pfSense
    i. vNIC on Private
    ii. vNIC on LAN for access
- Walk through the process in Server Manager
  - That’s it
  - Keep it simple
    i. Broker/Gateway/Web Roles
    ii. Add the Session Host(s) and they’ll be automagically configured
    iii. Force a reboot of the Session Host(s) as they don’t do that on their own
- Tweak NPS for the Security Group membership requested
- Connect to https://Remote.MyExperiment.Com
  - You should be able to log on and see the default .RDP Collection File
  - Use a trusted certificate and you can use RD Gateway
That’s it. Once the above is done, have a look at how it is finally set up for the defaults.
You can use a self-issued certificate as a start. We have lots of registered lab domains with Admini...@MyLabDomain.Com configured so that we can buy SSL certificates for our testing purposes.
I have some comprehensive articles on Experts Exchange:
ADDS: https://www.experts-exchange.com/articles/26820/Working-With-Active-Directory-and-Group-Policy.html
Hyper-V: https://www.experts-exchange.com/articles/31442/Practical-Hyper-V-Performance-Expectations.html
Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
MPECS Inc.
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Teams: Phili...@MPECSInc.Cloud
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BggakZfgK8zwMH04F0PSt2gFGrb6D0mc0Acb%3D2hN5QZGw%40mail.gmail.com.
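The per-collection security group practice described in the message above can be audited from the Broker. This is an added example, not part of the original thread; the broker name, the NetBIOS domain name and the "RDS-<collection>" group naming are assumptions, and the dedicated groups are assumed to exist in AD already.

```powershell
#Requires -Modules RemoteDesktop
# Added example (not from the thread): list each RDS collection's user groups,
# flag broad defaults such as "Domain\Domain Users", and optionally swap in a
# dedicated group. Run with -WhatIf first to preview the change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ConnectionBroker = 'broker.myexperiment.com',  # hypothetical broker FQDN
    [string]$Domain           = 'MYEXPERIMENT',              # hypothetical NetBIOS domain name
    [switch]$Fix
)

# Group names that grant access to far more accounts than a collection needs.
$broad = '(^|\\)(Domain Users|Authenticated Users|Everyone)$'

$report = foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
    $cfg = Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName `
               -UserGroup -ConnectionBroker $ConnectionBroker
    [pscustomobject]@{
        Collection = $c.CollectionName
        UserGroups = $cfg.UserGroup -join '; '
        TooBroad   = [bool]($cfg.UserGroup | Where-Object { $_ -match $broad })
    }
}

if ($Fix) {
    foreach ($r in $report | Where-Object TooBroad) {
        # Hypothetical naming scheme: one group per collection, created beforehand.
        $group = "$Domain\RDS-$($r.Collection)"
        if ($PSCmdlet.ShouldProcess($r.Collection, "Set user group to $group")) {
            # -UserGroup sets the collection's access list to the groups given here.
            Set-RDSessionCollectionConfiguration -CollectionName $r.Collection `
                -UserGroup $group -ConnectionBroker $ConnectionBroker
        }
    }
}

$report | Format-Table -AutoSize
```

Populate the dedicated group before running with -Fix, otherwise users of that collection lose access until they are added.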
What’s the user count and session host server count?
Okay got it.