RDS Ad and local groups


Mike Leone

Dec 5, 2025, 9:35:57 AM, to NTSysAdmin
I'm confused about something. In AD, there are groups for "RDS management Servers" and "RDS Endpoint Servers". I have populated them with the respective servers for my environment.

I see the same group names in the *local* groups on the RDS servers. However, they are not populated. 
(well, on the Connection Broker/License Manager/Web Access host, they are populated, I presume automatically, because I don't recall adding the entries to those groups. From what I've been able to find out, these groups *MUST* be populated, and they are. It's the session hosts that are not ...).

But on the session hosts, they are unpopulated (local groups). Not Endpoints, no Manager Servers.

Should I be populating them, with the same values that are in AD? It all seems to work just fine as it is ...

Thanks

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
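An added example, not from this thread, to check the question above: it reports how the local "RDS Endpoint Servers" and "RDS Management Servers" groups on each session host compare with the AD groups of the same name. It assumes the RSAT ActiveDirectory module on the machine running it, PowerShell Remoting to the session hosts, and the LocalAccounts module (Get-LocalGroupMember) on those hosts; the host names in the script are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: compare AD membership of the RDS server groups with the
# local groups of the same name on each session host.
# Assumes RSAT (Get-ADGroupMember), PowerShell Remoting to the hosts, and the
# LocalAccounts module (Get-LocalGroupMember) on the session hosts.
param(
    # Constructed placeholders; replace with the real session host names
    [string[]]$SessionHosts = @('RDSH01', 'RDSH02'),
    [string[]]$GroupNames   = @('RDS Endpoint Servers', 'RDS Management Servers')
)

$netbios = (Get-ADDomain).NetBIOSName

foreach ($group in $GroupNames) {
    # Expected members from AD, written as DOMAIN\NAME$ so they match local output
    $adMembers = @(Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { "$netbios\$($_.SamAccountName)" })

    foreach ($hostName in $SessionHosts) {
        # Actual members of the local group on the session host; empty when the
        # group is absent or Get-LocalGroupMember fails (e.g. on orphaned SIDs)
        $localMembers = @(Invoke-Command -ComputerName $hostName -ArgumentList $group -ScriptBlock {
            param($g)
            try { (Get-LocalGroupMember -Group $g -ErrorAction Stop).Name } catch { }
        })

        [pscustomobject]@{
            SessionHost = $hostName
            LocalGroup  = $group
            LocalCount  = $localMembers.Count
            OnlyInAD    = @($adMembers    | Where-Object { $_ -notin $localMembers }) -join '; '
            OnlyLocal   = @($localMembers | Where-Object { $_ -notin $adMembers })    -join '; '
        }
    }
}
```

A row with LocalCount 0 and entries in OnlyInAD is the situation described in the question: the AD group is populated but the local group on that session host is empty.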

Philip Elder

Dec 5, 2025, 11:58:42 AM, to ntsys...@googlegroups.com

The only manual group membership that’s needed is in Network Policy Services when right clicking on the root node IIRC. There will be a bang beside the security group NPS needs to register and work with AD related items.

That’s it.

We remove “Domain\Domain Users” from the default on the Broker for all collections and use a dedicated security group for each. Membership in the group means the user gets access or the RemoteApp RSS delivered to them.

The Session Host server(s) should be in its/their own OU. Group Policy settings would then be configured for the Computer Objects.

We drop a GPO into the user’s OU for specific needs that can be security group delimited.

It sounds like things are being a lot more complicated than they should be?

I have a suggestion for you. Lab a vanilla setup:

  1. Set up a Hyper-V Server with a Private Network
  2. Virtual Machines:
     a. Set up a vanilla DC for MyExperiment.Com
        i. You can use HOSTS on your machine for:
           1. Remote.
     b. Set up a Broker/Gateway/Web server
     c. Set up a couple servers for Session Hosts
     d. Set up Untangle/NSv 270 Trial/pfSense
        i. vNIC on Private
        ii. vNIC on LAN for access
  3. Walk through the process in Server Manager
     a. That’s it
     b. Keep it simple
        i. Broker/Gateway/Web Roles
        ii. Add the Session Host(s) and they’ll be automagically configured
        iii. Force a reboot of the Session Host(s) as they don’t do that on their own
  4. Tweak NPS for the Security Group membership requested
  5. Connect to https://Remote.MyExperiment.Com
     a. You should be able to log on and see the default .RDP Collection File
     b. Use a trusted certificate and you can use RD Gateway

That’s it. Once the above is done, have a look at how it is finally set up for the defaults.

You can use a self-issued certificate as a start. We have lots of registered lab domains with Admini...@MyLabDomain.Com configured so that we can buy SSL certificates for our testing purposes.

I have some comprehensive articles on Experts Exchange:

ADDS: https://www.experts-exchange.com/articles/26820/Working-With-Active-Directory-and-Group-Policy.html

RDS: https://www.experts-exchange.com/articles/34109/Remote-Desktop-Services-RDS-Setup-Guide-Best-Practices.html

Hyper-V: https://www.experts-exchange.com/articles/31442/Practical-Hyper-V-Performance-Expectations.html

https://www.experts-exchange.com/articles/13256/Some-Hyper-V-Hardware-and-Software-Best-Practices.html

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

MPECS Inc.

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Teams: Phili...@MPECSInc.Cloud


Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BggakZfgK8zwMH04F0PSt2gFGrb6D0mc0Acb%3D2hN5QZGw%40mail.gmail.com.

Mike Leone

Dec 5, 2025, 12:19:38 PM, to ntsys...@googlegroups.com

> The only manual group membership that’s needed is in Network Policy Services when right clicking on the root node IIRC. There will be a bang beside the security group NPS needs to register and work with AD related items.

We don't use Network Policy Services.

> We remove “Domain\Domain Users” from the default on the Broker for all collections and use a dedicated security group for each. Membership in the group means the user gets access or the RemoteApp RSS delivered to them.


We do dedicated security groups.

> The Session Host server(s) should be in its/their own OU. Group Policy settings would then be configured for the Computer Objects.


They are.

> We drop a GPO into the user’s OU for specific needs that can be security group delimited.


We set a user GPO for loopback processing to the computer OU, and don't redirect user folders, like we do elsewhere in the domain.

> It sounds like things are being a lot more complicated than they should be?


I wouldn't have said that, but I could be wrong. LOL


> You can use a self-issued certificate as a start. We have lots of registered lab domains with Admini...@MyLabDomain.Com configured so that we can buy SSL certificates for our testing purposes.


I am using our internal CA to issue the certs, that's all done.

> I have some comprehensive articles on Experts Exchange:


We don't use Hyper-V but I'll take a look, thanks.

Philip Elder

Dec 5, 2025, 12:26:23 PM, to ntsys...@googlegroups.com

What’s the user count and session host server count?

Mike Leone

Dec 5, 2025, 1:02:36 PM, to ntsys...@googlegroups.com

On Fri, Dec 5, 2025 at 12:26 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

> What’s the user count and session host server count?


66 active users, 8 session hosts (the vendor told us that was the number we needed for that many users).
Remote app only, no VDI.

1 host as License Manager/Connection Broker/Web Access.

Philip Elder

Dec 5, 2025, 1:55:53 PM, to ntsys...@googlegroups.com