SupportingWindows

  • Icons of unpublished/old remote apps appearing on RDWEB Page in Server 2012/2012 R2

    Hello AskPerf! This is Ishu Sharma from the Microsoft Performance team. Today I am going to discuss a peculiar issue I came across in a couple of cases involving Server 2012 and 2012 R2. In these cases, users were able to see icons for unpublished remote apps on the RDWEB page.

    The remote apps, which show as actually published in the collection, can be launched. However, when you click on the icons for the apps that are not published you receive an error. Hence it was very clear that these remote apps do not actually exist but their entries are being pulled from somewhere.

    In one case, I checked and confirmed that those extra remote app icons were not published in the collection, which means the icons were being pushed from somewhere else. I used tools like procmon and RDWEB tracing while launching the app to figure out where those unpublished/old RemoteApp icons were coming from. However, before doing that I checked the registry keys below on the connection broker, because every time a collection or remote application is published an entry for it gets created in these locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\CollectionName

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\CollectionName\Applications

    clip_image001

    I found that there was a stale entry for an old collection on the connection broker which does not exist anymore and those extra remote app icons were published for the old collection. Hence, deleting the registry entry for the old collection from connection broker resolved the issue.

    In one of the cases we could also see the same thing in the RDWeb tracing logs (RemoteApps go missing from RDWeb page when any of the RDSH servers are rebooted). The log shows icons for remote apps being written to the cache from two different collections, but one of the collections (ContosoStandard) no longer exists.

    w3wp.exe Information 0 2014/03/05 13:45:26 [Verbose] 7 Wrote icon CSMAGIC-ContosoRemoteApps-CmsRdsh into cache

    w3wp.exe Information 0 2014/03/05 13:45:26 [Info] 7 :App: MEDITECH WilMed Healthcare added, FileExtension: .rdp

    w3wp.exe Information 0 2014/03/05 13:45:26 [Verbose] 7 Wrote icon DWRCC-ContosoRemoteApps-CmsRdsh into cache

    w3wp.exe Information 0 2014/03/05 13:45:26 [Info] 7 :App: Dameware Remote Control added, FileExtension: .rdp

    w3wp.exe Information 0 2014/03/05 13:45:26 [Verbose] 7 Wrote icon EXCEL-ContosoRemoteApps-CmsRdsh into cache

    w3wp.exe Information 0 2014/03/05 13:45:26 [Info] 7 :App: Microsoft Excel 2010 added, FileExtension: .rdp

    w3wp.exe Information 0 2014/03/05 13:45:26 [Info] 7 :App: PreOP Blank added, FileExtension: .rdp

    w3wp.exe Information 0 2014/03/05 13:45:26 [Verbose] 7 Wrote icon mstsc-ContosoStandard-CmsRdsh into cache

    w3wp.exe Information 0 2014/03/05 13:45:26 [Info] 7 :App: Remote Desktop Connection added, FileExtension: .rdp

    w3wp.exe Information 0 2014/03/05 13:45:26 [Verbose] 7 Wrote icon powershell-ContosoStandard-CmsRdsh into cache

    w3wp.exe Information 0 2014/03/05 13:45:26 [Info] 7 :App: Windows PowerShell added, FileExtension: .rdp

    You may also come across cases where, instead of a stale entry for an old collection, you find a stale entry for just an old remote app which is not supposed to be displayed on the RDWEB page. So, in such scenarios you can verify the above registry keys to check that no extra/stale entries for a non-existent collection or remote app are present.
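    The following script is an added example, not part of the original post: it audits the CentralPublishedResources keys on a Connection Broker and lists any collection or RemoteApp entry that the deployment no longer knows about, without deleting anything. It assumes the RemoteDesktop module is available (it is on a 2012/2012 R2 Connection Broker) and that each subkey under Applications is named after the RemoteApp alias, which the post does not state.

```powershell
# Added example (not from the original post): audit the CentralPublishedResources
# registry on a 2012 / 2012 R2 Connection Broker for collections or RemoteApps that
# no longer exist in the deployment. Run on the Connection Broker in an elevated
# PowerShell session. Assumption (not stated in the post): the subkeys under
# ...\<Collection>\Applications are named after the RemoteApp alias, and the
# collection subkey matches either the collection name or its alias.
Import-Module RemoteDesktop

$farmsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms'

# What the deployment currently knows about (names and aliases)
$liveCollections = @(Get-RDSessionCollection | ForEach-Object { $_.CollectionName; $_.CollectionAlias })

$stale = @()
foreach ($farm in Get-ChildItem -Path $farmsKey) {
    $collection = $farm.PSChildName
    if ($liveCollections -notcontains $collection) {
        # The whole collection is gone but its key is still here (the case in the post)
        $stale += [pscustomobject]@{ Kind = 'Collection'; Collection = $collection; App = $null; Path = $farm.PSPath }
        continue
    }
    # Collection exists: compare its Applications subkeys with the published RemoteApps
    $liveApps = @(Get-RDRemoteApp -CollectionName $collection -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Alias)
    $appsKey = Join-Path $farm.PSPath 'Applications'
    if (Test-Path $appsKey) {
        foreach ($app in Get-ChildItem -Path $appsKey) {
            if ($liveApps -notcontains $app.PSChildName) {
                $stale += [pscustomobject]@{ Kind = 'RemoteApp'; Collection = $collection; App = $app.PSChildName; Path = $app.PSPath }
            }
        }
    }
}

if ($stale.Count -eq 0) {
    Write-Host 'No stale CentralPublishedResources entries found.'
} else {
    $stale | Format-Table Kind, Collection, App, Path -AutoSize
}

# Removal is deliberately left manual: export the key first and confirm each entry
# against Server Manager before deleting, for example:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources" C:\cpr-backup.reg
#   Remove-Item -Path $stale[0].Path -Recurse -WhatIf
```

    Run it on the Connection Broker; an entry reported as Kind = Collection with no matching live collection is the situation described above, and the Path column is the key to back up and remove.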

    Reference Articles:

    -Ishu

  • Uncover the mystery of a bugcheck 0x24 (NTFS_FILE_SYSTEM)

      My name is Nan, I am an Escalation Engineer in Platforms Global Escalation Services in GCR. Today I’d like to share an interesting sample case with respect to filter manager to showcase the powerful debugging extension fltkd.dll (it is included ...read more
  • A Treatise on Group Policy Troubleshooting–now with GPSVC Log Analysis!

    Hi all, David Ani here from Romania. This guide outlines basic steps used to troubleshoot Group Policy application errors using the Group Policy Service Debug logs (gpsvc.log). A basic understanding of the logging discussed here will save time and may ...read more
  • Keeping Azure PowerShell Current

    I have been supporting Azure for 7 years now and one of the constants is the rapid pace of change of the services offered. This means that not only do you have to continually stay abreast of the most recent changes, but you also have to make sure that ...read more
  • Traffic Manager and Azure SLB - Better Together!

    This post was contributed by Pedro Perez Can Traffic Manager coexist with Azure Load Balancer? And how do we keep session affinity with them? Yes they can coexist, and in fact it is a good idea to use both together. That is because Traffic Manager ...read more
  • Remote Desktop Services (RDS) 2012 session deployment scenarios “Quick Start”

    Good morning AskPerf! Jason here to continue our mini-series on RDS Session Deployment.

    Please see RDS 2012 Session Host deployment scenarios for an overview of the different ways to deploy RDS on Windows 2012 for additional information.

    When would I use Quick Start? Typically you would not. It is similar to a Standard Deployment, which is the current best practice, except that it will only deploy the RDS components to a single server. All components (Connection Broker, RDWeb, and RDSH) will be installed with no option to modify. This is useful if you are setting up a quick POC, a lab environment, or a single server with all the components, for example for a small office. If you want to split the components out to different machines, then choose Standard Deployment.

    DEPLOYING “QUICK START”:

    1. On the server that will become the Connection Broker, logon with a domain account that is an administrator and start Server Manager. From Manage menu item, select Add Roles and Features.

    clip_image002

    2. Select Remote Desktop Services installation.

    clip_image004

    3. Select Quick Start.

    clip_image006

    4. Select Session-based desktop deployment.

    clip_image008

    5. Add your local server to the Selected list for Specify RD Connection Broker server.

    clip_image010

    6. On the Confirm Selections dialog, check Restart the destination server automatically if required.

    clip_image012

    7. The RDS session deployment will now begin the install to all the servers and components selected. A progress dialog will be shown and the server will reboot.

    clip_image014

    8. After reboot, log in and the progress dialog will be shown again and installation will continue.

    9. After installation is complete, in the Server Manager Dashboard, there will be a Remote Desktop Services role listed in the left navigation pane.

    clip_image016

    10. Selecting Remote Desktop Services will display the Overview of the new deployment. From this page, the next steps would be to add / specify both the license server and RD Gateway if needed.

    clip_image018

    LICENSING:

    There are multiple ways to configure licensing in RDS 2012 and this can be confusing. Group Policy always takes precedence and will NOT show in the Connection Broker console if configured; however, the settings will show in the RD Licensing Diagnoser console. Do not mix methods of setting licensing. For example, do not set licensing in GPO and also in the Server Manager GUI, as this may result in errors. A more detailed post about licensing methods will follow this post series.

    1. To add a new license server through the GUI, simply click on the ‘RD Licensing’ node. The Add RD Licensing Servers dialog will be displayed. See the next step to add an existing license server.

    clip_image020

    2. To add an existing license server, in Deployment Overview, click on TASKS, and select Edit Deployment Properties.

    clip_image022

    3. In Configure the deployment, select RD Licensing. Best practice is to use Per User mode as it provides better resiliency in case of a license server outage. Enter the license server and select Add.

    clip_image024

    Not covered in this post, but the next step after deployment is to configure the QuickStart Session Collection. Simply right click on QuickStart in Deployment Overview to get started.

    Congratulations! You now have a new 2012 RDS session deployment.

    -Jason

  • Remote Desktop Services (RDS) 2012 session deployment scenarios "Server Role Deployment"

    Hello AskPerf! Jason here again to continue our RDS mini-series.

    Please see RDS 2012 Session Host deployment scenarios for an overview of the different ways to deploy RDS on Windows 2012 before using this method, as this method is not the normal method of deployment.

    Ok, so why would I deploy just the Remote Desktop Services Server Role? There are a couple of scenarios where deploying just the Server Role makes sense. These are non-typical setups such as using RDS in a workgroup, or using RDS on a server that is not dedicated to RDS, for example a SQL server, to allow more than 2 concurrent sessions. Another scenario for deploying just the Server Role is when you are deploying Citrix, since Citrix has its own management and consoles. When deploying just the Server Role, you do NOT get the centralized management, the management consoles, or the RemoteApp published application functionality. All of these components are part of a Collection, and for these reasons a Standard Deployment is normally recommended.

    DEPLOYING “REMOTE DESKTOP SERVICES” SERVER ROLE:

    1. Start Server Manager, and from the Manage menu dropdown, select Add Roles and Features.

    clip_image002

    2. Select Role-based or feature-based installation.

    clip_image004

    3. Select the server from the Server Pool on which to install the RDS Role.

    clip_image006

    4. Select Remote Desktop Services for the Role to install.

    clip_image008

    5. Select Next for Features.

    clip_image010

    6. Select Next.

    clip_image012

    7. For Role Services select Remote Desktop Session Host.

    clip_image014

    8. Upon selection of the Remote Desktop Session Host role, a popup will be displayed to install both Media Foundation and Remote Desktop Licensing Diagnoser Tools.

    clip_image016

    9. Check Restart the destination server automatically if required and click Install to start the installation.

    clip_image018

    10. If prompted to allow automatic restarts, select Yes.

    clip_image020

    11. At this point installation will start and progress will be shown. After the selected components have been installed, the server will automatically reboot to complete the installation.

    clip_image022

    12. After reboot and logon, the Installation Progress will be displayed again with the final status of the installation.

    clip_image024

    13. After closing the Add Roles and Features Wizard you are shown the Remote Desktop Services Role Management snap-in.

    clip_image026

    Using this method, we kind of get dropped off in an unfriendly place. Nothing for the Remote Desktop Services Server Role can be viewed or managed from here. As you can see above, no management consoles are installed for RDS when selecting just the Server Role, so there is no easy way to directly manage this server. You can select Servers and see the events associated with RDS, but that is about it.

    As I mentioned previously, this method of install is NOT the preferred method and should only be used for certain specific use cases. Even though there are not any management consoles, most of the PowerShell commands for RDS except for the cmdlets for collections are still available for use if this is the method you choose to use for deploying RDS 2012 sessions.

    LICENSING:

    With no console for licensing, how do I configure it? Configuring licensing in detail is described in another post. To configure a server with only the RDS role and not in a collection, you can either use Group Policy, which takes precedence, or use PowerShell / WMI. See the following KB for additional information on deploying the RDS Role without a Connection Broker.

    Guidelines for installing the Remote Desktop Session Host role service on a computer running Windows Server 2012 without the Remote Desktop Connection Broker role service

    Example way to configure license server in PowerShell from KB if not using Group Policy:

    1. Open an elevated Windows PowerShell prompt

    2. Type the following command on the PS prompt and press Enter:

        • $obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting

    3. Run the following command to set the licensing mode. Best Practice is to use Per User for resiliency: 

        • Note: Value = 2 for Per Device, Value = 4 for Per User
        • $obj.ChangeMode(4)   # 4 = Per User; use 2 for Per Device

    4. Run the following command, replacing LicServer with the name of your license server:

        • $obj.SetSpecifiedLicenseServerList("LicServer")

    5. Run the following command to verify the settings that are configured using above mentioned steps:

        • $obj.GetSpecifiedLicenseServerList()
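    As an added example that is not from the KB or this post, the steps above combined into one script that refuses to run if licensing is already set by Group Policy (the post says GPO takes precedence and the two methods must not be mixed), then sets the mode and server and reads the result back. The license server name is a placeholder; the Policies registry key and value names used for the GPO check, and the name of the output property returned by GetSpecifiedLicenseServerList, are assumptions.

```powershell
# Added example (not from the KB or the post): configure and verify RDS licensing
# on a stand-alone Session Host (no Connection Broker) via the
# Win32_TerminalServiceSetting WMI class used in the steps above. Run elevated.
param(
    [string]$LicenseServer = 'LICSERVER.contoso.local',   # placeholder constructed for this example
    [ValidateSet(2, 4)][int]$Mode = 4                     # 2 = Per Device, 4 = Per User (post recommends Per User)
)

# Assumption: the "Use the specified Remote Desktop license servers" and
# "Set the Remote Desktop licensing mode" policies write these values. If either
# is present, Group Policy wins and anything set through WMI is ignored.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (Test-Path $policyKey) {
    $pol = Get-ItemProperty -Path $policyKey
    if ($pol.LicenseServers -or $pol.LicensingMode) {
        throw "Licensing is already set by Group Policy (LicenseServers=$($pol.LicenseServers), LicensingMode=$($pol.LicensingMode)). Do not also set it here."
    }
}

$obj = Get-WmiObject -Namespace 'Root/CIMV2/TerminalServices' -Class Win32_TerminalServiceSetting

# Step 3: licensing mode
$r = $obj.ChangeMode($Mode)
if ($r.ReturnValue -ne 0) { throw "ChangeMode failed with return value $($r.ReturnValue)" }

# Step 4: license server list
$r = $obj.SetSpecifiedLicenseServerList($LicenseServer)
if ($r.ReturnValue -ne 0) { throw "SetSpecifiedLicenseServerList failed with return value $($r.ReturnValue)" }

# Step 5: re-read the object and verify both settings took effect
$obj = Get-WmiObject -Namespace 'Root/CIMV2/TerminalServices' -Class Win32_TerminalServiceSetting
# Assumption: the method's output parameter is named SpecifiedLicenseServerList
$configured = @($obj.GetSpecifiedLicenseServerList().SpecifiedLicenseServerList)

[pscustomobject]@{
    LicensingType  = $obj.LicensingType            # 2 = Per Device, 4 = Per User
    LicenseServers = ($configured -join ', ')
    Ok             = ($obj.LicensingType -eq $Mode) -and ($configured -contains $LicenseServer)
}
```

    The Ok field is the check to look at after a reboot as well: if Group Policy is later applied to the server, the WMI-reported values will no longer match what was set here, which is exactly the mixed-configuration situation the post warns about.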

    -Jason

  • Remote Desktop Services (RDS) 2012 session deployment scenarios “Standard Deployment”

    Hello AskPerf! Jason here again to continue our mini-series. This is part of a complete post series for RDS 2012 session deployment scenarios.

    Please see RDS 2012 Session Host deployment scenarios for an overview of the different ways to deploy RDS on Windows 2012 for additional information.

    For Windows 2012 R2, the most typical scenario and best practice is to do a Standard Deployment. Why? As previously mentioned, it gives you all the consoles for management of your collections. It supports anything from an all-in-one server to deployment across multiple servers. It allows each role (RDWeb, Connection Broker, RDSH) to be installed on the same or different servers. It has all the features required for RemoteApp, RDWeb, and Connection Broker. Unlike previous versions, all deployment, configuration, and management is performed from the Connection Broker. In summary, if you are deploying RDSH for production to multiple servers, then this is your option.

    For Standard Deployment, all installation, configuration, and management of the RDS session deployment should be done from the Connection Broker. The Connection Broker maintains all of the static configuration and dynamic session information for the collections in a Windows Internal Database (WID) on the local server. HA for connection brokers can be setup as well using remote SQL instance but that is another topic.

    NOTE: At this time, only two connection brokers are supported in a deployment. More can be added without warning and will function under most scenarios but this is NOT supported.

    DEPLOYING ‘STANDARD DEPLOYMENT’:

    1. On the server that will become the Connection Broker, logon with a domain account that is an administrator. Start Server Manager, and from the Manage menu dropdown, select Add Servers.

    clip_image002

    2. In the Add Servers dialog, select and add all servers that will be in this deployment. This includes all Connection Brokers (up to 2), RDS session host servers, and RDWeb servers.

    clip_image004

    3. After adding all servers for this deployment, from the 'Manage' menu dropdown, select Add Roles and Features.

    clip_image006

    4. Select Remote Desktop Services installation.

    clip_image008

    5. Select Standard deployment.

    clip_image010

    6. Select Session-based desktop deployment.

    clip_image012

    7. Select Next.

    clip_image014

    8. Add your local server to the Selected list for Specify RD Connection Broker server. Note: only one Connection Broker (your local server) can be added at this time. Configuration of a Connection Broker for HA is done after initial installation of first Connection Broker.

    clip_image016

    9. Next, select the server that will be used for RDWeb. RDWeb provides access to RemoteApps (published applications) through a web page or via the RemoteApp and Desktop Connections applet in Control Panel. Again, only one server can be selected at this time; additional RDWeb servers can be added after the initial deployment. You also have the choice to install RDWeb on the Connection Broker instead. Unless you are in a very large environment, the Connection Broker can be used as the RDWeb server too.

    clip_image018

    10. The last selection is the selection of the RDSH servers. This selection can be used to specify one or more RDSH servers. In this example we will only use one.

    clip_image020

    11. On the Confirm Selections dialog, check Restart the destination server automatically if required. The RDSH servers will require a restart, but the Connection Broker and RDWeb servers will not.

    clip_image022

    12. The RDS session deployment will now begin the install to all the servers and components selected. A progress dialog will be shown.

    clip_image024

    13. When the deployment has finished, the View progress dialog will show the final status. Verify all component installations show Succeeded.

    clip_image026

    14. Now in the Server Manager Dashboard, there will be a Remote Desktop Services role listed in the left navigation pane.

    clip_image028

    15. Selecting Remote Desktop Services will display the ‘Overview’ of the new deployment. From this page, the next steps would be to add / specify both the license server(s) and RD Gateway(s). Additional servers for existing roles can be added and collections can be created.

    clip_image030

    LICENSING:

    There are multiple ways to configure licensing in RDS 2012 and this can be confusing. Group Policy always takes precedence and will NOT show in the Connection Broker console if configured, however the settings will show in the RD Licensing Diagnoser console if installed. Do not mix methods of setting licensing. For example, do not set in GPO and also in Server Manager Gui as this may result in errors. A more detailed post about licensing methods will be following this post series.

    1. To add a new license server through Gui, simply click on RD Licensing node. The Add RD Licensing Servers dialog will be displayed. See next step to add an existing license server.

    clip_image032

    2. To add an existing license server, in Deployment Overview, click on TASKS, and select Edit Deployment Properties.

    clip_image034

    3. In Configure the deployment, select RD Licensing. Best practice is to use Per User mode as it provides better resiliency in case of a license server outage. Enter the license server and select Add.

    clip_image036

    Not covered in this post, but the next step after deployment is to create a Session Collection. Simply right click on RD Session Host in Deployment Overview to get started.
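    For reference, the same Standard Deployment done from PowerShell (the fourth deployment method mentioned in the series overview), as an added example rather than part of this post. It runs from the server that will become the Connection Broker, uses the RemoteDesktop module's own cmdlets, and only creates the deployment and configures licensing; the session collection is still a separate step. All server names are placeholders.

```powershell
# Added example (not from the post): PowerShell equivalent of the Standard
# Deployment wizard steps above. Run from the future Connection Broker, in an
# elevated session, with all servers already joined to the domain. Server names
# are placeholders constructed for this example.
Import-Module RemoteDesktop

$broker       = 'RDCB01.contoso.local'
$webAccess    = 'RDWEB01.contoso.local'                          # may be the same host as $broker
$sessionHosts = @('RDSH01.contoso.local', 'RDSH02.contoso.local') # one or more RDSH servers
$licServer    = 'RDLIC01.contoso.local'

# Steps 8-12: choose the broker, RDWeb and session host servers and install.
# RDSH servers will restart as part of this, the broker and RDWeb will not.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $webAccess -SessionHost $sessionHosts

# Step 13: verify every requested role is present in the deployment
$servers = Get-RDServer -ConnectionBroker $broker
$servers | Format-Table Server, Roles -AutoSize

$deployedHosts = ($servers | Where-Object { $_.Roles -contains 'RDS-RD-SERVER' }).Server
$missing = $sessionHosts | Where-Object { $_ -notin $deployedHosts }
if ($missing) { throw "Session host(s) not deployed: $($missing -join ', ')" }

# Licensing step 3: Per User mode, set through the broker only (not also via GPO)
Set-RDLicenseConfiguration -LicenseServer $licServer -Mode PerUser -ConnectionBroker $broker -Force
Get-RDLicenseConfiguration -ConnectionBroker $broker
```

    Get-RDLicenseConfiguration at the end is the PowerShell counterpart of checking the RD Licensing node in Deployment Overview; if it shows a different server or mode than expected, check for a licensing GPO before changing anything here.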

    Congratulations! You now have a new 2012 RDS session deployment.

    -Jason

  • Server Hung/Becoming Unresponsive

    A server hang is typically defined as a condition where a machine is non-responsive locally or over the network.

    Hard Hang (not necessarily referring to hardware):

    • The server is not accessible using any remote functionalities - RDP, Citrix, etc…
    • Remote Console Access such as Drac, iLo, Rsa is possible but the Operating System is not responding to any command for example “Ctrl+Alt+Del”.
    • If the server is a Virtual Machine, the Hypervisor console doesn’t respond to CAD or the Hypervisor performance monitoring tools are not showing activity.
    • A test ping to the server will fail and we cannot access Administrative shares (\\ServerName\c$).

    Soft Hang:

    • The server is not accessible using any remote functionalities - RDP, Citrix, etc...
    • You are able to send “Ctrl+Alt+Del” command into the console access but the Credentials Box/Winlogon GINA never comes up or is slowly coming up.
    • Ping responses may be fine, dropping, or showing high network latency.
    • Accessing an administrative share (\\ServerName\c$) is not working, or works but slowly.

    Reference: PRF: Server Hang (Pre-Windows Server 2008+)

    If you are currently experiencing a hang and are considering opening a support incident with Microsoft, please prepare for the following: Troubleshooting Server hangs, memory leaks or resource depletions can be a very difficult and time consuming process of involving multiple attempts to collect the RIGHT data. Ensuring that you have collected the data and that the data is valid before engaging support will greatly reduce the time spent by both you and the support engineer when it comes to identifying the source of the issue.

    • If the machine is currently in the hung state, we will ask you to configure data collection based on the steps provided in this blog.
    • If the machine is not in the hung state but you anticipate a recurrence, we will again ask you to configure data collection based on the steps in this blog.
    • Once you complete the data collection steps defined in this blog and have a dump file you would like Microsoft Support to review, please verify the data based on the validation steps listed in this blog.

    Note: Server hangs, memory leaks or resource depletions are often related to 3rd party products. Support is able, in some cases, to identify the third party but is unable to provide a resolution other than uninstalling the product or contacting the vendor. If you suspect that your issue might be related to a third party product, it is highly recommended that you contact them to ensure there are no known issues, that you have the latest updates, and that they are available to collaborate with Microsoft should the issue be identified with their product.

    You must restart the system after any change to the registry or the pagefile (the VMware snapshot or suspend-state method is the exception).

    1. Pre-requisites for Memory Dump

    Applies to Physical machines and Virtual Machines.

    A- NMI or Keyboard Key Combination

    The Non-Maskable Interrupt (NMI) crash is not enabled by default on a Windows Operating System; create the following registry entry to enable it.

    Location - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
    Name – NMICrashDump
    Type – REG_DWORD
    Value – 1

    KeyBoard PS/2
    Location - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters
    Name – CrashOnCtrlScroll
    Type - REG_DWORD
    Value – 1

    USB Keyboard
    Location - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters
    Name – CrashOnCtrlScroll
    Type - REG_DWORD
    Value – 1

    Note: We recommend setting both keyboard entries if you choose the keyboard-initiated crash, as the host may recognize the keyboard as either USB or PS/2.

    B- Type of Dump

    The Full memory dump option is not available in the user interface on Windows versions prior to Windows 8/2012. On any Windows Operating System (including Windows 8/2012 and 8.1/2012 R2), you can select the Full Memory dump option by setting the following registry value. If there isn’t enough space on the local drives, you may set the value to 2 (Kernel Memory Dump); however, the user mode (application) portion of memory will then not be captured:

    Location - HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
    Name – CrashDumpEnabled
    Value – 1

    Note: On Windows 8/2012 and above you can change the option using the User Interface (See Point 1-C)

    C- Pagefile

    The pagefile should be the size of the physical RAM + 100 MB. If the pagefile is set equal to the amount of RAM, there is a good chance the dump file gets corrupted.

    Set up the pagefile by going to Control Panel > System and Security > System. Click Advanced system settings > Settings under Performance > Advanced > Change. Select the drive where you want the pagefile to be hosted, then select Custom Size. Once the size is correctly set, press the Set button. Click OK and exit the settings.

    Example below: the pagefile is set on the E drive with 196608 MB (192 GB) as the initial size and 196708 MB as the maximum size.

    clip_image002

    If there isn’t enough space on the C drive to host both the pagefile and the memory dump (about twice the size of RAM in total), you may want to change the memory dump location. To set a different memory dump location use the user interface or the registry:

    User Interface:

    To change these settings, go to Control Panel > System and Security > System. Click Advanced system settings. Under Startup and Recovery, click Settings.

    clip_image003

    Registry:

    Location - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
    Name – DumpFile
    Value – Change %SystemRoot% to a local Drive letter

    Important: If the issue occurs on a physical server, make sure the Automated System Recovery feature (if applicable) is disabled in the BIOS. The recovery mechanism can restart the server prematurely while the system is still writing memory to the pagefile during the crash/bugcheck.
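    The prerequisites in sections 1-A through 1-C, checked (and optionally applied) by one script, as an added example that is not part of the original post. It reports each registry value against the values given above, compares the pagefile to RAM + 100 MB, and checks free space on the drive that holds DumpFile; nothing is changed unless -Apply is given, and a reboot is still required afterwards. The output format and the free-space heuristic are this example's own.

```powershell
# Added example (not from the post): audit and, with -Apply, set the crash-dump
# prerequisites from section 1 on a physical or virtual Windows server.
# Run elevated, then reboot for the registry / pagefile changes to take effect.
param([switch]$Apply)

# Registry values exactly as listed in sections 1-A and 1-B
$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';         Name = 'NMICrashDump';      Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';         Name = 'CrashDumpEnabled';  Value = 1 },  # 1 = complete, 2 = kernel
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'; Name = 'CrashOnCtrlScroll'; Value = 1 },  # PS/2 keyboard
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters';   Name = 'CrashOnCtrlScroll'; Value = 1 }   # USB keyboard
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $ok = ($current -eq $s.Value)
    "{0,-5} {1}\{2} = {3}" -f ($(if ($ok) { 'OK' } else { 'FIX' }), $s.Path, $s.Name, $current)
    if (-not $ok -and $Apply) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

# Section 1-C: pagefile must be at least RAM + 100 MB (equal to RAM risks a corrupt dump)
$ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$needMB = $ramMB + 100
$pf = Get-CimInstance Win32_PageFileSetting
if (-not $pf) {
    # No instances means the pagefile is system-managed; a custom size has to be set by hand
    "FIX   pagefile is system-managed; set a custom size of at least $needMB MB"
} else {
    foreach ($p in $pf) {
        $ok = ($p.InitialSize -ge $needMB) -and ($p.MaximumSize -ge $needMB)
        "{0,-5} {1} initial={2} MB max={3} MB (need >= {4} MB)" -f ($(if ($ok) { 'OK' } else { 'FIX' }), $p.Name, $p.InitialSize, $p.MaximumSize, $needMB)
        if (-not $ok -and $Apply) {
            $p.InitialSize = $needMB
            $p.MaximumSize = $needMB
            Set-CimInstance -InputObject $p
        }
    }
}

# Dump location: the drive holding DumpFile needs roughly RAM-sized free space for a complete dump
$dumpFile = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl').DumpFile
$dumpPath = [Environment]::ExpandEnvironmentVariables($dumpFile)
$freeMB   = [math]::Floor((Get-PSDrive -Name $dumpPath.Substring(0, 1)).Free / 1MB)
"{0,-5} {1} has {2} MB free (need ~{3} MB for a complete dump)" -f ($(if ($freeMB -ge $ramMB) { 'OK' } else { 'FIX' }), $dumpPath, $freeMB, $ramMB)
```

    Run it once without -Apply to see what would change, fix the pagefile and DumpFile location if the drive is short on space, then run with -Apply and reboot; the same script run again after the reboot should report OK on every line before you trigger the crash.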

    2. How to trigger the dump collection.

    NMI Method

    Remote console access tools such as DRAC, iLO, RSA, etc. allow the interrupt to be sent through the console, via an option often found under ‘Diagnostics’. If the button is not available there, the hardware may also have a physical NMI button.

    Keyboard (Ctrl+ScrLk) Method

    The keyboard crash can be initiated by using the following hotkey sequence: Hold down the rightmost CTRL key, and press the SCROLL LOCK key twice.

    Forcing a System Crash from the Keyboard

    Virtual Machines on Hyper-V 2012 R2 Only

    You can generate an NMI call using PowerShell directly on the host:

    PS C:\Windows\system32> Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname

    Get a kernel dump of a 2012 R2 Hyper-V server with Powershell

    Virtual Machines (Vmware)

    Vmware snapshot or suspend states files are a copy of the Physical memory and are convertible into a Full Memory dump. If any issue is encountered while creating the snapshot or suspend state, then try the Steps above or contact Vmware support.

    ‘Vmss2core_win.exe’ tool will convert .vmsn/.vmss file extensions to memory dump: https://labs.vmware.com/flings/vmss2core

    For VMs running Windows 7/2008 R2 or earlier use: vmss2core_win -W snapshot.vmsn/Suspend.vmss

    For VMs running Windows 8/2012 and above use: vmss2core_win -W8 snapshot.vmsn/Suspend.vmss

    Note: copy the ‘vmss2core’ tool onto a Windows system along with the snapshot/suspend state file.

    3. Data Check/Sanity Check.

    A- Checking the memory.dmp output file

    Once the memory dump is generated, there is a chance the dump may be corrupted after reboot. In order to check if the dump is readable, a tool called ‘Dumpchk’ is available for download. This application will verify the data is readable. You can download Dumpchk from the Debugging tools for Windows from the Windows SDK:

    Windows Software Development Kit (SDK) for Windows 8.1

    clip_image005

    Usage:

    From an elevated Command prompt, change directory to the dumpchk folder location and run ‘dumpchk [Path to Dump]’

    clip_image006

    B- Data review and Analysis

    • Option 1

    Compress the memory dump using either the Windows built-in Compression tool (Right Click > Send to > Compressed (Zipped) Folder) or any third party compression solution. If the File size after compression is lower than 8 GB then you can obtain a preliminary analysis using our Free Memory Dump Diagnostic Website:

    Diagnostic Packages

    Please note the report analysis is automated and may not be accurate. If you are not satisfied with the report then a support case will need to be opened.

    • Option 2

    Reviewing the dump using the Windows Debugger included in the “Debugging Tools for Windows” (SDK):

    Windows Software Development Kit (SDK) for Windows 8.1

    Open the Debugger, go to File > Symbol File Path, and enter the path to the symbol server together with a local folder in which to save the symbols (example below).

    SRV*your local symbol folder*http://msdl.microsoft.com/download/symbols

    Where your local symbol folder is any drive or share that is used as a symbol destination.

    Source:  Use the Microsoft Symbol Server to obtain debug symbol files

    Important: Option 2 requires medium to advanced debugging skills.

  • Remote Desktop Services (RDS) 2012 Session Host deployment scenarios

    Hello AskPerf!  Jason here from the Windows Reliability team.  As more customers migrate from Remote Desktop Services (Session Host) on Windows 2008 R2 to Windows 2012 R2, we occasionally get calls requesting assistance with either migrating to, or deploying a new, 2012 R2 RDS environment.  In versions prior to 2008 R2, installing the RDS Server role was fairly straightforward.  Windows 2008 R2 changed this method with the addition of a Connection Broker, though if not using RemoteApp or VDI, the Connection Broker was not needed.  Even when using a Connection Broker, to deploy the RDS Hosts in a collection, you would install the RDS role on each RDS server.  All the familiar consoles are there.  Publishing of applications was still done on each server.
     
    This is the first post in a multipart series to help Admins quickly determine which method to use for deploying RDS in 2012 R2.
     
    So, what changed?  Well, a lot, and for the good.  Comparing 2008 R2 to 2012 R2 RDS components, the biggest change is the Connection Broker and the role that it plays.  Prior to 2012, the concept of collections did not really exist.  With the release of 2012, the Connection Broker database now includes all of the management data as well as connection data.  This made configuration of any sizable farm in 2008 R2 more tedious.  To publish apps you went to each RDS Host and published.  It was made a little easier by being able to export and import, but still was not as manageable as it could be.  Configuring certs for the different components and setting up RDS Gateway was definitely more complicated.  To me Server 2012 R2 is as it should be, centralized configuration and management.  Deploying a collection is very easy once you figure out not to deploy as an RDS role except for certain scenarios. Missing and different consoles, and not having consoles at all on the RDS Hosts is a big change from 2008.

    Where did my Consoles go?!?  Good question!  I’ve heard the following statement more than once - “I deployed RDS role as I have always done.”  Along with changes to the Connection Broker, the consoles and their locations have changed as well.  The Connection Broker in Server Manager has all of the consoles now except for RDS Gateway and RDS Licensing which are still separate.  Deploying just the RDS role will actually not install any console at all except for the RD Licensing Diagnoser.
     
    Windows 2012 R2 has 3 deployment methods, or 4 counting PowerShell, which are actually pretty easy - see links section below.  Hint, if you are wanting the short answer then do a Standard Deployment and get your consoles back.  Do EVERYTHING from the Connection Broker.  Add all servers being deployed to the Connection Broker All Servers First.  There are multiple ways to configure licensing in RDS 2012 and this can be confusing.  Group policy always takes precedence and will NOT show in the Connection Broker console if configured.  Do not mix methods of setting licensing.  For example, do not set in Group Policy and also in Server Manager GUI, as this may result in errors.  A more detailed post about licensing methods will be following this post series.
     
    For Windows 2012 R2, the most typical scenario and best practice is to do a Standard Deployment.  Why?  Well, as previously mentioned, it gives you all the consoles for management of your collections.  It supports everything from an all-in-one server to a deployment across multiple servers.  It allows each role (RDWeb, Connection Broker, RDSH) to be installed on the same or different servers.  It has all the features required for RemoteApp, RDWeb, and Connection Broker.  Unlike previous versions, all deployment and management is performed from the Connection Broker.  In summary, if you are deploying RDSH for production to multiple servers, then this is your option.
     
    So, when would I use Quick Start?  Typically you wouldn't.  It's similar to a Standard Deployment, which is the current best practice, except that it will only deploy the RDS components to a single server.  All components (Connection Broker, RDWeb, and RDSH) will be installed with no option to modify.  This would be good if you are setting up a quick POC or a lab environment, or if you are only going to deploy one server with all the components, for example in a small office.  If you want to split the components out to different machines, then choose Standard Deployment.
     
    Ok, so why would I deploy just the Server Role?  There are a couple of scenarios where deploying just the Server Role service makes sense.  These are non-typical setups such as using RDS in a workgroup, or using RDS on a non-RDS server, for example on a SQL server, to allow more than 2 concurrent sessions.  Another scenario for deploying just the Server Role is when you are deploying Citrix, since it has its own management and consoles.  When just deploying the Server Role, you do not get the centralized management, the management consoles, or the RemoteApp published application functionality.
     
    Hopefully this clears up some of the confusion around deciding which way to deploy RDS in 2012R2.  Check the following links for more detailed information on the different installation methods.
     
    RDS 2012 session deployment scenarios Server Role Deployment (coming soon)
    RDS 2012 session deployment scenarios Standard Deployment (coming soon)
    RDS 2012 session deployment scenarios Quick Start (coming soon)
    RDS 2012 session deployment Licensing Methods (coming soon)
     
    REFERENCE:
    RDS Step by Steps to install RDS Session Deployment using Powershell.docx

    -Jason

  • Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2

    Hey all, Rob Greene here again. Well it’s been a very long while since I have written anything for the AskDS blog. I’ve been heads down supporting all the new cool technology from Microsoft. I wanted to see if I could head off some cases ...
  • KB 3046555: End-to-end guide for Deploying MBAM 2.5 in a stand-alone configuration

    This guide provides step-by-step instructions for installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 in a stand-alone configuration. In this guide we will use a two-server configuration. One of the two servers will be a database server that is running Microsoft SQL Server 2012. This server will host the MBAM databases and reports. The additional server will be a Windows Server 2012 web server and will host "Administration and Monitoring Server" and "Self-Service Portal."

    You can find the complete article here:

    Deploying MBAM 2.5 in a stand-alone configuration
    http://support.microsoft.com/en-us/kb/3046555

    If you experience any problems when you install MBAM 2.5, refer to our troubleshooting guide.

    e2e: Troubleshooting MBAM 2.5 installation problems
    http://support.microsoft.com/en-us/kb/3049652

    Kaushik Ainapure
    Solution Asset PM
    Windows Division

  • Tips & Tricks with MBAM 2.5 - Part 1: Domain Controller and Group Policy Management

    We have periodically received requests on some of the Tips and Tricks regarding Microsoft BitLocker Administration and Monitoring (MBAM).  So we will be posting a series of blogs and have them listed below.

    Part 1: Domain Controller and Group Policy Management

    This blog will be focused on Domain Controller and Group Policy Management.

    Tip 1:

    Before installing or adding MBAM web components, decide if you are going to use a custom name or a default hostname of your web server.

    If you are going to use a custom name, create an A record in DNS and register the SPN for the custom name you have decided on.

    setspn -s http/custom.contoso.com contoso\AppPoolName

    setspn -s http/custom contoso\AppPoolName

    Tip 2:

    If you plan on using SSL, issue the certificate to the hostname you are planning to use.

    For example, I like to use the custom host name such as MBAMRecovery.contoso.com and my web server name as server1.contoso.com.

    Issue the certificate to MBAMRecovery.contoso.com.

    Tip 3:

    Setting SPN and Delegation

    To set the SPN, use the below command:

    setspn -s http/server1.contoso.com contoso\AppPoolName

    If you have any preexisting SPN or duplicates, try deleting them and adding new ones.

    setspn -d http/server.contoso.com contoso\AppPoolName

    It is necessary to have set the SPN before proceeding with delegation; the Delegation tab only appears on the account once it has an SPN. On the domain controller, in the AD Users and Computers console, right-click AppPoolName, open Properties, and on the Delegation tab select the option that trusts this user for delegation to specified services only:

    Click on Add and select Users or computers. For example, my app pool account name is IISAdmin

    Once the user is selected, it should list the available services

    Select it and say OK, then OK again on the properties window.
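    The SPN and delegation work from Tips 1 and 3 can be done in PowerShell, with the duplicate check performed before anything is registered.  This is an added example, not from the original post; the account, host, domain, DNS server, address and SQL SPN names are assumptions, and it assumes the ActiveDirectory and DnsServer RSAT modules are available where you run it.

```powershell
# Added example (not from the original post): register the MBAM web SPNs on the
# application pool account, after checking that no other object already carries them
# (a duplicate SPN makes the KDC refuse the ticket request, so clients fail or fall back
# to NTLM), then configure Kerberos constrained delegation. All names are assumptions.
Import-Module ActiveDirectory

$netbios      = 'contoso'
$appPoolSam   = 'AppPoolName'                         # sAMAccountName of the app pool identity
$customHost   = 'MBAMRecovery'                        # custom name from Tip 2
$domainSuffix = 'contoso.com'
$delegateTo   = 'MSSQLSvc/sql01.contoso.com:1433'     # assumed SQL SPN the web tier must delegate to

# Tip 1: the custom name needs an A record (assumed DNS server and address).
Add-DnsServerResourceRecordA -ComputerName 'dc01.contoso.com' -ZoneName $domainSuffix -Name $customHost -IPv4Address '10.0.0.20'

$account = Get-ADUser -Identity $appPoolSam
$spns    = @("http/$customHost.$domainSuffix", "http/$customHost")

foreach ($spn in $spns) {
    # Every object (user or computer) that already carries this SPN; there must be at most one, and it must be ours.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others = @($owners | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })
    if ($others.Count -gt 0) {
        foreach ($o in $others) {
            Write-Warning "$spn is already registered on $($o.DistinguishedName); remove it there first: setspn -D $spn <that account>"
        }
        continue
    }
    if ($owners.Count -eq 1) {
        "$spn is already on $appPoolSam"
        continue
    }
    # -S re-checks the forest for duplicates before adding, so it is safe to run again.
    & setspn.exe -S $spn "$netbios\$appPoolSam"
}

# Delegation. The Delegation tab in AD Users and Computers only appears once the account
# has an SPN; what that tab writes for "specified services only" is msDS-AllowedToDelegateTo.
Set-ADUser -Identity $appPoolSam -Add @{ 'msDS-AllowedToDelegateTo' = $delegateTo }

# Read back what Kerberos will see.
Get-ADUser -Identity $appPoolSam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName,
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ', ' } },
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

    The short http/MBAMRecovery SPN covers users who browse to the name without the DNS suffix.  If the warning fires, fix the other object before re-running; registering the same SPN twice is exactly the condition setspn -S exists to prevent.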

    Tip 4:

    If you are using the MBAM CM integration topology, do not specify the 'MBAM Status reporting service endpoint' and set 'Configure MBAM Status reporting service' to Disabled.

    Tip 5:

    For Groups & Accounts, the complete list is documented here. To simplify things, here is all we need.

    Groups:

    MBAM-RW (MBAM Read Write group)

    MBAM-RO (MBAM ReadOnly group, can be used as Report users group as well)

    MBAMAdvHelpdesk (MBAM Advanced helpdesk group)

    MBAMHelpdesk (MBAM Helpdesk Group)

    Accounts:

    AppPoolName (Application pool account -member of MBAM-RW)

    CompUser (Compliance and Audit Database domain user account -member of MBAM-RO)

    Good Luck!

    Naziya Shaik
    Support Escalation Engineer
    Microsoft Enterprise Platforms Support

  • Manually modifying IIS bindings to use SSL for MBAM services

    Microsoft BitLocker Administration and Monitoring (MBAM) needs web services no matter what topology you are using. These MBAM web services can be installed with or without SSL certificates. To install the MBAM web features using SSL, you need a certificate ready to use, issued to the web server name or to whatever hostname you are planning to use for MBAM. We can manually modify the binding of the MBAM web services to use SSL if one of the below applies:

    1. you have already installed the MBAM web features without SSL and would like to add it later
    2. you don’t see the certificate
    3. you did not have the certificate ready by the time you were installing MBAM web features

    However, the suggested method is to remove MBAM web features and add the features back with SSL.

    It can be a tedious process, so stay with me. To modify the IIS binding:

    Step 1:

    Import the certificate to your web server using these steps.  My assumptions are that the certificate is valid and is verified.

    Step 2:

    Browse each of the MBAM subfolders on your web server with the default location being C:\inetpub\Microsoft BitLocker Management Solution\

    1. Administration Service - web.config

    Modify the Endpoint Binding and BindingConfiguration to the following:

    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

    2. Compliance Status service – web.config

    Modify the Endpoint Binding and BindingConfiguration to the following:

    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="MaltaHttpsBinding"

    3. Helpdesk website –web.config

    Modify the endpoint address to use HTTPS and also Binding and Binding configuration to the following:

    <endpoint address="https://<hostname>/MBAMAdministrationService/AdministrationService.svc"
    behaviorConfiguration="AdministrationEndpointBehavior" binding="wsHttpBinding"
    bindingConfiguration="Microsoft.Mbam.ApplicationSupportService.AdministrationService1"

    4. Recovery and Hardware Service – web.config

    Modify Binding and bindingConfiguration to the following:

    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

    5. SelfService –web.config

    Modify Binding and bindingConfiguration to the following:

    binding="wsHttpBinding" bindingConfiguration="Microsoft.Mbam.Server.UserSupportService.UserSupportService1"

    6. User Support Service -web.config

    Modify binding and bindingConfiguration to the following:

    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

    Once you have modified all the above web.config files, restart the MBAM web server from IIS Manager and verify you are able to browse all the URLs using HTTPS.
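    All six edits, plus two checks the steps above gloss over (that each bindingConfiguration name really exists in the file, and that IIS has an HTTPS binding with the certificate at all), can be done from one script.  It is an added example rather than part of the original post: the folder names under the MBAM web root, the site name, hostname, thumbprint and every service URL except the Administration Service one are assumptions.

```powershell
# Added example (not from the original post): point the MBAM web.config endpoints at the
# TLS binding configurations listed above, make sure IIS actually listens on 443 with the
# certificate, restart, and verify. Folder names, site name, hostname, thumbprint and the
# service URLs other than the Administration Service one are assumptions.
Import-Module WebAdministration

$root       = 'C:\inetpub\Microsoft BitLocker Management Solution'
$hostName   = 'MBAMRecovery.contoso.com'                    # name the certificate was issued to
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed thumbprint of that certificate
$siteName   = 'Default Web Site'

# Folder -> bindingConfiguration, as listed above. Help Desk and Self Service are WCF
# clients of the other services, so their endpoint addresses also move to https://.
$targets = [ordered]@{
    'Administration Service'        = 'TransportSecurity'
    'Compliance Status Service'     = 'MaltaHttpsBinding'
    'Help Desk'                     = 'Microsoft.Mbam.ApplicationSupportService.AdministrationService1'
    'Recovery And Hardware Service' = 'TransportSecurity'
    'Self Service'                  = 'Microsoft.Mbam.Server.UserSupportService.UserSupportService1'
    'User Support Service'          = 'TransportSecurity'
}

foreach ($folder in $targets.Keys) {
    $path = Join-Path $root "$folder\web.config"
    if (-not (Test-Path $path)) { Write-Warning "missing: $path (adjust the folder name)"; continue }
    Copy-Item $path "$path.bak" -Force                  # rollback copy

    [xml]$cfg = Get-Content -Path $path -Raw
    $cfgName  = $targets[$folder]

    # Never reference a binding configuration the file does not define: WCF would fail at
    # activation and every request would come back as HTTP 500.
    if ($cfg.SelectNodes("//bindings/wsHttpBinding/binding[@name='$cfgName']").Count -eq 0) {
        Write-Warning "$folder`: no <wsHttpBinding><binding name='$cfgName'> in $path, left unchanged"
        continue
    }

    # Metadata (mex) endpoints keep their own binding; every other endpoint is switched.
    foreach ($ep in $cfg.SelectNodes("//endpoint[not(starts-with(@binding,'mex'))]")) {
        $before = $ep.OuterXml
        $ep.SetAttribute('binding', 'wsHttpBinding')
        $ep.SetAttribute('bindingConfiguration', $cfgName)
        $address = $ep.GetAttribute('address')
        if ($address -like 'http://*') {
            $ep.SetAttribute('address', ($address -replace '^http://[^/]+', "https://$hostName"))
        }
        "$folder`n  was: $before`n  now: $($ep.OuterXml)"
    }
    $cfg.Save($path)
}

# web.config changes do nothing unless the site has an HTTPS binding tied to the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

& iisreset.exe /restart | Out-Null

# Verify over TLS. A 200 from a .svc help page means the WCF host parsed the edited
# web.config; a 500 means a binding name or address above is wrong.
$urls = @(
    "https://$hostName/MBAMAdministrationService/AdministrationService.svc",
    "https://$hostName/MBAMComplianceStatusService/StatusReportingService.svc",
    "https://$hostName/MBAMRecoveryAndHardwareService/CoreService.svc",
    "https://$hostName/MBAMUserSupportService/UserSupportService.svc",
    "https://$hostName/HelpDesk/",
    "https://$hostName/SelfService/"
)
foreach ($url in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        '{0} {1}' -f $r.StatusCode, $url
    } catch {
        Write-Warning "$url : $($_.Exception.Message)"
    }
}
```

    The script prints each endpoint before and after it is changed; read that output before trusting the result, because the MBAM web.config files are not shown in full above and a file with more than one non-mex endpoint deserves a look.  The .bak copies are the rollback if a service stops answering.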

    Good Luck!

    Naziya Shaik
    Support Escalation Engineer
    Microsoft Enterprise Platforms Support

  • MBAM Configuration Manager reports data is repetitive

    Let us consider the following scenario of Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 deployed with integrated topology. This means you have integrated MBAM with Configuration Manager. You have deployed the MBAM group policy and all the clients started to report in so we are ready to check out the compliance status of all these machines. You browse the Reports via Configuration Manager or browse via the SSRS Reports URL and you see the following chart with the legend that doesn’t really make sense.

    You do see some percentage information but do not really know what is what from the figure. Why or how did this happen? If you have modified the MBAM related RDLs using Report Builder, you would end up with this issue. When you modify the report using Report Builder, it modifies the schema causing the report to display erratic information.

    Now that I have explained what the issue is and why it happened, how do you fix the issue? There is no easy way to undo schema changes caused by Report Builder. Below are the steps we need to follow to change the MBAM reports. Using notepad or some other ASCII text editor is advisable.

    Step 1:

    You first need to delete the MBAM folder from CM Reports.

    Step 2:

    Under the following registry key, set the value CMIntegration to 0:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Enabled

    Step 3:

    Now Enable CM Integration Reports using Powershell.

    Enable-MbamCMIntegration -BitLockerProtectionBaselineLogicalName <String> -FixedDataDriveConfigurationItemLogicalName <String> -OperatingSystemDriveConfigurationItemLogicalName <String> -ReportsCollectionID <String> -ReportsOnly [-SsrsInstance <String> ] [-SsrsServer <String> ]

    You can obtain the logical name strings by viewing the BitLocker Protection baseline XML definition under \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines\BitLocker Protection, right mouse click and choose View XML definition.

    Step 4:

    Once the Reports are enabled in Configuration Manager, verify if the MBAM reports are viewable and as expected.
    If you need to modify any MBAM CM integrated reports, avoid using Report Builder and use Notepad instead. That way, no schema changes are performed and reports will stay intact.
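    Steps 2 to 4 can be scripted, which also gives you a way to confirm the result without the console.  This is an added example, not from the original post: server names, the collection ID, the path of the exported baseline XML and the three logical names are assumptions you replace with your own; the logical names are read out of the exported XML rather than guessed.

```powershell
# Added example (not from the original post): Steps 2 to 4 above as a script. Run it
# elevated on the MBAM server after Step 1, with the BitLocker Protection baseline XML
# definition exported from the Configuration Manager console. Server names, the
# collection ID, the XML path and the three logical names are assumptions you replace.
$regPath      = 'HKLM:\SOFTWARE\Microsoft\MBAM Server\Enabled'   # key named in Step 2
$xmlPath      = 'C:\Temp\BitLockerProtection.xml'                # exported baseline definition
$ssrsServer   = 'ssrs01.contoso.com'
$ssrsInstance = 'MSSQLSERVER'
$collectionId = 'SMS00001'                                        # collection the reports run against

# Step 2: with CMIntegration still 1, Enable-MbamCMIntegration would treat the job as done.
$before = (Get-ItemProperty -Path $regPath -Name CMIntegration -ErrorAction SilentlyContinue).CMIntegration
"CMIntegration was: $before"
Set-ItemProperty -Path $regPath -Name CMIntegration -Value 0 -Type DWord

# Step 3: the cmdlet wants the objects' logical names, not their display names. Pull every
# LogicalName attribute out of the exported definition so they can be matched up.
[xml]$definition = Get-Content -Path $xmlPath -Raw
$definition.SelectNodes('//*[@LogicalName]') |
    ForEach-Object { [pscustomobject]@{ Element = $_.LocalName; LogicalName = $_.GetAttribute('LogicalName') } } |
    Format-Table -AutoSize

# Copy the three values from that table (placeholders here, replace before running).
$baselineName = 'Baseline_<from the table above>'
$osDriveCi    = '<operating system drive CI logical name from the table above>'
$fixedDriveCi = '<fixed data drive CI logical name from the table above>'

Enable-MbamCMIntegration -BitLockerProtectionBaselineLogicalName $baselineName `
    -OperatingSystemDriveConfigurationItemLogicalName $osDriveCi `
    -FixedDataDriveConfigurationItemLogicalName $fixedDriveCi `
    -ReportsCollectionID $collectionId -ReportsOnly `
    -SsrsServer $ssrsServer -SsrsInstance $ssrsInstance

# Step 4: ask the report server directly which MBAM items exist now, instead of clicking
# through the console. ReportService2010 is the SSRS management endpoint; the URL below
# is for a default SSRS instance.
$rsUrl = "http://$ssrsServer/ReportServer/ReportService2010.asmx"
$rs    = New-WebServiceProxy -Uri $rsUrl -UseDefaultCredential
$rs.ListChildren('/', $true) |
    Where-Object { $_.Path -like '*MBAM*' } |
    Select-Object Path, TypeName, ModifiedDate
```

    Run the same ListChildren call before Step 1 and after Step 3: the first listing shows the folder you are about to delete, the second shows the freshly deployed RDLs with new ModifiedDate values, which is the quickest proof that the Report Builder versions are gone.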

    Good Luck!

    Naziya Shaik
    Support Escalation Engineer
    Microsoft Enterprise Platforms Support

  • Troubleshooting Common Surface Pro 3 Issues Post Deployment

    With the launch of Surface Pro 3, enterprises have been testing/deploying them. Almost all deploy a customized image to Surface Pro 3 and sometimes they hit a roadblock. Today, I will talk about some of the basic things to check that can help narrow down the issues.

    Before we get to that, I would like to point out a couple of articles/blogs that everyone should refer to before deploying Surface Pro 3. One of my colleagues, Scott McArthur, has an excellent blog on deploying Surface Pro 3 using MDT. I would highly recommend reading through it.

    Deploy Windows to Surface Pro 3 using Microsoft Deployment Toolkit
    http://blogs.technet.com/b/askcore/archive/2014/07/15/deploy-windows-to-surface-pro-3-using-microsoft-deployment-toolkit.aspx

    We also have an updated Deployment Guide available for download.

    Deployment and Administration Guide for Surface Pro 3
    https://www.microsoft.com/en-us/download/details.aspx?id=45292

    Now, on to troubleshooting issues.  The first question we want to ask is:

    Can the issue be reproduced on a Windows tablet, PC or Virtual Machine?

    If the issue can be reproduced on any other Windows tablet, PC or VM, then most likely it is a software issue and we treat it as a regular Windows 8.1 case.  As such, we would troubleshoot it as if you would any other Windows issue.

    However, if the issue presents itself only on the Surface Pro 3, we need to narrow it down to the factory image or the customized image that is being deployed. If the issue happens with the factory image, it would be a good idea to engage Microsoft.

    When it happens only with the customized image, we need to narrow it down further to whether it is application-, driver- or OS-related.

    It starts with a supported operating system. Based on KB2858199, the chart below shows the supported operating systems. Please refer to the KB for any updates to this policy.

    image

    Make sure the device is up to date with the latest drivers and firmware. Driver and firmware updates are available via Windows Updates. They are also available for download from the following link.

    Surface software, firmware, and drivers
    https://www.microsoft.com/en-us/download/details.aspx?id=38826

    In addition, the following link lists the fixes that are included with these updates.

    Surface Pro 3 update history
    http://www.microsoft.com/surface/en-us/support/install-update-activate/pro-3-update-history

    Note:

    Generic versions of drivers should not be included and must be avoided for Surface Pro 3 deployments. The reason is that Surface Pro 3 drivers are written specifically for the device, and other drivers are not optimized for the power management technology we use in the Surface. So, using a generic driver can cause all sorts of issues like crashes, reduced battery life, an unstable system and others.

    Once we know the OS that is being deployed is correct and we have the latest drivers and firmware, we would want to ask some additional questions:

    Can the issue be reproduced if we simply deploy the OS imported from an .iso and no other applications installed?

    In other words, if we install Windows using a USB which has a Windows 8.1 Enterprise .iso and try to reproduce the issue, do we have it?

    If not, we know it is one of the applications being deployed.  The next step is to install one application at a time to narrow down further.

    For example, we have three applications that are installed as part of post install task sequence. Let us call them:

    Application 1
    Application 2
    Application 3

    We install Application 1 and test the behavior. If we do not see the issue, we proceed with Application 2 and so on. If the issue reproduces after we install Application 2, then it is certain that there is some compatibility issue with Application 2. At that point, contact the application vendor for an update or check if it is compatible with Windows 8.1.

    A good practice would be to check and make sure that all the applications that are being included are compatible with Windows 8.1. Also, obtain updates for them if they are available.

    The issue can be reproduced with only OS installed along with drivers.

    In this scenario, if you are using MDT/ConfigMgr, does the driver package contain only the drivers for Surface Pro 3, or does it have drivers for other hardware too?

    As I have already mentioned above, Surface Pro 3 drivers are specifically written and optimized for the Surface Pro 3 device. We often see cases where during deployment a wrong driver is picked and then there are issues post deployment. To make sure it’s not driver related, create a new driver package (if using MDT/ConfigMan) with only Surface Pro 3 drivers and test deployment. The blog I mentioned above gives you an idea on how the folder structure should be for drivers. If you used the blog above to setup your environment then the chances of having issue with drivers are slim.

    In case you do not have the structure mentioned above, this is what you can do as part of troubleshooting. It is similar to what has already been talked about in the blog above.

    Here, I am using MDT 2013 with ADK 8.1 Update installed on Windows Server 2012 R2 Update with WDS.

    Create a folder for Surface Pro 3 drivers called “SP Drivers”. You can download the latest driver here.

    image

    Next is to create a Selection Profile for the drivers.

    image

    Create a new task sequence for deploying Windows 8.1 and modify it to point to the selection profile created above.

    image

    Deploy this task sequence and test the behavior.

    Device unexpectedly reboots to UEFI screen or hangs at UEFI screen during startup when undocked.

    One of the common causes is the incorrect storage driver in use. The correct driver as of writing this is STORAHCI.SYS.

    image

    It is also available to download in the Surface Pro 3 driver pack here and is located under folder "..\Surface Pro 3 - January 2015\Intel\SATA_AHCI\9.4.0.1023".

    If you do have machines that do not have the correct controller driver, download the driver mentioned above and update.

    Device unexpectedly reboots to UEFI screen or hangs at UEFI screen during startup when docked.

    In this case, we undock the machine and see if the issue can be reproduced. If it can, then check the above point for a possible cause.

    We also want to remove any external devices connected to the docking station and see if the issue still exists.

    Is the issue related to Power Management?

    When you deploy a customized image, Surface Pro 3 is not configured to hibernate after four hours. This issue is documented in KB2998588 and there is a blog on how to incorporate the commands in MDT.

    Surface enters connected standby after 1 minute when PC is locked.

    The above scenario is true irrespective of whether device is connected to AC power. Some organizations do not want the device to be entering connected standby or sleep state when Surface is docked. To work around this behavior, configure the device with the Powercfg.exe commands mentioned in KB2835052.

    The below commands can be run as part of a task sequence.

    powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOIDLE <time in seconds>
    powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK <time in seconds>
    powercfg.exe /setactive SCHEME_CURRENT
     

    The VIDEOIDLE timeout is used when the PC is unlocked and the VIDEOCONLOCK timeout is used when the PC is at a locked screen.

    Note:

    These commands set the timeout used when the system is plugged in and using AC power. To set the timeouts used when on DC (battery) power, use the /setdcvalueindex switch instead of /setacvalueindex.

    Then we can change the connected standby / sleep timeout value using Group Policy preferences.

    That can be configured using Computer Configuration -- > Preference -- > Power Options.

    Use the Power Plan to control when the device goes to Connected Standby / Sleep using “Turn Off display after” setting:

    image
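    The commands above set only the AC values; the note says to repeat them for DC, and nothing on the page reads the result back.  The script below is an added example, not from the original post: it applies both AC and DC, parses powercfg's own output to confirm the values took, and reports which driver is bound to the storage controller (the STORAHCI.SYS point from earlier in this post).  The timeout values are assumptions.

```powershell
# Added example (not from the original post): set the display timeouts on AC and DC,
# read them back from powercfg to confirm, and check which driver is really running the
# storage controller. Timeout values are assumptions; run elevated, for example as a task
# sequence step on the Surface Pro 3.
$idleSeconds = 900   # VIDEOIDLE: display off when unlocked
$lockSeconds = 900   # VIDEOCONLOCK: display off at the lock screen, the setting behind the "1 minute" behaviour above

function Set-DisplayTimeouts {
    param([int]$Idle, [int]$Lock)
    foreach ($power in 'ac', 'dc') {
        # Expands to /setacvalueindex and /setdcvalueindex, as the note above describes.
        & powercfg.exe "/set${power}valueindex" SCHEME_CURRENT SUB_VIDEO VIDEOIDLE $Idle
        & powercfg.exe "/set${power}valueindex" SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK $Lock
    }
    & powercfg.exe /setactive SCHEME_CURRENT
}

function Get-DisplayTimeout {
    # powercfg /query prints "Current AC Power Setting Index: 0x00000384"; the index is the
    # timeout in seconds, written in hex.
    param([ValidateSet('VIDEOIDLE', 'VIDEOCONLOCK')][string]$Setting)
    $values = @{}
    foreach ($line in (& powercfg.exe /query SCHEME_CURRENT SUB_VIDEO $Setting)) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            $values[$Matches[1]] = [Convert]::ToInt32($Matches[2], 16)
        }
    }
    [pscustomobject]@{ Setting = $Setting; ACSeconds = $values['AC']; DCSeconds = $values['DC'] }
}

function Get-StorageDriverState {
    # driverquery /v lists loaded kernel drivers with state and image path. storahci is the
    # inbox AHCI driver the post calls correct; an iaStor* entry means a vendor driver took over.
    & driverquery.exe /v /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Module Name' -match '^(storahci|iastor)' } |
        Select-Object 'Module Name', State, Path
}

Set-DisplayTimeouts -Idle $idleSeconds -Lock $lockSeconds
Get-DisplayTimeout -Setting VIDEOIDLE
Get-DisplayTimeout -Setting VIDEOCONLOCK
Get-StorageDriverState
```

    Run Get-DisplayTimeout again after the Group Policy preference below has applied; if the AC or DC value has changed back, the preference and the task sequence are fighting over the same setting and one of them should own it.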

    I hope that this information helps working through deploying Surface Pro 3.

    Thank you,
    Saurabh Koshta
    Support Escalation Engineer

  • The Four Stages of NTFS File Growth, Part 2

    A few years ago I wrote a blog entry entitled, “The Four Stages of NTFS File Growth”.

    This attempted to explain what happens to a file as it gains complexity. Complexity being akin to fragmentation.

    If you have not read the above mentioned blog entry, please do so now. This information will not make the slightest bit of sense unless you read my earlier post. I’ll wait.

    http://blogs.technet.com/b/askcore/archive/2009/10/16/the-four-stages-of-ntfs-file-growth.aspx

    Welcome back.

    Since its posting, I have answered a number of questions, mostly about the structure called the attribute list. So today I want to cover this a little more in-depth to hopefully address some of these said questions.

    In the previous blog entry, I explained how very complex files had the potential of creating an attribute list (shown below).

    image

    The base record and all the child records are each 1kb in size. Each child record keeps track of a portion of the file’s data stream. The more fragmented the data stream, the more mapping pairs are required to track the fragments, and thus the more child records will be created. Each child record must be tracked in the attribute list.

    Keep in mind that the child records can hold much more than just two mapping pairs. This is just simplified to keep the diagram from being completely unreadable.

    The problem is the attribute list itself. It is NOT a child record; it is created using free space outside the Master File Table (MFT). A file’s attribute list has a hard limit on how large it can grow, and this cannot be changed. If it were, it would break backwards compatibility with older versions of NTFS that wouldn’t know how to deal with a larger attribute list.

    NOTE: The diagram shows the attribute list as being smaller than the 1kb file record. And while it is true that it starts out that way, the upper limitation of the attribute list is 256kb.

    image

    So it is possible to hit a point where a file cannot add on any additional fragments. This is often the case when the following error messages are encountered.

    • Insufficient system resources exist to complete the requested service
    • The requested operation could not be completed due to a file system limitation

    What these messages are trying to tell us is that the attribute list has grown to its maximum size and additional file fragments cannot be created.

    To put this into perspective, this isn’t simply about file SIZE. It has to do with how fragmented the file is. In fact it is very hard to MAKE happen. There are really only two scenarios where it is somewhat common.

    • Compressing very large files, like virtual hard disks (VHD)
    • Very large SQL snapshots, which are sparse

    Both compressed and sparse files introduce high levels of fragmentation because of how they are stored. So very large files that are also sparse or compressed run the risk of hitting this limitation. To add to the problem, you cannot clear this up by running defragmentation/optimization. Sparse and compressed files are going to be fragmented.

    The good news is that we figured out a way around this. The bad news is that it isn’t really well understood.

    It really starts with this hotfix.

    http://support.microsoft.com/kb/967351/

    Installing the hotfix doesn’t resolve the issue by itself. What this hotfix does is that it gives us the ability to create instances of NTFS that use file records that are 4kb in size, rather than the 1kb that NTFS has used for the longest time.

    How is this possible? If we can’t change the size of the attribute list, how can we change the size of file records?

    The attribute list is a hard coded limitation. Microsoft made the decision, for performance reasons, that we really should keep a lid on how big the attribute list should grow. On the other hand, file record size is self-defined. By default, the size is defined as 1kb, but records could be other sizes, as long as all the records in a volume are the same size.

    This was put to the test when 4kb sector hard drives started to become popular. Since you wouldn’t want a file record to be smaller than a sector, these 4kb sector drives were formatted to utilize a file record size of 4kb. That’s where the hotfix comes into the picture. In addition to being able to use 4kb file records on 4kb sector hard drives, an option was added to the FORMAT.EXE command to force it to create an instance of NTFS with 4kb file records, regardless of sector size.

    So why should we care about the size of the file records? Look at the diagram again.

    image

    If the records are bigger, they can store more mapping pairs, and thus track more fragments. In theory, a file could have FOUR TIMES the number of fragments before running into the same issue.

    The catch is that the size of file records is set at the time of formatting. So if you have a volume that is running into this issue, you will need to do the following.

    1. Copy off your files
    2. Reformat the drive using the switch (Format /L)
    3. Copy the files back

    You can’t change the size of file records after the fact; it has to be set when formatting. That is the whole fix, even though it is often applied without an understanding of just what it is that we are changing.

    This solves the problem in the short term. For the long term, other solutions were implemented to prevent fragmentation past a certain point. In the newer versions of Windows, NTFS will stop fragmenting compressed and sparse files before the attribute list reaches 100% of its maximum size.

    This should put the issue to rest once and for all. However, until everyone gets to Windows 8.1 or Windows Server 2012 R2, we will still run into this issue from time to time.

    For more information about 4kb sector drives, check out my article on Windows IT Pro.

    http://windowsitpro.com/windows/promise-advanced-format-hard-drives
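    Checking which file record size a volume already has, and building one with 4 KB records, is straightforward from PowerShell.  This is an added example, not from the original post: the drive letters are assumptions, the format function is deliberately called with -WhatIf so nothing is destroyed, and Format-Volume -UseLargeFRS is the Storage-module form of the format /L switch described above.

```powershell
# Added example (not from the original post). Run elevated; drive letters are assumptions.

function Get-NtfsFileRecordSize {
    param([string]$Drive = 'C:')
    # fsutil reports "Bytes Per FileRecord Segment : 1024", or 4096 on a volume formatted with /L.
    $output = & fsutil.exe fsinfo ntfsinfo $Drive
    foreach ($line in $output) {
        if ($line -match 'Bytes Per FileRecord Segment\s*:\s*(\d+)') { return [int]$Matches[1] }
    }
    throw "could not read NTFS info for $Drive (not NTFS, or not running elevated?)"
}

function Test-LargeFrs {
    param([string]$Drive = 'C:')
    $size = Get-NtfsFileRecordSize -Drive $Drive
    if ($size -ge 4096) { $advice = 'already using 4 KB file records' }
    else { $advice = 'copy the data off and reformat with /L; the record size cannot be changed in place' }
    [pscustomobject]@{
        Drive           = $Drive
        FileRecordBytes = $size
        LargeFrs        = ($size -ge 4096)
        Advice          = $advice
    }
}

function Format-LargeFrsVolume {
    # Destroys everything on the volume, so it only acts when the caller confirms (or shows -WhatIf).
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][char]$DriveLetter)
    if ($PSCmdlet.ShouldProcess("$DriveLetter`:", 'format NTFS with 4 KB file records')) {
        # Storage-module equivalent of:  format D: /FS:NTFS /L /Q
        Format-Volume -DriveLetter $DriveLetter -FileSystem NTFS -UseLargeFRS -Confirm:$false
    }
}

# The two error messages quoted above are Win32 errors 1450 and 665; a copy that hits the
# attribute list limit surfaces them as these exceptions.
foreach ($code in 1450, 665) { '{0}: {1}' -f $code, ([ComponentModel.Win32Exception]$code).Message }

Test-LargeFrs -Drive 'C:'
Test-LargeFrs -Drive 'D:'
Format-LargeFrsVolume -DriveLetter 'D' -WhatIf
```

    Drop the -WhatIf only once the data is off the volume; there is no undo, and the new record size only applies to files written after the format.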

    Robert Mitchell
    Senior Support Escalation Engineer
    Microsoft Enterprise Platforms Support

  • DST Reminder for this weekend…

    Hello Folks!  This morning's post is a friendly reminder that DST (spring forward) kicks in this weekend (March 8th at 2:00 AM, US).  Hopefully by now you are prepared and have the latest DST cumulative patch installed:

    December 2014 cumulative time zone update for Windows operating systems

    This particular update includes changes for Russia time zones, Fiji Standard time, and Cape Verde Standard time.  Per the More information section, “This is a cumulative update rollup that includes all previous Windows time zone changes.”


    Additional Resources

    -Blake

  • Step by Step instructions for installing RDS Session Deployment using PowerShell in Windows Server 2012 R2

    Hello AskPerf Readers! Dhiraj here from the Windows Performance team to talk about deploying RDS using Windows PowerShell on Windows Server 2012 R2.

    As you know, PowerShell has been around for quite a few years now (November 2006 to be exact). Over the past 8 years, we have seen PowerShell become an integral part of Windows. One such example is deploying RDS within your environment. In this blog, we are going to walk you through setting this up. With that, let’s get rolling!

    Before we begin though, we need to import the RDS module using the Import-Module cmdlet:

    Import-Module RemoteDesktop

    clip_image001

    We will use the New-SessionDeployment cmdlet to begin with the installation. Below is the syntax for this cmdlet:

    New-SessionDeployment [-ConnectionBroker] <string> [-WebAccessServer] <string> [-SessionHost] <string[]>

    Note: If you are installing the Session Host on the Connection Broker, then you need to run this cmdlet on a remote server, as running it on the Connection Broker will give you the following error:

    clip_image003

    The Session Host role needs a reboot after the install, and we received the above error as PowerShell cannot resume the deployment after a reboot. However, this will work in the GUI if you do the same process.

    We will use 3 servers for this deployment:

    • RDCBWA.spike.com – RD Connection Broker, RD Web Access, and RD Session Host
    • RDSH01.spike.com – Second RD Session Host
    • DC01.spike.com – RD license server

    We will need to add RDSH01 and DC01 to All Servers pool on RDCBWA before we start the deployment.

    clip_image005

    Now we run the below cmdlet on RDSH01 to install RD Connection Broker, RD Web Access and RD Session Host on RDCBWA:

    New-SessionDeployment –ConnectionBroker RDCBWA.spike.com –WebAccessServer RDCBWA.spike.com –SessionHost RDCBWA.spike.com

    During the install, we’ll see the following progress meters:

    1. Validation begins:

    clip_image007

    2. Deployment begins:

    clip_image009

    3. Connection Broker is installed:

    clip_image011

    4. RD Web Access role is installed:

    clip_image013

    5. RD Session Host role is installed:

    clip_image015

    6. After all roles are installed, the RDCBWA.spike.com server is restarted:

    clip_image017

    Once the PowerShell setup finishes, we go to RDCBWA.spike.com and verify the installation. As you can see from the screenshot below, everything except the RD Gateway and Licensing server has been installed. We will now add another session host and a Licensing server.

    clip_image019clip_image021

    First, let’s add the second RD Session Host server to our deployment. We will use the Add-RDServer cmdlet and run it on the Connection Broker this time.

    Add-RDServer -Server RDSH01.spike.com -Role RDS-RD-SERVER -ConnectionBroker RDCBWA.spike.com

    When you run the above command, you will see the following progress:

    clip_image023

    clip_image025

    clip_image027

    clip_image029

    RDSH01.spike.com is now rebooted:

    clip_image031

    We can now verify the addition of the second Session Host server in Server Manager:

    clip_image032

    Before proceeding, let’s configure an RD Licensing server for our deployment. To install the RD Licensing role, we use the below cmdlet:

    Add-RDServer -Server DC01.spike.com -Role RDS-LICENSING -ConnectionBroker RDCBWA.spike.com

    You will now see the below progress messages:

    clip_image034

    clip_image036

    clip_image038

    clip_image040

    We now need to activate our License server and install CALs via the Licensing Manager GUI on the License server. I have activated the License Server and installed PerUser CALs.

    Let’s configure our deployment for licensing. We use the below cmdlet for this:

    Set-RDLicenseConfiguration -LicenseServer DC01.spike.com -Mode PerUser -ConnectionBroker RDCBWA.spike.com

    Running the above cmdlet requires confirmation:

    clip_image042

    Select yes and continue.

    When finished, it will return to the next line:

    clip_image044

    To confirm that licensing is configured, run the following cmdlet:

    Get-RDLicenseConfiguration

    clip_image046

    We can now confirm everything in Server manager:

    clip_image048

    clip_image050

    We are halfway done here and have completed the installation of our roles. We now need to configure RDS to make Desktop Sessions and RemoteApps available to users.

    This takes us to the next step: creating a new collection using PowerShell.

    We will create two collections, one for Desktop Sessions and one for RemoteApps, each containing one of the RDSH servers (a session host can belong to only one collection).

    To create a new collection, we use the below cmdlet:

    New-RDSessionCollection -CollectionName SessionCollection -SessionHost RDCBWA.spike.com -CollectionDescription "This Collection is for Desktop Sessions" -ConnectionBroker RDCBWA.spike.com

    This also shows a progress bar and summary when it finishes:

    clip_image052

    clip_image054

    We can verify this setup in Server Manager. As this collection is for Desktop Sessions, nothing else needs to be done.

    clip_image055

    Let’s go ahead with creating the second collection for RemoteApps:

    New-RDSessionCollection -CollectionName RemoteAppCollection -SessionHost RDCBWA.spike.com -CollectionDescription "This Collection is for RemoteApps" -ConnectionBroker RDCBWA.spike.com

    When it completes, we see the summary and collection in Server Manager:

    clip_image056

    clip_image057

    As we will use this collection for publishing RemoteApps, let’s go ahead and add a RemoteApp to it:

    New-RDRemoteapp -Alias Wordpad -DisplayName WordPad -FilePath "C:\Program Files\Windows NT\Accessories\wordpad.exe" -ShowInWebAccess 1 -CollectionName "RemoteAppCollection" -ConnectionBroker RDCBWA.spike.com

    Summary progress below:

    clip_image059

    clip_image061

    Server Manager shows the RemoteApp added:

    clip_image062

    And with that, you are done! Users can now access the Desktop Session and Remote App Collections.
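    Once the cmdlets above have run, it is worth checking the result from the broker rather than trusting the progress bars. The script below is an added example, not part of the original post: it confirms the licensing mode, compares the RemoteApps visible in RD Web Access with the ones you intended to publish, and flags collection keys left behind under the broker’s PublishedFarms registry location (stale keys there are what push icons for collections that no longer exist). It assumes it runs on the connection broker RDCBWA.spike.com with the RemoteDesktop module available; the expected alias list is this deployment’s and is an assumption for yours.

```powershell
# Added example (not from the original post): post-deployment checks on the connection broker.
# Assumes the RemoteDesktop module and the broker/collection names used in this walkthrough.
Import-Module RemoteDesktop

$broker   = 'RDCBWA.spike.com'
$expected = @{ 'RemoteAppCollection' = @('Wordpad') }   # collection -> RemoteApp aliases we meant to publish

# 1. Licensing must be configured, otherwise sessions stop working once the grace period ends
$lic = Get-RDLicenseConfiguration -ConnectionBroker $broker
if ($lic.Mode -ne 'PerUser' -or -not $lic.LicenseServer) {
    Write-Warning "Licensing not configured as expected: Mode=$($lic.Mode) Server=$($lic.LicenseServer -join ',')"
}

# 2. The collections the broker actually knows about
$collections = Get-RDSessionCollection -ConnectionBroker $broker
$liveNames   = @($collections | Select-Object -ExpandProperty CollectionName)

# 3. RemoteApps shown in RD Web Access, compared with the intended list for each collection
foreach ($name in $expected.Keys) {
    if ($name -notin $liveNames) { Write-Warning "Collection '$name' does not exist on $broker"; continue }
    $apps = Get-RDRemoteApp -CollectionName $name -ConnectionBroker $broker
    $web  = @($apps | Where-Object { $_.ShowInWebAccess } | Select-Object -ExpandProperty Alias)
    $missing = @($expected[$name] | Where-Object { $_ -notin $web })
    $extra   = @($web | Where-Object { $_ -notin $expected[$name] })
    if ($missing) { Write-Warning "${name}: expected apps not visible in RD Web: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "${name}: apps visible in RD Web that were not planned: $($extra -join ', ')" }
}

# 4. Collection keys under PublishedFarms with no matching live collection (the source of phantom icons)
$farms = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms'
if (Test-Path $farms) {
    Get-ChildItem -Path $farms | ForEach-Object {
        if ($_.PSChildName -notin $liveNames) {
            Write-Warning "Stale PublishedFarms key '$($_.PSChildName)' has no live collection; review it before removing"
        }
    }
}
```

    The script only reports; removing a stale key is a manual step you take after confirming the collection really is gone.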

    clip_image064

    Windows Server 2012 R2 comes with an enormous number of PowerShell cmdlets. In this article we’ve only seen a few of them. We may dive deeper into the power of PowerShell for managing RDS on Server 2012 R2 in future posts.

    If you are interested in setting up a VDI deployment using PowerShell, please check the link below:

    Setting up a new Remote Desktop Services deployment using Windows PowerShell

    -Dhiraj

  • KMS Activation High Level Overview

    Hello, folks!

    This post aims to provide a high-level overview of the Key Management Service (KMS) technology.

    You may have found a lot of dispersed activation information available elsewhere on the Internet, but I’m going to try and pull it all together for you in a concise format that I hope you’ll find is easy to digest.

    First, make sure you can meet the initial KMS requirements for deployment:

    1. By default, the following ports are required for activation:

    • 80
    • 443
    • 1688

    2. Activation requests are fulfilled after meeting the corresponding product count minimum.

    • Workstation OS: 25
    • Server OS: 5
    • Office: 5

    3. Activated products require a connection to the corporate network at least once every 180 days.

    Next, let’s take a look at the basic KMS infrastructure:

    image

    KMS host machines answer activation requests, whereas KMS clients are the machines that need to be activated (they can be either servers or workstations).

    Whether a machine is a KMS host or a KMS client is determined by the type of key installed. A KMS Host Key directs the host machine to register an SRV record (_VLMCS) in DNS. To obtain a host key, visit here. A KMS Client Key directs client machines to look for that SRV record in DNS, which points them to the KMS host machine. Obtain a client setup key here.

     

    Office Volume Activation:

    The Microsoft Office Volume License Pack is required on the Office KMS host. Obtain the license packs here:

    Microsoft Office 2013 Volume License Pack
    Microsoft Office 2010 KMS Host License Pack

    After installing the license pack, it will prompt you to install the Office KMS host key. If nothing goes wrong with that process, your Office KMS should be all set.

    image

    For your reference, here are TechNet guides for setting up Office KMS activation.

    Prepare and set up the Office 2013 KMS host
    Set Up an Office 2010 KMS Host

     

    Additional Tool:

    The Volume Activation Management Tool (VAMT) is a free utility that helps you apply product keys and manage activation status.

    Download and Installation

    • This tool is part of the Windows Assessment and Deployment Kit (ADK), available here.
    • The latest version of VAMT is 3.1 as of this writing, and supports operating systems up to Windows 8.1 and Server 2012 R2.
    • VAMT Requirements:
    • The .NET Framework is required and is installed automatically with the ADK.
    • SQL Server Express is required and you should choose to install it as a feature when going through the ADK setup wizard.
    • More Information:

    There are a couple of best practices to keep in mind when using KMS, and a few common mistakes you’ll want to avoid.

     

    Best Practices

    1. The KMS OS host and the KMS Office host can be the same server.
    2. Keep roaming users on a MAK key (roaming users are those who would not be connected to the company domain at least once every 180 days).

     

    Common KMS Mistakes

    1. Installing a KMS host key on clients.
    2. The KMS host key does not match the host machine OS.
    3. The latest patches have not been applied to the host machine.

     

    And now on to some common KMS commands you’ll want to keep on tap.

    Install a product key on the KMS Host

    • slmgr /ipk <KMS Host Key>

    Activate a product key:

    • slmgr /ato

    Display OS License Information:

    • slmgr /dlv

    Display All License Information (including office activation status):

    • slmgr /dlv all

    Note: The popup window for this command doesn’t scroll, so run the following command to write the output to a text file.

    cscript.exe c:\windows\system32\slmgr.vbs /dlv all > c:\temp\dlv.txt
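    The slmgr output above is what you read by hand on one machine. As an added example, not from the original post, the function below pulls the same facts from the SoftwareLicensingProduct WMI class and checks them against the requirements listed earlier: the _VLMCS SRV record, TCP port 1688 reachability, the 180-day reconnection window, and whether the key is a KMS client key (GVLK) or a MAK. It assumes Windows 8.1 / Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection; the domain defaults to the machine’s DNS domain and is an assumption.

```powershell
# Added example (not from the original post): report a KMS client's activation state.
# Assumes Windows 8.1 / Server 2012 R2 or later (Resolve-DnsName, Test-NetConnection).
function Get-KmsClientStatus {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: the AD DNS domain hosting the _VLMCS record

    # The installed Windows edition is the entry that carries a partial product key
    $prod = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.Name -like 'Windows*' } |
        Select-Object -First 1

    # LicenseStatus values documented for SoftwareLicensingProduct
    $statusNames = @{ 0='Unlicensed'; 1='Licensed'; 2='OOBGrace'; 3='OOTGrace'; 4='NonGenuineGrace'; 5='Notification'; 6='ExtendedGrace' }

    # KMS hosts advertise themselves through the _vlmcs._tcp SRV record; clients use it for discovery
    $srv = $null
    try { $srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction Stop } catch { }

    # Prefer an explicitly set host, then the one discovered via DNS, then the SRV target
    $kmsHost = if ($prod.KeyManagementServiceMachine) { $prod.KeyManagementServiceMachine }
               elseif ($prod.DiscoveredKeyManagementServiceMachineName) { $prod.DiscoveredKeyManagementServiceMachineName }
               elseif ($srv) { ($srv | Where-Object { $_.NameTarget } | Select-Object -First 1).NameTarget }
    $port = if ($prod.KeyManagementServicePort) { $prod.KeyManagementServicePort } else { 1688 }

    # Port 1688 is the activation channel listed in the requirements above
    $reachable = $false
    if ($kmsHost) {
        $reachable = (Test-NetConnection -ComputerName $kmsHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # GracePeriodRemaining is in minutes; a KMS client must renew within 180 days
    $daysLeft = [math]::Round($prod.GracePeriodRemaining / 1440, 1)
    $isGvlk   = $prod.ProductKeyChannel -like '*GVLK*'   # 'Volume:GVLK' = KMS client key, 'Volume:MAK' = MAK

    [pscustomobject]@{
        Product         = $prod.Name
        KeyChannel      = $prod.ProductKeyChannel
        LicenseStatus   = $statusNames[[int]$prod.LicenseStatus]
        KmsHost         = $kmsHost
        KmsPort         = $port
        SrvRecordFound  = [bool]$srv
        HostReachable   = $reachable
        DaysUntilExpiry = $daysLeft
        Note            = if ($isGvlk -and -not $reachable) { 'KMS host unreachable: roaming machine? consider a MAK key' }
                          elseif ($isGvlk -and $daysLeft -lt 30) { 'Renewal window closing; check network path to KMS host' }
                          else { 'OK' }
    }
}

Get-KmsClientStatus
```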

    I hope this has been a helpful high-level overview of our KMS technology and wish you all the best!

    Kind regards,
    Sophie Fei Xu
    Support Escalation Engineer
    Microsoft Global Business Support

  • Highly Available RDS 2008 R2 License Servers

    Hello AskPerf! My name is Matt Graham and today I want to address some questions surrounding the setup of highly available licensing servers. Anyone setting up an RDS infrastructure wants to ensure that it will keep working if a license server goes down. In Terminal Services (2003) the recommended way of setting up highly available license servers was as follows:

    1. Deploy two activated license servers
    2. Either place all active licenses on single server or split between two servers. Typically you would install all licenses on a single license server in the case of a user-mode license scenario.
    3. Ensure that both license servers are discoverable

    In the scenario where you place all licenses on a single license server, when that license server goes down, the secondary server will hand out temporary licenses until you are able to build another license server or install licenses on the secondary server. This, however, could be complicated depending on how you have your session hosts discover your license servers.

    Server 2008 R2

    Server 2008 R2 is similar, but there are some features that work differently. For example, the Auto Discovery feature that helped TS servers find the license server is no longer available in 2008 R2 (https://technet.microsoft.com/en-us/library/cc731605.aspx). By design, you tell your session hosts how to find your license server via RD Licensing Manager, GPO, or the registry (https://technet.microsoft.com/en-us/library/cc770585.aspx).

    It's important to keep in mind that the session host checks to see if a license is even needed before making a request to the license server for a CAL. So in most cases, even if your license server fails, most clients should still be able to connect to your session hosts. A new license will not be requested unless a new client tries to connect or a license has expired on a specific client. What that means is that in most environments, the failure of a license server does not mean that all of your clients that try to connect will be unable to connect.

    With that in mind, some people will still want to set up a backup license server in case their main license server fails.

    Configuration for Multiple License Servers (Per User Licensing)

    clip_image002

    As before, you set up two license servers. In most cases, you would install some of your CALs on one license server and the rest of them on another license server. You then configure half of your session hosts to point first to license server 1 and secondarily to license server 2. The other half of your session hosts should point to license server 2 as the primary license server and to license server 1 as the secondary server.

    In this scenario, RDSH01 will first try to pull licenses from RDSL01. If RDSL01 doesn't have licenses available, RDSH01 will pull from RDSL02. Likewise, RDSH02 will first try to get licenses from RDSL02 and, if there aren't any available, it will pull licenses from RDSL01. So you should be able to utilize all of your licenses even though different session hosts are pointed to different primary license servers.

    NOTE: You will need to take into consideration how many users / computers will be connecting to which session hosts. For example, if RDSH02 is going to have twice as many users connecting to it, you will want to install more CALs on RDSL02 as it is serving as the primary licensing server for that session host.

    Configuring Session Hosts to Point to License Servers

    If you configure your session hosts through GPO, you go to the following:

    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

    clip_image004

    In this case, the session host will first look to RDSL01 for licenses and if it can't find a license it will look to RDSL02 for a license. You can also set this via the session host configuration manager. This can be done in the following way.

    1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
    2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
    3. In the Edit settings area, under Licensing, double-click Remote Desktop license servers.
    4. On the Licensing tab of the Properties dialog box, click Add.
    5. In the Add License Server dialog box, select a license server from the list of known license servers, and then click Add. If the license server that you want to add is not listed, in the License server name or IP address box, type the name or IP address of the license server that you want to add, and then click Add.
      You can add more than one license server for the RD Session Host server to use. The RD Session Host server contacts the license servers in the order in which they appear in the Specified license servers box.
    6. Click OK to close the Add License Server dialog box, and then click OK to save your changes to the licensing settings.

    This is a basic setup for a highly available license server in Server 2008 R2.

    -Matt

  • MS15-010 causing font/text issues…

    Hello Folks.  Wanted to send out a quick note on an emerging issue we are seeing in Support after installing MS15-010.  If your fonts/text are distorted on the following Operating Systems…

    • Windows Server 2008 Service Pack 2 (SP2)
    • Windows Server 2003 SP2
    • Windows Vista SP2

    …then you can download/install the following fix:

    Fix for text quality degradation after security update 3013455 (MS15-010) is installed

    Please see this link for more information.

    Additionally, this fix will be included in March’s patch cycle.

    -Krishnan Ayyer & Susan Buchanan

  • Help! My Scheduled Task does not run…

    Good morning/afternoon/evening AskPerf! Blake here with a post I’ve been meaning to write/publish for a year or so now. Here on the Performance Team, we support a wide range of technologies, with Task Scheduler being one of them. More often than not, the number one Scheduled Task issue we encounter is as follows:

    “In Windows 2003/XP, my scheduled tasks ran with no problems. Since we’ve upgraded to Windows 2008/2008-R2/Win7/Win8/2012/2012-R2, our tasks no longer run.”

    With that, we explain that Task Scheduler was completely re-written in 2008/Vista, with one of the main changes being in Security. Here is a snippet from a Technet Article published back on March 3, 2006:

    Windows Vista Task Scheduler

    Security. In the Windows Vista Task Scheduler, security is vastly improved. Task Scheduler supports a security isolation model in which each set of tasks running in a specific security context starts in a separate session. Tasks executed for different users are launched in separate window sessions, in complete isolation from one other and from tasks running in the machine (system) context. Passwords are stored (when needed) in the Credentials Manager (CredMan) service using encryption interfaces. Using CredMan prevents malware from retrieving the stored password, tightening security further.

    In Windows Vista, the burden of credentials management in Task Scheduler has lessened. Credentials are no longer stored locally for the majority of scenarios, so tasks do not "break" when a password changes. Administrators can configure security services such as Service for Users (S4U) and CredMan, depending on whether the task requires remote or local resources. S4U relieves the need to store passwords locally on the computer, and CredMan, though it requires that passwords be updated once per computer, automatically updates scheduled tasks configured to run for the specific user with the new password.

    Enter the new world of Session 0 Isolation.

    Prior to Vista/2008 Server, all services ran in the same session as the first user who logged onto the console - this is Session 0. Well, running user apps and services in this session posed a security risk because services run at elevated privileges and can be targets for malicious code.

    Enter the new and improved Task Scheduler that uses Session 0 isolation. In Vista/2008 and higher, we mitigate this security risk by isolating services in Session 0 and making it non-interactive. Only system processes and services now run in Session 0. The first user who logs onto a machine does so in Session 1. Subsequent users log into Session 2, 3, 4, etc. This isolation protects services and system processes from tasks and applications running in user sessions.

    So, how does this isolation prevent my task from running?

    • There is no active Shell (explorer.exe)
    • If a process/service tries to display a message box, the task will not complete
    • Non-interactive
    • Apps creating globally named objects
    • Possible network communication failures

    For more information about Session 0 Isolation, please see the link above.

    At this point, we need to determine if there is a simple workaround to get your task to run, or determine if the application vendor needs to be engaged.

    Typically, I start with making the following Security changes to my Scheduled Task:

    “Run only when user is logged on”

    clip_image001

    With this option selected, my task will only run if I am logged on with my WillyP account. I can now test and confirm to see that Task Scheduler properly launches/runs my task. Selecting this option also runs my task interactively in my session.

    You will see notepad.exe running in the same session as my logged on user – Session ID 2.

    clip_image002

    Now, let’s look at the behavior when I have the other Security option selected.

    “Run whether user is logged on or not”

    With this option selected, I am telling Task Scheduler to run my task whether I am logged on or not – aka Session 0 isolated. Let’s see how this looks when my Willyp user is logged off and I schedule a task to run.

    clip_image003

    As you can see, notepad.exe is running in Session 0. The other process, taskeng.exe, is the Task Scheduler Engine process that started my task.

    So, you may be asking yourself: what if I am logged on with this account and “Run whether user is logged on or not” is selected - will it be interactive? No. Session 0 is a non-interactive session, so you will not see your Action even if you are logged on as the running user account.

    Now, how do we troubleshoot this and get your task to run? Well, in troubleshooting these issues, I’ve come across multiple ways to fix them. You may have to experiment to see which of the following works for you in your scenario.

    • If your Task requires UAC Elevation, select the “Run with highest privileges” option under Security on the General tab
    • If you are launching a Batch script (.vbs/.cmd/.bat/.ps1), modify your script to add some type of logging to see where it may be failing – see the following blog for examples: Two Minute Drill: Quickly test Task Scheduler
    • Try creating a new task, but select the Configure for: option to be “Windows Server 2003, Windows XP, or Windows 2000” – this will create an XP/2003 fashioned task
    • If running a .vbs / .ps1 script, try launching it from a .cmd / .bat script – for example: “cscript.exe myscript.vbs” would be in my .cmd/.bat script, and I would then launch it from my Scheduled Task
    • Check your scripts for environmental issues – when we run a script, we default to the “%SystemRoot%\System32” folder unless specified in the script (i.e. CD C:\Scripts\Test)
    • If you are running nested scripts/programs within one script, try breaking them out as multiple Actions – for example:

    clip_image004

    So, when script1.cmd finishes, script2.cmd will be launched. Then when script2.cmd completes, script3.cmd will run.

    • If running a 3rd party app/script, engage the app vendor to check if their app/process will run correctly in a non-interactive session
    • Try running your script with the SYSTEM account
    • Check the History tab for clues as to why your task is not running
    • If all else fails, your only choice may be to “Run only when user is logged on”
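    Several of the tips above (add logging, check the working directory, watch for message boxes, break out nested scripts) come down to finding out what the task actually sees when it runs in Session 0. The wrapper below is an added example, not part of the original post: set it as the task’s Action and it records the session ID, the interactive flag, the user, the working directory and whether a shell exists in that session, then runs your real script from its own folder and logs how it ended. The script path and log path are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): diagnostic wrapper to use as a Scheduled Task Action.
# Placeholders: $Target is the script the task should really run, $LogFile a location the task account can write.
param(
    [string]$Target  = 'C:\Scripts\Test\myscript.ps1',
    [string]$LogFile = 'C:\Scripts\Test\task-diag.log'
)

function Write-Diag([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Session 0 means "Run whether user is logged on or not"; an interactive logon gets Session 1, 2, ...
$sessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
Write-Diag "Session=$sessionId Interactive=$([Environment]::UserInteractive) User=$env:USERDOMAIN\$env:USERNAME"

# Task Scheduler starts in %SystemRoot%\System32 unless the Action's "Start in" is set or the script changes directory
Write-Diag "WorkingDir=$((Get-Location).Path)"

# No explorer.exe in this session means no shell: anything relying on the desktop or tray will not work
$shell = Get-Process -Name explorer -ErrorAction SilentlyContinue | Where-Object { $_.SessionId -eq $sessionId }
Write-Diag "ShellInThisSession=$([bool]$shell)"

# A message box or any other dialog in a non-interactive session has nobody to click it, so the task hangs
if (-not [Environment]::UserInteractive -or $sessionId -eq 0) {
    Write-Diag 'Non-interactive session: any dialog raised by the target will block the task'
}

# Run the real script from its own folder and record output and outcome
try {
    if (-not (Test-Path $Target)) { throw "Target script not found: $Target" }
    Set-Location -Path (Split-Path -Parent $Target)
    & $Target 2>&1 | ForEach-Object { Write-Diag "Target: $_" }
    # $LASTEXITCODE reflects the target only if it ends with an explicit exit code
    Write-Diag "Target finished (last exit code: $LASTEXITCODE)"
} catch {
    Write-Diag "Target failed: $($_.Exception.Message)"
    exit 1
}
```

    Point the task’s Action at powershell.exe with arguments such as -NoProfile -File C:\Scripts\Test\Invoke-TaskDiag.ps1 (a placeholder name), and compare the log from a “Run only when user is logged on” run with one from a “Run whether user is logged on or not” run.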

    As we come across different issues/fixes, I will add them to the bulleted list above.

    Play around with the options above and see if you can get your Scheduled Task to run. If you come across a different fix not mentioned above, let us know in the comments below.

    -Blake

  • DFSR: Limiting the Number of Imported Replicated Folders when using DB cloning

    Hello! Warren here to talk about a very specific scenario involving the new DB cloning feature added to DFSR in Windows Server 2012 R2. The topic is how to limit or control which RFs you import on the import server in a DB cloning scenario. Ned Pyle has ...read more
  • Loss of "ssh" via VIP following the assignment of IP addresses to Linux VMs with multi-NIC

    Problem: When creating a VM with multiple NICs and multiple subnets, the guest's "Default Gateway" is not automatically set. This can cause loss of "ssh" connectivity as the "Default Gateway" is not assigned to the correct NIC ...read more