In Part 1 of the Remote Desktop Services 2016, Standard Deployment series, we installed RDS roles on 3 different servers. With the Standard Deployment type we have to create our own collections, which is not the case with the Quick Start deployment type.
Let’s talk about the purpose of RD collections. They have 2 major functions.
- They allow us to separate out RD Session Hosts into separate farms
- The second thing they do is to allow admins to organize resources
We have 2 Collections: Collection 1 (Sales) and Collection 2 (Management)
If we have different types of users, some of them could work in Sales, some in Management. If somebody from Sales connects to the connection broker, then we want them to be directed to servers in Collection 1.
I have created 2 AD groups and 2 AD users
Groups: Sales & Managers
Users: Sales1 & Manager1
Let’s create our first RD Collection and explore Collection Properties.
Scroll right, go up under Tasks and click on Create Session Collection.
The Before you begin page will pop up. Click next
On the Collection Name page, give your collection a name and click next
On Specify RD Session Host Servers page, select RDSH01 and click next
On Specify User Groups, type in Sales and remove Domain Users and click next
On User Profile Disk page, I will uncheck Enable user profile disks (I will configure this later) and click next and Create.
Once done, click close.
Now we have a collection, but notice that we don’t have any Remote Apps. We will configure them in a different part.
Let’s explore Collection Properties. Click on Tasks and click Edit Properties
The Session Collection Wizard will pop up.
On GENERAL we can change the name and description, and choose whether we would like to see the collection in RD Web Access.
USER GROUPS – is used to limit connections to this collection to a specific group of users.
SESSION – The first 3 settings have to do with what happens when sessions are connected or during the session. For all of these 3 we need to know how users use the server.
End a disconnected session: If users disconnect from the session and don’t sign out, whatever they were working on continues to run. We can see that by default it’s set to Never.
Active session limit: how long users can be active in a session.
Idle session limit: If we connect, something is downloading and I disconnect, the server will sometimes consider that I’m idle because I’m not using the mouse. In that case we will leave this as default.
The area at the bottom covers what happens when the session limit is reached or the connection is broken. The default option is just to disconnect and leave everything running.
Last 2 settings deal with temporary folders.
SECURITY – Here we can decide which Security layer and which encryption level we are going to use.
Security Layer (Negotiate is the default option)
- RDP Security Layer – Does not use authentication to verify the identity of an RD Session Host and does not support Network Level Authentication (which came in with Vista and Win Server 2008)
- SSL (TLS 1.0) – more secure than RDP Security Layer, SSL will be used for server authentication. (requires certificate)
- Negotiate – The most secure layer that is supported by the client will be used
Encryption Level (Client Compatible by default)
- Low – Data sent from the server is not encrypted. Data sent from the client is encrypted using 56-bit encryption
- Client Compatible – It encrypts the client and the server communication at the maximum key strength supported by the client
- High – It encrypts the client and the server communication using 128-bit encryption. Use High when clients also support 128-bit encryption. If they do not support it, they will not be able to connect
- FIPS – All client/server communication is encrypted and decrypted with FIPS encryption algorithms
LOAD BALANCING – If we have more than 1 RD Session Host, we can set up the relative weight between them. Right now I only have 1, so 100 % of the traffic is going to RDSH01. We will come back to this when we add a second RD Session Host
CLIENT SETTINGS – Here we specify which redirections are enabled: audio/video playback, audio recording etc. What this means is that the client’s smart cards, clipboard and drives will be available inside the remote desktop session. Everything is enabled by default.
USER PROFILE DISKS – They are used to store user and application data on a single virtual disk that is dedicated to one user’s profile. When we enable user profile disks, it creates a template file called UVHD.template.vhdx in the share. For every new user that logs on, a new VHDX file is created based on the template. We will take a look at it and configure user profile disks in the User Profile Disk part. It is disabled by default
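A check for the SECURITY and CLIENT SETTINGS values walked through above, written as an added example that is not part of the original series. The function name, the sample values, the collection name 'Sales' and the broker name rdcb.example.local are assumptions; the commented lines use the Get-/Set-RDSessionCollectionConfiguration cmdlets from the RemoteDesktop module.

```powershell
# Added example: flag weak values among the collection properties described above.
function Test-RDCollectionSecurity {
    param(
        [Parameter(Mandatory)] $Security,  # SecurityLayer, EncryptionLevel, AuthenticateUsingNLA
        [Parameter(Mandatory)] $Client     # ClientDeviceRedirectionOptions
    )
    $findings = @()

    # Only SSL always authenticates the session host with its certificate;
    # RDP Security Layer does not authenticate the server, and Negotiate
    # accepts whatever the client supports.
    if ("$($Security.SecurityLayer)" -ne 'SSL') {
        $findings += "SecurityLayer=$($Security.SecurityLayer): set SSL so the server is always authenticated"
    }
    # Low leaves server-to-client data unencrypted; ClientCompatible follows the client.
    if ("$($Security.EncryptionLevel)" -in @('Low', 'ClientCompatible')) {
        $findings += "EncryptionLevel=$($Security.EncryptionLevel): use High or FipsCompliant once all clients support it"
    }
    if (-not $Security.AuthenticateUsingNLA) {
        $findings += 'AuthenticateUsingNLA is off: a session is created before the user authenticates'
    }
    # The flags value renders as a comma-separated list, so split it into names.
    $redirected = "$($Client.ClientDeviceRedirectionOptions)" -split '\s*,\s*'
    foreach ($channel in 'Drive', 'Clipboard') {
        if ($redirected -contains $channel) {
            $findings += "$channel redirection is on: data can move between the session and the client device"
        }
    }
    $findings
}

# Constructed sample mirroring the defaults listed on this page (not output from a real server).
$sampleSecurity = [pscustomobject]@{ SecurityLayer = 'Negotiate'; EncryptionLevel = 'ClientCompatible'; AuthenticateUsingNLA = $true }
$sampleClient   = [pscustomobject]@{ ClientDeviceRedirectionOptions = 'AudioVideoPlayBack, AudioRecording, SmartCard, Drive, Clipboard' }
Test-RDCollectionSecurity -Security $sampleSecurity -Client $sampleClient   # returns 4 findings

# Live use (assumed names: collection 'Sales', broker rdcb.example.local):
# $cb  = 'rdcb.example.local'
# $sec = Get-RDSessionCollectionConfiguration -CollectionName 'Sales' -Security -ConnectionBroker $cb
# $cli = Get-RDSessionCollectionConfiguration -CollectionName 'Sales' -Client -ConnectionBroker $cb
# Test-RDCollectionSecurity -Security $sec -Client $cli
# Example policy only; High blocks clients without 128-bit support:
# Set-RDSessionCollectionConfiguration -CollectionName 'Sales' -ConnectionBroker $cb `
#     -SecurityLayer SSL -EncryptionLevel High -AuthenticateUsingNLA $true `
#     -ClientDeviceRedirectionOptions 'AudioVideoPlayBack, SmartCard'
```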
In the third part of the Remote Desktop Services 2016, Standard Deployment series, we will move forward and explore Deployment Properties.