Remote Desktop Services 2012 R2 Deployment Part 2

In the last post we set up the two RDS servers that will be used for RD Web Access, connection broker and session hosts. In this post we will go through setting up RD Connection Broker high availability (HA) to give more resilience to the RDS deployment.

To add connection broker HA we need a server with SQL Server 2008 R2 or above, and either a load balancer or DNS round robin to redirect traffic. I am using SQL Server 2014 with just the database engine and management tools selected. I have used a separate SQL / RDS licensing server for this as I don’t want the database on either of the current RDS servers.

I am going to use DNS round robin to redirect traffic to both brokers as I don’t have a load balancer set up, so I created the below 4 DNS records on my internal DNS server.

Once the database server is set up we need to create a security group and add the two RDS servers that will be used as connection brokers.

Once this group has been created we can set up the SQL permissions. Open SQL Server Management Studio on the database server and create a new login for the group.


Give the login dbcreator access, as this will be required when setting up the HA deployment.

To connect to the database the SQL Server Native Client is required on both RD Connection Brokers. The latest version of this client is from SQL Server 2012 and can be downloaded from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=50402

Once the client is installed go to Control Panel\All Control Panel Items\Administrative Tools and open ODBC Data Sources (64-bit). Click Add and select SQL Server Native Client 11.0.

Enter a name, a description and the SQL server on which the permissions were set up for the security group above.

Leave as integrated Windows authentication.

Make sure that the application intent is READWRITE; the rest of the settings can be left as default.

Once completed, run a test to make sure that the database can be accessed.

Once this is completed on both RD connection brokers we can start to set up the HA deployment.

Go back to the RDS deployment page, right-click on RD Connection Broker and click Configure High Availability.

Database connection string: we need to put in the SQL server name and the database name that will be created during the deployment.

DRIVER=SQL Server Native Client 11.0;SERVER=<name of SQL server>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=<name of database>
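The two things the HA wizard depends on can be checked from a broker before running it: that the broker can open a connection with the same driver and integrated authentication as the connection string above and that its login actually holds dbcreator, and that the round-robin DNS name resolves to both brokers. The following PowerShell is an added example and not part of the original post; the SQL server name, the broker addresses and the default database are assumptions (the round-robin name is the one used later in the post).

```powershell
# Added example (not from the original post). Assumed values: SQL server
# 'LAB-SQL', broker addresses 10.10.10.21/22, and 'master' as the test
# database (the wizard creates the real one, so it does not exist yet).

function Test-BrokerSqlAccess {
    param(
        [Parameter(Mandatory)] [string] $SqlServer,
        [string] $Database = 'master'
    )
    # Same shape as the wizard's connection string: Native Client 11.0 + Trusted_Connection.
    $connStr = "DRIVER=SQL Server Native Client 11.0;SERVER=$SqlServer;" +
               "Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;" +
               "DATABASE=$Database"
    $conn = New-Object System.Data.Odbc.OdbcConnection $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Which login we arrived as, and whether it is in the dbcreator server role.
        $cmd.CommandText = "SELECT SUSER_SNAME() AS LoginName, " +
                           "IS_SRVROLEMEMBER('dbcreator') AS IsDbCreator"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            SqlServer   = $SqlServer
            LoginName   = [string]$reader['LoginName']
            IsDbCreator = ([int]$reader['IsDbCreator'] -eq 1)
        }
    }
    finally {
        $conn.Dispose()
    }
}

function Test-BrokerRoundRobin {
    param(
        [Parameter(Mandatory)] [string]   $HaName,
        [Parameter(Mandatory)] [string[]] $ExpectedBrokerIPs
    )
    # Every broker address must be returned as an A record or round robin is incomplete.
    $resolved = @((Resolve-DnsName -Name $HaName -Type A -ErrorAction Stop).IPAddress)
    $missing  = @($ExpectedBrokerIPs | Where-Object { $_ -notin $resolved })
    [pscustomobject]@{
        Name     = $HaName
        Resolved = ($resolved -join ', ')
        Missing  = ($missing -join ', ')
        Ok       = ($missing.Count -eq 0)
    }
}

# Usage (assumed lab values):
Test-BrokerSqlAccess -SqlServer 'LAB-SQL'
Test-BrokerRoundRobin -HaName 'HARDSBroker.Lab.local' -ExpectedBrokerIPs '10.10.10.21', '10.10.10.22'
```

One caveat when reading the result: the RD Connection Broker service connects as the computer account, which is why the security group holds the broker computer objects. Run `Test-BrokerSqlAccess` under the local SYSTEM account (for example from a scheduled task) to see that identity; run interactively it reports your own user, which may hold dbcreator when the computer account does not, or vice versa.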

Folder to store database files: I used the default SQL location.

Add in the DNS name: HARDSBroker.Lab.local


The next page is just to confirm that all the settings are correct.

Once HA has been configured we can add the additional connection broker. Right-click on RD Connection Broker and click Add RD Connection Broker Server.

Select the required server.

Click Add.

Once completed, both servers should show the RD Connection Broker role as installed.

In part 3, we will go over creating and configuring RDS collections.

 

 

Remote Desktop Services 2012 R2 Deployment Part 1

I recently had a request to build a new Windows Server 2012 R2 RDS farm, as the existing single Windows Server 2012 RDS deployment was crashing and users were getting a bit angry. So I decided to build out the deployment on my test domain to make sure it would work out as expected.

I will be using three servers for this deployment as I want to co-locate some roles to keep the number of servers to a minimum, as this is a small 20-user setup.

I have two servers that will be RDS session hosts, connection brokers and RD Web Access, and one that will be used later as the licensing and SQL server for the RD Connection Broker HA setup.

To start we need to add all servers to Server Manager on one of the RDS servers.

Once all servers are added to Server Manager and showing as online we can start to install the RDS roles.

Go to Manage in the top right of Server Manager and click Add Roles and Features.

On Installation Type select Remote Desktop Services installation.

Next select Standard deployment.

Select Session-based desktop deployment.

Only one RD Connection Broker can be selected during initial setup; HA will be set up after the initial setup.

Select Install the RD Web Access role on the RD Connection Broker server. We can add RD Web Access to the second server afterwards.

Select both servers that will be used as session hosts.

Next confirm that all servers have been selected for the correct roles and deploy.

The deployment progress screen should then show; it can take a while for this to complete.

Once the deployment has completed there will be an RDS icon in Server Manager. All servers need to be added to Server Manager or you won't be able to manage the deployment.

To finish the current deployment I will add the second RD Web Access server. To do this, click on Tasks above Deployment Servers, choose Add RD Web Access Servers and select the second server that will have the role added.

The last step I wanted to do was to use a wildcard cert that I have from my internal CA so that I don’t get any cert errors when accessing the RD Web Access URL.

I won't go through generating the cert here, but once you have the cert you can go to Deployment Overview and click on Edit Deployment Properties.

Go to Certificates. Select the roles you want to assign the cert to; in my case it was the two RD Connection Brokers and RD Web Access. Click Select existing certificate and select the cert that will be used. You can also create a new certificate from this window as well.

Once the cert is applied and all statuses say OK you should no longer get a cert error when accessing the RD Web Access URL.

We will use DNS round robin to load balance between the two RD web access servers and this will create a single URL for users to access.


We can now access the RDS web page using HTTPS://RDS.Lab.Local/RDWeb instead of having to go to each individual server.

In part 2, we will go through setting up a second connection broker for high availability deployment.

Azure Network Security Groups (NSG) to Restrict Management Access

For security reasons it is good practice to lock down access to Azure resources and not leave management ports open to the internet.

One way to restrict access to remote access protocols like RDP / SSH is to create a Network Security Group (NSG) and apply it to either virtual machines or virtual network subnets.

To create an NSG:

Log on to the Azure portal: https://portal.azure.com

Once logged on go to All Services > Network security groups

If you have created VMs or other resources there might already be some pre-existing NSGs.

To create a new NSG click on Add.

Give the NSG a name, and assign a subscription, resource group and location.

Once the deployment has completed, click on the NSG; this will bring up the configuration page.

The first part is to configure the inbound security rules.

Go to settings > Inbound security rules

Once in Inbound security rules, click Add to add a rule.

I want to restrict RDP access to a specific public IP. Set the source to IP Addresses and add the IP that will be allowed; this can be a full range or a single IP depending on the prefix length. I am only going to add one address so I used /32; for example, 10.10.10.92/32.

I left source port ranges and destination as default as I don’t want to restrict these. Choose the required port, in this case 3389; set protocol to Any if you require both TCP and UDP, I only need TCP. Set action to Allow, set a priority value, and the last step is to give the rule a name and description.

Below is the updated rule; I have masked out my public IP.

The outbound rules allow any/any by default, so if there is a requirement to lock down certain ports then create a new rule here to block the required ports.

The last step, once all rules have been configured, is to apply the NSG to resources. I am going to apply it to both my subnet and the NICs assigned to both my test VMs.

The NSG should only need to be applied to either the subnet or the VMs; I just want to show how to apply it to both. If you apply an NSG to both the VM and the subnet, the rules need to match, as any port that is not allowed on both won't work.

To assign to a subnet: go to Settings > Subnets.

Select the virtual network and subnet.

To apply to each VM NIC: go to Settings > Network interfaces.

As I already had NSGs associated from the VM deployments I need to re-associate the NICs with the new NSG.

Select the NSG of the VM you want to move and go to Network interfaces.

Choose the required NSG.

Once applied I can now only access the VMs from my own network.
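The same restriction can be built and, more usefully, audited with the Az PowerShell module. The following is an added example and not part of the original post: it creates an NSG with a single inbound allow rule for TCP 3389 from one /32, associates it with a subnet and with a NIC (the two options described above), and lists any inbound allow rule in the resource group that still exposes 3389 or 22 to any source. The resource names and the 10.10.10.92/32 source are assumed lab values.

```powershell
# Added example (not from the original post). Requires the Az.Network module
# and an existing Connect-AzAccount session. All names below are assumptions.

function New-RestrictedRdpNsg {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $NsgName,
        [Parameter(Mandatory)] [string] $AllowedSource    # e.g. 10.10.10.92/32
    )
    # Mirrors the portal rule: source = one IP, any source port, dest 3389/TCP, Allow.
    $rule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Mgmt-IP' `
        -Description 'RDP only from the management public IP' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $AllowedSource -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389
    New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
        -Name $NsgName -SecurityRules $rule
}

function Set-SubnetNsg {
    param($ResourceGroup, $VNetName, $SubnetName, $Nsg)
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
    # The subnet config must be re-set with its existing prefix plus the NSG, then the VNet saved.
    Set-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $Nsg | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null
}

function Set-NicNsg {
    param($ResourceGroup, $NicName, $Nsg)
    # Re-associates a NIC that already had a per-VM NSG from deployment.
    $nic = Get-AzNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroup
    $nic.NetworkSecurityGroup = $Nsg
    $nic | Set-AzNetworkInterface | Out-Null
}

function Get-OpenManagementRule {
    # Reports inbound Allow rules whose source is "anything" and whose destination
    # covers a management port. Explicit port ranges (e.g. 3000-4000) are not
    # expanded; a range containing 3389 is only flagged if it is listed as '*'.
    param([Parameter(Mandatory)] [string] $ResourceGroup)
    $mgmtPorts = @('3389', '22')
    $anySource = @('*', 'Internet', '0.0.0.0/0')
    foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup) {
        foreach ($r in $nsg.SecurityRules) {
            if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
            $srcOpen  = @($r.SourceAddressPrefix | Where-Object { $_ -in $anySource }).Count -gt 0
            $portOpen = @($r.DestinationPortRange | Where-Object { $_ -eq '*' -or $_ -in $mgmtPorts }).Count -gt 0
            if ($srcOpen -and $portOpen) {
                [pscustomobject]@{
                    Nsg      = $nsg.Name
                    Rule     = $r.Name
                    Priority = $r.Priority
                    Source   = ($r.SourceAddressPrefix -join ',')
                    Ports    = ($r.DestinationPortRange -join ',')
                }
            }
        }
    }
}

# Usage (assumed names):
$nsg = New-RestrictedRdpNsg -ResourceGroup 'Lab-RG' -Location 'uksouth' -NsgName 'Lab-Mgmt-NSG' -AllowedSource '10.10.10.92/32'
Set-SubnetNsg -ResourceGroup 'Lab-RG' -VNetName 'Lab-VNet' -SubnetName 'servers' -Nsg $nsg
Set-NicNsg    -ResourceGroup 'Lab-RG' -NicName 'LAB-VM1-nic' -Nsg $nsg
Get-OpenManagementRule -ResourceGroup 'Lab-RG' | Format-Table
```

`Get-OpenManagementRule` is the check worth scheduling: a VM created through the portal with "allowed ports" selected gets its own NSG with a wide-open 3389 rule, and unless that NIC is re-associated (as the post does) the subnet NSG alone will not close it. An empty result is the state you want.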

 

 

 

 

Azure VM Backup using Azure Recovery Service Vault

In this post I am going to go through setting up a weekly backup for VMs using an Azure Recovery Services vault.

Recovery Services vaults protect:

  • Azure Resource Manager-deployed VMs
  • Classic VMs
  • Standard storage VMs
  • Premium storage VMs
  • VMs running on Managed Disks
  • VMs encrypted using Azure Disk Encryption
  • Application consistent backup of Windows VMs using VSS and Linux VMs using custom pre-snapshot and post-snapshot scripts

To back up a single VM we can click on the VM, go to Backup and configure the Recovery Services vault there. I want to add all my servers at once, so I will create the vault first.

Log on to the Azure portal: https://portal.azure.com

Once logged on go to All Services > Recovery Services vaults

Once in Recovery Services vaults click Create.

Give the vault a name, and assign a subscription, resource group and location.

Once the deployment has finished, click on the newly created vault.

The first thing I am going to do is set the backup configuration to locally-redundant, as this is just for my lab VMs and it will save on cost.

Go to Manage > Backup Infrastructure and set Storage replication type to Locally-redundant.

I am going to create a custom policy as I only want to back up my test VMs once a week. Go to Manage > Backup policies and click Add.

Once in the new backup policy, configure the settings as required. I have set the frequency to every Sunday at 22:00 and the retention to 4 weekly backups. Click Create once all settings are configured.

The policy should now be available to assign to backup jobs. The next step is to set up the backup: go to Getting started > Backup.

Select where the workload is running (Azure or on-premises); I only want to back up my Azure lab VMs so I selected Azure. Next select the backup type:

  • VM
  • Azure File Share (in preview at the time of the post)
  • SQL server in Azure VM (in preview at the time of the post)

Select the backup policy; I am using the policy created above.

Next select the VMs that will be backed up.

Click Enable backup to finish the configuration.

I will kick off a manual backup job to get an initial backup.

Click on Backup items > Azure Virtual Machine > Backup now.

To view backup jobs go to Monitoring > Backup Jobs.

Once the backup is complete, the options to run a VM restore or file-level recovery become available.
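The whole procedure above (vault, locally-redundant storage, a weekly Sunday 22:00 policy with 4 weeks of retention, enabling protection and kicking off the first backup) can be scripted with the Az.RecoveryServices module. This is an added example and not part of the original post; the resource group, vault, policy and VM names are assumptions, and the schedule/retention property names are those of the Az.RecoveryServices policy objects as I know them, so check them against your module version.

```powershell
# Added example (not from the original post). Requires Az.RecoveryServices and an
# existing Connect-AzAccount session. Names are assumptions for a lab.

function New-WeeklyVmBackup {
    param(
        [Parameter(Mandatory)] [string]   $ResourceGroup,
        [Parameter(Mandatory)] [string]   $Location,
        [Parameter(Mandatory)] [string]   $VaultName,
        [Parameter(Mandatory)] [string]   $PolicyName,
        [Parameter(Mandatory)] [string[]] $VmNames,
        [string] $RunDay = 'Sunday',
        [string] $RunTimeLocal = '22:00',
        [int]    $KeepWeeks = 4
    )
    # Vault, then storage redundancy. Redundancy must be set BEFORE the first item is
    # protected; once a backup exists it can no longer be changed on that vault.
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $ResourceGroup -Name $VaultName -Location $Location
    Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy LocallyRedundant
    Set-AzRecoveryServicesVaultContext -Vault $vault

    # Schedule: weekly on one day. Times are stored in UTC, so convert the local time.
    $sched = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
    $sched.ScheduleRunFrequency = 'Weekly'
    $sched.ScheduleRunDays = @([System.DayOfWeek]$RunDay)
    $sched.ScheduleRunTimes.Clear()
    $sched.ScheduleRunTimes.Add((Get-Date -Date $RunTimeLocal).ToUniversalTime())

    # Retention: only a weekly schedule, kept for $KeepWeeks weeks, on the same day.
    $ret = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
    $ret.IsDailyScheduleEnabled   = $false
    $ret.IsWeeklyScheduleEnabled  = $true
    $ret.IsMonthlyScheduleEnabled = $false
    $ret.IsYearlyScheduleEnabled  = $false
    $ret.WeeklySchedule.DaysOfTheWeek        = @([System.DayOfWeek]$RunDay)
    $ret.WeeklySchedule.DurationCountInWeeks = $KeepWeeks

    $policy = New-AzRecoveryServicesBackupProtectionPolicy -Name $PolicyName `
        -WorkloadType AzureVM -RetentionPolicy $ret -SchedulePolicy $sched

    # Protect each VM with the policy (the "Enable backup" step).
    foreach ($vm in $VmNames) {
        Enable-AzRecoveryServicesBackupProtection -ResourceGroupName $ResourceGroup -Name $vm -Policy $policy | Out-Null
    }
    $policy
}

function Start-InitialVmBackup {
    # Equivalent of Backup items > Azure Virtual Machine > Backup now.
    param([Parameter(Mandatory)] [string] $VmName)
    $container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered -FriendlyName $VmName
    $item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM
    Backup-AzRecoveryServicesBackupItem -Item $item
}

# Usage (assumed names):
New-WeeklyVmBackup -ResourceGroup 'Lab-RG' -Location 'uksouth' -VaultName 'Lab-RSV' `
    -PolicyName 'Weekly-Sunday-22' -VmNames 'LAB-VM1', 'LAB-VM2'
Start-InitialVmBackup -VmName 'LAB-VM1'
```

The ordering in `New-WeeklyVmBackup` is the part that matters operationally: the locally-redundant choice the post makes for cost is only accepted while the vault has no protected items, so set it first; with a weekly schedule the daily retention block has to be disabled or policy creation is rejected.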

Azure Automation “Run Login-AzureAccount to login”

When I was creating my Azure Automation account and tried to run a runbook that needed to log on to Azure to start my VMs, I was getting an error:

Run Login-AzureAccount to login.

After looking on TechNet there were a few different recommendations but none worked.

In the end I just decided to try updating the Azure modules. This fixed the issue.

Below is how to update the modules.

Go to Automation Accounts > select the account > Modules.

There will be a prompt to update all Azure modules; click Yes to continue.

To view the progress click on the update job.

Click on All Logs or Output to view what is currently running.

Once completed, the job status will show as completed.

After this I was successfully able to run my runbooks.

 

Azure Automation PowerShell Runbook

In this post I am going to go through setting up an Azure Automation account and creating a PowerShell runbook.

Azure Automation allows for process automation, configuration management, update management and PowerShell script execution on both Azure and Office 365. I like using Azure Automation as it allows me to save credentials in Azure for running tasks, as opposed to having them embedded in my script, which is less secure.

I am going to set up a runbook to power my lab servers on and off so that they only run during the day.

To start using Azure Automation:

Go to All services > Automation Accounts

Once in Automation Accounts we need to create a new account.

Give the Automation account a name, and assign it to a subscription, resource group and location. Leave Create Azure Run As account set to Yes and click Create.

Once the task has completed the Automation account will show in the list.

The next step is to create a runbook to run the PowerShell commands. Click on the Automation account, go to Process Automation and click on Runbooks.

Once in Runbooks there will be some pre-configured runbooks that can be used as references.

To create a new runbook click Add a runbook.

Once in the runbook, give it a name and select the runbook type, in this case PowerShell. Then click Create.

Click on Edit to modify the PowerShell script.

The connection commands are generic and are copied from the AzureAutomationTutorialScript runbook.

$connectionName = "AzureRunAsConnection"
try
{
    # Get the Run As connection "AzureRunAsConnection" (the service principal
    # created with the Automation account)
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    # Certificate-based service principal login; no password is stored in the runbook
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        # Get-AutomationConnection returned nothing: the Run As account was not created
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        # Login itself failed; surface the real exception
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

I have added the command I want to run at the bottom. Once finished, the runbook needs to be saved and published.

To test whether the script works as expected there is a Test pane icon.

Once in the test pane click Start; the script will be executed and the output of the command will be returned to the console.

Once the runbook is published, the Start icon becomes available so the runbook can be executed.

The last step is to schedule when the runbook will execute: click Schedule.

Add a name, description, start time/date, time zone, and whether the task is a one-off or a recurring task.

Once the schedule has been created it will show under Schedules.
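The post adds the start/stop command to the bottom of the login block but does not show it. Here is an added example of a complete runbook body, not the post's own, that keeps the same Run As login and takes an Action parameter so the one runbook can be scheduled twice (Start in the morning, Stop at night) against every VM in a resource group. The resource group name in the usage line is an assumption, and the AzureRM cmdlets match the `Add-AzureRmAccount` login the post uses.

```powershell
# Added example runbook (not from the original post). Publish it, then create two
# schedules: one passing -Action Start, one passing -Action Stop.
param(
    [Parameter(Mandatory)] [ValidateSet('Start', 'Stop')] [string] $Action,
    [Parameter(Mandatory)] [string] $ResourceGroupName        # assumed, e.g. 'Lab-RG'
)

# Same login block as the tutorial runbook: certificate-based service principal,
# so no credential lives in the script.
$connectionName = 'AzureRunAsConnection'
try {
    $sp = Get-AutomationConnection -Name $connectionName
    'Logging in to Azure...'
    Add-AzureRmAccount -ServicePrincipal `
        -TenantId $sp.TenantId `
        -ApplicationId $sp.ApplicationId `
        -CertificateThumbprint $sp.CertificateThumbprint | Out-Null
}
catch {
    if (!$sp) { throw "Connection $connectionName not found." }
    Write-Error -Message $_.Exception
    throw $_.Exception
}

function Get-VmPowerState {
    # Returns e.g. 'PowerState/running' or 'PowerState/deallocated' for one VM.
    param([string] $ResourceGroup, [string] $Name)
    $status = Get-AzureRmVM -ResourceGroupName $ResourceGroup -Name $Name -Status
    ($status.Statuses | Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -First 1).Code
}

foreach ($vm in Get-AzureRmVM -ResourceGroupName $ResourceGroupName) {
    $state = Get-VmPowerState -ResourceGroup $ResourceGroupName -Name $vm.Name
    switch ($Action) {
        'Start' {
            if ($state -eq 'PowerState/running') { "$($vm.Name): already running"; continue }
            "$($vm.Name): starting (was $state)"
            Start-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $vm.Name | Out-Null
        }
        'Stop' {
            if ($state -eq 'PowerState/deallocated') { "$($vm.Name): already deallocated"; continue }
            "$($vm.Name): deallocating (was $state)"
            # -Force skips the confirmation prompt (there is no console in a runbook) and
            # deallocates rather than just shutting down the guest, which stops compute billing.
            Stop-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $vm.Name -Force | Out-Null
        }
    }
}
```

Checking the current power state before acting keeps the job idempotent, which matters when a schedule fires again after a failed or retried run; `Stop-AzureRmVM` without `-Force` would hang a runbook waiting for a confirmation that can never be answered.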
 

Azure VM deployment

In this post I am going to go through setting up an Azure resource group and VNet, and the deployment of a basic VM. There are many different VM sizes that can be deployed.

Below is a table with the current VM types, sizes and descriptions:

Type                     | Sizes                                | Description
-------------------------|--------------------------------------|------------------------------------------------------------------
General purpose          | B, Dsv3, Dv3, DSv2, Dv2, Av2, DC     | Balanced CPU-to-memory ratio. Ideal for testing and development, small to medium databases, and low to medium traffic web servers.
Compute optimized        | Fsv2, Fs, F                          | High CPU-to-memory ratio. Good for medium traffic web servers, network appliances, batch processes, and application servers.
Memory optimized         | Esv3, Ev3, M, GS, G, DSv2, Dv2       | High memory-to-CPU ratio. Great for relational database servers, medium to large caches, and in-memory analytics.
Storage optimized        | Ls                                   | High disk throughput and IO. Ideal for Big Data, SQL, and NoSQL databases.
GPU                      | NV, NVv2, NC, NCv2, NCv3, ND         | Specialized virtual machines targeted for heavy graphic rendering and video editing, as well as model training and inferencing (ND) with deep learning. Available with single or multiple GPUs.
High performance compute | H                                    | Our fastest and most powerful CPU virtual machines with optional high-throughput network interfaces (RDMA).

The first step for deploying a VM is to create a resource group. A resource group is basically a container object that will hold Azure objects like VNets, VMs and any other Azure services that are added to it. A resource group can be created while deploying a VM, but I prefer to create them beforehand.

Log on to the Azure portal. If the Resource groups tab is not showing, go to All services > Resource groups.

Once on Resource groups click on Add.

Give the resource group a name, select a subscription and set the location.

The resource group should only take a few seconds to create. Once created you should get a notification.

Now that there is a resource group, we can move to the next step, which is to create a new VNet: All services > Virtual networks.

Once in Virtual networks click Create virtual network. Give the network a name and an address space, select the subscription, location and resource group, and set the subnet range that will be available for use.

Once completed, the new VNet will show under Virtual networks.

The final step is to create the VMs: go to All services > Virtual machines.

Click on Create virtual machine.

Set the subscription that will be used, the resource group, VM name and image. We can also set availability options for high availability and resilience.

Select the VM size, administrator user name and allowed inbound ports.

The next page allows you to change the disk type used for the VM (premium SSD, standard SSD or standard HDD). If the disk type is changed this may reset the VM size, so I would usually leave this as is unless there is a specific reason to change it.

The next step is to select the VNet / subnet that will be used for the VM.

There is an auto-shutdown feature in Azure. I like to use this in my lab as it saves credit; as this is only a lab server I want the VM to shut down at 12AM. I can start the VM again when I want to do any further testing.

I won't add any guest config or tags, so the last step is to review and validate the VM.

The VM should now deploy; it will take a while. Once completed the VM will show under Virtual machines.

If we check the resource group, we can now see all the objects it contains.
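The same resource group, VNet and VM can be created with the Az module, which is handy for rebuilding a lab. The following is an added example and not part of the original post. It differs from the portal walkthrough in one deliberate respect: the VM gets no public IP and no "allowed ports", so reaching it depends on an explicit NSG rule (as in the NSG post on this page) rather than on whatever the wizard opens by default. Names, address ranges, image SKU, disk type and VM size are assumptions.

```powershell
# Added example (not from the original post). Requires Az.Resources, Az.Network and
# Az.Compute plus an existing Connect-AzAccount session. All names are assumptions.

function New-LabVm {
    param(
        [Parameter(Mandatory)] [string]       $ResourceGroup,
        [Parameter(Mandatory)] [string]       $Location,
        [Parameter(Mandatory)] [string]       $VmName,
        [Parameter(Mandatory)] [pscredential] $AdminCredential,
        [string] $VNetName     = "$ResourceGroup-vnet",
        [string] $SubnetName   = 'servers',
        [string] $AddressSpace = '10.10.0.0/16',
        [string] $SubnetPrefix = '10.10.1.0/24',
        [string] $VmSize       = 'Standard_B2s',
        [ValidateSet('Standard_LRS', 'StandardSSD_LRS', 'Premium_LRS')]
        [string] $OsDiskType   = 'StandardSSD_LRS'
    )

    # 1. Resource group: the container for everything below. -Force makes re-runs idempotent.
    New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

    # 2. VNet with one subnet (the address space / subnet step in the post).
    $subnetCfg = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix $SubnetPrefix
    $vnet = New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup `
        -Location $Location -AddressPrefix $AddressSpace -Subnet $subnetCfg
    $subnetId = ($vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }).Id

    # 3. NIC in that subnet. No -PublicIpAddressId, so the VM is private-address only.
    $nic = New-AzNetworkInterface -Name "$VmName-nic" -ResourceGroupName $ResourceGroup `
        -Location $Location -SubnetId $subnetId

    # 4. VM definition: size, Windows OS profile, marketplace image, OS disk type, NIC.
    $vmConfig = New-AzVMConfig -VMName $VmName -VMSize $VmSize |
        Set-AzVMOperatingSystem -Windows -ComputerName $VmName -Credential $AdminCredential -ProvisionVMAgent |
        Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
            -Skus '2016-Datacenter' -Version 'latest' |
        Set-AzVMOSDisk -Name "$VmName-osdisk" -CreateOption FromImage -StorageAccountType $OsDiskType |
        Add-AzVMNetworkInterface -Id $nic.Id

    # 5. Deploy. The VM then appears under Virtual machines and inside the resource group.
    New-AzVM -ResourceGroupName $ResourceGroup -Location $Location -VM $vmConfig
}

# Usage: prompt for the local administrator password instead of embedding it.
$cred = Get-Credential -UserName 'labadmin' -Message 'VM local administrator'
New-LabVm -ResourceGroup 'Lab-RG' -Location 'uksouth' -VmName 'LAB-VM1' -AdminCredential $cred
```

Building the VM from `New-AzVMConfig` rather than the one-line `New-AzVM -Name ...` form is what keeps the public IP and default inbound rules out: the simplified form creates a public IP and an NSG with management ports open unless told otherwise. The auto-shutdown setting from the portal is a separate DevTest Labs schedule resource and is not covered here.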

SCCM 1806 Software Center Customisation

Since SCCM 1710 there has been a device setting that allows customisation of Software Center; 1806 added a further customisation to show a custom web page as an additional tab. As above, you need to be on 1710 or above to have these customisation options.

By default, Software Center has the basic colour scheme and appearance shown in the screenshot.

To start I usually create a new policy to test before pushing out to all users.

  • Open SCCM console
  • Go to Administration > Client settings

Right-click and create a new policy (I called mine Custom Software Center).

Tick the Software Center check box in the policy.

Under Device Settings, set "Select these new settings to specify company information" to Yes.

Then go to Customize. Edit the company name, set the colour scheme and add a company picture. The screenshot shows the default settings. The logo image file needs to be a maximum of 400×100 pixels and 750 KB.

Here are the updated settings.

To add a custom tab with a URL to a support site or blog post, go to Tabs and tick "Specify a custom tab for Software Center". (This is only available if SCCM is 1806 or above.)

  • Add a custom tab name
  • Add a URL


Once finished editing the policy it needs to be deployed to the required collection. Right-click on the custom policy and go to Deploy.

Then select the device collection to deploy to.

Once the policy is deployed, go to a device in the collection to update the machine policy. Go to Control Panel > Configuration Manager > Actions > Machine Policy Retrieval & Evaluation Cycle and click Run Now.

Once the policy is updated, Software Center should show the new colour scheme, company logo and custom URL tab.

 

Using VMware PowerCli Part 1

Since vSphere 6.0 I have started to use the VMware PowerCLI module to automate tasks and checks that I do daily, or for large tasks that would take a long time to do manually. I am going to go through installing PowerCLI and some of the useful commands and scripts that can be used to check VMware.

To install PowerCLI there are some prerequisites:

OS type: 64-bit

Server:
  • Windows Server 2012 R2
  • Windows Server 2008 R2 Service Pack 1

Workstation:
  • Windows 10
  • Windows 8.1
  • Windows 7 Service Pack 1

Software:
  • Windows PowerShell 3.0, 4.0, 5.0, or 5.1
  • .NET Framework 4.5, 4.5.x, 4.6, or 4.6.x

I would recommend installing the latest version of PowerShell, which is currently 5.1.

To check the current version of PowerShell run $PSVersionTable

To install the latest version, install Windows Management Framework 5.1; the link to the download page is below.

https://www.microsoft.com/en-us/download/details.aspx?id=54616

Step 1 is to install PowerCLI

The old PowerCLI was a PowerShell snap-in and required downloading an exe to install; the new version is module based and can be installed directly from the PowerShell console. To install, run the below command.

Install-Module VMware.PowerCLI

If you need to update the module to a new release run

Update-Module VMware.PowerCLI

If a path is not specified, the default location that the module files will be placed in is

C:\Program Files\WindowsPowerShell\Modules

Once the install has finished, verify that PowerCLI is installed by listing the installed modules.

Step 2 is to connect to vCenter

To connect to vCenter, open an elevated PowerShell console and import the VMware module:

Import-Module VMware.PowerCLI

Then connect to the vCenter server (lab-VC is my vCenter server name):

Connect-VIServer lab-VC

Once connected we can start to run commands against vCenter.

To get host information run

Get-VMHost


To find all VMs that have snapshots older than a certain date. I want to get all snapshots older than 1 day; to change this just edit the $date variable.

$date = (Get-Date).AddDays(-1)
$Snapshot = Get-VM | Get-Snapshot
$Snapshot | Where-Object { $_.Created -lt $date }

To check datastores you can run

Get-Datastore


To get additional info you can do some maths and use calculated properties to get the % free space of the datastores. The below will return all datastores that have less than 25% free space.

Get-Datastore | Select-Object Name,
    @{N="UsedSpaceGB"; E={[math]::Round($_.CapacityGB - $_.FreeSpaceGB, 2)}},
    @{N="FreeSpaceGB"; E={[math]::Round($_.FreeSpaceGB, 2)}},
    @{N="%Free";       E={[math]::Round($_.FreeSpaceGB / $_.CapacityGB * 100, 2)}} |
    Where-Object { $_."%Free" -lt 25 }
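The snapshot and datastore one-liners above are the sort of thing that ends up as a daily check, so here they are as an added example (not the post's own code) wrapped into functions with parameters, snapshot size and age, a divide-by-zero guard for an inaccessible datastore reporting 0 GB capacity, and a wrapper that connects, writes both reports to CSV and always disconnects. The vCenter name, credential and output folder are assumptions.

```powershell
# Added example (not from the original post). Requires the VMware.PowerCLI module.

function Get-StaleSnapshotReport {
    # Snapshots older than N days, with owner VM, size and age, oldest first.
    param([int] $OlderThanDays = 1)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-VM | Get-Snapshot | Where-Object { $_.Created -lt $cutoff } |
        Select-Object @{N='VM'; E={ $_.VM.Name }}, Name, Description, Created,
            @{N='AgeDays'; E={ [int]((Get-Date) - $_.Created).TotalDays }},
            @{N='SizeGB';  E={ [math]::Round($_.SizeGB, 2) }} |
        Sort-Object Created
}

function Get-DatastoreSpaceReport {
    # Datastores below a free-space threshold, with used/free/capacity in GB.
    param([int] $MinPercentFree = 25)
    Get-Datastore | ForEach-Object {
        # An unmounted or inaccessible datastore can report 0 GB capacity; avoid dividing by it.
        $pctFree = if ($_.CapacityGB -gt 0) {
            [math]::Round($_.FreeSpaceGB / $_.CapacityGB * 100, 2)
        } else { 0 }
        [pscustomobject]@{
            Name        = $_.Name
            CapacityGB  = [math]::Round($_.CapacityGB, 2)
            UsedSpaceGB = [math]::Round($_.CapacityGB - $_.FreeSpaceGB, 2)
            FreeSpaceGB = [math]::Round($_.FreeSpaceGB, 2)
            PercentFree = $pctFree
        }
    } | Where-Object { $_.PercentFree -lt $MinPercentFree } | Sort-Object PercentFree
}

function Invoke-VCenterDailyCheck {
    param(
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string]       $OutFolder,
        [int] $SnapshotAgeDays = 1,
        [int] $MinPercentFree  = 25
    )
    Connect-VIServer -Server $Server -Credential $Credential | Out-Null
    try {
        $stamp = Get-Date -Format 'yyyyMMdd'
        Get-StaleSnapshotReport -OlderThanDays $SnapshotAgeDays |
            Export-Csv -Path (Join-Path $OutFolder "snapshots-$stamp.csv") -NoTypeInformation
        Get-DatastoreSpaceReport -MinPercentFree $MinPercentFree |
            Export-Csv -Path (Join-Path $OutFolder "datastores-$stamp.csv") -NoTypeInformation
    }
    finally {
        # Always drop the session, even if a report throws; -Confirm:$false for unattended runs.
        Disconnect-VIServer -Server $Server -Confirm:$false
    }
}

# Usage (assumed values; prompts for the vCenter credential rather than storing it):
$cred = Get-Credential -Message 'vCenter account'
Invoke-VCenterDailyCheck -Server 'lab-VC' -Credential $cred -OutFolder 'C:\Reports'
```

Emitting objects rather than formatted text is what lets the same functions feed `Export-Csv`, `Where-Object` or an e-mail body without rewriting them.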

Add secondary IP to Network Adapter Windows

A web developer was adding IPs to some existing web servers, and once these were added we started having routing issues on the servers: the sites would not respond and the server could not talk back to the production network from the DMZ.

I checked the server and was getting inconsistent results, as I could ping a device sometimes but not at other times, so it looked like a network issue.

I ran the below command to check what traffic was being sent and saw that there were multiple IPs being used as the local address for traffic.

Get-NetTCPConnection -LocalAddress 192.168.0.*

I decided to check SkipAsSource on the interface, as this was the cause of a similar issue that happened before.

These commands return all IPs, the interface name and whether the IP is set to SkipAsSource; the new IP should have this set to true.

CMD:

Netsh int ipv4 show ipaddresses level=verbose

PowerShell:

Get-NetIPAddress | Select-Object IPAddress, InterfaceAlias, SkipAsSource

When I checked, the new IP was set to false, which meant both the original and the new IP were being used. To fix this I either need to remove the IP and re-add it using cmd or PowerShell with skip-as-source set to true, or set it to true on the existing address using PowerShell.

If you don’t want to remove and re-add the address, use the below command to set SkipAsSource to true on the existing address:

Set-NetIPAddress -IPAddress "192.168.0.200" -InterfaceAlias "LAN" -SkipAsSource $true

The second option is to remove the IP from the network settings and re-add it using the command line; below are the CMD and PowerShell versions.

CMD:

Netsh int ipv4 add address "Interface Name" "IP Address" "Netmask" skipassource=true

Below is a full example:

Netsh int ipv4 add address "LAN" 192.168.0.200 255.255.255.0 skipassource=true

PowerShell:

New-NetIPAddress -IPAddress "IP Address" -PrefixLength "Prefix Length" -InterfaceAlias "Interface Name" -SkipAsSource $true

Below is a full example:

New-NetIPAddress -IPAddress 192.168.0.200 -PrefixLength 24 -InterfaceAlias "LAN" -SkipAsSource $true

Once SkipAsSource was set to true there were no more connection issues.
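The check that would have found this straight away is "which interfaces have more than one IPv4 address eligible to be used as a source?". The following PowerShell is an added example and not part of the original post: one function reports that per interface, and a second sets SkipAsSource on every address except the one you name as primary, which is the same fix as the `Set-NetIPAddress` line above applied to all secondaries at once. The interface alias and addresses in the usage lines are the post's lab values.

```powershell
# Added example (not from the original post). Uses the NetTCPIP module cmdlets
# the post already relies on; needs an elevated PowerShell to change settings.

function Get-SourceAddressCandidate {
    # One row per IPv4 interface: all addresses, the ones the stack may pick as a
    # source (SkipAsSource = $false), and a flag when more than one is eligible.
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |      # drops loopback/APIPA-style entries
        Group-Object InterfaceAlias |
        ForEach-Object {
            $eligible = @($_.Group | Where-Object { -not $_.SkipAsSource })
            [pscustomobject]@{
                InterfaceAlias = $_.Name
                Addresses      = (($_.Group | ForEach-Object IPAddress) -join ', ')
                SourceEligible = (($eligible | ForEach-Object IPAddress) -join ', ')
                Ambiguous      = ($eligible.Count -gt 1)
            }
        }
}

function Set-SecondaryAddressSkipAsSource {
    # Marks every IPv4 address on the interface except $PrimaryAddress as SkipAsSource,
    # so outbound traffic (and replies from the server) consistently use the primary.
    param(
        [Parameter(Mandatory)] [string] $InterfaceAlias,
        [Parameter(Mandatory)] [string] $PrimaryAddress
    )
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne $PrimaryAddress -and -not $_.SkipAsSource } |
        Set-NetIPAddress -SkipAsSource $true -PassThru |
        Select-Object IPAddress, InterfaceAlias, SkipAsSource
}

# Usage (post's lab values): find ambiguous interfaces, then fix the LAN adapter
# keeping 192.168.0.100 (assumed primary) as the only source address.
Get-SourceAddressCandidate | Where-Object Ambiguous | Format-Table -AutoSize
Set-SecondaryAddressSkipAsSource -InterfaceAlias 'LAN' -PrimaryAddress '192.168.0.100'
```

The `Ambiguous` flag is the symptom described in the post: two addresses both eligible as source means the server answers from whichever one the stack prefers for that route, which is why the ping results and the DMZ-to-production traffic were inconsistent rather than simply broken.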