Microsoft VDI Guide

Microsoft 2012 R2 / 2016 VDI Guide, updated: 2016.11.18


  • Computer Account and group checks
  • Definitions:
    • RD Member Servers: RDCB, RDWeb, RDGateway, RDSH, RDVH (not including RDL)
  • Check - groups:
    • Local group [RDS Management Servers] on every RD Member Server
      • must contain the RDCB Computer Account
    • Local group [RDS Endpoint Servers] on the RDCB
      • add the Computer Account of every server except RDWeb and RDGateway (i.e. RDCB, RDVH, RDSH)
      • plus [NT AUTHORITY\NETWORK SERVICE] (when adding, set Location to the local machine, type [NETWORK SERVICE] and click Check Names)
    • Local group [RDS Management Servers] on the RDCB
      • add the Computer Account of every RDCB
      • plus
        1. [NT AUTHORITY\NETWORK SERVICE] (when adding, set Location to the local machine, type [NETWORK SERVICE] and click Check Names)
        2. [NT SERVICE\RDMS] (when adding, set Location to the local machine, type [NT SERVICE\RDMS] and click Check Names)
        3. [NT SERVICE\TScPubRPC] (when adding, set Location to the local machine, type [NT SERVICE\TScPubRPC] and click Check Names)
        4. [NT SERVICE\Tssdis] (when adding, set Location to the local machine, type [NT SERVICE\Tssdis] and click Check Names)
    • Local group [RDS Remote Access Servers] on the RDCB
      • add the Computer Account of every RDWeb and RDGateway
    • AD [RDS Endpoint Servers] group
      • add the Computer Account of every RDCB, RDVH and RDSH
      • Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
    • AD [RDS Management Servers] group
      • add the Computer Account of every RDCB
      • Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
    • AD [RDS Remote Access Servers] group
      • add the Computer Account of every RDCB, RDWeb and RDGateway
      • Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
    • AD [RAS and IAS Servers] group
      • add the RDGateway (NPS)
      • Servers in this group can access remote access properties of users
    • AD [Terminal Server License Servers] group
      • add the RDL
      • Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
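The membership rules above are easy to get wrong by hand and a single missing computer account breaks deployment actions silently. The following PowerShell audit is an added example, not part of the original notes: it encodes the expected local-group and AD-group membership from the checklist and reports every entry that is missing. It assumes a domain-joined admin workstation with the ActiveDirectory module and WinRM access to each server; the Get-LocalGroupMember cmdlet exists on Server 2016+ only, so 2012 R2 hosts fall back to parsing `net localgroup`. All server names are constructed placeholders.

```powershell
# Added example (not from the original notes): audit RDS local groups on each RD member
# server and the RDS AD groups against the checklist. Server names are placeholders.
$Rdcb      = @('RDCB01', 'RDCB02')
$RdWeb     = @('RDWEB01')
$RdGateway = @('RDGW01')
$RdSh      = @('RDSH01')
$RdVh      = @('RDVH01')
$RdL       = @('RDL01')                                   # license server, not an RD member server
$Members   = $Rdcb + $RdWeb + $RdGateway + $RdSh + $RdVh   # RD member servers as defined above

# Computer accounts are written DOMAIN\NAME$ because that is how group members are reported
$Domain = (Get-ADDomain).NetBIOSName
function Acct([string[]]$Hosts) { $Hosts | ForEach-Object { "$Domain\$_`$" } }

# Expected local-group membership, keyed by server then by group
$Expected = @{}
foreach ($s in $Members) {
    $Expected[$s] = @{ 'RDS Management Servers' = @(Acct $Rdcb) }
}
foreach ($s in $Rdcb) {
    $Expected[$s]['RDS Endpoint Servers']       = @(Acct ($Rdcb + $RdVh + $RdSh)) + 'NT AUTHORITY\NETWORK SERVICE'
    $Expected[$s]['RDS Management Servers']    += 'NT AUTHORITY\NETWORK SERVICE', 'NT SERVICE\RDMS',
                                                  'NT SERVICE\TScPubRPC', 'NT SERVICE\Tssdis'
    $Expected[$s]['RDS Remote Access Servers']  = @(Acct ($RdWeb + $RdGateway))
}

function Get-LocalMembers([string]$Server, [string]$Group) {
    Invoke-Command -ComputerName $Server -ArgumentList $Group -ScriptBlock {
        param($g)
        if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
            (Get-LocalGroupMember -Group $g).Name
        } else {
            # Server 2012 R2: parse 'net localgroup' output, dropping header and footer lines
            net localgroup $g | Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
        }
    }
}

$LocalReport = foreach ($s in $Expected.Keys) {
    foreach ($g in $Expected[$s].Keys) {
        $have = @(Get-LocalMembers -Server $s -Group $g)
        foreach ($want in $Expected[$s][$g]) {
            [pscustomobject]@{ Server = $s; Group = $g; Member = $want; Present = ($have -contains $want) }
        }
    }
}

# Expected AD group membership from the checklist
$AdExpected = @{
    'RDS Endpoint Servers'           = Acct ($Rdcb + $RdVh + $RdSh)
    'RDS Management Servers'         = Acct $Rdcb
    'RDS Remote Access Servers'      = Acct ($Rdcb + $RdWeb + $RdGateway)
    'RAS and IAS Servers'            = Acct $RdGateway
    'Terminal Server License Servers' = Acct $RdL
}
$AdReport = foreach ($g in $AdExpected.Keys) {
    $have = @(Get-ADGroupMember -Identity $g | ForEach-Object { "$Domain\$($_.SamAccountName)" })
    foreach ($want in $AdExpected[$g]) {
        [pscustomobject]@{ Server = 'AD'; Group = $g; Member = $want; Present = ($have -contains $want) }
    }
}

# Only the gaps are interesting; an empty table means the checklist is satisfied
@($LocalReport) + @($AdReport) | Where-Object { -not $_.Present } |
    Sort-Object Server, Group | Format-Table Server, Group, Member -AutoSize
```

Run it after every role change; the local groups are re-evaluated at service start, so a server added to a group also needs a reboot before the broker will talk to it.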
  • Check - User Profile Disk storage
    • The User Profile Disk file share uses SMB 3.0; create it via Server Manager\File and Storage Services\Shares -> New Share
      and choose the "SMB Share - Applications" file share profile
    • It must not be a hidden share, i.e. do not append a $ to the share name
    • In both the Share and the NTFS permissions, confirm that the RDCB and the Computer Account of every RDSH/RDVH that will store User Profile Disks in this location, plus Local Administrators, are present with Full Control
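The share rules above (non-hidden name, Full Control at both the share and NTFS layers for every broker and host computer account) are the ones that fail most often in practice. This PowerShell snippet is an added example, not code from the original notes: it creates the share the way the "Applications" profile does and then verifies each principal at both layers. It assumes it runs as an administrator on the file server and that the domain NetBIOS name matches the logged-on user's domain; the path, share name and server names are constructed placeholders.

```powershell
# Added example (not from the original notes): create and verify the UPD share.
$SharePath  = 'D:\UPD'
$ShareName  = 'UPD'                       # no trailing '$': hidden shares are not allowed for UPDs
$Domain     = $env:USERDOMAIN             # assumption: NetBIOS domain of the admin running this
$RdServers  = 'RDCB01', 'RDCB02', 'RDSH01', 'RDVH01'   # constructed placeholders
$Principals = @('BUILTIN\Administrators') + ($RdServers | ForEach-Object { "$Domain\$_`$" })

if ($ShareName.EndsWith('$')) { throw "UPD share must not be hidden: '$ShareName'" }
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null

# NTFS layer: Full Control for each computer account and local Administrators, inherited downward
$acl = Get-Acl -Path $SharePath
foreach ($p in $Principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# Share layer: the Applications profile disables client-side caching and access-based enumeration
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $Principals `
        -FolderEnumerationMode Unrestricted -CachingMode None | Out-Null
}

# Verify: every principal must have Full Control (Allow) at both layers
$shareAcl = Get-SmbShareAccess -Name $ShareName
$ntfsAcl  = (Get-Acl -Path $SharePath).Access
foreach ($p in $Principals) {
    $s = $shareAcl | Where-Object { $_.AccountName -eq $p -and $_.AccessRight -eq 'Full' -and $_.AccessControlType -eq 'Allow' }
    $n = $ntfsAcl  | Where-Object { $_.IdentityReference.Value -eq $p -and $_.FileSystemRights -match 'FullControl' -and $_.AccessControlType -eq 'Allow' }
    '{0,-28} share={1,-5} ntfs={2}' -f $p, [bool]$s, [bool]$n
}

# Any client still negotiating below SMB 3.0 will not get the UPD semantics the notes rely on
Get-SmbConnection | Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Format-Table ClientComputerName, Dialect, ShareName -AutoSize
```

If the verification table shows `ntfs=False` for a computer account that was just joined to the domain, the account SID may not have replicated to the file server's domain controller yet; re-run after replication rather than widening the permissions.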
    • Check - RD Gateway settings:
      • Without HA
        • RD Gateway -> Properties -> Server Farm -> add every RD Gateway server by FQDN
        • RD Gateway -> Resource Authorization Policies
          1. Create a Local Computer Group:
            Resource Authorization Policies -> right-click -> Manage Local Computer Groups
            -> Create Local Computer Group: [RDCB_Members] (name is arbitrary)
            -> add the FQDN of the RDCB server
          2. Create a RAP policy that allows Domain Users to connect to the [RDCB_Members] Local Computer Group network resource
          3. (Optional) Create a RAP policy that allows Domain Admins to connect to All Network Resources, for ease of administration
        • NPS Policy
          1. Connection Request Policy needs no change
          2. Network Policy needs no change
      • HA
        • NLB
          1. Created the usual way, no special settings
          2. An A record for the NLB IP must be added in DNS; this becomes the FQDN used to connect to RD Gateway
          3. The RD Gateway certificate must also use this FQDN
        • RD Gateway -> Resource Authorization Policies
          • Create a Local Computer Group:
            • Resource Authorization Policies -> right-click -> Manage Local Computer Groups
              -> Create Local Computer Group: [RDCB_Members] (name is arbitrary)
              -> add the FQDN of every RDCB server plus the HA round-robin DNS FQDN
      • Domain Trust
        • NPS Policy
          • Network Policy -> RDG_CAP_AllUsers -> Conditions -> User Group -> add the trusted domain's [Domain Users]
        • RD Gateway -> Resource Authorization Policies
          • Connection Authorization Policies -> RDG_CAP_AllUsers -> Requirements -> User group -> add the trusted domain's [Domain Users]
            (in theory this should follow the NPS RDG_CAP_AllUsers policy change, but verify it)
          • -> Resource Authorization Policies -> RDG_AllDomainComputers -> User groups -> add the trusted domain's [Domain Users]
    • RDCB HA setup:
      • The SQL 2012 Native Client must be installed on the RDCB first
      • AD group: create a Global Group [RDCB Servers], join the RDCB servers to it, then reboot
      • DNS: create the RDCB DNS round-robin A record as the FQDN (it must be an A record, not a CNAME or any other type);
        the RDCB HA certificate must also use this FQDN
      • SQL Server installation features:
        • Database Engine Services
        • Client Tools Connectivity
        • Client Tools Backwards Compatibility
        • Management Tools - Basic
          • Management Tools - Complete
        • SQL Client Connectivity
      • SQL Server configuration notes:
        • Open TCP port 1433
        • SQL Server Configuration Manager -> SQL Native Client 11.0 Configuration -> Client Protocols -> TCP/IP
        • Allow inbound TCP 1433 through the firewall
      • SQL settings:
        • add the AD group [RDCB Servers] as a SQL Security login and give it the [dbcreator role] (default settings need not be modified)
        • add every RDCB server Computer Account to the [RDS Management Servers] group on the SQL Server
        • reboot both RDCB servers and the SQL Server
        • mkdir D:\RDCB on the SQL Server; this is the DB file location specified later
      • RDCB HA settings
        • SQL Connection String (adjust the server FQDN and database name to your environment):
          • DRIVER=SQL Server Native Client 11.0;SERVER=SQL.Contoso.com;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;Database=RDCB
        • Database Store Path (adjust as needed)
          • D:\RDCB
        • DNS Round Robin FQDN (adjust as needed)
          • RDCB.Contoso.com
        • After HA is configured on the first RDCB
          1. In SQL Security, remove the [dbcreator role] from the Global Group [RDCB Servers] and grant it the [Owner] permission on the RDCB DB
          2. Then add the second RDCB
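Every prerequisite in the HA procedure above (Native Client, TCP 1433, A-record-only round robin, the global group, the database folder) is something the wizard reports only as a generic failure when missing. The script below is an added example, not part of the original notes: it checks each prerequisite from the first RDCB and, only if all pass, enables HA with the RemoteDesktop module's `Set-RDConnectionBrokerHighAvailability` using the same three inputs the wizard asks for. It assumes the ActiveDirectory and RemoteDesktop modules are present and WinRM reaches the SQL server; the SQL host, database, round-robin FQDN, DNS server and group name are constructed placeholders patterned on the notes, and the Native Client registry key is the one its installer creates.

```powershell
# Added example (not from the original notes): RDCB HA prerequisite checks, then enable HA.
$SqlServer = 'SQL.Contoso.com'
$DbName    = 'RDCB'
$DbPath    = 'D:\RDCB'                 # folder created on the SQL server (mkdir step above)
$RrFqdn    = 'RDCB.Contoso.com'        # DNS round-robin name; must be A records, not CNAME
$DnsServer = 'DC01.Contoso.com'
$RdcbGroup = 'RDCB Servers'            # global group holding the RDCB computer accounts
$Rdcbs     = 'RDCB01', 'RDCB02'
$ConnString = "DRIVER=SQL Server Native Client 11.0;SERVER=$SqlServer;Trusted_Connection=Yes;" +
              "APP=Remote Desktop Services Connection Broker;Database=$DbName"

$checks = [ordered]@{}

# 1. SQL Native Client 11.0 installed on this broker (assumption: installer's registry key)
$checks['NativeClient11'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server Native Client 11.0'

# 2. TCP 1433 reachable: covers both the SQL TCP/IP protocol and the firewall rule
$checks['Sql1433Reachable'] = (Test-NetConnection -ComputerName $SqlServer -Port 1433 `
                                -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. Round-robin name: no CNAME, and exactly one A record per broker
$rr = @(Resolve-DnsName -Name $RrFqdn -Server $DnsServer -ErrorAction SilentlyContinue)
$checks['RrNoCname']    = @($rr | Where-Object Type -eq 'CNAME').Count -eq 0
$checks['RrOnePerRdcb'] = @($rr | Where-Object Type -eq 'A').Count -eq $Rdcbs.Count

# 4. The group is Global and contains every broker (each broker needs a reboot after joining)
$grp     = Get-ADGroup -Identity $RdcbGroup
$members = @(Get-ADGroupMember -Identity $RdcbGroup | ForEach-Object SamAccountName)
$checks['GroupIsGlobal']   = $grp.GroupScope -eq 'Global'
$checks['AllRdcbsInGroup'] = @($Rdcbs | Where-Object { $members -notcontains "$_`$" }).Count -eq 0

# 5. Database folder exists on the SQL server
$checks['DbFolderExists'] = Invoke-Command -ComputerName $SqlServer -ArgumentList $DbPath `
                              -ScriptBlock { param($p) Test-Path -Path $p }

$checks.GetEnumerator() | ForEach-Object { '{0,-18} {1}' -f $_.Key, $_.Value }

if (@($checks.Values) -notcontains $false) {
    # The DB is created under the group's dbcreator right. Afterwards, per the notes,
    # swap dbcreator for ownership of that DB and add the second broker with Add-RDServer.
    Set-RDConnectionBrokerHighAvailability -DatabaseConnectionString $ConnString `
        -DatabaseFilePath (Join-Path $DbPath "$DbName.mdf") -ClientAccessName $RrFqdn
    Get-RDConnectionBrokerHighAvailability
} else {
    Write-Warning 'Fix the failed checks before enabling HA'
}
```

`Get-RDConnectionBrokerHighAvailability` returning the connection string and client access name is the confirmation that the broker has switched to the shared database; until the second broker is added it is still a single point of failure.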
    • Firewall settings to allow inbound Shadow (remote control)
      • File and Printer Sharing (Echo Request - ICMPv4-In)
      • File and Printer Sharing (Echo Request - ICMPv6-In)
      • File and Printer Sharing (NB-Name-In)
      • File and Printer Sharing (NB-Session-In)
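The four rules above exist once per firewall profile, so enabling them in the GUI on each host is tedious and easy to do on the wrong profile. This is an added example, not from the original notes: it enables the Domain-profile copies on every session and virtualization host over WinRM and reports any that are still disabled. The host list is a constructed placeholder.

```powershell
# Added example (not from the original notes): enable the Shadow-related inbound rules remotely.
$Hosts = 'RDSH01', 'RDVH01'    # constructed placeholders
$Rules = 'File and Printer Sharing (Echo Request - ICMPv4-In)',
         'File and Printer Sharing (Echo Request - ICMPv6-In)',
         'File and Printer Sharing (NB-Name-In)',
         'File and Printer Sharing (NB-Session-In)'

$result = Invoke-Command -ComputerName $Hosts -ArgumentList (,$Rules) -ScriptBlock {
    param([string[]]$names)
    # Enable only the Domain (or Any) profile copies; Public/Private copies stay as they are
    Get-NetFirewallRule -DisplayName $names |
        Where-Object { $_.Profile -match 'Domain|Any' } | Enable-NetFirewallRule
    Get-NetFirewallRule -DisplayName $names |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, DisplayName, Profile, Enabled
}

$result | Sort-Object Host, DisplayName | Format-Table Host, DisplayName, Profile, Enabled -AutoSize
$result | Where-Object { $_.Profile -match 'Domain|Any' -and "$($_.Enabled)" -ne 'True' } |
    ForEach-Object { Write-Warning "$($_.Host): '$($_.DisplayName)' ($($_.Profile)) is still disabled" }
```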
    • Connection-related
      • GPO (Allow MsRdpClientShell Class (MsRdpWebAccess.dll))
        User Configuration -> Policies -> Administrative Templates -> Windows Components
        -> Internet Explorer -> Security Features -> Add-on Management
        Add-on List:
        Value name: {6A5B0C7C-5CCB-4F10-A043-B8DE007E1952}
        Value: 1
      • GPO Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation
        Allow delegating default credentials -> Add servers to the list:
        [Select] Concatenate OS defaults with input above
      • GPO, both User Configuration & Computer Configuration
        -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client
        Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
        Enter the SHA1 thumbprint of the RDCB certificate
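The three policies above fail quietly: a wrong or stale thumbprint just brings back the "unknown publisher" prompt, and a delegation list that does not cover the broker name brings back the credential prompt. The following check is an added example, not code from the original notes. It reads the thumbprint of the broker's publishing certificate (the one that signs .rdp files) with the RemoteDesktop module's `Get-RDCertificate` and compares it with what policy applied on the client. The registry locations are the ones these administrative templates normally write to; treat them as an assumption and confirm with `gpresult /h` if a check disagrees with the GUI. The RDCB name and DNS suffix are constructed placeholders.

```powershell
# Added example (not from the original notes): verify the three connection GPOs on a client.
$Rdcb       = 'RDCB01.contoso.com'                        # placeholder
$AddonClsid = '{6A5B0C7C-5CCB-4F10-A043-B8DE007E1952}'    # MsRdpClientShell class, from the notes

# Thumbprint of the certificate the broker signs .rdp files with (RD Connection Broker - Publishing)
$pubThumb = Invoke-Command -ComputerName $Rdcb -ScriptBlock {
    (Get-RDCertificate -Role RDPublishing).Thumbprint
}

$checks = [ordered]@{}

# 1. Add-on Management: the CLSID must be allowed (data "1") in the user policy hive (assumed location)
$ext = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
$checks['AddonAllowed'] = (Get-ItemProperty -Path $ext -ErrorAction SilentlyContinue).$AddonClsid -eq '1'

# 2. Credentials Delegation: enabled, OS defaults concatenated, and a TERMSRV/ entry covering the broker
$cd      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'   # assumed location
$cdProps = Get-ItemProperty -Path $cd -ErrorAction SilentlyContinue
$spns    = (Get-ItemProperty -Path "$cd\AllowDefaultCredentials" -ErrorAction SilentlyContinue).PSObject.Properties |
           Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
$checks['DelegationEnabled']   = $cdProps.AllowDefaultCredentials -eq 1
$checks['ConcatenateDefaults'] = $cdProps.ConcatenateDefaults_AllowDefault -eq 1
$checks['SpnCoversRdcb']       = [bool]($spns | Where-Object { "TERMSRV/$Rdcb" -like $_ })

# 3. Trusted .rdp publishers: comma-separated SHA1 thumbprints (assumed location)
$ts      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$trusted = @(((Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue).TrustedCertThumbprints -split ',') |
             ForEach-Object { $_.Trim().ToUpper() })
$checks['PublisherTrusted'] = $trusted -contains $pubThumb.ToUpper()

$checks.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
```

Re-run the check after renewing the broker's publishing certificate: the thumbprint changes with every renewal, and the policy value has to be updated by hand.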
    • Remote Desktop Certificates:
      • https://blogs.technet.microsoft.com/enterprisemobility/2010/04/09/configuring-remote-desktop-certificates/
    • ubuntu
      • Enable RDP to ubuntu
        • http://www.tweaking4all.com/software/linux-software/use-xrdp-remote-access-ubuntu-14-04/
        • sudo apt-get update
        • sudo apt-get install xrdp
        • sudo apt-get install xfce4
          # Option Install XFCE4 terminal (way better than xterm)
        • sudo apt-get install xfce4-terminal
          # Option Install icon sets
        • sudo apt-get install gnome-icon-theme-full tango-icon-theme
        • echo xfce4-session >~/.xsession
        • sudo nano /etc/xrdp/startwm.sh
          # add this block before the line that starts the session, so the locale is exported into xrdp sessions
          if [ -r /etc/default/locale ]; then
            . /etc/default/locale
            export LANG LANGUAGE
          fi
        • sudo service xrdp restart
      • Install Remmina and FreeRDP to Connect to VDI Through RD Gateway
        • sudo apt-get update
        • sudo apt-get dist-upgrade
        • sudo apt-add-repository ppa:remmina-ppa-team/remmina-next
        • sudo apt-get update
        • sudo apt-get install freerdp-x11 remmina remmina-plugin-rdp
        • sudo apt-get upgrade
        • xfreerdp --version
    • CA:
      • Add the CA CertSRV web site to Trusted Sites; Custom level: enable "Initialize and script ActiveX controls not marked as safe for scripting"
      • Extending the validity period of CA-issued certificates
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName> --> ValidityPeriod / ValidityPeriodUnits --> net stop/start certsvc
      • CA -> Properties -> Extensions,
      • CDP: keep only the C:\Windows\oooxxx entry (with Publish CRLs & Delta CRLs checked), uncheck all the others, Add, copy the example pattern and change the URL
      • Check "Include in CRLs. Clients use this to find Delta CRL locations." and "Include in the CDP extension of issued certificates"
      • AIA: uncheck everything except the C:\Windows\oooxxx entry, Add, copy the example pattern and change the URL, check "Include in the AIA extension of issued certificates"
      • If the web site serving the revocation list runs IIS 7.0, Delta CRLs cannot be browsed because the file name contains a + sign, so the Enterprise CA cannot read the Delta CRL: https://support.microsoft.com/en-us/kb/942076
      • C: cd %windir%\system32\inetsrv
      • Run one of the following commands:
      • Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
      • Add the certificate publishing web URL to IE Trusted Sites
      • https://thewolfblog.com/2014/02/02/configuring-ha-for-the-remote-desktop-connection-broker/
      • Export the SubCA in .p7b format, confirm the revocation web site is reachable (install using the RootCA), and include the whole CA chain
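A CDP that publishes correctly but cannot be downloaded (the `+` in the delta CRL name being the classic case) shows up days later as RD clients refusing the gateway or broker certificate. The script below is an added example, not part of the original notes: it reads the validity ceiling from the registry path given above, checks the IIS `allowDoubleEscaping` setting from KB942076, downloads both the base and the delta CRL and confirms `certutil` decodes them, and finally lets the Windows chain engine fetch AIA/CDP for a certificate this CA issued. It assumes it runs on the CA with IIS serving the CDP locally (WebAdministration module); the CA name and CRL base URL are constructed placeholders.

```powershell
# Added example (not from the original notes): post-configuration checks for the CA items above.
$CaName  = 'Contoso-SubCA'                       # the <CAName> part of the registry path (placeholder)
$CrlBase = 'http://pki.contoso.com/CertEnroll'   # URL entered in the CDP/AIA extensions (placeholder)
$RegPath = "HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# 1. Issued-certificate lifetime ceiling; templates cannot exceed it, and certsvc must restart after edits
$vp = Get-ItemProperty -Path $RegPath -Name ValidityPeriod, ValidityPeriodUnits
'Validity ceiling: {0} {1}' -f $vp.ValidityPeriodUnits, $vp.ValidityPeriod

# 2. Request filtering must allow the '+' in delta CRL names (KB942076)
Import-Module WebAdministration
$ade = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping
"allowDoubleEscaping: $($ade.Value)"

# 3. Base and delta CRL downloadable over HTTP and decodable as CRLs
foreach ($file in "$CaName.crl", "$CaName+.crl") {
    $url = "$CrlBase/$file"
    $tmp = Join-Path $env:TEMP $file
    try {
        $r = Invoke-WebRequest -Uri $url -OutFile $tmp -PassThru -UseBasicParsing -ErrorAction Stop
        $dump  = & certutil.exe -dump $tmp 2>&1
        $isCrl = [bool]($dump | Select-String 'Certificate Revocation List')
        '{0,-55} HTTP {1}  CRL={2}' -f $url, $r.StatusCode, $isCrl
    } catch {
        '{0,-55} FAILED: {1}' -f $url, $_.Exception.Message
    }
}

# 4. End-to-end: the chain engine fetches AIA/CDP for a certificate this CA issued, as RD clients do
$issued = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Issuer -like "CN=$CaName,*" } | Select-Object -First 1
if ($issued) {
    $cer = Join-Path $env:TEMP 'issued-by-ca.cer'
    Export-Certificate -Cert $issued -FilePath $cer | Out-Null
    & certutil.exe -verify -urlfetch $cer | Select-String 'Verified|Failed|Error|expired'
}
```

Step 4 is the one that matters for RDS: `certutil -verify -urlfetch` fails exactly the way the RD client does, so a clean result there means the gateway and broker certificates will validate on clients that have never cached the CRL.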
    • Debug:
      • If the connection target keeps showing as an IP address and never becomes the computer's FQDN, first flush DNS on the RDCB and RDGateway and retry; if that still fails, clear the leased IP addresses in DHCP, delete the Pooled VMs' DNS A records, shut down the RDCB, RDWeb and DC, power on the DC first, then the RDCB and RDWeb, and try again
        The user "Contoso\UserName", on client computer "", did not meet resource authorization policy requirements and was therefore not authorized to resource "". The following error occurred: "23002".
      • RD Gateway Manager crashing when adding a RAP
        Uninstalling the .NET Framework 4.6.1 Update for Microsoft Windows (KB3102467) fixes the issue.
      • RD Gateway Manager -> Manage Local Computer Group -> Create group -> Name: [RDCB Members] / Network Resources: RDCB.Contoso.com -> OK
      • NPS Manager -> Policies -> Network Policies -> RDG_CAP_AllUsers -> Conditions -> User Groups -> add trusted domain\domain users
        Join the RDG's NPS to the domain and reboot
      • RDWeb NLB only needs TCP 80 & 443 redirected;
        RDGateway NLB only needs TCP 443 & UDP 3391 redirected
      • Remote Desktop Connection Broker Client failed to redirect the user Domain\UserName.
        Error: NULL
        Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
        User : Domain\UserName
        Error: Element not found.
        => Possible cause: the User Profile Disk is held open (Open File)
        Check with Sidder, or Computer Management -> Shared Folders -> Open Files -> Close
      • Pooled VM Computer Account passwords may become invalid:
        Domain computer lost trust, PowerShell command: [Reset-ComputerMachinePassword]; Trust relationship has been lost with domain controller
        the trust relationship between this workstation and the primary domain failed
        Avoiding issues related to the machine account password change
        To avoid this issue, disable the automatic password change, as follows:
        On your gold image, open the Registry editor.
        Navigate to the following key:
        Change the value of DisablePasswordChange to 1.
      • Before deleting or renaming a Computer Account, the server must first be removed from every role it holds in the VDI deployment; only then may the Computer Account be changed, otherwise the whole VDI deployment breaks
        • These operations are best performed on the active RDCB
        • The roles that belong to the VDI deployment include RDCB, RDWeb, RDGateway, RDL, RDSH, RDVH, etc.
        • To remove the RDVH role, first delete all VMs on it, then remove the RDVH role
        • To remove the RDSH role, first remove it from the Session Collection members, then remove the RDSH role

    • After the user enters the Resource Dashboard via RDWeb and clicks the required resource, a credential prompt appears while connecting, but login still fails after the credentials are entered
      • Check whether the user account is locked out from too many wrong password attempts => rule that out
      • Check whether the User Profile Disk has an Open File; if so, find the user in the RDCB Connections list and log them off
      • If the user is not in the Connections list, check which RDVH has the User Profile Disk open
        • Find that RDVH and the VM concerned, and shut the VM down cleanly
        • Check whether the User Profile Disk has been released
        • If it still has not been released, force Close Open Files and ask the user to log in again

    When connecting, Remote Desktop Connection shows the following message and cannot connect:
    Remote Desktop can't find the computer 'RDCB.Contoso.com'. This might mean that "RDCB.Contoso.com" does not belong to the specified network. Verify the computer name and domain that you are trying to connect to.

    [RDCB] Event Log - TerminalServices-SessionBroker shows Event ID 801 at Level: Verbose
    RD Connection Broker successfully processed the connection request for user Contoso\UserName. Redirection info: 
    This shows RDS is working normally and has assigned a VM to the user

    [RDGateway] Event Log - TerminalService-Gateway shows Event ID 304
    The user "Contoso\UserName", on client computer "", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "". Connection protocol used: "HTTP". The following error occurred: "23005".
    This shows the connection passed the RAP and was allowed, but never actually reached the target machine


    • is the IP of the client connecting to RDS
    • is the IP of one of the Pooled VMs (the VM assigned by the RDCB)

    In this case what cannot be found is actually not the RDCB but the assigned VM: if the target VM has lost its IP address and fallen back to 169.254.x.x, the RDCB and RDGateway still redirect the user to the IP in the VM's DNS record, and the target machine cannot be found. The same error occurs whenever the target machine is offline or otherwise unreachable but the RDCB and RDGateway are unaware of it.
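The two troubleshooting paths above (the credential prompt caused by a held-open User Profile Disk, and the "can't find the computer" case where the broker's Event 801 says a VM was assigned but the gateway's 23005 says it was unreachable) can be worked through from one console. The script below is an added example, not part of the original notes: it pulls the broker and gateway events quoted above for one user, extracts the resource name the gateway tried to reach and tests whether it resolves to a usable address rather than a 169.254.x.x one, and checks whether the user's UPD (`UVHD-<SID>.vhdx`) is held open and by which host. It assumes admin rights and WinRM/CIM access to the servers; the server names, UPD server and user name are constructed placeholders. Error codes are matched in the message text rather than by event ID so the same query works for both log levels.

```powershell
# Added example (not from the original notes): one troubleshooting pass for a user's failed connection.
$User      = 'Contoso\UserName'
$Rdcb      = 'RDCB01'
$RdGateway = 'RDGW01'
$UpdServer = 'FS01'                       # file server hosting the UPD share
$Since     = (Get-Date).AddHours(-2)

# 1. Broker: Event 801 (verbose) means a VM was assigned; other events naming the user are listed too
$broker = Invoke-Command -ComputerName $Rdcb -ArgumentList $User, $Since -ScriptBlock {
    param($u, $t)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-SessionBroker/Operational'; StartTime = $t } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($u) } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
$broker | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize

# 2. Gateway: 23002 = RAP rejected the user, 23005 = RAP passed but the resource could not be reached
$gateway = Invoke-Command -ComputerName $RdGateway -ArgumentList $User, $Since -ScriptBlock {
    param($u, $t)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; StartTime = $t } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($u) -and $_.Message -match '"2300[25]"' } |
        Select-Object TimeCreated, Id, Message
}
foreach ($e in $gateway) {
    $res = if ($e.Message -match 'resource "([^"]+)"') { $Matches[1] } else { '' }
    $err = if ($e.Message -match '"(2300\d)"')        { $Matches[1] } else { '?' }
    '{0} gateway error {1} resource="{2}"' -f $e.TimeCreated, $err, $res
    if ($err -eq '23005' -and $res) {
        # The broker redirected to this name: does it resolve, and is the address usable?
        $ips = @((Resolve-DnsName -Name $res -Type A -ErrorAction SilentlyContinue).IPAddress)
        foreach ($ip in $ips) {
            $apipa = $ip -like '169.254.*'
            $rdp   = (Test-NetConnection -ComputerName $ip -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
            '   {0} -> {1}  APIPA={2}  RDP reachable={3}' -f $res, $ip, $apipa, $rdp
        }
        if (-not $ips) { "   $res does not resolve: stale or missing DNS A record" }
    }
}

# 3. User Profile Disk: an open handle on UVHD-<SID>.vhdx shows which host still holds the disk
$sid  = (New-Object Security.Principal.NTAccount($User)).Translate([Security.Principal.SecurityIdentifier]).Value
$open = Get-SmbOpenFile -CimSession $UpdServer | Where-Object { $_.Path -like "*UVHD-$sid.vhdx" }
if ($open) {
    $open | Format-Table ClientComputerName, ClientUserName, Path -AutoSize
    # Order from the notes: log the user off on the RDCB or shut the VM down cleanly first;
    # force-close the handle only if it is still held afterwards.
    $ForceClose = $false
    if ($ForceClose) { $open | Close-SmbOpenFile -Force }
} else {
    "No open UPD handle for $User on $UpdServer"
}
```

When step 2 prints `APIPA=True`, the fix is on the VM and its DHCP lease, not on the broker; when step 3 names an RDVH, that host (and the VM on it) is where the stale session lives, which is what the notes mean by finding "which RDVH has the User Profile Disk open".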



    GPO Reference