Virtual Desktops in a Box: Four Role Services, One Server
The inclusion of virtual desktops in Windows Server 2008 R2 makes their installation compelling from a budgetary perspective. If you have a Windows Server license lying around, you’ve already got what you need to get started.
In this example, I’ll show you how to use that license to create a kind of “virtual-desktops-in-a-box.” You can use this single-server environment for evaluating the technology, or even for small-environment production use. Users who connect to their virtual desktops in this environment will do so via a Web page automatically generated by Remote Desktop Web Access. From that single Web page, users can select their Personal Virtual Desktop, a virtual desktop that has been specifically linked to their user account.
Creating such an environment requires the installation of the RDS role along with four of its role services, all to this single server:
- RD Session Host. This role service handles the session-based functionality that’s traditionally associated with RDS or TS. In this example, the RD Session Host will be used in “redirection mode” to transfer the virtual desktop’s screen, keyboard and mouse commands using the Remote Desktop Protocol.
- RD Connection Broker. In this environment, the connection broker’s primary job is to connect users to their correct virtual desktop.
- RD Web Access. This role service, which also installs components of IIS, creates and manages the Web page end users will access to connect to their virtual desktops.
- RD Virtualization Host. This role service adds functionality to Hyper-V, enabling it to serve virtual desktops to users. Installing this role service also installs the Hyper-V role if it is not yet installed. Remember in creating this “in-a-box” environment that the hardware of the selected server must support the minimum requirements of Hyper-V.
Creating Your First Virtual Desktop
Once these services are installed, you’ll have a number of different configurations to complete in order to interconnect them. You’ll also need to build and specially configure a Windows 7 desktop computer that will eventually become your first virtual desktop. It’s best to start this process by installing and configuring that desktop’s virtual machine and OS, because you’ll need its information in a later step.
The process of creating a Windows 7 virtual desktop is much like any new virtual machine creation. You begin by navigating to the Hyper-V Manager and creating the virtual machine just like any other virtual machine. Assign the virtual machine an appropriate amount of RAM and hard disk space, as well as the correct network. Connect its physical CD/DVD drive to your Windows 7 ISO file and proceed with the installation. Remember the unique name you assign to this virtual machine, because the RD Connection Broker will need this information to connect the user to his virtual desktop.
Give the new virtual desktop a name and IP address, and connect it to your domain. Next, you’ll need to complete a few special configurations to prepare the OS to become a remotely accessible virtual desktop. Those special configurations are detailed here (each should be completed within the virtual desktop’s virtual machine OS):
- Enable Remote Desktop. To allow remote connection to this computer, you’ll obviously need to enable it for Remote Desktop Services. Do this by viewing Computer | Properties, selecting the Remote settings tab, and clicking the radio button for Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Add the user to the Remote Desktop Users group. Users that aren’t administrators must be specifically added to the computer’s local Remote Desktop Users group. Do this in Local Users and Groups by adding the user’s domain user account to the Remote Desktop Users group.
- Allow remote RPC for RDS. You will need to make a registry change to enable remote RPC for the desktop. In the virtual desktop’s registry path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server, change the REG_DWORD value for AllowRemoteRPC to 1.
- Enable a firewall exception. If your environment uses Windows Firewall, you’ll need to add a program exception for Remote Service Management.
- Modify RDP protocol permissions. This final configuration requires you to enter a series of commands into an elevated command prompt on the virtual desktop. Those commands are listed here in order. In each, replace {domain} with your domain’s NetBIOS name, and {rdv_host} with the name of the Hyper-V server:
wmic /node:localhost RDPERMISSIONS where TerminalName="RDP-Tcp" CALL AddAccount "{domain}\{rdv_host}$",1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='{domain}\\{rdv_host}$'" CALL ModifyPermissions 0,1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='{domain}\\{rdv_host}$'" CALL ModifyPermissions 2,1
wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='{domain}\\{rdv_host}$'" CALL ModifyPermissions 9,1
When you’ve completed these configurations, reboot the computer and ensure that it remains powered on but logged off. With the computer logged off, your user will be able to log into her virtual desktop once the final configurations are complete.
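The checklist above widens remote access to the desktop (remote RPC, a firewall exception, and RDP permissions for the host's computer account), so it is worth confirming the end state before users connect. The following read-only PowerShell audit is an added example, not part of the original article; the user name `jdoe` is a placeholder, the group name assumes an English-language OS, and the value names `fDenyTSConnections` and `UserAuthentication` are the standard Remote Desktop registry settings rather than names taken from the article.

```powershell
# Added example: read-only audit of the virtual desktop's Remote Desktop settings.
# Run in an elevated PowerShell session inside the virtual desktop (PowerShell 2.0 compatible).
$ExpectedUser = 'jdoe'   # placeholder: account name of the assigned user

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

function Get-RegValue($Path, $Name) {
    # Return $null instead of throwing when the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$checks = @(
    @{ Setting = 'Remote Desktop enabled (fDenyTSConnections)'; Expected = 0
       Actual  = (Get-RegValue $ts 'fDenyTSConnections') },
    @{ Setting = 'NLA required (UserAuthentication)'; Expected = 1
       Actual  = (Get-RegValue $rdp 'UserAuthentication') },
    @{ Setting = 'Remote RPC allowed (AllowRemoteRPC)'; Expected = 1
       Actual  = (Get-RegValue $ts 'AllowRemoteRPC') }
)

$checks | ForEach-Object {
    New-Object PSObject -Property @{
        Setting = $_.Setting; Expected = $_.Expected; Actual = $_.Actual
        Pass    = ($_.Actual -eq $_.Expected)   # a missing value ($null) fails
    }
} | Select-Object Setting, Expected, Actual, Pass | Format-Table -AutoSize

# Members of the local Remote Desktop Users group; only intended users should appear.
$group   = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
"Remote Desktop Users: $($members -join ', ')"
if ($members -notcontains $ExpectedUser) {
    Write-Warning "$ExpectedUser is not in Remote Desktop Users"
}

# Accounts holding permissions on the RDP-Tcp listener (Win32_TSAccount is the
# WMI class behind wmic's RDACCOUNT alias). After the wmic steps, the host's
# computer account ({domain}\{rdv_host}$) should be listed here.
Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount `
    -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy |
    Select-Object AccountName, PermissionsAllowed | Format-Table -AutoSize
```

Any account in the last table that you did not add deliberately, or a `Pass` of `False` on the NLA row, is worth resolving before the desktop is assigned to a user.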
Connecting the Four Role Services
Now that you’ve created and prepared your first virtual desktop, you’ve got a few final steps to interconnect the four role services. These steps involve making the RD Connection Broker and RD Web Access servers aware of each other, setting up the connection to the personal virtual desktop and, finally, assigning a user to it.
Step one entails telling the RD Connection Broker which computer you intend to use as your RD Web Access server. Do this by navigating to your server’s Local Users and Computers and adding its computer account to the TS Web Access Computers group.
Figure 1 Configuring RD Web Access
In step two, you configure an RD Connection Broker source within RD Web Access. This process completes the connection between these two role services. You can accomplish this by navigating to Administrative Tools | Remote Desktop Services | Remote Desktop Web Access Configuration. This link will launch Internet Explorer and connect it to the local computer’s RD Web Access management page. After logging in with your administrator credentials, you should see a screen similar to Figure 1. There, ensure that the radio button next to An RD Connection Broker server is selected. Because the two roles are on the same computer, you can safely leave “localhost” in the Source name box.
Completing this second task creates the necessary connections so that your users can navigate to this server’s Web page to later find their virtual desktop.
Step three involves actually configuring the connection to your virtual desktop. This is accomplished in the new administrative tool named Remote Desktop Connection Manager (see Figure 2). As you can see, a number of settings have not yet been configured. We’ll configure those settings now.
Figure 2 Remote Desktop Connection Manager
This console comes equipped with a wizard that starts the process for connecting to virtual desktops. Click the link in the Actions pane titled Configure Virtual Desktops Wizard. The wizard first asks for the name of the RD Virtualization Host server. This server corresponds to the Hyper-V host that powers your virtual desktops’ virtual machines.
Figure 3 Configure Virtual Desktops Wizard
In the next screen, you’ll be asked for the fully qualified domain name of your RD Session Host server (see Figure 3). You’ll also see configurations for redirecting down-level clients—those that are not running version 6.1 of the Remote Desktop Connection client—to an alternate server. In the case of this “in-a-box” example, both this and the previous screen should be configured to point to the single server where all four of the role services have been installed.
Next up is configuring the RD Web Access server. This server may already be specified as part of previous configurations. Clicking Next and Apply will complete the configuration; however, one more setting is required to link the virtual desktop with the user. This console can be automatically launched in the final page of the wizard by ensuring the box marked Assign personal virtual desktop is checked.
Figure 4 The Personal Virtual Desktop Wizard
Personal virtual desktops are linked specifically to individual users on a one-to-one basis. This means that any particular user will have exactly one personal virtual desktop, and each personal virtual desktop will have just one user. This link is created using the Assign Personal Virtual Desktop Wizard, shown in Figure 4. There, a user name is associated with a virtual machine. In the figure, you can see how the administrator user has been linked with the virtual machine named w7-vdesktop.contoso.com.
Figure 5 Accessing a Personal Virtual Desktop via RD Web Access
Once the wizard is complete, your user can connect to the RD Web Access Web site (https://localhost/RDWeb) to access his personal virtual desktop. That virtual desktop will appear as an icon labeled My Desktop on the Web page after the user logs in (see Figure 5).
Personal Virtual Desktops Are Only the Start
Microsoft’s solution for virtual desktops only begins with this “in-a-box” configuration. With extra effort, you can expand your environment to multiple Hyper-V servers as well as build different configurations that are better suited for certain needs.
One such configuration might eliminate the direct link between a virtual desktop and its user. With the same equipment, you can also create pooled virtual desktops, which are similarly configured desktops to which users are randomly assigned when they initiate a connection. These pooled virtual desktops are great solutions for applications that are problematic for RDS; however, they require special care as users are never guaranteed to connect to the same virtual desktop every time.