Saturday, January 31, 2015

Install-RDPCert - Remotely install RDP certificate

I have uploaded my first submission to the TechNet Script Gallery!

I'm in the middle of deploying a large RDS 2012 farm - we're currently sitting at around 80+ Session Host servers. One of the things we noticed was that when connecting to the RDS farm from external computers via RD Gateway, you receive a certificate warning, because each Session Host presents a self-signed certificate that the client doesn't trust. We wanted to eliminate these certificate warnings by purchasing a wildcard certificate and installing it on all of the Session Host servers. But how to go about deploying it?

Ryan Mangan, RDS MVP, had written a PowerShell script to replace the self-signed certificate with a certificate from a trusted third-party certificate authority. The problem was that his script only worked on the local machine. So in my scenario, I would have to copy the script and certificate to 80+ individual servers, and run the script 80+ times. No way I'm doing that.

Instead, I used his script as inspiration and wrote my own version that installs the certificate remotely against multiple computers simultaneously. This allows you to install your wildcard certificate across your entire RDS farm with a single command!
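To show the shape of the approach, here is an added example (it is not the Install-RDPCert script from the gallery or Ryan's original): it reads a PFX once, pushes the bytes to each Session Host over WinRM, imports the certificate into the machine store and binds its thumbprint to the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, then reads the setting back so you can verify each host. The host names and the PFX path are assumptions.

```powershell
# Added example, not the author's Install-RDPCert script.
# Assumed inputs: the Session Host names and the PFX path below are illustrative.
$SessionHosts = @('rdsh01', 'rdsh02')            # assumption: your RD Session Hosts
$PfxPath      = 'C:\certs\wildcard-contoso.pfx'  # assumption: wildcard cert with private key
$PfxPassword  = Read-Host -AsSecureString 'PFX password'

# Read the PFX once locally; the bytes travel inside the remoting session,
# so no file share has to expose the private key.
$pfxBytes = [System.IO.File]::ReadAllBytes($PfxPath)

$results = Invoke-Command -ComputerName $SessionHosts -ArgumentList $pfxBytes, $PfxPassword -ScriptBlock {
    param([byte[]] $Bytes, [securestring] $Password)

    # Write the PFX to a temp file just long enough to import it into LocalMachine\My.
    $tmp = Join-Path $env:TEMP ('rdp-{0}.pfx' -f [guid]::NewGuid())
    [System.IO.File]::WriteAllBytes($tmp, $Bytes)
    try {
        $cert = Import-PfxCertificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\My -Password $Password
    }
    finally {
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }

    # Bind the certificate to the RDP-Tcp listener. SSLCertificateSHA1Hash is the
    # same setting the old RD Session Host Configuration UI changed.
    $filter   = "TerminalName='RDP-Tcp'"
    $listener = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

    # Read the setting back rather than trusting the call succeeded.
    $after = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter $filter
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Thumbprint = $cert.Thumbprint
        Bound      = ($after.SSLCertificateSHA1Hash -eq $cert.Thumbprint)
    }
}

# Any host with Bound = False needs a look before users are pointed at it.
$results | Sort-Object Computer | Format-Table Computer, Thumbprint, Bound -AutoSize
```

Two things to check after a run: the listener runs as NETWORK SERVICE, so if a host reports the thumbprint as bound but clients still see the self-signed certificate, grant NETWORK SERVICE read access to the private key in the machine store. And since the wildcard private key now lives on every Session Host, keep the PFX and its password off shared locations once the deployment is done.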

Check out the script on the TechNet Script Gallery -

As always, I'm looking for feedback, so if you have any questions or comments about the script, don't hesitate to ask!

Monday, January 12, 2015

RDS 2012 Pooled VDI Machine Account Password Change

Coming into work late last week, I was greeted by a nice surprise: about a dozen pooled VDI had fallen out of the domain and users were receiving trust relationship errors when trying to log in. How about spending half your morning removing and rejoining VDI to the domain?

Every computer account in Active Directory has a password, the same as user accounts have passwords. Typically these machine account passwords are handled automatically in the background, as a function of the domain and the client operating system. However in the case of pooled VDI, which are clones built from a master template, the RD connection brokers handle updating the machine account password for pooled VDI.

By default, the RD connection broker will update the pooled VDI's machine account password every 31 days. This value is not customizable when creating VDI pools through Server Manager, but you can change it with PowerShell. When creating a pooled VDI collection with the New-RDVirtualDesktopCollection cmdlet, use the VirtualDesktopPasswordAge parameter. See below for an example:
New-RDVirtualDesktopCollection -CollectionName "VDIPool" -PooledManaged -VirtualDesktopTemplateName "VDITemplate" -VirtualDesktopTemplateHostServer "" -VirtualDesktopAllocation @{""=1} -StorageType LocalStorage -UserGroups "contoso\domain users" -ConnectionBroker "" -VirtualDesktopNamePrefix "PVM" -VirtualDesktopPasswordAge 31
It's worth mentioning that 31 days is the default value for the VirtualDesktopPasswordAge parameter, and it's also the minimum value you can set. If you try to set a value lower than 31, PowerShell throws a validation error.

Validation error on New-RDVirtualDesktopCollection cmdlet

This was a problem for us because our IT Security team had set up Group Policy to set the maximum machine account password age to 30 days. So our VDI were hitting this limit, and the trust relationship between the VDI and the domain was breaking a mere day before the RD connection brokers would have updated the password. I tried creating a test pool with a lower password age, such as 7 days, which is when I discovered the 31 day minimum.

Maximum machine account password age GPO setting

I hope this helps others to be careful when changing the default maximum machine password age in your domain. It can easily cause problems if you set the value too low, especially with RDS pooled VDI, where the broker's password age cannot be set below 31 days.
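Here is an added example (not from the original post) of the check I would have wanted before this bit us: it reads the effective "Domain member: Maximum machine account password age" value from the Netlogon parameters on a domain member, compares it with the broker's 31-day VirtualDesktopPasswordAge, and then lists the pooled VDI computer accounts from Active Directory by machine password age, flagging the ones that will hit the domain limit before the broker rotates the password. It assumes the ActiveDirectory module and the "PVM" name prefix from the command above; the margin of two days is my own choice.

```powershell
# Added example, not part of the original post.
Import-Module ActiveDirectory

$Prefix     = 'PVM'   # -VirtualDesktopNamePrefix of the pooled collection
$BrokerAge  = 31      # VirtualDesktopPasswordAge: default and minimum, in days
$MarginDays = 2       # assumption: how close to the domain limit counts as "at risk"

# The client-side maximum machine account password age lives in the Netlogon
# parameters; the GPO setting writes this value. Absent value means the 30 day default.
function Get-MaxMachinePasswordAge {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name MaximumPasswordAge -ErrorAction SilentlyContinue).MaximumPasswordAge
    if ($null -eq $value) { return 30 }
    return [int]$value
}

$domainMax = Get-MaxMachinePasswordAge
if ($domainMax -lt $BrokerAge) {
    Write-Warning ('Maximum machine account password age is {0} days, below the broker''s {1} day rotation; pooled VDI will hit the domain limit first.' -f $domainMax, $BrokerAge)
}

# Machine password age per pooled VDI account, oldest first. PasswordLastSet is
# the AD attribute the broker's rotation updates.
$report = Get-ADComputer -Filter "Name -like '$Prefix*'" -Properties PasswordLastSet |
    ForEach-Object {
        $ageDays = [int]((Get-Date) - $_.PasswordLastSet).TotalDays
        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            AgeDays         = $ageDays
            AtRisk          = ($ageDays -ge ($domainMax - $MarginDays))
        }
    } | Sort-Object AgeDays -Descending

$report | Format-Table -AutoSize

# The accounts flagged AtRisk are the ones to look at before users report
# trust relationship errors; Test-ComputerSecureChannel run on the VDI itself
# confirms whether the trust is already broken.
$report | Where-Object AtRisk | Select-Object -ExpandProperty Name
```

Run it on a domain member that receives the same GPO as the VDI (the template is a good choice), since the Netlogon value is read locally; the AD query itself can run from anywhere with the RSAT module.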

Friday, January 2, 2015

KB3000850 breaks access to RDS on Windows 8.1

Just wanted to post a heads up for an issue I came across this week. If you use Windows 8.1 to connect to an RDS 2008 R2/2012/2012 R2 environment, you'll want to steer clear of KB3000850, as it breaks access to your RDS environment. We experienced the following behavior:

  1. When launching a RemoteApp, we receive an additional credentials prompt asking us to authenticate to our RD Connection Broker address, almost like the single sign-on certificate is not working properly.
  2. As the RemoteApp begins launching, it appears to hang. If you click the details drop-down, it will show nothing but a black screen. Approximately two minutes later, the RemoteApp will close.
Uninstalling KB3000850 resolved the issues I was having trying to launch RemoteApps. I also found a thread on the TechNet forums with others experiencing the same issue -
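An added example (not from the original post) for checking which Windows 8.1 clients already have the update, and optionally removing it: Get-HotFix answers the question per computer, and wusa.exe performs the uninstall. The computer names are assumptions; the update ID is the one from the post.

```powershell
# Added example, not part of the original post.
param(
    [string[]] $Computers = @('ws81-01', 'ws81-02'),   # assumption: Windows 8.1 clients
    [switch]   $Uninstall
)
$Kb = 'KB3000850'

Invoke-Command -ComputerName $Computers -ArgumentList $Kb, $Uninstall.IsPresent -ScriptBlock {
    param([string] $Kb, [bool] $Remove)

    $os     = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $fix    = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $action = 'none'

    if ($fix -and $Remove) {
        # wusa wants the numeric id; /norestart leaves the reboot to a maintenance window.
        # Exit code 3010 means the uninstall succeeded and a reboot is pending.
        $kbNumber = $Kb -replace '^KB', ''
        $proc = Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" -Wait -PassThru
        $action = "uninstall exit code $($proc.ExitCode)"
    }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os
        Installed   = [bool]$fix
        InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
        Action      = $action
    }
} | Sort-Object Computer | Format-Table Computer, OS, Installed, InstalledOn, Action -AutoSize
```

Run it without -Uninstall first to get the inventory. wusa.exe is known to refuse to run from a remoting session on some systems; if the uninstall comes back with an access-denied exit code, run the same wusa command locally on the client or through a scheduled task, and reboot before retesting the RemoteApp launch.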