Channel: Remote Desktop Services (Terminal Services) forum

User Profile Disk location question (DFS) + Remote Desktop Certificates


I have a couple of questions related to the Windows Server 2012 R2 Remote Desktop Role:

1. User Profile Disk location on DFS:

In my home test lab, which includes one DC and one member server, both Windows 2012 R2, domain functional level 2012 R2, with only the default GPOs in place, I am able to store the User Profile Disks for an RDS Session Collection on a DFS path, with the DFS namespace being created with default values (win 2008 mode).

However, at the client site, when attempting to use a DFS namespace (also created with the same default options), I get:

"Could not create the template VHD. Error Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

I eliminated the possibility of it being an NTFS/share permission issue by granting "everyone" FULL access share and NTFS permissions. I am able to browse to the same DFS share location in Explorer, and manually create files in there with no problem.

A workaround is to use the direct UNC path that points to the share on the actual server itself rather than using the DFS path. This works fine.

Obviously there are many GPOs at the client site and so I really wouldn't know where to start looking if it was a certain policy preventing the UPDs from being stored on a DFS path. Can anyone provide any advice?

=============================================================================

2. I want to confirm where I need to apply certificates for the RDS solution in place. This is what we have:

2 RD Brokers working in HA mode with a SQL Database

4 Session Hosts, all part of one session collection

We are not using RD Gateway, nor are we using the RD Web Access (design choice by the TAs).

There are two DNS A Records set in DNS that point the Session Collection Name to the IP address of the primary broker and secondary broker, each being on a different subnet, which caters for users being connected to their site specific broker.

Users will have to open MSTSC, and connect to "SessionName", and this is where DNS will point them in the direction of the broker, which in turn will point them towards the next available session host. This works fine. Without any certificates in place, we see two certificate warnings:

1) From the broker server

2) From whichever session host server I've been redirected to.

There are plenty of blog posts online about which certificates to apply but they don't all match up as to what is required. If we want to eliminate both the above certificate warnings, what's the minimum we need to do? I believe we need to apply the right kind of certificate for both the "Enable Single Sign on" and the "Publishing". However under guidance we were told to apply only the "publishing" one. In addition, we have used Step 17 here: http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html to change the Remote Desktop Services certificate manually on the broker, to use our own CA issued cert.

The CA issued cert is issued to CN=*.domain.com with a SAN of "SessionName". 

This eliminates warning 1) above but warning 2) still remains. Does this mean we have to also change the Remote Desktop cert manually for each session host, or is there a better way of doing it, perhaps by setting a cert for "Enable Single sign on" as above? PS we use no remote apps at all. Just MSTSC to the SessionName.

Thanks
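
A read-only way to see which certificate the RDP listener on each broker and session host is currently bound to, so the server still presenting a self-signed certificate can be identified. This is an added example, not part of the original post; the host names are placeholders, and it assumes PowerShell remoting is enabled and the account is a local administrator on each server.

```powershell
# Added example: inventory of the certificate bound to the RDP-Tcp listener
# on each RDS server. Host names are placeholders (assumption), not from the post.
$servers = 'BROKER1', 'BROKER2', 'RDSH1', 'RDSH2', 'RDSH3', 'RDSH4'

$report = Invoke-Command -ComputerName $servers -ScriptBlock {
    # Win32_TSGeneralSetting holds the thumbprint the listener presents to clients.
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $listener.SSLCertificateSHA1Hash

    # The auto-generated self-signed certificate lives in the "Remote Desktop"
    # store; a CA-issued one is normally imported into Personal (My).
    $stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
    $cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } |
        Select-Object -First 1

    [pscustomobject]@{
        Thumbprint    = $thumb
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        # Subject equal to Issuer means the listener still uses a self-signed cert.
        SelfSigned    = [bool]($cert -and $cert.Subject -eq $cert.Issuer)
        # SAN DNS entries (DnsNameList is available from PowerShell 4.0).
        DnsNames      = ($cert.DnsNameList.Unicode -join ', ')
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# PSComputerName is added by Invoke-Command and identifies the reporting server.
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, SelfSigned, Subject, DnsNames, NotAfter, Thumbprint -AutoSize
```

A row with `SelfSigned` set to `True`, or with DNS names that do not cover the name the client ends up connecting to, marks the server behind a remaining warning.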

