When installing a Remote Desktop farm with an RD Gateway on Windows Server 2012, you install a certificate for the Broker, Web Access and Gateway roles using Server Manager. However, this does not add the certificate to the Remote Desktop Session Host (RDSH) servers. This means that you get a warning when connecting to a RemoteApp or desktop, because the RDSH servers will have a self-signed certificate. You can replace this certificate with a valid certificate, but you will continue to get warnings if either of the following is true:
The name on the certificate does not match the RDSH server name
The certificate is not from a trusted root certificate authority
The best way to resolve this is to purchase a single wildcard certificate e.g. *.domain.com that covers both the RDWeb URL, as well as the server names. This also requires that your internal domain is a subdomain of your external domain. So you might use domain.com on the web, and internal.domain.com as your AD domain. Your RDSH server is then e.g. rdsh01.internal.domain.com. You could also use a SAN certificate.
If you are just connecting internally from clients in the same domain, you should be able to use an internal Enterprise CA to create a SAN or wildcard certificate which you can use on your servers. So, only replace the certificates on the RDSH servers if:
Clients are all in the same domain and you are using internal certificates
Clients are outside the domain, but you have purchased commercial certificates
It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.
Open the MMC and open the Certificates snap-in
Add the Local Computer
Import the certificate into Computer\Personal
Open the certificate and find the thumbprint on the details tab. Copy the thumbprint to notepad and delete all the spaces.
Open up an elevated PowerShell prompt and run:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
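The thumbprint and binding steps above as one script, with the checks that decide whether clients will still see a warning (name match, trusted chain, validity period, Server Authentication EKU) run before the listener is changed. This is an added example, not code from the original post; it assumes the certificate is already imported into Computer\Personal and that the listener has its default name, RDP-Tcp.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell prompt on each RDSH server.
# 'PASTE_THUMBPRINT_STRING' is the placeholder from the step above; replace it with your thumbprint.
$thumb = 'PASTE_THUMBPRINT_STRING' -replace '[^0-9A-Fa-f]', ''   # drops spaces and hidden characters copied from the MMC

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$fqdn = "$($cs.DNSHostName).$($cs.Domain)"

# A wildcard name stands in for exactly one left-most label.
function Test-CertName([string]$Name, [string]$HostName) {
    if ($Name.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot + 1) -ieq $Name.Substring(2))
    }
    return $Name -ieq $HostName
}

# Names (subject CN and SAN DNS entries) and EKU OIDs carried by the certificate.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$ekus  = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

$problems = @()
$now = Get-Date
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside its validity period' }
# A certificate without an EKU extension is valid for all purposes, so only check when one is present.
if ($ekus.Count -gt 0 -and $ekus -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'no Server Authentication EKU' }
if (-not ($names | Where-Object { Test-CertName $_ $fqdn })) { $problems += "no name on the certificate matches $fqdn" }
# Verify() uses this server's trust store; clients must trust the same root to avoid the warning.
if (-not $cert.Verify()) { $problems += 'chain validation failed (untrusted root, revocation or expiry)' }

if ($problems) { throw "Not binding $thumb : $($problems -join '; ')" }

# Same setting the wmic command writes, scoped to the default listener.
$rdp = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $rdp.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# Read the value back to confirm the listener now points at the new certificate.
$bound = (Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
"RDP-Tcp listener certificate: $bound"
```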
This outlines the customisation options with the default RDWeb page in Microsoft Server 2012, when using Remote Desktop Services with RDWeb. You can easily replace the logo and text at the top of the page.
As an example, you can change the default:
To something like this:
Replaceable Company Logo Image
Add the new Icon into the image folder
Add the new icon into the images folder located in:
Modify the site.xsl file
Backup this file:
To e.g. C:\Windows\Web\RDWeb\Pages\Site.xsl.bak
The word Replaceable appears 3 times in this file. Do a find for this word to find the sections below:
Run notepad as admin and open. I find the easiest way to do this is to run PowerShell as admin, and then launch notepad from there. That way, if you close notepad, you can quickly launch it as admin again without finding notepad.
Automatic Virtual Machine Activation (AVMA) is a new feature in Windows Server 2012 R2 which allows you to activate guest virtual machines automatically, when you have a Hyper-V host that is running Windows Server 2012 R2 Datacenter. This is a pretty awesome feature, especially in a test lab environment when you may have a Technet (RIP) or MSDN Datacenter product key, and don’t want to use up all of your activations on temporary guests. This is how I manage my lab at home, which consists of 2 HP Microservers with 16GB of RAM in each:
Install your Hyper-V hosts with Windows Server 2012 R2 Datacenter and activate using a valid key
Add the Hyper-V role
Install guests running one of the following Operating Systems:
Windows Server 2012 R2 Datacenter
Windows Server 2012 R2 Standard
Windows Server 2012 R2 Essentials
During setup, either paste in the key below or add it to your unattend files
When you log on, you will find that Windows is already activated!
Note that you could also do this after installation if you skipped entering a key during setup (see this post on how to do that), either by entering the key manually when activating or by using slmgr /ipk <AVMA_key>
These are the keys that Microsoft provide for use with AVMA:
In my lab setup, I run sysprep on the first VM that I create, generalise and shut it down, and then create further VMs using a differencing disk with this as the master. This saves a lot of disk space. All the VMs using this template are then activated automatically with no further configuration required.
This is how I create VHDX files during Windows setup, first formatting a blank disk, creating a VHDX virtual hard disk, and then installing Windows on the disk.
Insert the Windows Server 2012, 8.1, or 7 DVD or bootable USB key. I always use a USB key as it is so much faster.
Press SHIFT-F10 to get to a command prompt when setup is loaded.
Type in diskpart
list disk (note the disk ID)
select disk 0 (assuming that it was listed as disk 0)
create partition primary
select partition 1
create vdisk file="C:\disk1.vhdx" maximum=50000
Now go back to setup and click through to the disk selection screen, or refresh if you were already there, and you will see the virtual disk. Windows will say that it cannot be installed onto this disk, but just click Next and it should install and boot with no issues.
Windows 8 and Server 2012 have an annoying default installation process which forces you to enter a product key during installation. Often you may want to paste this in later, or just not enter one if you are installing a demo or test system; having to type one in manually is a massive pain. Luckily, you can easily modify the installation so that it lets you skip the requirement for entering the product key. The easiest way to do this is by creating the ei.cfg file in the Sources folder on your ISO or USB media.
For Windows 8 or Server 2012 – this is the file that I normally create using notepad and save as ei.cfg in the Sources folder.
This works using MSDN or Technet (RIP) keys and media. I don’t bother entering the version, since I often may want to choose that during installation. By not entering the version you can choose if you want Standard, Datacentre etc.
The format of the ei.cfg is as follows:
[EditionID]: This is the version of Windows that you want to install. This varies by OS. You can use Dism /Get-ImageInfo and specify the image file to get the editions available from the wim file e.g. Dism /Get-ImageInfo /imagefile:I:\sources\install.wim
Valid options are:
Windows Server 2012:
Note that there are others, e.g. Foundation and Essentials for Server 2012.
[Channel]: This can be OEM or RETAIL depending on the type of media that you have.
[VL]: This can be 1 for Volume License, or 0 for Retail
There are several ways to create bootable USB media if you have an ISO. You can also do this using an SD card if you have a USB adapter for the memory card. For Windows 7 a 4GB drive is fine; for later versions you will need more than 4GB.
If you don’t have the ISO or want to do this manually, you can also use diskpart to prepare the drive and then copy the contents over. This is the way I normally end up doing it for some reason, the advantage being that you don’t need any other tools if you are running a Windows OS. There is a risk of formatting the wrong drive if you don’t know what you are doing with diskpart, so be careful.
Format the Drive
Run cmd.exe as Administrator, start diskpart, and type the following:
list disk (Note which one is your USB disk – make sure you get the right one!)
select disk 2 (assuming that it was listed as disk 2)
create partition primary
select partition 1
format fs=fat32 (Note: Quick format does not work)
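One way to guard against selecting the wrong disk before running the diskpart commands above: confirm that the disk number really is a USB device and not the disk Windows is running from, then generate the diskpart script with that number filled in. This is an added example, not code from the original post; New-UsbDiskpartScript and the output path are hypothetical names, and Get-Disk requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post). Needs the Storage module (Windows 8 / Server 2012 or later).
# New-UsbDiskpartScript and the default output path are hypothetical names chosen for this example.
function New-UsbDiskpartScript {
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [string]$OutFile = (Join-Path $env:TEMP 'usb-prep.txt')
    )

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Refuse anything that is not on the USB bus, or that Windows booted from.
    if ($disk.BusType -ne 'USB') {
        throw "Disk $DiskNumber ($($disk.FriendlyName)) is on the $($disk.BusType) bus, not USB."
    }
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the running Windows installation."
    }

    # Show what is about to be wiped so the operator can recognise the stick.
    $sizeGB = [math]::Round($disk.Size / 1GB, 1)
    Write-Host "Target: disk $DiskNumber, $($disk.FriendlyName), $sizeGB GB"
    Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue |
        Get-Volume | Format-Table DriveLetter, FileSystemLabel, FileSystem, Size -AutoSize | Out-Host

    # The same diskpart commands as in the steps above, with the verified disk number filled in.
    $script = @(
        "select disk $DiskNumber"
        'create partition primary'
        'select partition 1'
        'format fs=fat32'
    )
    Set-Content -Path $OutFile -Value $script -Encoding ASCII
    return $OutFile
}

# Usage: review the generated file, then run it from the elevated prompt.
#   $file = New-UsbDiskpartScript -DiskNumber 2
#   diskpart /s $file
```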
Copy the files
Mount the ISO or insert the DVD, and then copy the Windows files to your drive.
Modify the below example depending on your drive letters: