Windows Server 2012: Active Directory and RDS roles

On systems prior to Windows Server 2012, best practice for a server holding the Domain Controller role is, for security and performance reasons, not to install the Remote Desktop Session Host or Terminal Server role; moreover, if that best practice is disregarded, bear in mind that some specific configuration steps are required, as described in the following:

In Windows Server 2012 the Remote Desktop Services roles and the Active Directory Domain Services role are not supported when installed on the same computer, as stated in KB 2799605 Remote Desktop Services role cannot co-exist with AD DS role on Windows Server 2012. In particular, the KB describes the scenario in which installation of the RD Connection Broker role fails when installed on a WS2012 computer that already holds the Active Directory Domain Services role, and the one in which installation of the Active Directory Domain Services role fails when installed on a WS2012 computer that already holds the RD Connection Broker role. Below is the explanation given in the KB:

Cause

It is not supported to combine Remote Desktop Services role services and Active Directory Domain Services role on Windows Server 2012.

Resolution

This behavior is by design. It is never recommended, but allowed to install Domain Controllers and Remote Desktop Services role services until Windows Server 2012. From Windows Server 2012, this configuration is no longer supported.

If, however, there is only one server in the network and it holds the Domain Controller role, it is possible to install only the RD Session Host role service by following the guidance in KB2833839 Guidelines for installing the Remote Desktop Session Host role service on a computer running Windows Server 2012 without the Remote Desktop Connection Broker role service, taking into account what the KB specifies:

“This article provides the guidelines to install and configure the Remote Desktop Session Host role service on a computer running Windows Server 2012 without the Remote Desktop Connection Broker role service installed.

This configuration should only be used when it is the only option as the recommended configuration includes the Remote Desktop Connection Broker to provide access to the complete functionality with Remote Desktop Services. If a Domain Controller is available on a separate server, it is recommended to use the Standard Remote Desktop Services deployment wizard. This configuration is appropriate when there is only one server on the network. This server can be part of a workgroup or may be configured as a Domain Controller.

This configuration will provide desktop sessions to users based on the number of Remote Desktop Services client access license (RDS CALs) installed on the server, but will not provide access to RemoteApp programs or the RDWeb site.”

Note also that the KB applies only to the following editions:

  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows Server 2012 Datacenter
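The following audit script is an added example, not code from either KB article or from the original post: it inspects a Windows Server 2012 host with Get-WindowsFeature and classifies the installed AD DS and RDS role services according to the two cases described above (unsupported co-existence per KB 2799605, or RD Session Host alone on a Domain Controller per KB2833839). It assumes the ServerManager module is available and that the feature names used by Get-WindowsFeature on Windows Server 2012 are as listed in the script.

```powershell
# Added example: classify AD DS / RDS role co-existence on a Windows Server 2012 host.
# Assumes the ServerManager module (Get-WindowsFeature) is available locally or that
# remote management is enabled for the target given in -ComputerName.
Import-Module ServerManager

function Get-RdsAdDsCoexistence {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Feature names as exposed by Get-WindowsFeature on Windows Server 2012
    $adds   = 'AD-Domain-Services'
    $rdsMap = @{
        'RDS-RD-Server'         = 'RD Session Host'
        'RDS-Connection-Broker' = 'RD Connection Broker'
        'RDS-Gateway'           = 'RD Gateway'
        'RDS-Web-Access'        = 'RD Web Access'
        'RDS-Licensing'         = 'RD Licensing'
        'RDS-Virtualization'    = 'RD Virtualization Host'
    }

    $installed = Get-WindowsFeature -ComputerName $ComputerName |
        Where-Object { $_.Installed } |
        ForEach-Object { $_.Name }
    $isDc = $installed -contains $adds
    $rds  = @($installed | Where-Object { $rdsMap.ContainsKey($_) })

    # Classification follows KB 2799605 and KB2833839 as quoted in the article
    $status = 'OK: no AD DS / RDS co-existence'
    if ($isDc -and $rds.Count -gt 0) {
        if ($rds.Count -eq 1 -and $rds[0] -eq 'RDS-RD-Server') {
            # RD Session Host alone on a DC: only for a single-server network,
            # no RemoteApp or RD Web, sessions limited by installed RDS CALs
            $status = 'LIMITED: RD Session Host only on a DC (KB2833839 guidelines apply)'
        } else {
            $status = 'UNSUPPORTED: RDS role service(s) on a Domain Controller (KB 2799605)'
        }
    }

    [pscustomobject]@{
        ComputerName     = $ComputerName
        DomainController = $isDc
        RdsRoleServices  = @($rds | ForEach-Object { $rdsMap[$_] })
        Status           = $status
    }
}

Get-RdsAdDsCoexistence | Format-List
```

Run it on each server you intend to use as a Domain Controller before adding RDS role services; a result other than OK on a production host is a configuration that Microsoft will not support.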

In the following post Install Remote Desktop Services Failed on Windows 2012 Server on the Microsoft forums dedicated to RDS, a user reported having managed to run the RD Connection Broker role on a Domain Controller using the following procedure, which is obviously unsupported and should not be used on production servers:

I have found a simple solution to this issue that I also believe to have no security implications for AD. If anyone thinks this is not the case, please tell.

The problem is that Network Service does not have access rights to WID. So why don’t we give it those rights?

Do the following:
1) Connect to \\.\pipe\MICROSOFT##WID\tsql\query using SQL Management Studio.
2) Under Security\Logins, add a new login.
    On the General page:
    Login name: NT AUTHORITY\NETWORK SERVICE
    Default database: RDCms
    On the User Mapping page:
    Check RDCms, select the entry and check db_owner.
That’s it. All services should start fine now.

Update:

After this step, create a new login for NT AUTHORITY\SYSTEM. You will see a message that the login already exists, however it will add NT AUTHORITY\SYSTEM to the list of users. Following a reboot of the machine, everything will work as expected.

If you omit this last step, you will run into said “Object reference is not set to an instance of an object” error. ResolutoR and I could both verify that these steps make a setup of RD Connection Broker on a Domain Controller possible.

WARNING: Please be aware that the setup of a DC and RDCB on one server is entirely unsupported. The above steps can make it work to some extent, but that’s it. Also be aware that RD Gateway won’t work this way.
YOU SHOULD NEVER RUN THIS ON A PRODUCTION SERVER.
USE THIS FOR EVALUATION PURPOSES ONLY.

As regards Windows Server 2012 Essentials, the Windows Server 2012 Licensing Data Sheet states:

  • Remote Desktop Services Requires an incremental RDS CAL for access, with the exception of using the Remote Web Access feature of the Essentials edition.
  • Only the RD Gateway role service is installed and configured, other RDS role services including RD Session Host are not supported.

In other words, it is not supported to install any Remote Desktop Services role other than RD Gateway on a computer running Windows Server 2012 Essentials, but the Remote Web Access feature can be used without having to purchase RDS CALs (see Use Remote Web Access in Windows Server 2012 Essentials).

If you want to use Remote Desktop Services in an infrastructure based on Windows Server 2012 Essentials, you will need to install a second server running Windows Server 2012 Standard and purchase CALs and RDS CALs, as described in Using Windows Server 2012 Essentials with more than 25 users, where the suggestion in this case is to purchase Windows Server 2012 Standard and make use of its downgrade rights, implementing the infrastructure in virtual machines to save the cost of the Windows Server 2012 Essentials license:

“The second scenario is new for Windows Server 2012 Essentials, but has been available in the Windows Server family for some time. The downgrade (sometimes referred to as “down edition”) rights for Windows Server 2012 Standard and Datacenter have been expanded to include the Essentials edition. This means that when you purchase, or receive as a Software Assurance (SA) grant, a Windows Server 2012 Standard license, you can choose to run Essentials as one of your two virtual instances—without having to purchase Essentials separately. Remember that Standard now allows virtual use rights for up to two instances. This provides you with the small business server experience in the first virtual instance and leaves the second instance available to run additional workloads, such as Exchange Server, SQL Server, Remote Desktop Services, SharePoint, and Windows Server Update Services (WSUS).


This right is documented in the Windows Server 2012 Licensing FAQ (see Q15) as well as in the latest Microsoft Product List. Because this right was added during a late stage of the product release cycle, we were not able to update the EULA that is incorporated as part of the Windows Server 2012 products; however, this downgrade right is available to all customers in all available channels (except for SPLA), including volume licensing (VL), OEM, and retail (FPP). Keep in mind that the ability to run downgrade bits does not change the licensing or support terms in which you can use the product you purchased. So if you purchase Windows Server 2012 Standard, you will need Windows Server 2012 CALs even if you choose to downgrade an instance to run Windows Server 2012 Essentials.

When you purchase Windows Server 2012 Standard through volume licensing (VL), you can also download a copy of Windows Server 2012 Essentials and a product key from the VLSC. If you purchase an OEM or retail copy of Standard, you can download Essentials and obtain a product key to use during installation from the TechNet Eval Center, and then perform an in-place license transition by using your Standard product key, which gives you a fully licensed and supported instance.”

For more information on handling Windows Server 2012 Essentials scenarios that exceed 25 users, see also Growing Beyond 25 Users with Windows Server 2012 Essentials.