WEBINAR: Leveraging Azure Services for a Scalable Windows Remote Desktop Deployment (May 16, 2018)
About Me
- 18+ years in IT
- Blog at www.ciraltos.com, Twitter @ciraltos
- Work at Bowman and Brooke LLP as IT Infrastructure Manager, a litigation law firm specializing in product liability with 13 offices across the continental US
Problem
- A natural disaster could create a need for a high number of remote workers
- The on-premises RDS environment would not meet demand and will not scale
- Firm directive to move to cloud-based services
- RDS has low usage most of the time, but needs to scale out as demand increases
Solution
- Create the RDS deployment in Azure
- Think beyond lift and shift: move and improve
- Utilize multiple Azure products and services to support the deployment
Solution - Auto Scaling
- RDS Auto Scaling Script, available at the TechNet Gallery
- Runs on the RDS Connection Broker
- Starts and stops Session Hosts based on session count per CPU
- Runs on the domain, starts servers in Azure
Solution - Auto Scaling
- Use an Azure AD Application and Service Principal object to start the VMs
- Two ways for the script to log in to Azure: Azure Application and Service Principal with password, or Azure Application and Service Principal with certificate
Remote Desktop Services Overview
- Components implemented: RD Web, RD Gateway, Connection Broker, Session Host servers, RemoteApp servers
Deploy Servers - JSON
- JSON template deployment for servers
- Rapid deployment
- Repeatable, scalable
- Self-documenting
Deploy Servers - JSON
- Copy element in the JSON: used to create one or more instances of an object (servers and data drives)
- Fast: objects are created in parallel
- Works for ARM resources and properties
- Concatenate copyIndex() for object names
Deploy Servers - Key Vault
- Azure Key Vault: avoid adding passwords to deployments
- Resource ID and secret name used to retrieve the secret during deployment
Step 1 - Domain Join
- Domain Join Extension adds the VM to an AD domain
- Input: domain, OU, username, password
- Copy used to add all VMs in the deployment
- Key Vault used to store the domain join account password
Deploy Servers
- At this point: multiple servers with multiple data disks
- Most recent OS image used
- Domain joined
- Have not logged into a VM
- Demo
Server Configuration - DSC
- PowerShell Desired State Configuration (DSC)
- Azure DSC: part of Azure Automation
- Built-in pull server
- Manages resources, configurations and nodes
Server Configuration - Branding
- Branding and time zone
- Registry keys to set owner information and user access control
- Enable and configure SNMP community string
- Set time zone
Server Configuration - .Net 3.5
- .Net 3.5 requires the source cab
- Azure Automation Credential Asset
- DSC .Net 3.5 install
Server Configuration - Features
- Add RDS features
- Disable SMBv1
- Add Remote Desktop Services
- Add RDS tools
Server Configuration - Disk Setup
- Configure Storage Spaces Direct
- Use DSC Script blocks to: create a disk pool from the available disks, create a virtual disk, format the virtual disk
Server Configuration
- Servers customized to company specifications
- All required roles and features installed
- Data drives configured in an S2D pool, virtual disk formatted
- Have not logged into the VM
- Ready for SCCM
- Demo
RDWeb and RDGateway
- Azure Load Balancer and Availability Set for HA
- Azure AD Application Proxy: the Application Proxy Connector inside the network connects to the AD Application Proxy service, creating a two-way tunnel
- Clients must first connect to the AD Application Proxy for Azure AD authentication (ADFS)
- Enforce MFA
- Dynamic group based authentication
Connection Broker
- Azure SQL
- HA with Availability Set and Load Balancer
- Azure SQL to support the CB cluster: inexpensive, easy to set up, HA built in
Misc. Tasks - Patching
- Patching when servers are offline
- Use an Azure Automation Runbook to start servers 2 hours prior to the patch window (10 PM on the 2nd Thursday after the 2nd Tuesday)
- Runbook runs every day at 8 PM
- Logic identifies patch day
- Starts all deallocated VMs if it is patch day
- Logs in with an Azure Application Service Principal Run As account
Miscellaneous Tasks
- Azure Disk Encryption: Azure AD Enterprise Application to manage keys, Key Vault to store keys
- Backup with Recovery Services Vault
Future Changes
- Use OMS to monitor the environment
- Move the startup script from the Connection Broker to a Hybrid Runbook
- HTML5 client
- Azure RDS PaaS offering (RDmi)
Thank You. Questions?