Throughout this page, RDS means Remote Desktop Services: the Windows Server roles (RD Session Host, RD Connection Broker, RD Gateway, RD Web Access and RD Licensing) that you deploy onto Azure virtual machines. It is not a managed database service, and the name should not be confused with Amazon RDS.
Deploying it in Azure means creating the VMs, networks and storage yourself, either in the portal or from the Azure Resource Manager quickstart templates described below. The sizing decisions are VM sizes and the number of session hosts, not database tiers or editions.
For high availability, the whole deployment is replicated to a second Azure region in an active-passive model: only one RDS deployment serves users at a time, user profile disks are replicated between regions with Storage Replica, and Azure Traffic Manager steers users to the active deployment. A regional outage then costs a manual failover rather than the loss of the environment.
Deployment
To deploy a geo-redundant, multi-data-center RDS environment you need two resource groups in separate Azure regions: one holds the active deployment and the other the passive deployment.
In the active resource group, create a highly available Active Directory deployment with the New AD Domain with 2 Domain Controllers template, then a highly available RDS deployment in the same group with the RDS farm deployment using existing active directory template.
The templates do not make every role redundant on their own. Afterwards, configure the remaining RDS components, the RD Connection Broker, RD Gateway, RD Web Access and RD Session Host servers, for high availability.
Here are the key steps to create a geo-redundant multi-data center RDS deployment:
- Create two resource groups in two separate Azure regions.
- Create a highly-available Active Directory deployment in one of the resource groups.
- Create a highly-available RDS deployment in the same resource group.
- Create a VNet in the secondary resource group with a non-overlapping address space.
- Create a VNet-to-VNet connection between the two resource groups.
- Deploy two AD virtual machines in an availability set in the secondary resource group.
- Create a second highly-available RDS deployment in the secondary resource group.
Deployment Steps
The full procedure breaks down into a handful of tasks. Start with two resource groups in separate Azure regions: one holds the active deployment and the other the passive deployment. The rest of this page calls them RG A and RG B, respectively.
Create the highly available Active Directory deployment in RG A with the New AD Domain with 2 Domain Controllers template; every RDS role authenticates against it, so it comes first.
Next, create a highly available RDS deployment in RG A with the RDS farm deployment using existing active directory template. Then follow Remote Desktop Services - High availability to configure the remaining RDS components (broker, gateway, web access) for high availability.
In RG B, create a VNet whose address space does not overlap the VNet in RG A; the VNet-to-VNet connection routes between the two, and overlapping prefixes would be unroutable. Then create the VNet-to-VNet connection between the two resource groups.
For the secondary deployment, create two Windows Server 2016 AD virtual machines in a single availability set in RG B, with names that differ from the AD VMs in RG A.
Finally, promote those VMs to domain controllers in the domain you created in RG A, so the secondary region has its own replicas of the same forest, and create a second highly available RDS deployment in RG B.
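The RG B networking part of that procedure, as an added example in Az PowerShell (it is not part of the original page or of Microsoft's quickstart templates). It assumes RG-A already contains a VNet named vnet-a with prefix 10.1.0.0/16 created by the AD template, and chooses RG-B, vnet-b, 10.2.0.0/16 and the two regions itself; the overlap check runs before anything is created, because Azure will happily build two VNets that can never be connected.

```powershell
#Requires -Modules Az.Resources, Az.Network
# Added example (not from the page or the quickstart templates). Assumed: RG-A already holds
# vnet-a (10.1.0.0/16) from the AD template; RG-B, vnet-b (10.2.0.0/16) and the regions are chosen here.
$regionA = 'westeurope';  $regionB = 'northeurope'
$prefixA = '10.1.0.0/16'; $prefixB = '10.2.0.0/16'

function ConvertTo-IPv4Range {
    # First and last address of a CIDR block as unsigned integers.
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # BitConverter is little-endian
    $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][math]::Pow(2, 32 - [int]$len)
    $start = $addr - ($addr % $size)                           # snap to the block boundary
    return @{ Start = $start; End = $start + $size - 1 }
}
function Test-CidrOverlap {
    # $true when the two blocks share at least one address (VNet-to-VNet cannot route that).
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-IPv4Range $CidrA; $b = ConvertTo-IPv4Range $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}
if (Test-CidrOverlap $prefixA $prefixB) { throw "$prefixA and $prefixB overlap; pick a disjoint prefix for RG B" }

# RG B and its VNet. GatewaySubnet is a reserved name the VPN gateway requires.
New-AzResourceGroup -Name 'RG-B' -Location $regionB -Force | Out-Null
$subnetsB = @(
    New-AzVirtualNetworkSubnetConfig -Name 'rds'           -AddressPrefix '10.2.0.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.2.255.0/27'
)
$vnetB = New-AzVirtualNetwork -Name 'vnet-b' -ResourceGroupName 'RG-B' -Location $regionB -AddressPrefix $prefixB -Subnet $subnetsB

# The AD template's VNet may lack a GatewaySubnet; add one if so.
$vnetA = Get-AzVirtualNetwork -Name 'vnet-a' -ResourceGroupName 'RG-A'
if ($vnetA.Subnets.Name -notcontains 'GatewaySubnet') {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27' -VirtualNetwork $vnetA | Out-Null
    $vnetA = Set-AzVirtualNetwork -VirtualNetwork $vnetA
}

function New-RdsVpnGateway {
    # Route-based VPN gateway on the VNet's GatewaySubnet (provisioning takes 30 minutes or more).
    # Standard static public IP and VpnGw1 are assumptions; adjust to the SKUs your region offers.
    param([string]$Name, [string]$ResourceGroup, [string]$Location, $Vnet)
    $pip = New-AzPublicIpAddress -Name "$Name-pip" -ResourceGroupName $ResourceGroup -Location $Location -AllocationMethod Static -Sku Standard
    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $Vnet
    $ipConf = New-AzVirtualNetworkGatewayIpConfig -Name "$Name-ipconf" -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
    New-AzVirtualNetworkGateway -Name $Name -ResourceGroupName $ResourceGroup -Location $Location -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
}
$gwA = New-RdsVpnGateway -Name 'gw-a' -ResourceGroup 'RG-A' -Location $regionA -Vnet $vnetA
$gwB = New-RdsVpnGateway -Name 'gw-b' -ResourceGroup 'RG-B' -Location $regionB -Vnet $vnetB

# One random pre-shared key for both directions; never a literal in the script.
$keyBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = ($keyBytes | ForEach-Object { $_.ToString('x2') }) -join ''
New-AzVirtualNetworkGatewayConnection -Name 'a-to-b' -ResourceGroupName 'RG-A' -Location $regionA -VirtualNetworkGateway1 $gwA -VirtualNetworkGateway2 $gwB -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'b-to-a' -ResourceGroupName 'RG-B' -Location $regionB -VirtualNetworkGateway1 $gwB -VirtualNetworkGateway2 $gwA -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null
```

Both connection objects must carry the same shared key; generating it in the script and passing it to both calls avoids a key ever being typed into a ticket or a wiki. The AD VMs in RG B can only be promoted once this connection is up, since promotion replicates from the RG A domain controllers across it.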
On-Premises Deployments
On-premises deployments are a viable option, but every infrastructure role has to be implemented by hand; there are no templates to lean on.
To shorten failover, consider an active-active model in which both sites serve users at once. It avoids the start-up delay of a passive site at the cost of running both sites continuously, so it suits environments where cost is not the constraint.
Azure Traffic Manager works with on-premises endpoints too, but it requires an Azure subscription.
The simpler alternative is a CNAME record that sends users to the primary deployment and is repointed at the secondary during a failover. Keep its TTL short (minutes, not a day), because clients keep using the old answer until the TTL expires.
Users then reach the farm by a single URL, much as with Traffic Manager.
For a hybrid model, Azure Site Recovery can replicate on-premises servers to Azure for on-premises-to-Azure deployments.
Post Deployment PowerShell Script
After deployment, a PowerShell script can automate the remaining tasks: creating the access groups, applying network settings, installing updates and patches, and verifying the configuration. Scripting them means every server ends up configured the same way, which is both an operational and a security win.
One thing to settle before running it is the execution policy. The values are Restricted, AllSigned, RemoteSigned, Unrestricted, Bypass and Undefined, and they decide whether unsigned or downloaded scripts run. The policy is not a security boundary: anyone who can start powershell.exe can pass -ExecutionPolicy Bypass. Its value is in preventing accidental execution of tampered scripts, so sign the post-deployment script and run it under AllSigned or RemoteSigned rather than relaxing the policy to Unrestricted for convenience.
The same script can be rerun on a schedule, daily or weekly, to report drift from the required configuration and confirm that patches are still current.
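A verification script of the kind described above, as an added example that is not from the original page. It runs on the RD Connection Broker with the RemoteDesktop module and assumes only the broker FQDN; it checks the things a fresh template deployment commonly gets wrong (licensing still in the grace period, untrusted or expiring certificates, no gateway, collections open to Domain Users, unreachable session hosts) and returns findings rather than printing them, so a scheduled task can alert on a non-empty result.

```powershell
#Requires -Modules RemoteDesktop
# Added example (not from the page). Run on the RD Connection Broker; the broker FQDN is assumed.
$Broker = 'rdcb-01.corp.example.com'

function Test-RdsDeployment {
    # Returns a list of findings; an empty list means the farm matches the baseline below.
    param([string]$ConnectionBroker)
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Licensing: a fresh template deployment runs on the 120-day grace period.
    $lic = Get-RDLicenseConfiguration -ConnectionBroker $ConnectionBroker
    if ($lic.Mode -eq 'NotConfigured' -or -not $lic.LicenseServer) {
        $findings.Add("Licensing: mode '$($lic.Mode)', license server '$($lic.LicenseServer)'; hosts stop accepting connections when the grace period ends")
    }

    # 2. Certificates: every role Trusted and not about to expire.
    foreach ($cert in Get-RDCertificate -ConnectionBroker $ConnectionBroker) {
        if ($cert.Level -ne 'Trusted') {
            $findings.Add("Certificate: role $($cert.Role) is $($cert.Level)")
        } elseif ($cert.ExpiresOn -lt (Get-Date).AddDays(30)) {
            $findings.Add("Certificate: role $($cert.Role) expires $($cert.ExpiresOn.ToString('yyyy-MM-dd'))")
        }
    }

    # 3. Gateway: external clients must come through it, so it must be in use and named.
    $gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker
    if ($gw.GatewayMode -eq 'DoNotUse') {
        $findings.Add('Gateway: not in use; external access would need RDP (3389) exposed directly')
    } elseif (-not $gw.GatewayExternalFqdn) {
        $findings.Add('Gateway: in use but no external FQDN configured')
    }

    # 4. Collections: access must be by dedicated group, never Domain Users.
    foreach ($col in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $groups = (Get-RDSessionCollectionConfiguration -CollectionName $col.CollectionName -UserGroup -ConnectionBroker $ConnectionBroker).UserGroup
        if (@($groups) -match 'Domain Users') {
            $findings.Add("Collection '$($col.CollectionName)' grants access to Domain Users")
        }
    }

    # 5. Session hosts: every host the broker knows must answer (a stale entry breaks load balancing).
    foreach ($hostEntry in Get-RDServer -ConnectionBroker $ConnectionBroker -Role RDS-RD-SERVER) {
        if (-not (Test-Connection -ComputerName $hostEntry.Server -Count 1 -Quiet)) {
            $findings.Add("Session host $($hostEntry.Server) did not answer")
        }
    }
    return $findings
}

$result = Test-RdsDeployment -ConnectionBroker $Broker
if ($result.Count -eq 0) { 'Baseline met' } else { $result | ForEach-Object { "FINDING: $_" }; exit 1 }
```

The non-zero exit code is what a scheduled task or a monitoring agent keys on; the baseline is deliberately a function so the checks can be extended without touching the scheduling wrapper.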
Configuration
Configuring RDS in Azure replaces purchasing a physical server with creating a VM, but every role still has to be installed on every server and RDS configured by hand, exactly as on-premises.
That makes the traditional setup time-consuming and complex, and it means IT administrators must know Azure on top of RDS. Microsoft and the community published ARM templates and scripts that deploy a full RDS environment in Azure; they automate the build, but not the ongoing management, and the result was never elegant.
Over time Microsoft simplified this by moving some RDS components from dedicated VMs to Azure services, which made admins more efficient and drove down cost. For example, the connection broker's high-availability database initially required a SQL Server VM; later Microsoft moved it to Azure SQL Database.
Post Deployment Configuration
Post deployment configuration is where the template output becomes a usable farm.
The template run normally takes just over an hour, depending on how many RDS hosts were selected during the deployment.
First, confirm the deployment completed successfully: open the resource group the RDS 2019 farm was deployed to and click Deployments.
The RDS web URL is shown under Outputs of the deployment named cloud-infrastructure-services.rds-2019-basic-depl.
The RD Licensing role is installed, but the farm is running on Microsoft's 120-day licensing grace period: session hosts accept connections for 120 days from the first connection and refuse them afterwards unless the license server is activated, RDS CALs are installed and the licensing mode (per user or per device) is set.
Manage Remote Desktop Users
To manage remote desktop users, first create an AD security group and add the users who need access to the Azure RDS farm. Collections grant access per group, so this group, not Domain Users, is what controls who can reach a collection.
Manage collections from the server running the RD Connection Broker role, through Server Manager or the RemoteDesktop PowerShell module; the broker holds the deployment configuration and decides which session host a user lands on.
If any Remote Desktop servers are not yet part of the deployment, add them to the broker's managed servers first; a host the broker does not know cannot be placed in a collection.
Then edit the collection's properties and assign the AD group under User Groups. Members of that group can see and launch the collection; everyone else is refused at the broker, before a session is ever created.
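The same four steps in PowerShell, as an added example that is not from the original page. Domain, group, collection, broker and session host names are assumptions; the point to notice is the last step, which replaces the collection's user list rather than appending to it, because a new collection is created with Domain Users already granted.

```powershell
#Requires -Modules ActiveDirectory, RemoteDesktop
# Added example (not from the page). All names below are assumed.
$Broker     = 'rdcb-01.corp.example.com'
$Collection = 'Finance Desktop'
$GroupName  = 'RDS-Finance-Users'
$Domain     = 'CORP'
$SessionHosts = 'rdsh-01.corp.example.com', 'rdsh-02.corp.example.com'

# 1. A dedicated group: membership, not the whole domain, decides who reaches this collection.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Description "Access to RDS collection '$Collection'"
}
Add-ADGroupMember -Identity $GroupName -Members 'alice', 'bob'   # assumed sAMAccountNames

# 2. Make sure every session host is under the broker's management before it is used in a collection.
$managed = (Get-RDServer -ConnectionBroker $Broker -Role RDS-RD-SERVER).Server
foreach ($sessionHost in $SessionHosts) {
    if ($managed -notcontains $sessionHost) {
        Add-RDServer -Server $sessionHost -Role RDS-RD-SERVER -ConnectionBroker $Broker
    }
}

# 3. Replace the collection's user list with the dedicated group only (drops the default Domain Users grant).
Set-RDSessionCollection -CollectionName $Collection -UserGroup "$Domain\$GroupName" -ConnectionBroker $Broker

# 4. Verify: the only group listed should be the one just assigned.
$granted = (Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup -ConnectionBroker $Broker).UserGroup
if (@($granted) -match 'Domain Users') { throw "Collection '$Collection' still grants Domain Users" }
$granted
```

Run it from the broker, or from a management host with the RemoteDesktop module, under an account that is both a domain group administrator and an RDS deployment administrator.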
Enable UPDs
To enable UPDs, run the Set-RDSessionCollectionConfiguration cmdlet to enable user profile disks for the primary deployment, giving it the path to the file share on the source volume that you created in Step 7 of the deployment steps.
The secondary deployment has to be configured against the same share, and a Storage Replica destination volume is read-only, so reverse the Storage Replica direction first: the destination volume becomes the source volume. This is done with the Set-SRPartnership cmdlet:
`Set-SRPartnership -NewSourceComputerName "cluster-b-s2d-c" -SourceRGName "cluster-b-s2d-c" -DestinationComputerName "cluster-a-s2d-c" -DestinationRGName "cluster-a-s2d-c"`
Next, enable user profile disks in the secondary deployment with the same steps you used for the primary deployment, that is, run Set-RDSessionCollectionConfiguration again.
Finally, reverse the Storage Replica direction once more so the original source volume is the source in the SR partnership again and the primary deployment can write to the share:
`Set-SRPartnership -NewSourceComputerName "cluster-a-s2d-c" -SourceRGName "cluster-a-s2d-c" -DestinationComputerName "cluster-b-s2d-c" -DestinationRGName "cluster-b-s2d-c"`
Wait for replication to report that it is continuously replicating with nothing left to copy before each switch; switching while data is still in flight discards whatever has not reached the new source.
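The whole sequence, including the synchronisation check before each direction switch, as an added example that is not from the original page. The cluster names are the ones this page uses; the SOFS share paths, collection name, brokers and the 20 GB profile size cap are assumptions.

```powershell
#Requires -Modules RemoteDesktop, StorageReplica
# Added example (not from the page). Cluster names follow the page; everything else is assumed.
$Collection = 'Finance Desktop'
$BrokerA    = 'rdcb-a-01.corp.example.com';  $ShareA = '\\sofs-a\UPD'
$BrokerB    = 'rdcb-b-01.corp.example.com';  $ShareB = '\\sofs-b\UPD'
$ClusterA   = 'cluster-a-s2d-c';             $ClusterB = 'cluster-b-s2d-c'

function Wait-SRSynced {
    # Block until the partnership reports continuous replication with nothing left to copy.
    # Switching direction before that point discards data that has not reached the destination.
    param([string]$ClusterName, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $replica = (Get-SRGroup -ComputerName $ClusterName).Replicas | Select-Object -First 1
        if ($replica.ReplicationStatus -eq 'ContinuouslyReplicating' -and $replica.NumOfBytesRemaining -eq 0) { return }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "Storage Replica on $ClusterName did not reach a synced state within $TimeoutSec s"
}

function Set-SRDirection {
    # Makes $NewSource the writable side; the replication group names match the cluster names on this page.
    param([string]$NewSource, [string]$NewDestination)
    Set-SRPartnership -NewSourceComputerName $NewSource -SourceRGName $NewSource `
                      -DestinationComputerName $NewDestination -DestinationRGName $NewDestination
}

function Enable-CollectionUpd {
    # Enables UPDs for the collection and verifies the broker accepted the share (it must be writable).
    param([string]$Broker, [string]$SharePath)
    Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
        -EnableUserProfileDisk -DiskPath $SharePath -MaxUserProfileDiskSizeGB 20
    $cfg = Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -UserProfileDisk
    if (-not $cfg.EnableUserProfileDisk -or $cfg.DiskPath -ne $SharePath) { throw "UPD not enabled on $Broker" }
}

# 1. Primary deployment while cluster A is the source.
Enable-CollectionUpd -Broker $BrokerA -SharePath $ShareA
# 2. Flip so RG B's share is writable, enable there.
Wait-SRSynced -ClusterName $ClusterA
Set-SRDirection -NewSource $ClusterB -NewDestination $ClusterA
Enable-CollectionUpd -Broker $BrokerB -SharePath $ShareB
# 3. Flip back so the primary deployment owns the volume again.
Wait-SRSynced -ClusterName $ClusterB
Set-SRDirection -NewSource $ClusterA -NewDestination $ClusterB
```

Do this in a maintenance window with no users logged on: a UPD that is mounted on a session host while the volume flips to read-only will be lost for that session.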
Security
Security for an RDS farm in Azure is mostly about the edge and the identities behind it, not a managed-service feature list.
Encryption in transit comes from the RD Gateway, which tunnels RDP inside TLS on port 443 (and optionally its UDP transport on 3391) using the certificate you install on it; without a trusted certificate clients warn or fail, so certificate handling is a security control, not cosmetics.
Data at rest lives on the VMs' managed disks and on the Storage Spaces Direct volumes that hold user profile disks. Azure encrypts managed disks at rest with platform-managed keys by default, and Storage Replica copies the UPD volume to the passive region, which is what you recover from after a regional failure. Replication is not a backup: a deleted or corrupted profile is replicated just as faithfully, so keep an independent backup of the UPD share with its own retention.
Access is controlled by Active Directory group membership on each collection and by the NSG rules in front of the gateway; both are covered in their own sections on this page.
Remote Desktop Certificates
Running a Remote Desktop Services farm in production requires planning for certificates up front. Use a certificate issued by a public CA, or by your internal PKI if you run a root certificate server whose root is already distributed to the client machines. One certificate can cover the RD Gateway, RD Web Access, RD Connection Broker publishing and redirection roles, provided its subject alternative names include the external gateway FQDN and the broker name.
The self-signed RD Gateway certificate generated during deployment works, but is not recommended for production: it has to be pushed into every user's local certificate store by GPO from your Active Directory domain, it cannot be revoked, and it trains users to accept certificate warnings on the machines the GPO never reached.
Whichever issuer you choose, the certificate must chain to a root in the client's local computer store; otherwise the RDP client warns or refuses the gateway connection.
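Installing one CA-issued certificate on all four roles, with the trust and name checks a self-signed certificate would fail, as an added example that is not from the original page. The broker FQDN and PFX path are assumptions, and the deployment's external gateway FQDN is assumed to be configured already; DnsNameList is the property PowerShell adds to X509Certificate2 objects for the SAN entries.

```powershell
#Requires -Modules RemoteDesktop
# Added example (not from the page). Assumed: the broker FQDN, a PFX exported with its private key,
# and an external gateway FQDN already set on the deployment.
$Broker  = 'rdcb-01.corp.example.com'
$PfxPath = 'C:\certs\rds.pfx'
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

function Test-CertificateTrust {
    # Builds the chain the way an RDP client on this machine would, revocation included;
    # a self-signed or internal-PKI certificate whose root is not in the machine store fails here.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" } }
    return $ok
}

function Test-CertificateCoversName {
    # The SAN list must contain the name clients type, or a wildcard for its parent domain.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    $names = @($Cert.DnsNameList.Unicode)
    $wild  = '*.' + ($Fqdn -replace '^[^.]+\.', '')
    return ($names -contains $Fqdn) -or ($names -contains $wild)
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPass)
$gatewayFqdn = (Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker).GatewayExternalFqdn
if (-not (Test-CertificateTrust $cert))                   { throw 'Certificate does not chain to a trusted root' }
if (-not (Test-CertificateCoversName $cert $gatewayFqdn)) { throw "Certificate does not cover $gatewayFqdn" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30))            { Write-Warning "Certificate expires $($cert.NotAfter)" }

# One certificate, all four roles; the broker pushes it to the servers holding each role.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPass -ConnectionBroker $Broker -Force
}
# Every role should now report Level = Trusted.
Get-RDCertificate -ConnectionBroker $Broker | Format-Table Role, Level, ExpiresOn, Subject -AutoSize
```

The chain check runs on the broker, so it only proves trust for machines with the same root store; for an internal PKI, confirm the root is also in the GPO that reaches every client.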
Firewall Ports
Firewall ports are where most of the attack surface of an Azure RDS deployment is decided.
Only the RD Gateway should be reachable from the Internet, and only on its two transports: TCP 443, the standard HTTPS port, which carries RDP over HTTP, and UDP 3391, the gateway's UDP transport. Both terminate at the gateway, not at the session hosts.
An NSG (Network Security Group) is created as part of the deployment and permits this traffic to the RD Gateway servers through an Azure Load Balancer.
The referenced deployment also opens 3389 (RDP itself) to the gateway server alongside 3391. 3389 from the Internet is the port every RDP brute-force campaign probes; limit it to the VNet and a named administrative source range, and reach the hosts through the gateway or a bastion host instead.
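The weak rule set beside the hardened one, with a check that reports what an external scanner would see, as an added example that is not from the original page. Resource group, region, NSG and subnet names are assumptions, and 203.0.113.0/24 (a documentation range) stands in for your administrators' egress addresses.

```powershell
#Requires -Modules Az.Network
# Added example (not from the page). Assumed: RG-A in westeurope, NSG name rds-gw-nsg, a subnet
# named 'gateway' in vnet-a, and 203.0.113.0/24 standing in for the admin source range.
$rg = 'RG-A'; $loc = 'westeurope'; $adminRange = '203.0.113.0/24'

function New-InboundRule {
    # Thin wrapper so each rule reads as one line: who, which protocol/port, allow or deny.
    param([string]$Name, [int]$Priority, [string]$Source, [string]$Protocol, [string]$Port, [string]$Access = 'Allow')
    New-AzNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Direction Inbound -Access $Access -Protocol $Protocol `
        -SourceAddressPrefix $Source -SourcePortRange '*' -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange $Port
}

# The weak shape: RDP itself open to the whole Internet, which is what "3389 allowed" often turns into.
$weakRules = @(
    New-InboundRule -Name 'allow-https' -Priority 100 -Source 'Internet' -Protocol Tcp -Port 443
    New-InboundRule -Name 'allow-rdp'   -Priority 110 -Source 'Internet' -Protocol Tcp -Port 3389
)

# Hardened: only the gateway transports from the Internet; RDP only from inside the VNet
# (gateway, broker, jump host) and from the named admin range; an explicit deny last.
$hardRules = @(
    New-InboundRule -Name 'allow-gw-https'    -Priority 100  -Source 'Internet'       -Protocol Tcp -Port 443
    New-InboundRule -Name 'allow-gw-udp'      -Priority 110  -Source 'Internet'       -Protocol Udp -Port 3391
    New-InboundRule -Name 'allow-rdp-vnet'    -Priority 200  -Source 'VirtualNetwork' -Protocol Tcp -Port 3389
    New-InboundRule -Name 'allow-rdp-admins'  -Priority 210  -Source $adminRange      -Protocol Tcp -Port 3389
    New-InboundRule -Name 'deny-rdp-internet' -Priority 4000 -Source 'Internet'       -Protocol Tcp -Port 3389 -Access Deny
)

function Get-InternetExposedPorts {
    # The ports an external scanner would find: inbound Allow rules whose source is Internet or any.
    param($Rules)
    $Rules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.SourceAddressPrefix -contains 'Internet' -or $_.SourceAddressPrefix -contains '*')
    } | ForEach-Object { "$($_.Protocol)/$($_.DestinationPortRange -join ',')" }
}
'Weak rule set exposes:';     Get-InternetExposedPorts $weakRules
'Hardened rule set exposes:'; Get-InternetExposedPorts $hardRules   # should list only the gateway transports

# Create the hardened NSG and attach it to the gateway subnet.
$nsg    = New-AzNetworkSecurityGroup -Name 'rds-gw-nsg' -ResourceGroupName $rg -Location $loc -SecurityRules $hardRules -Force
$vnet   = Get-AzVirtualNetwork -Name 'vnet-a' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'gateway' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnet.Name -VirtualNetwork $vnet -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

The explicit deny at priority 4000 is there so that a later "temporary" allow rule added at a lower-numbered priority is a visible, deliberate override rather than an accident of the default AllowVnetInBound rule.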
High Availability
High Availability is crucial for Azure RDS deployments, especially when it comes to ensuring users can access their resources without interruption. This is achieved through a logical architecture that includes multiple layers.
Azure services, such as the Azure portal and APIs, public networking services like DNS and public IP addressing, are the foundation of this architecture. Desktop hosting services, including virtual machines, networks, storage, and Windows Server role services, build upon this foundation.
The Azure Fabric layer is where Windows Server operating systems running the Hyper-V role come into play, allowing for the creation of VMs, networks, storage, and applications independent from underlying hardware. This provides a robust and flexible environment for RDS deployments.
In a single Azure region, the architecture consists of three layers, while in a multi-region setup, the RDS deployment is replicated in a second region to create a geo-redundant deployment. This setup uses an active-passive model, where only one RDS deployment is running at a time, and a VNet-to-VNet connection enables communication between the two environments.
The RDS deployments are based on a single Active Directory forest/domain, with AD servers replicating across the two deployments, allowing users to sign in using the same credentials.
Logical Architecture for High Availability
High availability means the farm keeps serving users through the failure of any single component. That takes a design with no single point of failure, not one reliable server.
A highly available deployment in a single Azure region consists of three layers: Azure services, Desktop hosting service, and Azure Fabric. Azure services include the Azure Management interfaces and public networking services.
Here are the three layers of a highly available deployment in a single Azure region:
- Azure services
- Desktop hosting service
- Azure Fabric
In a geo-redundant deployment, the entire RDS deployment is replicated in a second Azure region. This creates an active-passive model, where only one RDS deployment is running at a time. A VNet-to-VNet connection lets the two environments communicate with each other.
User settings and data stored in User Profile Disks (UPD) are stored on a two-node cluster Storage Spaces Direct scale-out file server (SOFS). A second identical Storage Spaces Direct cluster is deployed in the second (passive) region, and Storage Replica is used to replicate the user profiles from the active to passive deployment.
Test Failover
To test the failover of your Storage Replica partnership, switch the partnership direction and disable the endpoint of the primary deployment in the Azure Traffic Manager profile. Users then land on the secondary deployment and, because the UPD volume is now writable there, keep their profiles.
Start the infrastructure VMs and then the RDSH VMs in the secondary deployment (RG B). Then switch the SR partnership direction so the secondary deployment's cluster becomes the source volume.
To do this, run the command `Set-SRPartnership -NewSourceComputerName "cluster-b-s2d-c" -SourceRGName "cluster-b-s2d-c" -DestinationComputerName "cluster-a-s2d-c" -DestinationRGName "cluster-a-s2d-c"`.
Disable the endpoint of the primary deployment (RG A) in the Azure Traffic Manager profile with `Disable-AzureRmTrafficManagerEndpoint -Name publicIpA -Type AzureEndpoints -ProfileName MyTrafficManagerProfile -ResourceGroupName RGA -Force`, or from the Azure portal. The AzureRM module is retired; with the current Az module the cmdlet is `Disable-AzTrafficManagerEndpoint` with the same parameters. Clients only move once the profile's DNS TTL has expired, so allow at least that long before judging the test.
RG B is now the active primary deployment. After the test, switch back to RG A as the primary:
- Switch the SR Partnership direction to make RG A the source volume again: `Set-SRPartnership -NewSourceComputerName "cluster-a-s2d-c" -SourceRGName "cluster-a-s2d-c" -DestinationComputerName "cluster-b-s2d-c" -DestinationRGName "cluster-b-s2d-c"`
- Re-enable the RG A endpoint in the Azure Traffic Manager profile: `Enable-AzureRmTrafficManagerEndpoint -Name publicIpA -Type AzureEndpoints -ProfileName MyTrafficManagerProfile -ResourceGroupName RGA` (with the Az module, `Enable-AzTrafficManagerEndpoint`, same parameters). Return the RG B endpoint to its pre-test state and, once users have moved back, deallocate the RG B VMs so the passive region stops incurring compute cost.
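The failover test and the fail-back as one script, using the Az module names that replace the retired AzureRM cmdlets above, as an added example that is not from the original page. The cluster and endpoint names publicIpA, MyTrafficManagerProfile and RGA are the page's; publicIpB, the resource group RGB, and the rds-tier VM tag used to start infrastructure before session hosts are assumptions.

```powershell
#Requires -Modules Az.Compute, Az.TrafficManager, StorageReplica
# Added example (not from the page). Cluster, profile and RG A endpoint names follow the page;
# publicIpB, RGB and the 'rds-tier' VM tag (infra | rdsh) are assumed.
$Profile = 'MyTrafficManagerProfile'; $ProfileRg = 'RGA'
$EndpointA = 'publicIpA';             $EndpointB = 'publicIpB'

function Start-DeploymentVms {
    # Infrastructure first (DCs, broker, gateway, SOFS), then session hosts; starting is idempotent.
    param([string]$ResourceGroup)
    foreach ($tier in 'infra', 'rdsh') {
        Get-AzVM -ResourceGroupName $ResourceGroup | Where-Object { $_.Tags['rds-tier'] -eq $tier } | ForEach-Object {
            Start-AzVM -ResourceGroupName $ResourceGroup -Name $_.Name | Out-Null
        }
    }
}

function Invoke-RdsFailover {
    # Storage first, then traffic: users must never be steered at a deployment whose UPD volume is read-only.
    param([string]$TargetRg, [string]$NewSource, [string]$OldSource, [string]$EnableEndpoint, [string]$DisableEndpoint)
    Start-DeploymentVms -ResourceGroup $TargetRg
    Set-SRPartnership -NewSourceComputerName $NewSource -SourceRGName $NewSource `
                      -DestinationComputerName $OldSource -DestinationRGName $OldSource
    Enable-AzTrafficManagerEndpoint  -Name $EnableEndpoint  -Type AzureEndpoints -ProfileName $Profile -ResourceGroupName $ProfileRg | Out-Null
    Disable-AzTrafficManagerEndpoint -Name $DisableEndpoint -Type AzureEndpoints -ProfileName $Profile -ResourceGroupName $ProfileRg -Force | Out-Null
}

function Test-TrafficManagerPointsTo {
    # Resolves the profile's FQDN and checks the CNAME chain reaches the expected endpoint target.
    param([string]$EndpointName)
    $tm     = Get-AzTrafficManagerProfile -Name $Profile -ResourceGroupName $ProfileRg
    $target = (Get-AzTrafficManagerEndpoint -Name $EndpointName -Type AzureEndpoints -ProfileName $Profile -ResourceGroupName $ProfileRg).Target
    $fqdn   = "$($tm.RelativeDnsName).trafficmanager.net"
    $hosts  = (Resolve-DnsName -Name $fqdn -Type CNAME -DnsOnly).NameHost
    return @($hosts) -contains $target
}

# Fail over to RG B.
Invoke-RdsFailover -TargetRg 'RGB' -NewSource 'cluster-b-s2d-c' -OldSource 'cluster-a-s2d-c' -EnableEndpoint $EndpointB -DisableEndpoint $EndpointA
if (-not (Test-TrafficManagerPointsTo $EndpointB)) {
    Write-Warning "DNS still answers for RG A; wait for the profile TTL ($((Get-AzTrafficManagerProfile -Name $Profile -ResourceGroupName $ProfileRg).Ttl) s) and re-check"
}
# ... log on as a test user and confirm the profile is present, then fail back.
Invoke-RdsFailover -TargetRg 'RGA' -NewSource 'cluster-a-s2d-c' -OldSource 'cluster-b-s2d-c' -EnableEndpoint $EndpointA -DisableEndpoint $EndpointB
if (-not (Test-TrafficManagerPointsTo $EndpointA)) { Write-Warning 'DNS still answers for RG B; wait for the TTL and re-check' }
```

Resolve-DnsName queries the local resolver, so run the check from a client network rather than from inside the VNet, where a cached answer or a private DNS zone can mask what Internet users see.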
Frequently Asked Questions
What is the Azure equivalent of RDS?
It depends on which RDS you mean. For Amazon RDS, the managed relational database service, the Azure equivalents are Azure SQL Database and Azure SQL Managed Instance for SQL Server, and Azure Database for MySQL, PostgreSQL and MariaDB for those engines (the MariaDB service is being retired); Azure SQL Database itself hosts only the SQL Server engine. For Remote Desktop Services, the subject of this page, the Azure-native equivalent is Azure Virtual Desktop (AVD), which replaces the self-managed broker, gateway and web access roles with a managed control plane while your session hosts still run as Azure VMs.
Sources
- https://cloudinfrastructureservices.co.uk/how-to-setup-remote-desktop-services-rds-2019-farm-on-azure/
- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-multi-datacenter-deployment
- https://getnerdio.com/resources/history-of-microsoft-vdi-part-3-remote-desktop-services-in-azure/
- https://advisicon.com/rds-or-avd-explained/
- https://4sight.cloud/blog/avd-vs-rds-which-is-better-when-accessing-your-solutions-remotely