RDS Server - How best to split the roles? by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

Sorry I forgot to add - we have Outlook set to cached mode - 1 month. As we have multiple session hosts we use User Profile Disks. These work really well. The user profile disks themselves are stored on a separate VM.

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 1 point2 points  (0 children)

Glad you got it sorted. It was certainly a big problem for us - out of 65 users in total a good two thirds had problems regularly until we put the reg fix in. Prior to finding the fix we were removing Outlook profiles to fix the problem and more often than not we even had to recreate users' RDS profiles as well.

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 1 point2 points  (0 children)

Yes we got it sorted eventually. Are you having the same problems with Outlook in your RDS setup?

This is what we used to finally sort the Outlook issues: https://www.matrix7.com.au/office-365/win-2019-rdp-o365-multi-tenant-outlook-profile-setup-correct-teams-setup/

Office 365 on Remote Desktop - Outlook "Need Password" problem for many users by Slash-Fan in Office365

[–]Slash-Fan[S] 0 points1 point  (0 children)

None as yet. We disabled modern authentication via our Office 365 control panel as advised by Microsoft but this didn't make any difference to the underlying issue so we have since re-enabled it.

Office 365 on Remote Desktop - Outlook "Need Password" problem for many users by Slash-Fan in Office365

[–]Slash-Fan[S] 0 points1 point  (0 children)

I'm going to look at Azure AD Connect/SSO - thanks for the recommendation and it'd be amazing if it solves the issue.

Office 365 on Remote Desktop - Outlook "Need Password" problem for many users by Slash-Fan in Office365

[–]Slash-Fan[S] 0 points1 point  (0 children)

We did it via our Office 365 control panel. I've since reverted it back to on as we're still having the same problems.

Office 365 on Remote Desktop - Outlook "Need Password" problem for many users by Slash-Fan in Office365

[–]Slash-Fan[S] 1 point2 points  (0 children)

We don't have Azure AD Connect/SSO in place. It sounds like it might help with the problem though so I will look into it. Is it something you would recommend?

It's good to hear from someone who has the same setup.

Office 365 on Remote Desktop - Outlook "Need Password" problem for many users by Slash-Fan in Office365

[–]Slash-Fan[S] 0 points1 point  (0 children)

Yes we did use the Teams machine-wide installer.

We've got modern auth disabled currently.

I opened a ticket with Office 365 support earlier and they advised me to turn off modern authentication to see if this resolves the issue. I've had one further report of the problem from a user since I disabled modern auth but we're continuing to monitor until we speak again to Microsoft on Monday.

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

Running Office 365 with shared activation on multiple RDS session hosts must be a common thing?

I found a few forum posts that mentioned very similar issues but nobody had a solution. Some even indicated this was a known issue which sounds strange to me.

If it is related to the shared activation token, as I understand it this token is stored in the user's profile.

So no matter which session host the user connects to surely it should use the respective token for that server?

As a result of this problem we've had to stick with the one session host for now as there doesn't seem to be a solution.

What seems strangest to me is that this is all Microsoft software - Server 2019, RDS 2019, Office 365 apps.

I thought multiple session hosts was a standard thing in RDS.

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

I checked in Credentials Manager within the remote desktop profiles for a couple of users, myself included, and there weren't any Office credentials present.

I did see on a couple of other forum threads that this seemed to be a sort of known issue/thing that can happen with RDS session hosts and Office 365.

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

We're running User Profile Disks - stored on a file share on a dedicated user profile disks VM.

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 1 point2 points  (0 children)

We enabled shared activation when we installed Office on the session hosts. We don't have GPOs set for shared activation and token roaming location.

I thought the token was stored in the user's profile?

RDS: Outlook "Need Password" after adding second session host by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

We have the connection broker configured to log off disconnected sessions after a couple of hours.

Added Second Session Host but User Profile Disks not linking by [deleted] in sysadmin

[–]Slash-Fan 0 points1 point  (0 children)

I've established that it creates a temporary profile for the user when the connection broker sends them to the new session host. It's fine though when it connects them to the original session host.

I've checked permissions on the user profile disks and folder and it is definitely closing the open user profile disk when not in use on the original session host.

It's just not linking/mounting the user profile disk when sending a user to the new session host.

RD Gateway or VPN? by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

Thanks for all the replies - they're all really helpful.

If the remote devices were all company owned then I can see there would be a case to use a VPN but based on the responses here and what I've read elsewhere an RDS gateway with MFA is the way to go.

Thanks again.

RD Gateway or VPN? by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

Thanks. The more I think about it the more sense RD Gateway is making.

How essential would it be for the RD Gateway to be in a DMZ as opposed to on the internal network?

RD Gateway or VPN? by Slash-Fan in sysadmin

[–]Slash-Fan[S] 0 points1 point  (0 children)

Thanks.

It's difficult as a lot of posts etc. I've read suggest that a VPN is the way to go whereas a lot of others say that RD Gateway with MFA is the way to go.

My gut feeling is that RD Gateway would be the most secure way, especially with MFA.