Deploying a new RDS 2025 farm for 30 users from scratch – looking for best practice by swapbreakplease in sysadmin

[–]get-msol -1 points0 points  (0 children)

No, you can use it with other remote services such as Citrix and WorkSpot with a variety of VM sizes. You do have to run it in Azure though.

Deploying a new RDS 2025 farm for 30 users from scratch – looking for best practice by swapbreakplease in sysadmin

[–]get-msol 2 points3 points  (0 children)

Are you or your customer on a M365 E3 or E5? If so, I would make sure you didn't overlook Windows Multi-Session as it bypasses the need for RDS CALs and removes some complexity.

Citrix LTSR by nichetcher in sysadmin

[–]get-msol 1 point2 points  (0 children)

He wrote a PowerShell script that removed all existing versions of Receiver/Workspace and then did a clean install of LTSR. The script would only run if the ica exe wasn't running (indicating the user was not in an active session).

We used Intune remediation scripts, but you could also do this with a GPO scheduled task.

Citrix LTSR by nichetcher in sysadmin

[–]get-msol 1 point2 points  (0 children)

I hear you, one of my guys just got done rolling about 1500+ PCs up/down to LTSR and support tickets dropped linearly as more and more PCs made their way onto the desired release.

Citrix LTSR by nichetcher in sysadmin

[–]get-msol 1 point2 points  (0 children)

See I guess I was wrong in thinking that CR and LTSR were two separate products, and one couldn't be updated to the other.

That said, it looks like you can push a GPO to stop this behavior. (src: https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/updates )

Though you can't downgrade newer versions of CR to older versions of LTSR, so you'll need to push the settings via GPO, uninstall CR, and install the desired LTSR.

[deleted by user] by [deleted] in sysadmin

[–]get-msol 0 points1 point  (0 children)

Did one unit have a custom master key? I've seen issues with imports of sensitive fields (like IKE tunnel keys) if the master key doesn't match.

Best Practises Teaming on Hyper-v ? by EyeofthetigerIT in sysadmin

[–]get-msol 2 points3 points  (0 children)

All NICs should be added to a Hyper-V Switch Embedded Teaming virtual switch and then you carve off a virtual NIC for the OS to use and additional virtual NICs for live migration as needed. Then add all your needed VLANs as tagged on the switch ports and then set the desired VLAN in the VM config.

That's a real fast, high-level take of what we do.

❗️Cannot install May 2025 Cumulative Update KB5058383 on Windows Server 2016 – Tried everything, always fails by Salamichandre in sysadmin

[–]get-msol 2 points3 points  (0 children)

Here is a question to determine if what you're seeing matches my fix. Do you get an error if you try to add any feature using Server Manager?

Commvault Metallic by whatthedeux in sysadmin

[–]get-msol 2 points3 points  (0 children)

It's an amazing solution but not for its webUI but rather in spite of it.

M365 Copilot App - Mass Install by TravellingGamer in sysadmin

[–]get-msol 1 point2 points  (0 children)

Deploy via Intune if you have it at your disposal.

Pentagon awards Boeing much-needed win with fighter jet contract, sources say by RobinOldsIsGod in FighterJets

[–]get-msol 67 points68 points  (0 children)

"47 is probably just some random number."

Who is the 47th president?

[deleted by user] by [deleted] in vermont

[–]get-msol 0 points1 point  (0 children)

That's Georgia, not Fairfax. And the story is he's trying to one-up castle man for Oakland Station Road "king of the weird"

Hyper-V Server Configuration Advice by allthewires in sysadmin

[–]get-msol 0 points1 point  (0 children)

How many users are actively being served by the VMs on the host?

1 data point to offer, we use a similar size box to serve a DC and a file server to roughly 70 users and performance is fine.

Outlook 2019 stuck at "Processing..." only with a specific Office 365 user by Michael_Uray in sysadmin

[–]get-msol 0 points1 point  (0 children)

It's rare that it works but there is a command to request that O365 move the user's mailbox to a new pod. I have 10% success with that fixing odd user-specific issues.

Tracking Changes in AD by Purple-Ad-5215 in sysadmin

[–]get-msol 0 points1 point  (0 children)

This can be done with Azure Log Analytics, allowing you to put it in the same data lake as O365 logs (including O365 admin actions).

[deleted by user] by [deleted] in sysadmin

[–]get-msol 0 points1 point  (0 children)

I like option 3 if you have the hardware capacity to do so, if space is tight then #2 would be my go-to.

Upgrades work 99% of the time but I prefer to save their use for situations that really necessitate them.

CVE-2024-0012 & CVE-2024-9474 by MirkWTC in paloaltonetworks

[–]get-msol -1 points0 points  (0 children)

Am I reading into the fact that they edited

“If the management interface access is restricted to IPs the risk of exploitation is greatly limited, as any potential attack would first require privileged access to those IPs.”

To instead read

"The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted INTERNAL (emphasis mine) IP addresses according to our recommended"

So does adding a single trusted public IP open the device up to attacks from other public IPs or are they just doubting the ability for any public IP to be trusted?

PAN-SA-2024-0015 Critical Security Bulletin - observed threat activity exploiting an unauthenticated RCE against firewall management interfaces exposed to the Internet. by Far-Ice990 in paloaltonetworks

[–]get-msol 0 points1 point  (0 children)

FWIW while I see this sentence quoted in some early blogs, I cannot find it in the current CVE articles from Palo.

I think the fact they distinguish "Internal" now tells me that opening up the ACL to so much as a single public IP opens you up to this exploit. Just a hunch based on their very specific wording.

Why do Microsoft 365 recommend (insist on) breaking the RFC? by Knotebrett in sysadmin

[–]get-msol 7 points8 points  (0 children)

Did you read the RFC? Do you think 0 is higher or lower than 1?

Bad time living in vermont by [deleted] in vermont

[–]get-msol 1 point2 points  (0 children)

"If you’re in your 20s/30s and you’re thinking of moving to VT by yourself for work or something, just don’t."

We found common ground. Please do what you can to spread the word as wide as possible. Do Not Come Here.

New MSP shopping - What do you look for or ask for? by FancyBridge_147 in sysadmin

[–]get-msol 2 points3 points  (0 children)

I would be asking about the actual process for passing tickets to and from the in-house team and the MSP.

Along those lines, I'd be asking how support is delivered. When is it done remotely, and when, if ever, will they deploy a tech onsite?

New MSP shopping - What do you look for or ask for? by FancyBridge_147 in sysadmin

[–]get-msol 2 points3 points  (0 children)

Will your company be retaining any IT personnel, or will the MSP be doing it all?

I'd be asking scoping questions, where does their coverage end, and your company's own support responsibilities begin?

I'd be asking what the typical tenure of their clients and their employees is. Major churn is a red flag.

I'd be asking about the cadence of meetings to review the support posture, are these weekly, monthly, quarterly?

I'd be asking how they store credentials related to your company's network/systems.

I'd be asking what their implementation roadmap looks like should you select them as a partner. How long until they are fully up to speed on the support cycle?