VMware Horizon 7.0.3 – Master RDS Host

Last Modified: Jan 7, 2017 @ 9:01 am


Use this post to build a Windows Server Remote Desktop Session Host that will be used as the source image for additional cloned Remote Desktop Session Hosts. Or you can build each Remote Desktop Session Host manually using the steps detailed in this post.

Hardware

  • The session host pools will use the same hardware specs (e.g. vCPUs, memory size, network label) specified on the master session host. Adjust accordingly.
  • As of 7.0.3, Windows Server 2016 is supported for Horizon View Agents.
  • For 2012 R2 or newer, set the vCPUs to 8. For 2008 R2, set the vCPUs to 4. Two is the minimum. See VMware whitepaper for more information.
  • Typical memory for an 8 vCPU session host is 24 – 48 GB (e.g. 32 GB).
  • For New Hard disk, consider setting Thin provision. And increase the size so it can store the locally cached profiles (C:\Users).
  • The session host should be configured with a VMXNET 3 network adapter.
  • When building the master session host, you will probably boot from an ISO. When you are ready to create the pool (RDS farm), ensure the CD/DVD drive points to Client Device and is not Connected. The important part is to make sure no ISO file is configured.
  • There’s no need for the Floppy drive so remove it.
  • If you have any Serial ports, remove them.

NIC Hotplug – Disable

  1. Users could use the systray icon to Eject the Ethernet Controller. Obviously this is bad.
  2. To disable this functionality, power off the virtual machine.
  3. Once powered off, right-click the virtual machine and click Edit Settings.
  4. On the VM Options tab, expand Advanced and then click Edit Configuration.
  5. Click Add Row.
  6. On the left, enter devices.hotplug. On the right, enter false.
  7. Then click OK a couple times to close the windows.
  8. The VM can then be powered on.

VMware Tools

VMware Tools includes the Shared Folders feature, which prevents roaming profiles from being deleted properly. When installing VMware Tools, make sure you deselect Shared Folders so it is not installed.

After installing VMware Tools, open Registry Editor and go to HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. Look in the ProviderOrder value on the right, and ensure that vmhgfs is not listed. If it is, remove it.
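The registry check above can be scripted. This is an added example, not part of the original post; it assumes an elevated PowerShell session on the master session host and that ProviderOrder is the usual comma-separated list.

```powershell
# Added example: make sure the VMware Shared Folders provider (vmhgfs) is not
# listed in the network provider order. Run elevated.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$name = 'ProviderOrder'

$before = (Get-ItemProperty -Path $key -Name $name).$name

# Split into whole entries so only an exact "vmhgfs" entry matches,
# never a substring of another provider name.
$entries = @($before -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries -contains 'vmhgfs') {
    # Keep every other provider in its original order
    $kept = @($entries | Where-Object { $_ -ne 'vmhgfs' })
    Set-ItemProperty -Path $key -Name $name -Value ($kept -join ',')
    Write-Output "Removed vmhgfs. ProviderOrder was: $before"
    Write-Output "ProviderOrder is now: $($kept -join ',')"
} else {
    Write-Output "vmhgfs is not listed. ProviderOrder: $before"
}
```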

Windows

Disable Internet Explorer Enhanced Security Config

  1. In Server Manager, switch to the Local Server page.
  2. On the far right, click the link for On next to IE Enhanced Security Configuration.
  3. Click Off for both Administrators and Users. Click OK.

User Account Control and SmartScreen

This section is optional.

  1. If Windows 2012 R2, right-click the flag icon by the clock, and click Open Action Center. Or launch it from the Start Menu.
  2. Or if Windows Server 2016, go to Security and Maintenance in the Control Panel.
  3. On the left click Change User Account Control settings.
  4. To disable UAC, move the slider down to Never Notify and click OK. Or you can leave it enabled if your security standards require it.
  5. Back in Action Center (or Security and Maintenance), on the left, click Change Windows SmartScreen settings.
  6. Make your selection regarding SmartScreen, and click OK.

Windows Update

Whenever you deploy a virtual machine from a template and SysPrep is executed during the cloning process, all Windows Update settings are reset. You must reconfigure Windows Update on every new virtual machine (or use group policy).

  1. In Server Manager, click Local Server on the left. Then on the right, click the link for Last checked for updates.
  2. In Windows Server 2012 R2, on the left, click Change settings.
  3. If Windows Server 2016, click Advanced Options.
  4. If Windows Server 2012 R2, check the box next to Give me updates for other Microsoft products when I update Windows, and click OK.
  5. If Windows Server 2016, check the box next to Give me updates for other Microsoft products when I update Windows, and then click the back button. Then click Check for Updates.

  6. Windows Update will automatically start checking for updates.
  7. Install any updates it recommends.

Windows Server 2008 R2 Hotfixes

Local Administrators Group

If the Horizon Administrators and members of the Domain Admins group are the same people, then there is nothing to change. Otherwise, add your Horizon Admins group to the local Administrators group.

  1. In Server Manager, open the Tools menu, and click Computer Management. Or launch it by right-clicking the Start Button.
  2. Add the Horizon Admins group to the local Administrators group.

Remote Desktop Session Host

Role and Features – Windows Server 2012 and newer

If this session host is Windows Server 2008 R2 then skip to the next section.

  1. In Server Manager, open the Manage menu, and click Add Roles and Features.
  2. On the Installation Type page, leave it set to Role-based or feature-based installation.
  3. Click Next until you get to the Server Roles page.
  4. Check the box next to Remote Desktop Services, and click Next.
  5. If Windows Server 2012 R2, expand User Interfaces and Infrastructure and check the box next to Desktop Experience. This adds a bunch of features like Themes, Windows Media Player, Flash, etc. This feature is already installed in Windows Server 2016.
  6. To verify Remote Desktop Services licensing, expand Remote Server Administration Tools > Role Administration Tools > Remote Desktop Services Tools, and check the box next to Remote Desktop Licensing Diagnoser Tool. Click Next when done.
  7. In the Select role services page, check the box next to Remote Desktop Session Host, and click Next.
  8. Then click Install. Restart is required.

Windows Roles – Windows Server 2008 R2

If this session host is running Windows 2008 R2 then the instructions are slightly different.

  1. In Server Manager, right-click Roles and click Add Roles.
  2. In the Before You Begin page, click Next.
  3. In the Select Server Roles page, check the box next to Remote Desktop Services and click Next.
  4. In the Introduction to Remote Desktop Services page, click Next.
  5. In the Select Role Services page, check the box next to Remote Desktop Session Host and click Next.
  6. In the Uninstall and Reinstall Applications for Compatibility page, click Next.
  7. In the Specify Authentication Method for Remote Desktop Session Host page, select Do not require Network Level Authentication and click Next.
  8. In the Specify Licensing Mode page, select Per User and click Next.
  9. In the Select User Groups Allowed Access to this RD Session Host Server page, click Add. Browse for Authenticated Users (on the local machine) and click Next.
  10. In the Configure Client Experience page, check the boxes for Audio and video playback and Desktop composition. This causes Desktop Experience to be installed. Click Next.
  11. In the Confirm Installation Selections page, click Install.
  12. In the Installation Results page, click Close.
  13. Click Yes when you are prompted to restart now.
  14. Login to the server. Then click Close.

Remote Desktop Licensing Configuration

The only way to configure Remote Desktop Licensing in Windows Server 2012 or newer is using group policy (local or domain). This also works for Windows Server 2008 R2.

  1. For local group policy, run gpedit.msc.
  2. Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. Double-click Use the specified Remote Desktop license servers. Change it to Enabled and enter the names of the RD Licensing Servers. Click OK.
  4. Double-click Set the Remote Desktop licensing mode. Change it to Enabled and select Per User. Click OK.
  5. In Server Manager, open the Tools menu, expand Terminal Services (or Remote Desktop Services), and click RD Licensing Diagnoser.
  6. The Diagnoser should find the license server and indicate the licensing mode. It’s OK if there are no licenses installed on the Remote Desktop License Server.

C: Drive Permissions

The default permissions allow users to store files on the C: drive in places other than their profile.

  1. Open the Properties dialog box for C:\.
  2. On the Security tab, click Advanced.
  3. Highlight the line containing Users with Create Folders permission, and click Remove.
  4. Highlight the line containing Users with Create Files permission, and click Remove.
  5. Click OK to close the Advanced Security Settings window.
  6. Click Yes to confirm the permissions change.
  7. If you see any of these Error Applying Security windows, click Continue.
  8. Click OK to close the C: drive properties.
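To confirm the two entries are really gone after the GUI steps, the ACL on C:\ can be read back. This is an added example, not part of the original post; it is read-only, assumes PowerShell 3.0 or later, and the function name Get-RootCreateAce is made up for illustration.

```powershell
# Added example: report Allow ACEs on C:\ that still let the local Users group
# create files or folders. Read-only; it changes nothing.
function Get-RootCreateAce {
    param(
        [string]$Path = 'C:\',
        # S-1-5-32-545 is the well-known SID of the local Users group
        [string[]]$Sid = @('S-1-5-32-545')
    )
    # "Create Files" is CreateFiles (WriteData); "Create Folders" is CreateDirectories (AppendData)
    $mask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles) -bor
            [int]([System.Security.AccessControl.FileSystemRights]::CreateDirectories)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs instead of account names so the check works on any OS language
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isAllow = $rule.AccessControlType -eq 'Allow'
        $isUser  = $Sid -contains $rule.IdentityReference.Value
        $creates = ([int]$rule.FileSystemRights -band $mask) -ne 0
        if ($isAllow -and $isUser -and $creates) {
            [pscustomobject]@{
                Sid         = $rule.IdentityReference.Value
                Rights      = $rule.FileSystemRights
                Inheritance = $rule.InheritanceFlags
                Propagation = $rule.PropagationFlags
            }
        }
    }
}

$found = @(Get-RootCreateAce)
if ($found.Count -eq 0) {
    Write-Output 'OK: Users has no Create Files / Create Folders entry on C:\'
} else {
    $found | Format-Table -AutoSize
    Write-Warning 'Users can still create files or folders in the root of C:\'
}
```

Broader grants such as Modify or Full Control also contain these two rights, so they are reported as well.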

Installs

VMware Horizon Agent 7.0.3

View Agent for RDS Hosted Apps Desktops is missing a few features:

  • No Generic USB Redirection. USB Flash Drives and hard drives are supported.
  • No Real-Time Audio Video
  • No serial port redirection
  • No Persona. Instead use VMware User Environment Manager (Horizon Enterprise) or Microsoft’s roaming profiles
  • No Instant-Clones

To install View Agent on Remote Desktop Services, do the following:

  1. Go to the downloaded Horizon 7 Agent x64 7.0.3 and run VMware-viewagent-x86_64-7.0.3.exe.
  2. If you want the URL Content Redirection feature then you must run it from the command line and add the switches: /v URL_FILTERING_ENABLED=1
  3. In the Welcome to the Installation Wizard for VMware Horizon Agent page, click Next.
  4. In the License Agreement page, select I accept the terms and click Next.
  5. If you see a message about Desktop OS Configuration then you need to cancel the installer and install the Remote Desktop Session Host role.
  6. In the Network protocol configuration page, select IPv4, and click Next.
  7. In the Custom Setup page, several features are disabled by default. Feel free to enable them.
  8. If you are building a pool of Remote Desktop Session Hosts then install the VMware Horizon View Composer Agent feature. Note: if you are not building linked clones, then don’t select this option, or else you won’t be able to select the machine in a Manual RDS Farm in View Administrator.
  9. Click Next when done making selections.
  10. Click OK to acknowledge the USB redirection message.
  11. If you see the Register with Horizon 7 Connection Server page, enter the name of a Horizon Connection Server, and click Next. You only see this page if not installing the View Composer Agent feature.
  12. In the Ready to Install the Program page, click Install.
  13. In the Installer Completed page, click Finish.
  14. Click Yes to restart the server.
  15. To verify installation of the URL Content Redirection feature, check for the presence of C:\Program Files\VMware\VMware View\Agent\bin\UrlRedirection.
  16. There’s also a new IE add-on.
  17. URL Content Redirection is configured using group policy.

User Environment Manager Engine

If you are licensed for User Environment Manager (Horizon Enterprise Edition), install the User Environment Manager Engine. Note: UEM 9.1 can also work without Active Directory (Group Policy); see VMware 2148324 Configuring advanced UEM settings in NoAD mode for details.

  1. Make sure Prevent access to registry editing tools is not enabled in any GPO. This setting prevents the FlexEngine from operating properly.
  2. Go to the extracted User Environment Manager 9.1 files, and run VMware User Environment Manager 9.1 x64.msi.
  3. In the Welcome to the VMware User Environment Manager Setup Wizard page, click Next.
  4. In the End-User License Agreement page, check the box next to I accept the terms, and click Next.
  5. In the Destination Folder page, click Next.
  6. The Choose Setup Type page appears. By default, the installer only installs the engine. You can click Custom or Complete to also install the console.

  7. In the Choose License File page, if installing on a View Agent, then no license file is needed. Click Next.
  8. Otherwise, Browse to the license file, and then click Next.
  9. In the Ready to install VMware User Environment Manager page, click Install.
  10. In the Completed the VMware User Environment Manager Setup Wizard page, click Finish.

Horizon Agent Load Balancing Script

If you have multiple identical Remote Desktop Services Hosts in a single RDS Farm, by default, VMware Horizon uses a least connections Load Balancing algorithm. You can change this to performance-based Load Balancing by configuring scripts on each RDS Host. See Configuring Load Balancing for RDS Hosts at pubs.vmware.com.

There are only three levels of load: HIGH, MED, and LOW. Within a load level, Horizon selects an RDS server at random.

Do the following to configure the Load Balancing script:

  1. The script must be placed at C:\Program Files\VMware\VMware View\Agent\scripts on every RDS Host. VMware provided a couple sample scripts that you can use. One script only looks at CPU and the other script only looks at Memory. If you write your own script, make sure it exists in this folder on every RDS Host in the RDS Farm.
  2. Open Services and configure the VMware Horizon View Script Host service to run automatically.

  3. Then start the service.
  4. In regedit, go to HKLM\Software\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad.
  5. Create a new String Value. It doesn’t matter what you name it but the script name is recommended.
  6. Modify the String Value and enter cscript.exe "PathToScript". For example: cscript.exe "C:\Program Files\VMware\VMware View\Agent\scripts\cpuutilisation.vbs"
  7. After setting the registry value, restart the VMware Horizon View Agent service.
  8. After you later add this RDS Host to a farm, in View Administrator, click the Dashboard view.
  9. Expand RDS Farms, expand the farm and click the RDS Host.
  10. Make sure the Server load is reported.
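Steps 1 through 7 above, scripted so they can be repeated on every RDS Host in the farm. This is an added example, not part of the original post or VMware's documentation; it assumes an elevated PowerShell session, that the Horizon Agent is already installed, and that the service display names match the ones used in the steps.

```powershell
# Added example: register an RDS load script the same way on every host.
$scriptDir  = 'C:\Program Files\VMware\VMware View\Agent\scripts'
$scriptName = 'cpuutilisation.vbs'      # sample script name used in step 6
$scriptPath = Join-Path $scriptDir $scriptName
$regKey     = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\ScriptEvents\RdshLoad'
$valueName  = [System.IO.Path]::GetFileNameWithoutExtension($scriptName)

# Step 1: the script must exist in the agent's scripts folder on this host
if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Load script not found: $scriptPath"
}
# The key is created by the agent installer; a missing key means no agent
if (-not (Test-Path -LiteralPath $regKey)) {
    throw "Registry key not found (is the Horizon Agent installed?): $regKey"
}

# Steps 2-3: set the script host service to start automatically, then start it
Get-Service -DisplayName 'VMware Horizon View Script Host' |
    Set-Service -StartupType Automatic -PassThru |
    Start-Service

# Steps 4-6: one string value, named after the script, holding the command line
$command = 'cscript.exe "{0}"' -f $scriptPath
New-ItemProperty -LiteralPath $regKey -Name $valueName -PropertyType String `
    -Value $command -Force | Out-Null

# Step 7: restart the agent so it picks up the new value
Restart-Service -DisplayName 'VMware Horizon View Agent' -Force

# Read the value back so the run leaves a record of what was configured
$stored = (Get-ItemProperty -LiteralPath $regKey -Name $valueName).$valueName
Write-Output "RdshLoad\$valueName = $stored"
```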

Antivirus

Install antivirus using your normal procedure. Instructions vary for each Antivirus product.

Microsoft’s virus scanning recommendations (e.g. exclude group policy files) – http://support.microsoft.com/kb/822158.

Symantec

Symantec has a document at Citrix and terminal server best practices for Endpoint Protection detailing best practices when deploying Symantec Endpoint Protection to session hosts.

Virtualization best practices for Endpoint Protection 12.1.2 and later

Virtualization best practices for Endpoint Protection 12.1.1 (RU1) and earlier

Install Applications

Install applications that will be executed on these machines.

VMware OS Optimization Tool

  1. See VMware Windows Operating System Optimization Tool Guide Technical Paper for details on this tool.
  2. Download the VMware OS Optimization Tool VMware fling.
  3. Run the downloaded VMwareOSOptimizationTool_b1080.exe.
  4. On the Public Templates tab, update or download templates.
  5. On the Analyze tab, choose a template, and click Analyze.
  6. On the Analyze tab, review the optimizations and make changes as desired. Then on the bottom left click Optimize.
  7. Click the FAILED links for more information.
  8. The History tab lets you rollback the optimizations.
  9. The Templates tab lets you edit the optimizations. You can create your own template or edit an existing template.

Citrix has published a document with several registry modifications that are supposed to improve server performance. You can access it at http://support.citrix.com/article/CTX131577.

Another list of optimizations can be found at http://www.citrixtools.net/Resources/Articles/articleType/ArticleView/articleId/5610/Windows-2008-R2-Remote-Desktop-and-XenApp-6-Tuning-Tips-Update.aspx.

Seal and Snapshot

  1. Go to the properties of the C: drive, and run Disk Cleanup.
  2. On the Tools tab, click Optimize to defrag the drive.
  3. Run slmgr.vbs /dlv and make sure it is licensed with KMS and has at least one rearm remaining.
  4. Run Delprof2 to clean up local profiles. Get it from http://helgeklein.com/download/.
  5. Make sure the master session host is configured for DHCP.
  6. Session hosts commonly have DHCP reservations.

  7. Run antivirus sealing tasks:
    1. Symantec: Run a full scan and then run the Virtual Image Exception tool – http://www.symantec.com/business/support/index?page=content&id=TECH173650
    2. Symantec: run the ClientSideClonePrepTool – http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  8. Shutdown the master session host.
  9. Edit the Settings of the master virtual machine and disconnect the CD-ROM. Make sure no ISO is configured in the virtual machine.
  10. Take a snapshot of the master session host. View Composer requires a snapshot.

  11. You can now use Horizon View Administrator to create RDS Farms.

Full Clone Post-Cloning Tasks

If you used vCenter to clone the machine instead of using Horizon Composer, then after the machine is cloned, do the following on the cloned machine:

  1. Static IP – Configure a static IP address (or DHCP reservation).
  2. Windows Update – Run Windows Update. SysPrep always disables Windows Update so you must run it at least once to re-enable it.
  3. Join domain – Join the machine to the domain if SysPrep didn’t do it for you.
  4. Active Directory OU – Move the Active Directory computer object to the correct OU.
  5. Horizon Agent – uninstall the Horizon Agent and reinstall it so it registers with a Horizon Connection Server.
  6. Antivirus – Re-configure antivirus. Instructions vary for each product. Go to the antivirus vendor’s website and search for a cloning procedure.
  7. Firewall rules – Add the new machine to any firewall rules (PCoIP, Blast) between the Horizon Security Server and Horizon Agents.
  8. View Administrator – In View Administrator, add the new machine to a Remote Desktop Services farm.

 

3 thoughts on “VMware Horizon 7.0.3 – Master RDS Host”

  1. Carl,
    Great blog btw. It has been a lifesaver on many excursions. I am having an issue with the IE Enhanced Security Configuration setting not taking effect for users (non-administrators). I’m using Windows Server 2012 R2 Standard. I turned IE ESC “off” as you describe using Server Manager for both admins and users. When I log in as a regular user, the IE ESC is still enabled. Am I missing something?
