Server 2016 RDS via Azure AD Application Proxy end-to-end guide

One of our priorities for this year was to improve our remote access offering to staff, to enable more flexible working whilst outside of college. Office 365 helps greatly and has already improved functionality in many ways, but there are still some legacy applications and classic file shares that need to be provided remotely too. If at all possible we prefer the files not to leave the network, so some form of virtual desktop looked the way to go.

After discounting VMware and Citrix offerings on cost grounds the improvements to Microsoft’s RDS offering in Server 2016 seemed to come at a perfect time.

Even more so now we’ve implemented Azure AD Application Proxy (more on that shortly!). We’ve also recently decommissioned some services that freed up a bit of physical hardware resource to “play” with, so away we went!

Server installation

The physical hardware for now is running on some reclaimed Dell PowerEdge R610 servers; 64GB RAM, dual CPU and 6 x 15k disks in RAID10. That should be plenty to get us up and running, with the RDS roles eventually split across two hosts. For now we’re running on just the one, and even that is ample for the pilot.

We installed Server 2016 Core running the Hyper-V role, which was simple enough. The Core install looks to be a tad more polished in Server 2016; although not new, the sconfig tool got the main settings entered with fairly minimal fuss.

yes it will go back in the rack once we’re done with it!

Getting the OS to update correctly wasn’t so simple due to a bug in the update mechanism in the initial release of Windows 10 1607 and its equivalent Server 2016 release. Update status was stuck on “Downloading” with no sign of progressing. In the end, manually installing the latest cumulative update from the Microsoft Update Catalog did the trick, e.g.

wusa.exe windows10.0-kb3213986-x64_a1f5adacc28b56d7728c92e318d6596d9072aec4.msu /quiet /norestart

Server roles

With Hyper-V up and running the next stage was to install our guests. We went with 3 VMs set up as follows:

  • Connection Broker \ RD Licensing
  • RD Web Access \ RD Gateway
  • RD Session Host

The original plan was to try and embrace the Server Core concept and only install the GUI where absolutely necessary. With that in mind we made the first two servers with Core and only the Session Host with a GUI. More on that soon… (!)

RDS deployment wizard Role Services

Running the deployment through Server Manager on my desktop was easy going; Microsoft have done good work with this and the deployment doesn’t seem too far removed from the 2012 R2 guides I’ve been looking at online. We added each server to the roles as per above, got to the final screen and hit the magic Deploy button, then…

"Unable to install RD Web Access role service on server"

Role service... Failed
Deployment... Cancelled

Well that didn’t go to plan! We had a look online, trying to find reasons for the failures, and went through some initial troubleshooting: making sure all recent updates were installed and that each server’s patch level matched exactly, and enabling PowerShell remoting on each VM so Server Manager could reach them…

Enable-PSRemoting -force

…still no joy until we found this little nugget of information…


So it appears the RD Gateway \ RD Web Access role services aren’t supported on Server Core. Of course we wouldn’t want the web-facing part of the deployment running on a server with a reduced attack surface, would we Microsoft… not impressed!


To confirm the hypothesis, running Get-WindowsFeature on Server 2016 Core gives this…

Server Core

and on Server 2016 with GUI gives this…

Server with GUI
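As an added example (not code from the original post), the two checks described above can be scripted before pressing Deploy: whether every server has the same patches installed, and whether each target server can actually install the role services it is about to be given, which is exactly what catches the Core problem. The server names, the feature-to-server mapping and the external gateway name are placeholders, and the script assumes PowerShell remoting is enabled on the three VMs, as done above.

```powershell
# Added example, not from the original post. Placeholders: replace with your own FQDNs.
$Broker      = 'rdcb01.corp.example.com'
$WebGateway  = 'rdweb01.corp.example.com'
$SessionHost = 'rdsh01.corp.example.com'
$Servers     = @($Broker, $WebGateway, $SessionHost)

# Role services each server must be able to install. On Server Core the two web-facing
# ones (RDS-Web-Access, RDS-Gateway) are either missing from Get-WindowsFeature or show
# InstallState 'Removed', which is what makes the deployment wizard fail.
$Required = @{
    $Broker      = @('RDS-Connection-Broker', 'RDS-Licensing')
    $WebGateway  = @('RDS-Web-Access', 'RDS-Gateway')
    $SessionHost = @('RDS-RD-Server')
}

function Test-RdsRoleAvailability {
    param([hashtable]$RequiredFeatures)
    $problems = @()
    foreach ($server in $RequiredFeatures.Keys) {
        $features = Invoke-Command -ComputerName $server -ScriptBlock {
            Get-WindowsFeature -Name RDS-* | Select-Object Name, InstallState
        }
        foreach ($name in $RequiredFeatures[$server]) {
            $f = $features | Where-Object Name -eq $name
            if (-not $f -or $f.InstallState -eq 'Removed') {
                $problems += [pscustomobject]@{
                    Server  = $server
                    Feature = $name
                    State   = if ($f) { $f.InstallState } else { 'Not present' }
                }
            }
        }
    }
    return $problems
}

function Compare-RdsPatchLevel {
    param([string[]]$Computers)
    # Collect hotfix IDs per server and report anything that is not installed everywhere.
    $hotfixes = @{}
    foreach ($c in $Computers) {
        $hotfixes[$c] = (Get-HotFix -ComputerName $c).HotFixID | Sort-Object -Unique
    }
    $all = $hotfixes.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($kb in $all) {
        $missing = $Computers | Where-Object { $hotfixes[$_] -notcontains $kb }
        if ($missing) {
            [pscustomobject]@{ HotFixID = $kb; MissingOn = ($missing -join ', ') }
        }
    }
}

$roleProblems  = @(Test-RdsRoleAvailability -RequiredFeatures $Required)
$patchProblems = @(Compare-RdsPatchLevel -Computers $Servers)

if ($roleProblems -or $patchProblems) {
    $roleProblems  | Format-Table -AutoSize
    $patchProblems | Format-Table -AutoSize
    throw 'Fix the items above before deploying.'
}

# Standard session deployment, then the gateway and licensing roles are added to it.
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $WebGateway -SessionHost $SessionHost
Add-RDServer -Server $WebGateway -Role RDS-GATEWAY -ConnectionBroker $Broker -GatewayExternalFqdn 'rds.example.com'
Add-RDServer -Server $Broker -Role RDS-LICENSING -ConnectionBroker $Broker
```

Run it from the machine you use for Server Manager with an account that is a local administrator on all three VMs. A Core server given the RD Web Access or RD Gateway role will show up in the first table with State Removed or Not present, which is the same failure the wizard reports, just before anything has been half-deployed.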

Published names & certificate fun and games

After begrudgingly re-installing one of the VMs with a GUI (Server 2016 no longer lets you convert a Core install to the full GUI in place) we managed to get past the final Deploy page with 3 success bars 🙂

The first key setting we were asked for was the external FQDN for the RD Gateway, which was added to our ISP-hosted DNS records. We use a wildcard certificate to cover our external-facing SSL needs, nothing out of the ordinary there, and went on to apply it to each of the four roles specified by the RDS Deployment wizard (RD Gateway, RD Web Access, RD Connection Broker publishing and RD Connection Broker single sign-on). A Session Collection was created for a test group and pointed at the new Session Host. All looking promising.

The RD Gateway FQDN naming in itself wasn’t a problem, but it led us to an interesting part of the setup relating to SSL certificates and domains. Once we had the RDS services accessible from outside the network (see below) I fired up my 4G tethering to give it a test.

The connection worked but threw up a certificate warning, and it was obvious to see why. Our wildcard certificate is for * but the Connection Broker’s published FQDN, which defaults to the broker’s internal Active Directory name, is and therefore isn’t covered.

Fortunately a Powershell script called Set-RDPublishedName exists to change this published name and works a treat! Grab it from

You’ll also need to ensure that you can resolve the new published name internally; depending on how your internal domain relates to your external one you may need a split-brain DNS setup, i.e. an internal zone for the external name with records pointing at the internal addresses. More on that can be found at:


Set-RDPublishedName script in action
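The certificate warning above comes down to one question: does the certificate bound to the gateway cover every name a client will be shown? The following is an added example (not the Set-RDPublishedName script, nor code from the original post) that answers it on the RD Gateway by reading the Subject Alternative Names of the bound certificate and applying the wildcard rule SChannel and browsers use: a `*` matches exactly one DNS label, never the bare domain and never two labels. The server name, thumbprint and the list of names to check are placeholders.

```powershell
# Added example, not from the original post. Placeholders throughout.

function Test-NameCoveredByCert {
    param([string[]]$CertDnsNames, [string]$Name)
    $name = $Name.ToLowerInvariant().TrimEnd('.')
    foreach ($pattern in $CertDnsNames) {
        $p = $pattern.ToLowerInvariant().TrimEnd('.')
        if ($p -eq $name) { return $true }
        if ($p.StartsWith('*.')) {
            $suffix = $p.Substring(1)                     # '*.example.com' -> '.example.com'
            if ($name.EndsWith($suffix)) {
                $left = $name.Substring(0, $name.Length - $suffix.Length)
                # The wildcard stands in for exactly one non-empty label, so
                # 'rds.example.com' matches but 'a.b.example.com' and 'example.com' do not.
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-RdsNameCoverage {
    param([string]$GatewayServer, [string]$Thumbprint, [string[]]$NamesClientsSee)
    $dnsNames = Invoke-Command -ComputerName $GatewayServer -ScriptBlock {
        param($tp)
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
        if (-not $cert) { throw "Certificate $tp not found in LocalMachine\My" }
        # DnsNameList is the parsed SAN list PowerShell exposes on X509Certificate2 objects
        @($cert.DnsNameList.Unicode)
    } -ArgumentList $Thumbprint
    foreach ($n in $NamesClientsSee) {
        [pscustomobject]@{
            Name    = $n
            Covered = Test-NameCoveredByCert -CertDnsNames $dnsNames -Name $n
        }
    }
}

# Names a client is shown during a full connection (placeholders): the external gateway
# name, the RD Web Access name, the broker's default published name (its AD FQDN) and the
# name you switch to with Set-RDPublishedName.
$names = @(
    'rdgw.example.com',
    'rdweb.example.com',
    'rdcb01.corp.example.local',
    'rds.example.com'
)
Get-RdsNameCoverage -GatewayServer 'rdweb01.corp.example.local' `
                    -Thumbprint 'THUMBPRINT-OF-WILDCARD-CERT' `
                    -NamesClientsSee $names | Format-Table -AutoSize
```

With a `*.example.com` certificate the output shows the first, second and fourth names as covered and the broker’s `.local` name as not, which is the warning seen over 4G. The matching function also works offline against a list of SANs, so it can be used to sanity-check a certificate request before buying it.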

External access via Azure AD Application Proxy

We published the RD Gateway and RD Web Access via our new shiny Azure AD Application Proxy for a few reasons…

  • simplicity, no inbound firewall rules or DMZ required; the on-premises connector only makes outbound connections to Azure
  • security, Azure AD can pre-authenticate users (with Conditional Access and MFA if you want) before any request reaches RD Web Access
  • SSO, Kerberos Constrained Delegation signs the user into RD Web Access as part of their Office 365 login

I followed the excellent guides from Arjan Vroege’s blog for this, in particular the section regarding how to edit the RD Web Access webpage files… nice work Arjan!

Publish your RDS Environment with Azure and AD Proxy – Part 1 –
Publish your RDS Environment with Azure and AD Proxy – Part 2 –
Publish your RDS Environment with Azure and AD Proxy – Part 3 –

As per my previous post on Azure AD Application Proxy & Kerberos delegation use the command below to add the SPN record (replace the FQDN and server name as appropriate)

setspn -s HTTP/ servername
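As an added example (not from the original post or Arjan’s guides), here is the full Active Directory side of that SSO, with placeholder names: RDWEB01 runs RD Web Access under Network Service, so the SPN belongs to its computer account, and CONNECTOR01 is the server running the Application Proxy connector. It adds the SPN only after checking it isn’t already registered elsewhere, then grants the connector constrained delegation with protocol transition to that one SPN, and finally lists what the connector can now delegate to. If your RDWeb application pool runs as a domain service account instead, register the SPN on that account rather than the computer.

```powershell
# Added example, not from the original post. Placeholders: RDWEB01, CONNECTOR01, rdweb.example.com.
Import-Module ActiveDirectory

$RdWebServer   = 'RDWEB01'
$RdWebSpn      = 'HTTP/rdweb.example.com'   # the internal URL the connector forwards to
$ConnectorHost = 'CONNECTOR01'

# 1. A duplicate HTTP SPN breaks Kerberos for the name silently (clients fall back to NTLM
#    or fail), so refuse to continue if it already exists on some other account.
$existing = setspn -Q $RdWebSpn 2>&1
$text = $existing -join "`n"
if ($text -match 'Existing SPN found' -and $text -notmatch "CN=$RdWebServer,") {
    throw "SPN $RdWebSpn is already registered on another account:`n$text"
}
# -S (rather than -A) re-checks for duplicates before adding
setspn -S $RdWebSpn $RdWebServer

# 2. Constrained delegation: the connector may obtain service tickets for this SPN on behalf
#    of users Azure AD has already authenticated. Because those users never did Kerberos to
#    the connector this needs protocol transition, i.e. the 'Use any authentication protocol'
#    option, which is the TrustedToAuthForDelegation flag.
Set-ADComputer -Identity $ConnectorHost -Add @{ 'msDS-AllowedToDelegateTo' = $RdWebSpn }
Set-ADAccountControl -Identity "$ConnectorHost`$" -TrustedToAuthForDelegation $true

# 3. Review the result. Protocol transition lets the connector impersonate any domain user to
#    the listed SPNs without their password, so the list should contain only what the proxy
#    publishes; anything extra widens what a compromised connector host can reach.
Get-ADComputer -Identity $ConnectorHost -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' } }
```

Run it as a domain admin (or an account delegated rights over both computer objects). The third step is worth repeating whenever another application is published through the same connector, since the delegation list only ever grows.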

When done the end result is a seamless login to RD Web Access via the Azure AD login page. In our case the link will eventually end up as a button on our Office 365-based Staff Intranet, therefore not requiring any further logins to get to the RDWeb app selection screen.

I particularly wanted to avoid the RDWeb login screen, which I’m amazed in 2017 still requires DIY hacks to avoid the requirement to log in with the DOMAIN\username format. I thought Microsoft would’ve improved that in the Server 2016 release but evidently not.

One more gotcha

So having done all the hard work above preparing the login all that was left was to click the Remote Desktop icon and enjoy, right? Wrong.

After running the Set-RDPublishedName script the certificate warning went away and I could see the change to the new wildcard-friendly name, however the connection attempt now failed with the error “Remote Desktop can’t connect to the remote computer *connectionbrokername* for one of these reasons”

connection failure after changing Published Name

Neither explanation made any sense as the connection was working perfectly fine until changing the Published Name. Indeed changing it back to the original FQDN of the Connection Broker restored service so it had to be something to do with that. After being stumped initially I came back after food (always helps!) then after a bit more research found this very helpful post:


It turns out the new FQDN we set when changing the Published Name also needs to be added to the RD Gateway’s local computer group for the Connection Brokers, RDG_RDConnectionBrokers.

This group is used to approve connections in the Resource Authorization Policies (RD RAP) section of RD Gateway Manager: the RAP lists which internal computers users are allowed to reach through the gateway, and the client asks the gateway for whatever name the broker published. By default only the broker’s domain FQDN is in the list (as you’d expect), so unless you add the new Published Name the gateway denies the connection.

To add your external published name follow these steps:

  • Server Manager > Tools > Remote Desktop Services > Remote Desktop Gateway Manager
  • expand your RD Gateway server > Policies > Resource Authorization Policies
  • Click Manage Local Computer Groups on the right hand pane
  • Select RDG_RDConnectionBrokers > Properties
  • Click the Network Resources tab
  • Type the FQDN of the Published Name you supplied to the PowerShell script earlier, then click Add
  • OK all the way out then try your connection again

RD Gateway Manager

The example below replaces the real server names with dummy entries but should illustrate the concept. The same scenario applies if your servers exist in a .local Active Directory domain (which will be the top entry) and your external domain is something different (again, remember to sort out internal DNS zone entries to suit).

Manage RDG_RDCBComputers group
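The same change can be made from PowerShell on the RD Gateway, which is handy when you have more than one gateway to keep in step. This is an added example, not from the original post: it uses the RDS: drive that the RemoteDesktopServices module provides on a gateway server. The group name and published name are placeholders, and the path layout under RDS:\GatewayServer is assumed, so list it first and adjust if your provider shows it differently.

```powershell
# Added example, not from the original post. Run on the RD Gateway itself.
Import-Module RemoteDesktopServices

$Group         = 'RDG_RDConnectionBrokers'          # the gateway-managed computer group the RAP uses
$PublishedName = 'rds.example.com'                  # the name passed to Set-RDPublishedName
$GroupPath     = "RDS:\GatewayServer\GatewayManagedComputerGroups\$Group\Computers"

function Add-RdGatewayGroupMember {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) {
        throw "Group path $Path not found; check Get-ChildItem RDS:\GatewayServer\GatewayManagedComputerGroups"
    }
    if (Test-Path (Join-Path $Path $Name)) {
        Write-Verbose "$Name is already in the group"
        return
    }
    New-Item -Path $Path -Name $Name | Out-Null
}

# Before: by default only the broker's AD FQDN is present.
Get-ChildItem $GroupPath | Select-Object Name

Add-RdGatewayGroupMember -Path $GroupPath -Name $PublishedName -Verbose

# After: both the internal FQDN and the wildcard-friendly published name are trusted.
Get-ChildItem $GroupPath | Select-Object Name
```

Keep the group tight: every name in it is a computer the gateway will happily tunnel RDP to for anyone who passes the Connection Authorization Policy, so add the published name and nothing else.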

Finishing touches

Once all the above is done you should then get a connection. There is one seemingly unavoidable credential prompt when the RDP session itself starts: the Kerberos-delegated web login never gave RD Web Access the user’s password, so the ActiveX RDP control has nothing to pass along and asks for it. Perhaps one day Microsoft will update that control (we live in hope). It seems you can use the UPN style format here, which is handy as it keeps things consistent. It does at least mean the Session Host authenticates the user directly rather than trusting a cached web credential, so it’s not the end of the world.

Now the connection itself is sorted out all that’s left is to tweak the Session Host to our requirements. This guide gives some nice pointers on locking down the server via GPO:


We also push out a custom Start Menu using the newer Windows 10 1607 GPO settings along with the Export-StartLayout command. Finally, install any programs required, remembering to put the Session Host into install mode first so that per-user application settings are captured for all users:


change user /install

Then once done

change user /execute

Now enjoy 🙂

Connection to Server 2016 RDS Session Based desktop via RD Web Access \ RD Gateway


Attack of the Chromes: a Google Apps adventure begins

I’ve been watching the growth of Google’s Chrome OS for some time now – scarily about 4 years have gone by since they first appeared on the radar.

Recently I had the chance to get some in to work with first-hand as part of our STEM Centre project. It’s a new modern learning space and part of that vision involves the effective use of mobile devices.

Dell Chromebook 11 ready for action

Why Chromebooks?

There’s no denying the price point and simplicity of the Chromebook model so even though we’re an Office 365 site at present it would be foolish not to try the Google platform, especially with many of our courses already using online resources via Moodle and similar web platforms. This post covers our first steps along the way and a couple of tips and tricks to get you started if you’re in a similar position 🙂

The Chromebook is an interesting product for education and one that’s been discussed at length over at the Edugeek forums. First revisions of the platform weren’t quite there but looking at Chrome OS now it’s a lot more mature in terms of both concept and implementation. The hardware available has also moved up a level in terms of performance and quality as manufacturers have perhaps shown more faith in the Chrome OS platform.

One interesting point from the past that still hasn’t quite been resolved is Android vs Chrome OS, as it stands still two separate products but with some interesting convergence ideas showing through. On one hand there’s ARC Welder allowing Android apps to run in Chrome, and then there’s the Microsoft Surface-inspired Pixel C hybrid that could be an effective vehicle for either platform. Just to add another option into the mix you can also now get touch-screen Chromebooks (!)

Which device?

After a video conference with our Google Account Manager to discuss the platform in more detail we decided to get a couple of different devices in on trial. This included the HP Chromebook 11 and 14, plus the Dell Chromebook 11. The latter is particularly interesting as it’s built with the education market in mind and should be a bit more robust in the long term, as proven by this teardown article that pitches the Dell device against the equivalent Acer model:


One word of advice that we were given is to pay the little bit extra for a 4GB RAM model to avoid performance issues when browsing media-rich sites and \ or using multiple tabs. Thus far the Dell Chromebook 11’s haven’t skipped a beat in use so I’d agree with this recommendation.


The HP G3 14″ is an interesting device for its larger screen size, although from reading around I had some performance doubts related to the ARM Tegra processor. We’re not yet sure if 11″ is enough screen estate for students to work comfortably but the pilot projects will give us some feedback on that front. A 13″ device would be ideal, Dell are launching one but it looks somewhat more expensive than the 11″ version and aimed more at business customers.

In the end we bought in 6 Dell Chromebook 11’s from Haptic Networks to use in the STEM centre alongside a parallel trial of Microsoft Surface 3 tablets (more on that another time).

Thus far the people I’ve shown them to have been impressed by their lightweight sturdy build and solid keyboard (something that’s not quite up to the same standard on the HP devices). Battery life also looks very promising.

The only gripe I have with the Dell units is the fact someone, in their infinite wisdom decided to place a grinning lizard as a non-configurable logon screen wallpaper. There’s currently no way to change it from the Chrome admin console and it seems Dell aren’t too bothered about providing a solution either. I’m just glad the logon box covers up most of the image but even so… a lizard… why?!

Getting started tips and tricks

Although Chromebooks are pretty simple to get up and running using the online management portal, there are a couple of tips I’ll share from my initial experiences.

Update in Guest Mode before doing anything else

Although our batch of Dells arrived in one shipment they all had different versions of Chrome OS installed, as they’d been produced at different times. The visual differences are subtle but noticeable when all running side by side.

The quickest way I’ve found to get them up to date is to log in using the Guest mode option, preferably on a direct Internet connection then navigate to this URL in the browser:


Of course you can do this through the menu but this is so much quicker than pointing and clicking 😉
On two of our devices with the oldest out-the-box OS versions the first update run didn’t get them up to the newest Chrome OS so you may need to repeat the process.

Retrieving device MAC addresses

You may need to retrieve the MAC address of the devices for your Wi-Fi system or asset management records. The GUI way of doing this is a bit click-heavy and requires you to be connected to a network first. Alternatively you can do it a quicker way:

  1. in the browser navigate to chrome://system
  2. do a CTRL+F on the page and search for ifconfig
  3. the MAC address is listed under HWaddr

Resetting a device ready for enrolment

If you receive your Chromebooks before having completed your Google Apps registration it can be tempting to sign into the Chromebook with a consumer Google Account to try them out. This works OK until you then try to enrol the Chromebook as a managed device, at which point it promptly fails as per Google’s documentation below. The KB article also explains how to completely wipe the device using Developer Mode so you can repeat the out-of-box setup process.


Enrolling a device is simple using a keyboard shortcut that will soon become muscle memory: CTRL + ALT + E


Proxy problems

A page about cloud services wouldn’t be complete without a proxy-related caveat and the Chromebooks are no exception. Initially none of them connected after they switched networks from the direct-connected (NAT) temporary SSID I’d used for setup to the proxied one defined in the policy manager.

My first thought was to switch from Auto Detection using WPAD to a manually-specified proxy address. That change worked wonders almost immediately and I soon had login screens instead of connection failed errors… apart from two devices…

After putting all 6 Chromebooks in a line and rebooting them at the same time I soon found the same two devices failed every time. As far as I knew everything had been updated so it didn’t initially make sense why two were behaving differently from the rest.

After double-checking the Chrome OS versions it then became apparent two hadn’t fully updated and were sitting on Chrome OS 45.x instead of the new 46.x release. After moving them back onto the direct connection for another round of updates they then started behaving.

Moral of the story comes back to my first bit of advice: update, update, update!

It’s also worth running the Chrome Connectivity Diagnostics app on your devices if you suspect any network-related issues:


Next steps

Now the devices are up and running we need to start provisioning users into the Google Apps tenancy. For that we’ll need to install and configure GADS (Google Apps Directory Sync) and GAPS (Google Apps Password Sync) to sync users and passwords from Active Directory. For now Gmail has been turned off until a decision is made about where email lives in future (as it’s not something we’d change part-way through an academic year).

Now just a matter of waiting for some initial user feedback to see how they get on with the Chromebooks and in what contexts they become an effective learning tool 🙂

Dell Venue Pro 11 – hands on review

As part of our Microsoft Dynamics CRM project we needed to spec up some suitable tablets for staff to use when visiting customers off-site for filling in details, checking documents and so on.

One of the requirements from the team who asked for the devices was that they run Microsoft Office; immediately that rules out iPads (without upgrading staff to the paid A3 plan at least, more on that another time) and Android devices so we looked at the selection of Windows 8 devices on the market to find something suitable.

The 8″ tablets such as Dell Venue 8 Pro, Toshiba Encore and Lenovo Tablet 8 are very portable, which ticks one box but aren’t really suitable as they can’t have a keyboard attached and also don’t come with the nice extras such as a full-size USB port, which can come in handy from time to time. On top of that using an 8″ screen for large amounts of text entry isn’t going to be an enjoyable experience for many people so we needed to look at something larger.

Moving onto 11″ devices the obvious choice was the Surface range. However, Windows RT is too restrictive if we need to run classic “Desktop” software (more than likely), which includes simple yet important applications such as VPN clients. In addition the ARM-based OS seems to be on a one-way trip to oblivion anyway, so it didn’t seem a sound investment at full price rather than the bargain-basement £199 RT giveaway Microsoft made last year to clear their unsold stocks.

The original Surface Pro is currently on offer at a good price for students \ education but it’s a bit too bulky and battery life not really that great. The Pro 2 addresses some of those issues but comes at a price; the i5 CPU is really overpowered for most of the tasks we have in mind for it so doesn’t make sense to pay for power we won’t use.

Lenovo impressed me with their Thinkpad 8 but right now a 10\11″ version is nowhere to be found, with that in mind we have to pass them by for now although will definitely revisit in the coming months if \ when they launch a suitable product.

Finally step forward the Dell Venue 11 Pro, a tablet I first saw at the BETT show after mistaking it for a Surface, such is the similarity of design when viewed from a distance. Microsoft don’t seem to like people constantly referring back to the Surface range when talking about “Windows 8 tablets” but until something else comes out with that same “wow” factor in terms of design and build quality it’s still the point of reference (imo). When up close the curved edges on the Venue Pro give it away, as does the soft-touch rear cover vs the Surface’s magnesium case.

Imitation is the sincerest form of flattery: Surface RT (left) and Dell Venue 11 Pro (right)

What’s so interesting about the Venue Pro 11?

What sets the Dell apart from Microsoft’s range is the offer of what I feel is the sweet spot of an 11″ device, running the full version of Windows 8.1 but at a more affordable price point thanks to the offering of Atom and i3 CPUs alongside the flagship i5. It’s something I’ve been going on about ever since the first Surfaces were released so good to see an OEM stepping up to the mark to cover the ground Microsoft didn’t want to. I’ve heard good things about the Bay Trail Quad Core Atom so didn’t have any reservations about its suitability, unlike previous devices from last year where the last-gen Atoms weren’t really up to task.

Dell also offer two different keyboard options that give the option of turning the device into a pseudo-laptop, along with Office and classic “Desktop” software it means users can get real work done out on the road. The Venue Pro also comes with a built-in digitiser and thus supports an active stylus for those who need the additional accuracy such a peripheral offers.

After much to-ing and fro-ing with Dell we eventually got hold of an evaluation unit. At the time no keyboards were in stock (I believe due to a recall and re-design of the keyboard magnets which caused early units to lose their connection to the device). We’ve since received 4 sets of keyboard and stylus as part of a further order and all seem to be working OK.

Our units as reviewed feature the quad-core atom Z3770, WiFi only, 64GB storage, 2GB RAM, Dell Slim Tablet keyboard and Dell Active Stylus

Design and practicality

I regularly use a Surface RT for note-taking (OneNote) and general Internet browsing so many of my observations are based on comparing the two. Weight-wise the Venue Pro is slightly heavier, sitting somewhere between the RT and Pro. In an ideal world it’d be the same weight as the RT but battery life and full Windows 8 make that extra bit of weight worthwhile, although hopefully something that will be addressed in time.

The charger port uses a standard Micro-USB lead rather than the more funky (some might say awkward?) magnetic arrangement on the Surface range, other than that expansion is standard fare. That aforementioned USB port means additional storage is just a USB stick away. We’ve added a memory card to our devices as a cheap and easy way to extend the on-board capacity in case photos etc. need to be stored on a regular basis. Yes it won’t be as fast as the built-in SSD but for storing data it doesn’t need to be and works out much cheaper than buying the larger capacity models.

The removable battery sits behind the soft touch plastic rear cover, which can be a bit fiddly to open (my ID card works well for popping it open!) but means servicing a worn-out battery will be a simple task if it needs to be done in the future.

Keyboard cover \ stand

Unlike the Surface the Venue Pro has no way of standing up on its own so you’ll need either a 3rd party cover or the Dell keyboard cover to use it in “laptop” mode. We opted for the Slim keyboard as we needed to keep the overall size / weight of the device down, again comparisons with the Surface crop up.

The keyboard also doubles up as a cover, with a fabric front embossed with the Dell logo and a holder for the stylus at the rear. Time will tell how well the latter stays there but initially it seems OK, the only thing to watch out for is the pen buttons getting pressed when you put the device down, probably won’t do it any harm but better to just twist it round for safety’s sake. It would be nice to have the pen recessed into the side of the device like Lenovo did with their Tablet 2 but space constraints may prevent this I suspect.

The keyboard attaches in a similar way to the Surface, using magnets to hold it securely in place. Putting the cover into stand mode requires a few moments’ thought and a bit of origami: you fold part of the stand around to make a triangular support, then a hidden magnetic fixing holds it in place. Depending on which way you fold the stand you get two different screen angles. Once set the stand is steady and held in place securely for touch input etc. It’s not quite as slick as the kickstand design Microsoft use but still perfectly usable, and is the price you pay for the removable battery (given the choice which would you prefer? comment below!)

Standing tall – Venue 11 Pro keyboard cover and Surface RT kickstand in action

Whereas the Surface keyboard uses keys that have a mechanical travel to them the Venue Pro is more reminiscent of the ZX Spectrum-esque membrane keyboards from back in the day. For some of you that reference may fill you with dread and horror but fear not, it’s not that bad! The initial sensation is a bit strange as you realise there’s no real key travel but after slightly adjusting your typing style you can hit with decent accuracy and surprisingly quickly. One thing I did notice is that the hardware keyboard doesn’t deactivate when the cover is flipped back, hopefully that’ll be fixed in a BIOS update so the on-screen keyboard takes over as per the Surface’s default behaviour.

The touchpad is much larger and easier to use than that on the Surface, definitely a plus point for the Venue Pro when using older, non-touch oriented software.

In an ideal world I’d mix the two designs to make the ultimate slim keyboard; Surface keys with the Venue Pro’s touchpad but as it is the design is an acceptable compromise. Initial feedback from the users was good which is promising.

Stylus and Windows 8.1

We also took up the optional stylus as it could help with taking digital signatures, which could help avoid a bit more paperwork when out and about. The stylus needs 1xAAA battery to operate but being part of a proper digitiser is recognised immediately by the OS and as such works slickly in apps such as OneNote. Reaction time is impressively quick, although I remember old Windows XP tablets (OK huge 15″ laptops with a touchscreen!) that worked similarly well but it’s good to see the technology finally getting a platform where it feels more at home.

As with other active styli you can hover over the device without pressing on it, but for general Windows 8 navigation I actually prefer a standard capacitive pen and then use the stylus for more fine-grained input. The reason for that is that some of the Windows 8 gestures don’t seem to work when using an active stylus; in this case it seems to be treated more like a mouse, hence for 99p or thereabouts on eBay mix and match the two depending on application.

On a related note I find that when navigating Windows 8 by touch I very rarely use my finger; having the extra reach via a stylus feels more natural and avoids stretching to interact with the device, which may be an RSI time-bomb waiting to happen.

Although they’re a love \ hate thing for many people the gestures used in 8.1 do become quite natural after a while on a touchscreen device, particularly the ones that manipulate windows into split screen mode and pulling out the Charms bar to share information to OneNote and suchlike. On a desktop \ laptop I don’t use them at all and rely much more on keyboard shortcuts to avoid dragging my mouse right across the screen to activate hot corners.

Screen quality & performance

The screen itself is a quality 1920×1080 IPS panel, when running at full brightness it’s definitely a match for that on the Surface. Colours look bright and vivid, text is easily readable and so on. The Venue 11 does seem to dim its display more often than the Surface though, something which could do with tweaking as it’s not so impressive at lower brightness levels.

When Windows tablets are reviewed many people often suggest that the Atom based models can be sluggish but our units seemed to run well during testing. OK it’s not going to cope well if you hammer it with Photoshop and video editing but using a tablet for those sort of tasks seems to be the wrong answer to the wrong question for all but the most niche use cases in my opinion.

Boot times felt suitably slick, something Windows 8.1 does very well generally and opening Office applications, web browsers and so on all zip along without any noticeable lag.

The verdict…

The Venue 11 Pro offers a viable alternative to the Surface range whilst providing a choice for potential buyers to match CPU, memory, storage and accessory options to their needs.

The Asus Transformer T100 is probably the closest competitor in the full Windows segment of the market and which one you go for probably comes down to whether you’re willing to pay a bit extra for the higher resolution screen, slightly faster Atom chip and option of having a slim keyboard to save weight rather than netbook-sized one on the Asus.

At the time we paid £329 (ex VAT) for the tablet itself which, for the Atom model, is pretty competitive. The prices seem to be changing quite regularly, although there’s still a sub-£350 offer on Dell’s site here, but educational users should be able to get a chunk of £££ off via the Shape the Future programme.

Overall then, a solid effort from Dell and along with Windows 8.1 (and recent updates) makes this Windows tablet a viable proposition for students and staff alike.


Improvements for the next revision

If Dell continue with the Venue Pro branding I’d like to see a few improvements for the next version. Fingers crossed they’ll take them into account…

  1. shave 200-300g off the product to bring it into Surface RT weight range (or lower).
  2. revise the slim keyboard to give a bit more key travel, basically Surface key action with the Venue Pro’s large touchpad would be ideal
  3. reduce the price of the keyboard accessory, the markup on these items (Microsoft guilty of it too) must be obscene!
  4. find enough room to make the stylus fit inside the tablet’s chassis aka Lenovo Tablet 2 rather than sitting on the outside of the keyboard cover

If Dell can do that they’ve pretty much made my ultimate Windows 8 device, challenge accepted?