Parallels RAS can be installed in both Workgroup and Active Directory (AD) environments where end users, RAS servers, and RDS servers belong to the same AD forest (domains with a single root domain) or to multiple forests with trust relationships. Domains and workgroups represent different methods of organizing computers in a network; the main difference between them is how the computers and other resources on the network are managed. For better manageability and scalability, and following Microsoft recommendations, Parallels recommends the use of domains, where:
One or more computers are servers. Network administrators use servers to control security and permissions for all computers in the domain. This makes it easy to make changes because they are automatically made to all computers. Domain users must provide a password or other credentials each time they access the domain.
If you have a user account on the domain, you can log in to any computer in the domain without needing an account on that computer.
There can be thousands of computers in a domain.
The computers can be on different local networks.
File, folder, and user and group permissions can be assigned.
For a consistent display of personal data associated with a specific user and/or a customized desktop environment, irrespective of which TS/RDSH or VDI machine the user connects to, Parallels recommends the use of FSLogix Profile Container as a complete profile management solution with Parallels RAS.
To administer FSLogix Profile Container, you must be signed in as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
Client computers must be running Windows 7 and newer, or Windows Server 2008 R2 and newer.
Client computers must be joined to the Active Directory Domain Services (AD DS) that you are managing.
A file server must be available to host roaming user profiles or User Profile Disks.
If the file share uses DFS Namespaces, the DFS folders (links) must have a single target to prevent users from making conflicting edits on different servers.
If the file share uses DFS Replication to replicate the contents with another server, users must be able to access only the source server to prevent users from making conflicting edits on different servers.
If the file share is clustered, disable continuous availability on the file share to avoid performance issues.
For more information about deploying FSLogix Profile Container, visit https://docs.microsoft.com/en-us/fslogix/configure-profile-container-tutorial.
For information about migrating to FSLogix Profile Container, visit https://www.christiaanbrinkhoff.com/2020/02/14/youtube-how-to-migrate-from-upd-to-fslogix-profile-container-profiles-to-windows-virtual-desktop/.
To achieve high availability for FSLogix Profile Container on-premises, Parallels recommends using multiple SMB locations with a single VHD path and a Distributed File System Namespace in front of one or more SMB locations (note that only one SMB location can be active at a time), i.e. active-passive HA. DFSR can replicate NTFS-based SMB locations, but for ReFS a third-party synchronization tool is required, such as https://bvckup2.com/kb/beyond-robocopy.
For FSLogix Profile Container on Microsoft Azure, multiple storage solutions are available, the recommended ones being Azure Files or Azure NetApp Files. Additional best practices apply, such as setting up the storage solution in the same datacenter location and excluding the VHD(X) files used by Profile Container from antivirus scanning. For more information about FSLogix Profile Container and Azure deployment options, visit https://docs.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop-fslogix.
More information on DFS and DFSR can be found at https://technet.microsoft.com/en-us/library/jj127250.aspx.
The Domain Name System (DNS) is a hierarchical distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS allows you to use friendly names to easily locate computers and other resources on a TCP/IP network.
DNS is a key infrastructure component used by many Parallels RAS components. While file-based name resolution, such as the hosts file, may be sufficient in Proof of Concept (POC) environments, Parallels recommends implementing Active Directory integrated DNS in enterprise deployments.
Parallels recommends the use of the DNS zone integrated with Active Directory so that organizations can have the benefit of using secure dynamic updates, as well as the ability to use Access Control List (ACL) editing features to control which machines can update the DNS system.
Dynamic updates are a key feature of DNS, which allows domain computers to register their name and IP addresses with the DNS server automatically when they come online or change IP addresses through the DHCP server. The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis on each server that is configured to load either a standard primary or directory-integrated zone. By default, the DNS Client service dynamically updates host (A) resource records in DNS when the service is configured for TCP/IP. This form of update eliminates the need for manual entries of names and IP addresses into the DNS database.
A security concern arises when any client can automatically update the DNS database, because a malicious entry could then be created. Secure dynamic updates address this by verifying that the computer requesting the update also has an account in the Active Directory database. This means that only computers that have joined the Active Directory domain can dynamically update the DNS database.
More information on how DNS works can be found at https://technet.microsoft.com/library/cc772774.aspx.
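The following added example (not Parallels or Microsoft code) audits the primary zones on a DNS server for the configuration recommended above and enforces AD-integrated storage with secure dynamic updates only. It assumes the DnsServer RSAT module is installed and uses a placeholder server name.

```powershell
# Added example: audit and enforce AD-integrated zones with secure dynamic updates.
# Requires the DnsServer module (RSAT). The server name is a placeholder.
Import-Module DnsServer

function Get-DnsZoneUpdatePolicy {
    param([string]$ComputerName = 'dns01.corp.example')   # placeholder

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName       = $_.ZoneName
                IsDsIntegrated = $_.IsDsIntegrated
                DynamicUpdate  = $_.DynamicUpdate   # None, NonsecureAndSecure or Secure
                Compliant      = ($_.IsDsIntegrated -and $_.DynamicUpdate -eq 'Secure')
            }
        }
}

function Set-SecureDynamicUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = 'dns01.corp.example')   # placeholder

    $zones = Get-DnsZoneUpdatePolicy -ComputerName $ComputerName | Where-Object { -not $_.Compliant }
    foreach ($zone in $zones) {
        if (-not $zone.IsDsIntegrated) {
            # "Secure" updates require AD storage, so convert a file-backed zone first.
            if ($PSCmdlet.ShouldProcess($zone.ZoneName, 'Convert to AD-integrated zone')) {
                ConvertTo-DnsServerPrimaryZone -Name $zone.ZoneName -ReplicationScope Forest `
                    -ComputerName $ComputerName -Force
            }
        }
        if ($PSCmdlet.ShouldProcess($zone.ZoneName, 'Set DynamicUpdate = Secure')) {
            # Rejects updates from clients without a matching AD computer account.
            Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure -ComputerName $ComputerName
        }
    }
}

# Report first; run Set-SecureDynamicUpdate -WhatIf to preview the changes.
Get-DnsZoneUpdatePolicy | Format-Table -AutoSize
```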
In most Domain Name System (DNS) lookups, clients typically perform a forward lookup, which is a search based on the DNS name of another computer as it is stored in a host (A) resource record. This type of query expects an IP address as the resource data for the answered response.
DNS also provides a reverse lookup process in which clients use a known IP address and look up a computer name based on its address.
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
Parallels recommends the use of static or DHCP reserved IP addressing for Parallels RAS infrastructure servers.
For VDI, to create a RAS template from an existing host, the guest operating system (Windows) must be configured to obtain an IP address via the DHCP server. For a Provider Agent on a hypervisor, it is recommended to take note of the MAC address assigned to the appliance and add a DHCP reservation for it. If DHCP isn't available, a static IP address needs to be configured manually.
For Wyse clients, RAS Secure Gateway can act as a Wyse broker. Please ensure that DHCP option 188 on your DHCP server is set to the IP Address of this Gateway for thin clients that are going to boot via this gateway.
Note: Parallels RAS should not be installed on a domain controller or on any other server where a DHCP server is running.
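As an added example (not Parallels code) of the two DHCP steps above, the script below creates a reservation for a RAS infrastructure VM by its MAC address and sets DHCP option 188 on the scope to the RAS Secure Gateway address for Wyse thin clients. It assumes the DhcpServer RSAT module; the server, scope, MAC and IP values are placeholders, and the option type chosen for 188 is an assumption that depends on the thin-client firmware.

```powershell
# Added example: DHCP reservation for a RAS appliance and option 188 for Wyse clients.
# Requires the DhcpServer module (RSAT). All names and addresses are placeholders.
Import-Module DhcpServer

$DhcpServer = 'dhcp01.corp.example'   # placeholder
$ScopeId    = '10.0.10.0'             # placeholder scope
$GatewayIp  = '10.0.10.25'            # placeholder RAS Secure Gateway address

function Add-RasReservation {
    param([string]$Name, [string]$Mac, [string]$IpAddress)
    # Normalise the MAC as shown by the hypervisor (00:15:5D:..) to the dash form DHCP uses.
    $clientId = ($Mac -replace '[:\-\.]', '') -replace '(..)(?!$)', '$1-'
    $existing = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId -ErrorAction SilentlyContinue |
                Where-Object { $_.ClientId -eq $clientId }
    if ($existing) { return $existing }   # idempotent: do not create a duplicate
    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId -IPAddress $IpAddress `
        -ClientId $clientId -Name $Name -Description 'Parallels RAS infrastructure (reserved)' -PassThru
}

function Set-WyseBrokerOption {
    # Option 188 is not predefined on Windows DHCP: define it once, then set it on the scope.
    # Assumption: the broker address is delivered as an IPv4 address option.
    if (-not (Get-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 188 -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 188 -Name 'Wyse Broker' -Type IPv4Address
    }
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 188 -Value $GatewayIp
    # Read back to confirm what thin clients in this scope will receive
    Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 188
}

Add-RasReservation -Name 'ras-provider-agent' -Mac '00:15:5D:01:02:03' -IpAddress '10.0.10.30'
Set-WyseBrokerOption
```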
Parallels recommends considering the following Active Directory features.
Note: More information on Active Directory Domain Services can be found at https://technet.microsoft.com/en-us/library/bb742424.aspx.
A particularly useful type of directory object contained within domains is an organizational unit (OU). OUs are Active Directory containers into which you can place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
An OU can be used to assign Group policy settings for centralized management and configuration of operating systems, applications, and user settings in an AD environment.
Parallels recommends the use of OUs for the following:
Terminal Servers/Remote Desktop Session Hosts (RDSH) hosting applications and desktops should be placed in their own OUs. TS/RDSH usually require various group policies to be applied to them; for example, in a multi-user environment, policies may be needed to optimize the user experience and/or add security.
Different OUs for different TS/RDSH groups identified from the Parallels RAS Console can also be used to organize different application groups.
Servers in the same Parallels RAS site should reside in the same domain or in different domains with a full trust relationship between domains.
More information on Domain trusts can be found at https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx.
All servers that load-balance applications/desktops must be in the same domain if a domain security group is authorized to use the application.
Note: For the information on how to design an OU structure which works for your organization, visit https://technet.microsoft.com/en-us/library/2008.05.oudesign.aspx.
Security Groups
Security groups are used to assign permissions to shared resources. Different resources (virtual applications, desktops, VDI machines) can be assigned to different users/groups. Parallels recommends the use of Active Directory Security groups for better manageability if filtering is done via user/groups.
Once security groups are created in Active Directory and members are added to them, group-based filtering can be carried out from the Parallels RAS Console. This ensures that all members of a particular security group have access to the same published resources. For example, when a new user joins the company, they only need to be added to the Active Directory security group to gain access to the corresponding published resources.
Logical security group segregation can be based, for example, on the department a user belongs to or on the application/desktop that is to be delivered.
More details about Active Directory Security Groups can be found at https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx.
Note: By default, RAS published resources are available to all users in the domain unless restricted by filtering (User/group, Client, IP Address, MAC or Gateway access).
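The following added example (not Parallels code) builds the layout recommended in the OU and Security Groups sections above: a dedicated OU per TS/RDSH group for host-side policies and one global security group per published resource for use in the RAS Console user/group filter. It assumes the ActiveDirectory RSAT module; the domain DN, OU names, host groups and application names are placeholders.

```powershell
# Added example: idempotent OU and security-group layout for Parallels RAS.
# Requires the ActiveDirectory module (RSAT). All names below are placeholders.
Import-Module ActiveDirectory

$DomainDn = 'DC=corp,DC=example'   # placeholder

# Placeholder layout: RDSH group -> published resources it hosts
$Layout = @{
    'RDSH-Office'  = @('Office', 'Teams')
    'RDSH-Finance' = @('SAP-GUI', 'Dynamics')
}

function Ensure-Ou {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

function Ensure-AppGroup {
    param([string]$App, [string]$Path)
    $name = "RAS-App-$App"
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        # Global security group: this is the object selected in the RAS Console user/group filter,
        # so that a published resource is no longer visible to every domain user.
        $group = New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $Path `
                     -Description "Users allowed to launch published resource '$App'" -PassThru
    }
    return $group
}

$rootOu  = Ensure-Ou -Name 'ParallelsRAS' -Path $DomainDn
$groupOu = Ensure-Ou -Name 'Groups' -Path $rootOu
foreach ($rdsh in $Layout.Keys) {
    $hostOu = Ensure-Ou -Name $rdsh -Path $rootOu       # link host-side GPOs to this OU
    foreach ($app in $Layout[$rdsh]) {
        $g = Ensure-AppGroup -App $app -Path $groupOu
        '{0,-14} {1,-20} {2}' -f $rdsh, $g.Name, $hostOu
    }
}
```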
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory service containers: sites, domains, organizational units (OUs). The settings within GPOs are then evaluated by the affected targets using the hierarchical nature of Active Directory. Consequently, Group Policy is one of the top reasons to deploy Active Directory because it allows you to manage user and computer objects.
Apart from the Parallels RAS policies, which allow IT administrators to manage Parallels Client policies for all users on the network who connect to a server in the farm, Parallels recommends the additional use of group policies to manage different users and computer objects accessing the infrastructure. Group policies relating to user experience and/or security are to be linked with their respective OUs mentioned in the previous sections.
Recommended group policies include, but are not limited to, those listed below.
Logging in remotely requires users to have remote access rights to the remote server.
This can be carried out from Group Policy Management Console (GPMC), which is an administrative feature that can be installed via Server Manager or through PowerShell as described at https://technet.microsoft.com/en-us/library/cc725932(v=ws.11).aspx.
Once GPMC is open, edit the GPO and navigate to Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups. Right-click Restricted Groups, click Add Group, and add the user group that should be allowed to log in to the remote machine (TS/RDSH/VDI).
More information on how to add Domain Users/Group to the Remote Desktop Users group via Group policy can be found at https://technet.microsoft.com/en-us/library/cc725932(v=ws.11).aspx.
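As an added example (not Parallels code), the script below checks that the Restricted Groups policy described above has actually taken effect, by reading the local Remote Desktop Users group on each session host and flagging any member other than the authorized domain group. Host names and the group name are placeholders; it assumes PowerShell remoting is enabled on the hosts.

```powershell
# Added example: audit local "Remote Desktop Users" membership on RDSH/VDI hosts.
# Host names and the expected domain group are placeholders.
$Hosts    = 'rdsh01.corp.example', 'rdsh02.corp.example'   # placeholders
$Expected = 'CORP\RAS-RemoteLogon'                          # placeholder domain group

function Test-RemoteDesktopUsers {
    param([string[]]$ComputerName, [string]$ExpectedMember)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $ExpectedMember -ErrorAction Continue -ScriptBlock {
        param($want)
        # Get-LocalGroupMember reports domain principals as DOMAIN\name
        $members = @((Get-LocalGroupMember -Group 'Remote Desktop Users').Name)
        $extra   = @($members | Where-Object { $_ -ne $want })
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Members   = ($members -join ', ')
            # Unexpected members mean the policy did not apply or the group was changed locally
            Compliant = (($members -contains $want) -and ($extra.Count -eq 0))
            Extra     = ($extra -join ', ')
        }
    }
}

Test-RemoteDesktopUsers -ComputerName $Hosts -ExpectedMember $Expected |
    Sort-Object Compliant |
    Format-Table Host, Compliant, Members, Extra -AutoSize
```

Restricted Groups replaces the local group membership at each policy refresh, so a non-compliant host usually indicates the GPO is not linked to that host's OU or has not yet been applied.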
You can use the Group Policy Loopback feature to apply Group Policy objects that depend only on which computer the user logs in to. This is ideal when users already reside in their own OUs and new OUs have been created for the Terminal Servers/RDSH from which applications and desktops are published. Essentially, user settings are applied when users log in to those computer objects, in this case the Terminal Servers/RDSH.
This can be carried out from Group Policy Management Console (GPMC). Navigate to Computer Configuration\Administrative Templates\System\Group Policy and then enable the Loopback Policy option (Merge or Replace).
More information on loopback processing can be found at https://support.microsoft.com/en-us/kb/231287.
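The following added example (not Parallels code) scripts the loopback step above: it creates a GPO, sets the registry-backed loopback processing mode, links the GPO only to the RDSH OU, and reads the value back. It assumes the GroupPolicy RSAT module; the GPO name and OU distinguished name are placeholders.

```powershell
# Added example: loopback processing GPO linked to the RDSH OU.
# Requires the GroupPolicy module (RSAT). GPO name and OU DN are placeholders.
Import-Module GroupPolicy

$GpoName = 'RAS-RDSH-Loopback'                                  # placeholder
$RdshOu  = 'OU=RDSH-Office,OU=ParallelsRAS,DC=corp,DC=example'  # placeholder
$Mode    = 'Merge'                                              # or 'Replace'

function Set-LoopbackGpo {
    param(
        [string]$Name,
        [string]$TargetOu,
        [ValidateSet('Merge', 'Replace')][string]$Mode
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Loopback processing for RAS session hosts' }

    # The "Configure user Group Policy loopback processing mode" setting is registry-backed:
    # UserPolicyMode 1 = Merge, 2 = Replace under HKLM\Software\Policies\Microsoft\Windows\System
    $key   = 'HKLM\Software\Policies\Microsoft\Windows\System'
    $value = if ($Mode -eq 'Merge') { 1 } else { 2 }
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null

    # Link to the RDSH OU only, not the domain, so ordinary workstations are unaffected
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) { New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null }

    # Read the value back to confirm the setting landed in the GPO
    Get-GPRegistryValue -Name $Name -Key $key -ValueName 'UserPolicyMode'
}

Set-LoopbackGpo -Name $GpoName -TargetOu $RdshOu -Mode $Mode
```

With Merge mode the user's own OU policies still apply and the RDSH GPO's user settings win on conflict; Replace mode ignores the user's OU policies entirely on those hosts.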