(RDS) Tip of the Day: New RDS Capabilities in Windows Server 2016 for Service Providers
Remote Desktop Services (RDS) were significantly improved with the release of Windows Server 2016. Service providers can now build more functional and reliable Desktop-as-a-Service (DaaS) solutions for their customers, including VDI scenarios with GPU acceleration.
Here is the list of new RDS 2016 features and improvements that can be interesting for service providers:
- Windows 10-like experience
- New GPU acceleration capabilities – RemoteFX improvements and Discrete Device Assignment feature
- Personal Session Desktops – VDI, based on Windows Server 2016 inside the guest
- New traffic protocol – RDP v10
- Remote Credential Guard – protects credentials from being stolen during the logon process into RDS
- New RDS clients for Windows, MacOS, iOS and Android
- Optimized Connection Broker – handles many more requests and can store its DB in Azure SQL Database
- Simplified deployment of RDS in Azure
- Integrated MultiPoint Services
Official documentation page “What’s new in RDS 2016” is available here. Now let’s dig into the details.
From the end-user perspective RDS 2012 R2 looked very similar to Windows 8.1. A lot of regular office workers didn’t like that tablet-oriented UI on the terminal server. They wanted back an experience of Windows 7, but that required Windows Server 2008 R2 to be installed as a Session Host.
RDS 2016 looks exactly like Windows 10, which works great on the tablet and on the desktop. Most applications, that support Windows 10, will work the same inside the terminal session on RDS 2016. If end-users already know how to work inside Windows 10, they will adopt terminal sessions on RDS 2016 as well.
Some of you may wonder where the Edge browser is in Windows Server 2016 RTM. It was available in the Technical Previews, but was removed in the release version. This happened because Windows Server 2016 is based on the Long-Term Servicing Branch (LTSB) version of Windows, so it offers Internet Explorer 11 instead. Here is the explanation. But it doesn’t mean that you can’t install any other browser for end-users.
RDS 2016 also natively supports pen input. Customers can now use pen-enabled devices like Surface Pro or Surface Book and work with their applications using multi-touch and pen input inside RDS 2016.
GPU acceleration in Windows Server 2016
Windows Server 2016 offers you 2 options to provide GPU acceleration for virtual desktops:
- RemoteFX – virtual GPU adapter, that makes API redirection from the guest VM to physical GPU on the host.
- Discrete Device Assignment (DDA) – allows you to pass the physical GPU on the Hyper-V host into the guest VM.
RemoteFX was introduced in Windows Server 2008 R2 SP1 as a solution to provide virtual GPU acceleration for VDI scenarios. Windows Server 2012 also added RemoteFX support for Session Host scenarios (regular Terminal Server). In Windows Server 2016 RemoteFX was significantly improved again:
- RemoteFX now supports Windows Server 2016 as a guest. It means that service providers can build VDI solutions using Windows Server 2016 inside tenant VMs and license it through SPLA (remember: Windows 10 license is not available in SPLA).
- RemoteFX in Windows Server 2012 R2 could leverage only DirectX 11.1 and OpenGL 1.1. RemoteFX in Windows Server 2016 now also supports OpenGL 4.4 and OpenCL 1.1, which are required by modern graphics and 3D applications.
- RemoteFX GPU video RAM limit was extended from 256Mb to 1024Mb. Dedicated Video Memory now can be set directly without playing with monitor number and resolution. Depending on the amount of system memory assigned to the VM, this can provide up to a total of 2GB of video RAM (1Gb dedicated and 1Gb shared).
In real life it means that service providers can offer flexible VDI solutions to their customers:
- Physical GPU is shared among several users (RemoteFX). Can be used for high-density VDI scenarios with up to 2Gb of video RAM per user. It will be enough for regular office workers and employees, that need to work in Photoshop, AutoCAD, Solidworks and similar middle-weight GPU-powered solutions.
- Dedicated GPU for every user (DDA). Can be used for heavy graphics scenarios, where RemoteFX capabilities are not enough – CATIA, NX, Maya etc. DDA allows you to install graphics drivers inside the guest VM and leverage proprietary GPU technologies (e.g. CUDA). Keep in mind that modern GPU cards have several GPUs. For example, NVidia Tesla M10 has 4 GPUs onboard, and you can install several cards in the same server. So you can easily get 8+ users per server density, and every user will get his/her own dedicated GPU.
Here is an example of such a solution from NVidia. It leverages RemoteFX and DDA on Windows Server 2016 to provide NVidia-powered GPU acceleration, and can be extended to the cloud with Azure N-series VMs.
Personal Session Desktops
Personal Session Desktops functionality allows service providers to assign personal desktops to end-users, but based on Windows Server 2016 in the Guest VM instead of Windows Client OS (7/8/10).
The personal session desktop capability extends the session-based desktop deployment scenario in Remote Desktop Services to create a new type of session collection where each user is assigned to their own personal session host with administrative rights.
Personal Session Desktops in combination with RemoteFX and DDA, supported on Windows Server 2016 as a guest OS, allow service providers to build VDI solutions based on Windows Server 2016 on both levels – on the host and inside the guest. Such an environment can be licensed using Windows Server 2016 SKUs in SPLA. No need to ask “How can we buy Windows 10 for VDI scenario in SPLA” because you don’t need it anymore. Windows Server 2016, dedicated to a user, will provide the same functionality as a client Windows OS in a VDI scenario.
For example, a service provider can deploy a Desktop-as-a-Service solution on ten hosts with Hyper-V 2016 and discrete GPUs. Those hosts are used by 1000 end-users. Some of them don’t need graphics acceleration, for some of them RemoteFX will be enough, and DDA will be implemented for those who really need it. In such a case the service provider doesn’t need to buy 1000 Windows 10 VDA licenses, because Windows Server 2016 Datacenter per-core licensing can be used instead, which is much cheaper at such end-user density.
Windows Server 2016 and Windows 10 (build 1511 or newer) now use RDP v10, the new version of the traffic protocol used for RDS. The new protocol supports up to 4K resolution and introduces a new mode – AVC 444.
The main challenge to use AVC/H.264 as the one and only Codec in Remote Desktop scenarios is that text shows a halo effect with typical implementations of AVC/H.264. This is caused by the color conversion process that happens as part of the compression which throws away some of the chrominance information, as represented in the 4:2:0 format. To the human eye the lack of chrominance information is not as apparent with video content, however with Remote Desktop scenarios, where mostly text is used, it is something that is noticeable and users will perceive this as blurry. The AVC/H.264 standard defines the capability to use 4:4:4 format which doesn’t lose the chrominance during conversion, however typically this isn’t part of most AVC/H.264 hardware encoder and decoder implementations and thus provides a challenge. To show the difference between 4:4:4 and 4:2:0 please see the following image which shows easily noticeable differences:
AVC 444 mode in RDP 10 solved the challenge of getting 4:4:4 quality text with 4:2:0 hardware encoders/decoders. In addition, FPS in AVC 444 mode also improves at high resolutions compared to older versions of RDP.
The new protocol also adds a new feature called Remote Credential Guard. It protects end-user credentials from being stolen during the RDS logon process. By using Remote Credential Guard to connect, end-users can be assured that their credentials are not passed over the network to the target Session Host server. Remote Credential Guard enables secure Single Sign-On to the RDS environment from a domain-joined device and protects against Pass-the-Hash attacks.
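A readiness check for the Remote Credential Guard feature described above, as an added example that is not part of the original post. It assumes PowerShell remoting to the Session Hosts and uses placeholder host names; the `DisableRestrictedAdmin` registry value, the build 14393 minimum and the `mstsc.exe /remoteGuard` switch come from Microsoft's Remote Credential Guard documentation, not from this page.

```powershell
# Added example: report which Session Hosts are prepared to accept
# Remote Credential Guard connections. Host names are placeholders.
function Get-RemoteCredentialGuardReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Remote Credential Guard needs Windows Server 2016 / Windows 10 1607
        # (build 14393) or later on the remote host.
        $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

        # The remote host accepts Remote Credential Guard logons when
        # DisableRestrictedAdmin is set to 0 under the Lsa key.
        $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $prop = Get-ItemProperty -Path $lsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
        $flag = if ($prop) { $prop.DisableRestrictedAdmin } else { $null }

        [pscustomobject]@{
            Host                   = $env:COMPUTERNAME
            Build                  = $build
            BuildSupported         = $build -ge 14393
            DisableRestrictedAdmin = $flag      # $null means the value is not set
            ExplicitlyEnabled      = ($build -ge 14393) -and ($flag -eq 0)
        }
    } | Select-Object Host, Build, BuildSupported, DisableRestrictedAdmin, ExplicitlyEnabled
}

# Enable the setting on one host (run elevated on that host):
#   New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
#       -Name DisableRestrictedAdmin -PropertyType DWord -Value 0 -Force
#
# Connect from a domain-joined Windows 10 1607+ client:
#   mstsc.exe /remoteGuard /v:sh01.contoso.example
#
# List hosts that still need attention (placeholder names):
#   Get-RemoteCredentialGuardReadiness -ComputerName 'sh01.contoso.example', 'sh02.contoso.example' |
#       Where-Object { -not $_.ExplicitlyEnabled }
```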
New RDS Clients
RDS clients were updated to support new capabilities of RDS 2016. End-users can enjoy RDS 2016 experience on Windows, MacOS, iOS and Android devices. Currently AVC 444 works only on Windows 10 devices, but it will be fixed in the future.
Optimized Connection Broker
Connection Broker is the brain of the RDS environment. It is responsible for routing the end-users to correct Session Hosts and VDI machines. It manages all session collections and published RemoteApps. It distributes the RDS configuration among the farm members.
First, with improved connection handling, the Connection Broker is now able to handle over 10,000 concurrent logon requests, sometimes seen during “logon storms”. It means that Service Providers can build large Desktop-as-a-Service solutions, that will be used by thousands of end-users.
Second, you can now deploy the Connection Broker in a highly available mode much more easily. Because the Connection Broker is the brain of your RDS environment, it should always be online. Before RDS 2016, service providers used to deploy a highly available cluster of SQL Servers. Now you can easily deploy a highly available Connection Broker configuration using Azure SQL Database as a backend.
Just imagine how easy it is compared to previous versions of RDS:
1. Create 2 VMs with Windows Server 2016 to make a pair of Connection Brokers in a cluster.
2. Configure load balancing between them. You can use Azure Load Balancer if you want to deploy DaaS in Azure, or Windows Server 2016 Software Load Balancer if you are deploying it in your DC. You can also use DNS Round Robin as an alternative.
3. Create a new Azure SQL Database. Start with the Basic plan. You will be able to switch to more expensive plans (S0-S3) in the future without a downtime. Copy the connection string to the database.
4. Install Microsoft ODBC Driver 13 for SQL Server on both VMs
5. Create a new RDS 2016 environment with a single connection broker. Click on the Connection Broker in a topology and choose “Configure High Availability”.
6. Choose Shared database server, enter the Connection Broker cluster FQDN and paste Azure SQL Database connection string.
7. Click on the Connection Broker in a topology and choose “Add RD Connection Broker Server” to add a second Connection Broker into your topology.
With seven easy steps, we’ve built a highly available Connection Broker cluster backed by Azure SQL Database. It is a great simplification compared to RDS 2012 R2.
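Steps 5 to 7 can also be scripted with the RemoteDesktop module. The following is an added example, not from the original post: it checks that the Azure SQL connection string still requires TLS with certificate validation before passing it to the high-availability cmdlets. All server, database and host names are placeholders, and the three checks are this example's assumed baseline.

```powershell
# Added example: validate the Azure SQL connection string, then configure
# Connection Broker high availability. All names below are placeholders.
Import-Module RemoteDesktop

function Test-BrokerConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Parse "key=value;" pairs; values wrapped in {} may contain ';'.
    $pairs = @{}   # PowerShell hashtable keys are case-insensitive
    $pattern = '(?<k>[^=;]+)=(?<v>\{[^}]*\}|[^;]*)'
    foreach ($m in [regex]::Matches($ConnectionString, $pattern)) {
        $pairs[$m.Groups['k'].Value.Trim()] = $m.Groups['v'].Value.Trim()
    }

    $issues = @()
    if ($pairs['Driver'] -notmatch 'ODBC Driver 13 for SQL Server') {
        $issues += 'Driver is not "ODBC Driver 13 for SQL Server" (step 4)'
    }
    if ($pairs['Encrypt'] -notin @('yes', 'true')) {
        $issues += 'Encrypt is not enabled, so TLS to the database is not required'
    }
    if ($pairs['TrustServerCertificate'] -in @('yes', 'true')) {
        $issues += 'TrustServerCertificate is enabled, so the server certificate is not validated'
    }
    return $issues
}

# Constructed sample of a string that passes the checks:
#   Driver={ODBC Driver 13 for SQL Server};Server=tcp:<server>.database.windows.net,1433;
#   Database=<database>;Uid=<user>@<server>;Pwd={<password>};Encrypt=yes;TrustServerCertificate=no;

$broker1     = 'rdcb1.contoso.example'   # existing single Connection Broker (step 5)
$broker2     = 'rdcb2.contoso.example'   # second broker VM (step 7)
$clusterFqdn = 'rdcb.contoso.example'    # load-balanced cluster name (steps 2 and 6)

# The string from step 3 contains the SQL login password: prompt for it
# instead of saving it in a script or in source control.
$connectionString = Read-Host -Prompt 'Azure SQL ODBC connection string'

$issues = @(Test-BrokerConnectionString -ConnectionString $connectionString)
if ($issues.Count -gt 0) {
    $detail = $issues -join '; '
    throw "Connection string rejected: $detail"
}

# Step 6: switch the deployment to the shared database.
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $broker1 `
    -DatabaseConnectionString $connectionString -ClientAccessName $clusterFqdn

# Step 7: add the second Connection Broker to the deployment.
Add-RDServer -Server $broker2 -Role 'RDS-CONNECTION-BROKER' -ConnectionBroker $broker1
```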
RDS 2016 deployment in Azure
If you want to deploy a scalable, highly available Desktop-as-a-Service solution in Azure, you can start with just 4 VMs and scale as you grow.
A cloud-optimized RDS 2016 farm will look like this:
- 2 VMs for RDS 2016 highly available “core”
  - Every VM collocates Connection Broker, RD Gateway, RDWeb, RD Licensing Server and a File Server to store User Profile Disks.
  - Azure Load Balancer will distribute RDP and HTTPS traffic among 2 servers
  - Azure SQL Database will be used to store the Connection Broker DB (described earlier)
- 2 VMs for RDS 2016 Session Hosts
  - Add more VMs with RD Session Host roles to the same Availability Set when you need more resources for end-users.
  - Deploy additional VMs for Personal Session Desktops
  - Highly available Connection Broker will distribute the load among all Session Hosts.
- Azure AD Application Gateway to publish RDS environment to the Internet
  - Use Azure AD Application Gateway to securely publish the RDS 2016 farm to the internet. It can require end-users to pre-authenticate with Azure AD using Azure Multifactor Authentication.
  - You can also use Azure Site-to-Site VPN or Client-to-Site VPN capabilities instead of publishing the RDS environment to the Internet.
- Azure AD Domain Services can be used instead of traditional Domain Controllers.
With Azure Resource Manager capabilities, you can prepare a Resource Manager template and deploy standardized dedicated highly-available Desktop-as-a-Service environments in less than an hour.
Integrated Windows MultiPoint Services
Windows MultiPoint Server, which was previously available as a separate product, is now included in the regular Windows Server 2016 Standard and Windows Server 2016 Datacenter editions.
MultiPoint Services in Windows Server 2016 allows customers to build labs and education classes quickly, using inexpensive USB hubs and zero clients as endpoints. MultiPoint Services is much simpler than a “full” RDS solution. It includes its own management tools like MultiPoint Dashboard, which the lab admin can use to control which pupil is doing what.
As you saw, Remote Desktop Services in Windows Server 2016 have been significantly improved. Service Providers can use them for different scenarios:
- Build larger and more reliable Desktop-as-a-Service solutions, that can be delivered to any device even through unstable network connection (RDP v10, new RDP Clients, Connection Broker enhancements)
- Build GPU-powered VDI solutions on top of Windows Server 2016 and license them through SPLA (RemoteFX, DDA, Personal Session Desktops)
- Provide MultiPoint Services to customers which need to build a lab environment or education class quickly.
- Deploy those solutions in a local service provider datacenter or in Azure.
- “New RDS Capabilities in Windows Server 2016 for Service Providers” - https://blogs.technet.microsoft.com/hybridcloudbp/2016/11/15/new-rds-capabilities-in-windows-server-2016-for-service-providers/
- “Windows Server 2016 – What’s new for Service Providers” - https://blogs.technet.microsoft.com/hybridcloudbp/2016/10/17/windows-server-2016-whats-new-for-service-providers/
- “What's new in Remote Desktop Services” - https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/rds-whats-new/
- “Appreciating the Windows Server 2016 Desktop Experience” - https://blogs.technet.microsoft.com/nanoserver/2016/10/04/appreciating-the-windows-server-2016-desktop-experience/
- “RemoteFX vGPU Updates in Windows Server Next” - https://blogs.technet.microsoft.com/enterprisemobility/2014/11/05/remotefx-vgpu-updates-in-windows-server-next/
- “Discrete Device Assignment — GPUs” - https://blogs.technet.microsoft.com/virtualization/2015/11/23/discrete-device-assignment-gpus/
- “NVIDIA AND MICROSOFT - GRAPHICSACCELERATED PRODUCTIVITY - FOR EVERY USER, ANY APPLICATION” - http://images.nvidia.com/content/grid/pdf/microsoft-server-solution.pdf
- “Use personal session desktops with Remote Desktop Services” - https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/rds-personal-session-desktops
- “Remote Desktop Protocol (RDP) 10 AVC/H.264 improvements in Windows 10 and Windows Server 2016 Technical Preview” - https://blogs.technet.microsoft.com/enterprisemobility/2016/01/11/remote-desktop-protocol-rdp-10-avch-264-improvements-in-windows-10-and-windows-server-2016-technical-preview/
- “Protect Remote Desktop credentials with Remote Credential Guard” - https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard
- “Microsoft Remote Desktop Clients” - https://technet.microsoft.com/en-us/library/dn473009.aspx
- “Improved Remote Desktop Connection Broker Performance with Windows Server 2016 and Windows Server 2012 R2 Hotfix (KB3091411)” - https://blogs.technet.microsoft.com/enterprisemobility/2015/12/15/improved-remote-desktop-connection-broker-performance-with-windows-server-2016-and-windows-server-2012-r2-hotfix-kb3091411/
- “Microsoft Azure SQL” - https://azure.microsoft.com/en-us/services/sql-database/
- “Create an Azure internal load balancer for Remote Desktop deployment” - https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/create-an-azure-internal-load-balancer-for-remote-desktop-deployment
- “Microsoft® ODBC Driver 13 for SQL Server® - Windows + Linux” - https://www.microsoft.com/en-us/download/details.aspx?id=50420
- “Desktop hosting logical architecture” - https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/desktop-hosting-logical-architecture
- “Publishing Remote Desktop with Azure Active Directory Application Proxy” - https://blogs.technet.microsoft.com/applicationproxyblog/2015/10/14/publishing-remote-desktop-with-azure-active-directory-application-proxy/
- “Hybrid Cloud Identity Part 1: AD and Azure AD” - https://blogs.technet.microsoft.com/hybridcloudbp/2016/07/12/hybrid-cloud-identity-ad-and-azuread/
- “Hybrid Cloud Identity Part 3: Multi-factor Authentication” - https://blogs.technet.microsoft.com/hybridcloudbp/2016/08/19/hybrid-cloud-identity-part-3-multi-factor-authentication/
- “Building a hybrid LAN: On-premise + Azure Pack + Azure” - https://blogs.technet.microsoft.com/hybridcloudbp/2016/07/06/building-a-hybrid-lan-on-premise-azure-pack-azure/
- “Azure Active Directory Domain Services” - https://azure.microsoft.com/en-us/services/active-directory-ds/
- “Introducing MultiPoint Services” - https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/multipoint-services/introducing-multipoint-services
- “MultiPoint Stations” - https://technet.microsoft.com/en-us/windows-server-docs/compute/remote-desktop-services/multipoint-services/multipoint-services-stations