Creating an RDS session-based deployment - RDS SH Tier-2, RDS Broker Tier-1
Posted by ExamIll635@reddit | sysadmin | 11 comments
Hello,
We are deploying a new environment where we got AD tiering in place, T2, T1 and T0.
95% of the users will have their daily work done on the RDS Farm/Collection, so the RDS Session Hosts are placed in Tier 2. We want the RDS Broker(s) to be placed in Tier 1, because it's somewhat the "management" of the RDS farm.
The issue is that when deploying this collection, the user that deploys it from the RDS Broker needs to be local admin on the RDS Session Hosts, so we need a T1 user to be admin on T2 systems. That contradicts the AD tiering policy, where a T1 user shouldn't log in or be admin on a T2 system.
Anybody got a solution for this? Other than moving the RDS Broker(s) to T2.
poro_8015@reddit
Are you doing user profile disks or FSLogix for the session hosts?
ExamIll635@reddit (OP)
No, user profiles are just saved to the local C drive of the session host.
wtf_com@reddit
I’d seriously recommend using FSLogix; you’re going to run into issues where you need to replace servers and FSLogix makes it a snap.
ExamIll635@reddit (OP)
Thanks, I'll check out FSLogix. I have only used it in AVD environments, but I see it works on on-prem RDS too.
wtf_com@reddit
You can use it in desktop environments as well, but either way make sure you use Cloud Cache.
ExamIll635@reddit (OP)
No can't do. This is in an On-prem OT environment, where no cloud is allowed. 🙂
wtf_com@reddit
Cloud Cache is FSLogix's HA mode.
https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache
wtf_com@reddit
Cloud Cache is not cloud hosted; it's FSLogix's HA mode.
https://learn.microsoft.com/en-us/fslogix/concepts-fslogix-cloud-cache
FishermanCivil8770@reddit
This is a common AD tiering conflict with RDS design. Best practice is to avoid using Tier 1 admin accounts for deployment. Use delegated service accounts, Just Enough Administration (JEA), or automation tools with scoped permissions instead of granting broad local admin rights across Tier 2 session hosts.
ExamIll635@reddit (OP)
The issue is that you can't really define credentials when deploying and managing an RDS farm; in the GUI it's the logged-on user. I guess you could start a PowerShell window as a service account and deploy it like that, but it's not very flexible.
SoftPeanut5916@reddit
Your tier conflict is usually a classification problem, not an RDS problem. An RDS session host is still a server OS doing server work even when users sit on it, and most tiering writeups put that in T1 with the broker, not T2 with laptops. If reclassifying is off the table, JEA on the session hosts is the usual fix: a constrained endpoint that lets your deployment identity run only the RDS cmdlets it needs without local Administrator and without an interactive T1 login on the box. Did your security team already define approved delegation from management tier to user tier, or are you the first RDS build hitting this wall?
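The constrained endpoint described in the comment above, written out as an added example (not code from the thread or from Microsoft). It assumes a placeholder domain group CORP\RDS-Deploy-Operators holds the deployment identity, that the endpoint is named RdsDeploy, and that the script is run once on each Tier-2 session host by a local administrator; JEA itself is a built-in Windows PowerShell feature, and the cmdlets used here are standard ones.

```powershell
# Added example: a JEA endpoint on a Tier-2 session host that exposes only a
# handful of RemoteDesktop cmdlets to a Tier-1 deployment identity, so that
# identity never needs local Administrator or an interactive logon on the host.
# Placeholders: 'RdsDeployJea' (module), 'RdsDeploy' (role/endpoint name),
# 'CORP\RDS-Deploy-Operators' (group holding the deployment account).

# 1. Role capabilities must live in a module under the system module path.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\RdsDeployJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'RdsDeployJea.psd1')

# 2. Role capability file: allow-list of cmdlets only. Anything not listed
#    (Invoke-Expression, Set-Service, arbitrary .exe) is simply absent.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'RdsDeploy.psrc') `
    -ModulesToImport 'RemoteDesktop' `
    -VisibleCmdlets @(
        'RemoteDesktop\Get-RDServer',
        'RemoteDesktop\Add-RDServer',
        'RemoteDesktop\Get-RDSessionHost',
        'RemoteDesktop\Set-RDSessionHost'
    ) `
    -VisibleFunctions @()

# 3. Session configuration: NoLanguage restricted session, runs as a
#    transient virtual account (local admin inside the session, but no
#    persistent account and no password for the caller to hold), with
#    transcripts of every command for the SOC to review.
$pssc = Join-Path $env:TEMP 'RdsDeploy.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CORP\RDS-Deploy-Operators' = @{ RoleCapabilities = 'RdsDeploy' } }

# Validate the file before registering; returns $true when the syntax is sound.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'RdsDeploy' -Path $pssc -Force

# 4. Check from the Tier-1 management host what the delegated account can
#    actually run through the endpoint (placeholder account name):
#    Get-PSSessionCapability -ConfigurationName RdsDeploy -Username 'CORP\svc-rds-deploy'
#    Invoke-Command -ComputerName RDSH01 -ConfigurationName RdsDeploy -ScriptBlock { Get-RDServer }
```

The Get-PSSessionCapability check is the one to keep in a build document: it proves the endpoint exposes only the listed cmdlets and nothing else. Whether the broker's own GUI deployment path will use such an endpoint rather than demanding a local Administrator token on the host is something to confirm in a lab; the thread does not settle it.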