Configuring a Remote Desktop Deployment with Extended Active Directory

Step-by-step guide to provision a Remote Desktop Services (RDS) environment into an existing Active Directory domain

Written by Reisbel Machado

This article walks through the process to create a new itopia CAS deployment for Remote Desktop Services (RDS) using an existing Active Directory domain. The existing AD domain may be one of the following scenarios:

  • An Active Directory domain deployed on a VPC in your GCP project

  • An Active Directory domain deployed on-premises (or other external network) that has connectivity to your GCP project via VPN tunneling, Cloud Interconnect, or network peering

  • An Active Directory domain deployed cross-premises, with domain controllers deployed to both your GCP project and to on-premises or external networks

Before completing this process, please ensure you have previously completed the following:

Create a Deployment

  1. Log in to itopia and create a new deployment. Click All deployments from the main menu and click the green plus (+) button.

If you have already created a deployment, select it from the Deployments menu on the top left of the CAS console. You will get the option to continue the deployment in the dashboard. The system will resume your deployment at the same step where you left off. Click the Continue button.

  2. Select Remote Desktop Services as the deployment type, then type the Name of your deployment. The deployment code will be generated automatically. If you prefer to define your own code, uncheck the "Autogenerate Code" box and type your code (we allow from 3 to 8 characters). Click Create.

Configure the Deployment

Section 1 - Common Configuration

  • Time Zone: Select the time zone to be configured for the deployment and the servers

  • Operating System: The OS to use for all servers in the deployment (domain controllers and RDS servers). If you select Windows Server 2012, users will get a Windows 8 desktop experience; with Windows Server 2016 or later they'll have a Windows 10 desktop experience.

  • Estimated Number of Users: Specify the number of users that are expected to be created for this deployment so CAS can provide an accurate Google cost estimate in the last step. The number is also used later to configure RDS licensing. This estimate only assists in the configuration; the actual number of users in the deployment will be based on the users added in the CAS console.

  • Proxy Execution Service: Whether CAS should use the Proxy Execution Service (PES) to administer this environment. If this option is selected, the RD Gateway server role must be deployed (see Section 3 below), and only the Gateway servers will receive public IP addresses; other servers in the deployment will not be assigned public IP addresses.

Section 2 - Active Directory and DNS

  • Domain Type: Select Existing Domain

  • Username (UPN) suffix: The login identifier (the portion of the username after the @ sign) that end users will use when logging in to their Cloud desktop (i.e. username@suffix). This suffix does not need to be configured in the AD forest as an alternate UPN suffix, although it is recommended to do so.

  • Domain admin username: The username of an account that is a member of Domain Admins and Enterprise Admins and, depending on the scenario, Schema Admins. These account credentials are not stored by itopia and are used only for the initial configuration of the domain.

  • Domain admin password / Confirm password: The password for the domain admin account.

  • DNS Server IP: Specify the IP address of a DNS server that hosts the DNS records for the AD domain. You may specify additional DNS servers by clicking the Add button.

  • Deploy a redundant domain controller: To ensure good performance, CAS creates a domain controller for the AD domain in each region of the deployment. If this option is enabled, CAS will promote two domain controllers in each region for increased resiliency.
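
The values entered in Section 2 are easy to get wrong (a DNS server that does not host the domain's records, an account missing a group, an unregistered UPN suffix), and a failed provisioning run is slow to diagnose. The following pre-flight script is an added example, not itopia's code; it assumes the ActiveDirectory RSAT module is installed on the machine you run it from, and the domain name, DNS server IP, account name and UPN suffix are constructed placeholders you replace with your own values.

```powershell
# Added pre-flight check for Section 2 (example code, not itopia's). Assumes the
# ActiveDirectory module (RSAT) is installed and you run it as a domain user who
# can read group membership. All values below are constructed placeholders.
$DomainFqdn  = 'corp.example.com'    # placeholder: DNS name of the existing AD domain
$DnsServerIp = '10.0.0.10'           # placeholder: value you will enter in "DNS Server IP"
$AdminSam    = 'svc-cas-deploy'      # placeholder: value you will enter in "Domain admin username"
$UpnSuffix   = 'cloud.example.com'   # placeholder: value you will enter in "Username (UPN) suffix"

Import-Module ActiveDirectory -ErrorAction Stop
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Status, [string]$Detail) {
    $script:results.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}

# 1. The DNS server you enter must serve the domain's DC locator (SRV) records;
#    without them the new servers cannot find a domain controller to join.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -Server $DnsServerIp -ErrorAction SilentlyContinue |
       Where-Object QueryType -eq 'SRV'
if ($srv) { Add-Result 'DNS server resolves DC locator records' 'OK'   ($srv.NameTarget -join ', ') }
else      { Add-Result 'DNS server resolves DC locator records' 'FAIL' "no SRV answer from $DnsServerIp for _ldap._tcp.dc._msdcs.$DomainFqdn" }

# 2. The deployment account needs Domain Admins and Enterprise Admins and, in some
#    scenarios, Schema Admins. Enterprise Admins and Schema Admins exist only in the
#    forest root domain, so each group is queried against the domain that holds it;
#    -Recursive follows nested group membership.
$forest = Get-ADForest
$user   = Get-ADUser -Identity $AdminSam -Server $DomainFqdn -ErrorAction Stop
$groups = [ordered]@{
    'Domain Admins'     = $DomainFqdn
    'Enterprise Admins' = $forest.RootDomain
    'Schema Admins'     = $forest.RootDomain
}
foreach ($g in $groups.Keys) {
    $members  = Get-ADGroupMember -Identity $g -Server $groups[$g] -Recursive -ErrorAction SilentlyContinue
    $isMember = [bool]($members | Where-Object { $_.SID -eq $user.SID })
    if ($isMember)                { Add-Result "$AdminSam in $g" 'OK'   'direct or nested membership' }
    elseif ($g -eq 'Schema Admins') { Add-Result "$AdminSam in $g" 'WARN' 'not a member; only required in some scenarios' }
    else                          { Add-Result "$AdminSam in $g" 'FAIL' 'not a member' }
}

# 3. The UPN suffix does not have to be registered on the forest, but the article
#    recommends it, so report a missing suffix as a warning rather than a failure.
$known      = @($forest.UPNSuffixes) + @($forest.Domains)
$registered = $known -contains $UpnSuffix
if ($registered) { Add-Result "UPN suffix $UpnSuffix on forest" 'OK'   'present as a domain name or alternate UPN suffix' }
else             { Add-Result "UPN suffix $UpnSuffix on forest" 'WARN' 'not registered; add it in Active Directory Domains and Trusts if you want users to log in with it elsewhere' }

$results | Format-Table -AutoSize
```

Run the script as a regular domain user, not as the deployment account itself; it only reads directory data. Querying Enterprise Admins and Schema Admins against the forest root domain matters in multi-domain forests, where a query against a child domain would report the account as not a member even when it is.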

Section 3 - RDS Configuration

  • External DNS Domain: A real domain or subdomain that you own; you will create DNS records for it with your registrar later. The DNS name is required so that the RDP files for end users can be preconfigured with a subdomain of your external domain. Once the deployment is launched to the cloud, you will create a DNS record for that subdomain pointing to the session host / gateway server IP so the preconfigured RDP files work correctly (instructions for this step are sent via email).

  • Deploy a dedicated file server: If selected, a dedicated file server will be created. No end-user sessions will be hosted on this server; it will host only data, and a separate server will be created for end-user sessions. If the option is not selected, files will be hosted on the first User Session Server (RD Session Host) in each region.

  • Deploy RD Gateway role: The RD Gateway role serves as a proxy for RDP connections; users connecting over the Internet will connect to the RD Gateway via HTTPS (TCP/443), which then relays their connection to the internal RDS servers. If enabled, the RD Gateway role will be deployed to a dedicated server in each region; you will need to provide an RD Gateway certificate (SSL) in .pfx format after the deployment is created. NOTE: this role is required if the Proxy Execution Service option is enabled in Section 1 above.

  • Redundant RD Gateway: If enabled, CAS will deploy two RD Gateway role servers in each region and will configure a Google Cloud Load Balancer to provide load-balancing and high-availability for user connections.

  • Dedicated RD Broker: If enabled, the RD Broker role will be configured on a dedicated server in each region. If disabled, the RD Broker role is installed on the first User Session Server (RD Session Host) in each region.

  • Redundant RD Broker: If enabled, CAS will deploy two RD Broker role servers in each region for high availability (HA). This will also create a GCP Cloud SQL instance to house the RD Connection Broker database, as required for HA configuration of the RD Broker role.

  • Enable User Profile Disks: If enabled, CAS will configure the RDS environment to use user profile disks (UPD); this allows users to access the same user profile and documents when logging in to different User Session Servers in the same region. If you would prefer another solution for user profiles, you can disable this option and manually configure a different configuration once the deployment is created.

Once all the above fields are populated, click Next.

Configure Google Cloud

Connect to a GCP Project

Click Authenticate to sign in with your GCP account. The system will prompt you for your Google email address and password. Make sure to use the same one you used to sign up for Google Cloud, or a Google account that has owner permissions on the project you wish to use. Note that these credentials are only used for the initial provisioning of the deployment in your GCP project; these credentials are not stored by itopia and are not used again.

Once you've authenticated, CAS will populate the list of GCP projects that are associated with your account. Use the Select project drop-down menu to specify which project CAS should use.

💡 Note: It is recommended (but not required) to use a "fresh" project for the CAS deployment, one that does not have any other resources already provisioned. Although CAS isolates its GCP resources and configuration, having existing resources and configurations increases the possibility of encountering an issue. Also note that a GCP project can only be assigned to one CAS deployment at any given time.

If you want to create a new project for your deployment, select Create new project from the drop-down menu.

Validate GCP Environment

itopia requires access to several application programming interfaces (APIs) to be able to provision and manage objects in the Google Cloud project. Once you select a GCP project, CAS will check if these APIs are enabled and, if they are not, will give you the option to enable them. Clicking Enable or Add next to an API will redirect you to the relevant page in the GCP Console. On the page, click Enable near the top of the screen. 

Once enabled, the button will change to Disable.

CAS will also check the IP quota restriction in the GCP project. The system will confirm if your Google project is upgraded. If the project is not upgraded, you will only have access to a limited number of static IPs, which may be insufficient for a CAS deployment. If the Public IP Quota validation fails, click Increase in the top-right corner to upgrade your account. If you don't see such a button in the IP quota tab, your account has already been upgraded.

After you enable any APIs that failed validation, click the Refresh icon next to it to re-validate.

Once all validation tests are green, you can continue to the Region section below.

Select your GCP Regions

Select the GCP region to use for your RDS deployment. If you wish to configure the deployment in multiple regions, click Add Region and specify the additional regions to include in the deployment. If desired, you may specify custom subnets for each region; this is useful if you plan to connect the deployment to your on-premises network or another VPC and want to avoid conflicting subnets.

On the bottom of the screen you can check the servers that will be created; each server is a Google Compute Engine (GCE) instance. For each instance, you can edit certain settings such as CPU, RAM, and disk space by clicking the Edit (pencil) icon. 

You can also specify additional instances to be created, such as for database servers or web servers, using the green Add (+) button. If your GCP project has existing GCE instances that you would like to include in the itopia CAS console, you can import them by hovering on the Add (+) button and selecting Import. More information on importing existing GCP servers is available here.

💡 Note: itopia CAS will not be able to see or manage servers that you deploy directly in the GCP Console unless you import them in.

Once you've added all servers, click Next.

Review Configuration and Begin Provisioning

The final screen will provide a summary of the RDS deployment you just configured. Review the configuration to ensure everything is correct. This screen also provides a general estimate for monthly GCP compute costs for the environment for two scenarios: leaving all servers running full-time (730 hours), or using the Scheduled Uptime feature to only have servers running during normal business hours (305 hours). Please note the provided costs are just estimates; your actual costs may differ.

Review all information, click the checkbox to confirm consent, and then click Deploy. CAS will begin provisioning the RDS deployment into your GCP project.

The Deployment Process

Once the provisioning begins, you can monitor Provisioning Status in your CAS dashboard.

Please note the provisioning process could take several hours, depending on the size of your deployment and the number of regions. After the automatic server configuration is complete, you will receive an email with your administrator credentials to be able to connect to your servers.

In the CAS console, you will see two Tasks that must be completed manually: uploading your SSL certificate, and creating a DNS record for external connectivity; refer to the links in the Next Steps section of this article for more details. Once both tasks are marked complete, you will receive a link to download the RDP file so users can connect to their cloud desktop.
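
Both manual tasks are easy to verify before you hand out RDP files: the .pfx must carry a private key and cover the external name, the DNS record must point at the gateway, and the gateway must present that same certificate on TCP/443. The script below is an added example, not itopia's code; it assumes you run it from a machine outside the VPC (so DNS and TLS are tested the way end users see them), and the external name, gateway IP and .pfx path are constructed placeholders.

```powershell
# Added post-deployment check for the two manual tasks (example code, not itopia's).
# Run it from outside the VPC. All values below are constructed placeholders.
$ExternalName = 'rds.example.com'    # placeholder: the subdomain CAS placed in the RDP files
$GatewayIp    = '203.0.113.10'       # placeholder: public IP of the RD Gateway (or its load balancer)
$PfxPath      = 'C:\certs\rdgw.pfx'  # placeholder: the RD Gateway certificate you upload to CAS
$PfxPassword  = Read-Host -Prompt 'PFX password' -AsSecureString

function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Names from the Subject Alternative Name extension (OID 2.5.29.17) plus the subject CN.
    # Format() output is localized; on non-English Windows the "DNS Name=" label differs.
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() }
    }
    $cn = [regex]::Match($Cert.Subject, 'CN=([^,]+)').Groups[1].Value
    if ($cn) { $names += $cn }
    return $names
}

function Test-NameMatch([string]$HostName, [string[]]$Names) {
    # Exact match, or a single-label wildcard such as *.example.com
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -ilike ('*' + $n.Substring(1)) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. Inspect the .pfx before uploading it: private key present, validity window, name match.
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
"PFX subject      : $($pfx.Subject)"
"PFX has priv key : $($pfx.HasPrivateKey)"     # the RD Gateway cannot use a certificate without one
"PFX valid        : $($pfx.NotBefore) .. $($pfx.NotAfter)"
"PFX covers name  : $(Test-NameMatch $ExternalName (Get-CertDnsNames $pfx))"

# 2. The DNS record you created at your registrar must resolve to the gateway IP.
$answers = Resolve-DnsName -Name $ExternalName -Type A -DnsOnly -ErrorAction SilentlyContinue | Where-Object QueryType -eq 'A'
"DNS A record     : $($answers.IPAddress -join ', ') (expected $GatewayIp) -> $(@($answers.IPAddress) -contains $GatewayIp)"

# 3. Connect to TCP/443 the way the RDP client will, and confirm the gateway presents
#    the certificate you uploaded (compared by thumbprint) with a chain clients trust.
$tcp = [System.Net.Sockets.TcpClient]::new($ExternalName, 443)
try {
    # The callback returns $true so the handshake completes and the chain is inspected below
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
             [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($ExternalName)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "TLS on 443       : $($ssl.SslProtocol), served by $($served.Subject)"
    "Served == PFX    : $($served.Thumbprint -eq $pfx.Thumbprint)"
    "Chain trusted    : $($served.Verify())"      # $false means users will see a certificate warning
} finally {
    $tcp.Close()
}
```

If "Served == PFX" is false after the certificate task is marked complete, the gateway is still presenting a different certificate (often a self-signed one) and users will be warned or refused. If the DNS check fails while the record exists at your registrar, wait for propagation and query again with -DnsOnly, which bypasses the local cache.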

💡 IMPORTANT: Do not turn off your servers before the provisioning process has fully completed. If the provisioning process appears to be "stuck" for an extended period of time, please contact itopia for assistance (use the "Chat" icon in the bottom-right corner of your screen).

Next steps

💡 Note: If you'd like to build your remote desktop deployment using a new domain rather than an existing domain, please refer to this article.
