Category Archive : Windows Servers

How to deploy DirectAccess in Windows Server 2019

Preface

We have gone through VPN deployments using SSTP, PPTP, and so on in our other articles. Today we are going to deploy the DirectAccess server in Windows Server 2019. The same steps can be followed on Windows Server 2016 or Windows Server 2022.

This is a single-server deployment in which the default settings are used to deploy the server. It is recommended to enable a firewall on both the server and the client side to make remote access more secure. We don’t need a certificate authority in the Active Directory domain, but if one is there we can make use of it. In this deployment, a public hostname pointing to the DirectAccess server with a third-party certificate will be used. The client computers accessing DirectAccess must run the Windows 8 client operating system or later. The network location server in this scenario is the same server on which we are deploying the DirectAccess role. Also, the Network Access Protection server is not used and multi-factor authentication is not supported. As all services related to DirectAccess point to the same server, the installation of the DirectAccess role service will be simple and easy.

The server deployment starts with creating a security group and making the client computers members of it. After that, we install the Remote Access role and configure DirectAccess alone. The Remote Access client, the Remote Access Server, and the Infrastructure Servers are the components we are going to configure in it. The DirectAccess client configuration mostly depends on Group Policy objects, so the Windows client computers need to be connected to the domain network before connecting from a remote network, because they need to be updated with the Group Policy object settings. Once a client PC has received the Group Policy settings required for DirectAccess, it can connect to the domain network from any public network over the internet where the connection to the DirectAccess server is allowed.

What are we waiting for? Let’s dip into the water and get a feel for how to deploy and configure DirectAccess in a single-server scenario. The demonstration will cover DirectAccess role installation and configuration, and connecting from an external network using a Windows 10 client computer. Let’s get started.

Create Direct Access Client Security Group

Before we add the Remote Access role on the DirectAccess server, we are going to create a group whose member computers are given DirectAccess connectivity privileges.

To add the security group, log in to the Domain Controller, launch “Active Directory Users and Computers”, and create the group under the appropriate OU in the domain hierarchy. In this case, to identify the nature of the group, we name the OU “DA-Clients”.

Type a name for the group, select Global as the scope and Security as the type, and click OK.

Once the group has been created, double-click the group object to open its properties, select the Members tab, and add the computers that you want to allow to connect to DirectAccess.

On the object types selection, select Computers, as we are going to add computer objects as members.

In the “Enter the object names to select” box, type the names of the computers you want to give access to, and click OK twice to close the properties window.

We have completed creating a group and are ready to go to the next step which is to add the Remote Access role.

Add Remote Access Role Service

To add the Remote Access role, launch Server Manager and select “Add roles and features”.

The wizard instructions give you a gist of how the Add roles and features wizard helps you install roles or features on your local or a remote computer. You may go through the instructions if you are new to adding roles and features to Windows Server. If you don’t want to see the “Before you begin” page anymore, check the option to skip this page, and click Next to move on to the next page of the wizard.

The Remote Access role comes under role-based or feature-based installation. So, click Role-Based or Feature-Based installation and click Next.

On the server selection, the local server is listed, and our intention is also to install the Remote Access role on the local server. Click Next to continue.

From the server roles list, select Remote Access and click Next.

The next screen is to select features related to the role, leave the default selection, and click Next.

The Remote Access page gives instructions for the Remote Access role. Go through them and click Next to continue.

From the Remote Access role services list, select DirectAccess and VPN. When you click on the role service, you will be prompted to choose the features to install; leave the default selection and click Add Features to return to the role services selection window.

When the role service features are selected, click Next to continue.

On the Web Server Role page, go through the instructions and click Next.

Under Web Server Role, leave the default role services and click Next.

Click Install on the confirmation page to start the installation.

The installation progress page shows the progress of the installation; wait for the Remote Access role installation to complete.

The Remote Access role has been added. Now, click on Open the getting started wizard to start the wizard.

Configure and Deploy DirectAccess Service

We are going to configure DirectAccess, so click on Deploy DirectAccess only.

Not every DirectAccess setup has the same server network topology, so select the topology appropriate to your network; if your remote access server is behind a firewall, choose behind an edge device. Type the public hostname of the DirectAccess server. You can create a host record in your domain registrar’s DNS and install a third-party certificate from a CA. I have created a hostname in the name of da.getanadmin.cloud and installed the CA certificate already.

On clicking Next, you will be prompted to apply the settings. Before we apply them, we need to configure a few more settings; to open the settings wizard, click the link shown in the wizard.

First, we are going to configure Remote clients with a few settings.

The default group added to the remote clients is Domain Computers. To allow only certain computers to access the domain network, we need to remove Domain Computers and add the group containing the computers that we need. Click Add to add a group to the list. You may remember that we created a security group for this purpose earlier; add that group and remove the Domain Computers group.

Once the security group with the allowed computers as members is added, remove Domain Computers. Also, uncheck “Enable DirectAccess for mobile computers only”.

Now that the group list has been tidied up, click Next to continue.

Type an email address that remote client users can use to contact the administrator and send issue reports and logs, type a connection name, and click Finish.

On the Remote Access review page, click Change beside Remote Access Server.

We have already configured the details in the Remote Access Server settings, so click Next on the network topology page to get to the next page.

On the Network Adapters page leave the default settings and click Finish.

The final setting we change on the Remote Access review page is the infrastructure servers. Click Change next to Infrastructure Servers.

Here, make sure a DNS IP address is specified for the domain suffix, and make sure there is a DNS host record available on the local DNS for the name DirectAccess-NLS. Click Finish to exit the infrastructure server configuration.

Click OK on the Remote Access review page to apply changes.

Click Finish to apply changes to return to the Remote Access Management console.

In the Remote Access Management console, under Configuration and Remote Clients, click Edit to edit the settings.

By default, the Network Connectivity Assistant settings will have the DirectAccess-WebProbeHost hostname in the resources list. We need to remove it and add the hostname we have added on the public DNS. Choose HTTP as the protocol in the dropdown list, and add the URL with the public hostname pointing to the DirectAccess server. Click Validate to validate the URL and click Add.

Click Finish to exit out of Remote client settings.

Click Finish at the bottom of the Remote access setup to apply changes.

Click Apply to apply the configuration changes.

Once the configuration changes are applied, go to Operations Status and check that all operations are working.

Go to the domain controller, open the DNS Manager console, and check that the highlighted hostnames have been created.

Connect Windows 10 client from an external network

We have completed the server-side setup, and now it is time to connect a Windows client PC from an outside network using DirectAccess. Before we do, log in to the client computer and, by running ipconfig /all, check that it is in the domain network and check its IP address. We can run gpupdate /force to get the PC to pick up the DirectAccess Group Policy settings, but I recommend restarting the Windows client PC.

We can use some PowerShell commands to check whether the settings have been updated on the client computer. You can also use these commands to troubleshoot DirectAccess in case remote clients are not connecting or are unable to access resources from outside the network.

Get-DNSClientNRPTPolicy is the command to check that the DirectAccess DNS IP address is assigned for the domain namespace.

Get-DAClientExperienceConfiguration is the PowerShell command to check that the URL we specified in the remote client resource setup is displayed correctly.

The netsh dnsclient show state command shows whether the Windows client PC is inside or outside the network. In this case, we have not disconnected from the domain network, so it shows the Machine Location of the client PC as inside the network.

Now we have disconnected the Windows client PC from the domain network and connected it to a private network away from the domain network. You can see the different network and DNS IP addresses. You can also see the IP address of the tunnel adapter for the Microsoft IP-HTTPS platform. The adapter will get only an IPv6 address.

As you can see, the Machine Location is now Outside Corporate Network.
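
The three checks above can be collected into one report on the client. This PowerShell script is an added example, not part of the original article; the domain suffix and probe URL defaults are placeholder assumptions to replace with your own values.

```powershell
# Added example (not from the original article). Run on a DirectAccess client.
# $DomainSuffix and $ExpectedProbeUrl are placeholder assumptions.
param(
    [string]$DomainSuffix     = '.corp.example',
    [string]$ExpectedProbeUrl = 'http://da.example.com'
)

function Get-DirectAccessClientSummary {
    param([string]$DomainSuffix, [string]$ExpectedProbeUrl)

    # NRPT: queries for the internal namespace should go to the DirectAccess DNS server.
    $nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue |
              Where-Object { @($_.Namespace) -contains $DomainSuffix })

    # Network Connectivity Assistant: probe resources configured on the server.
    $nca    = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
    $probes = @($nca.CorporateResources)

    # Inside/outside detection as reported by the DNS client.
    $locLine  = netsh dnsclient show state |
                Select-String -Pattern 'Machine Location\s*:\s*(.+)$' |
                Select-Object -First 1
    $location = if ($locLine) { $locLine.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }

    # Connection status from the NCA service (may be unavailable if the GPO is missing).
    $status = Get-DAConnectionStatus -ErrorAction SilentlyContinue

    $findings = @()
    if ($nrpt.Count -eq 0) {
        $findings += "No NRPT entry for $DomainSuffix: the DirectAccess client GPO has not been applied."
    } elseif (-not ($nrpt | Where-Object { $_.DirectAccessDnsServers })) {
        $findings += "NRPT entry for $DomainSuffix has no DirectAccess DNS server."
    }
    if (-not ($probes -match [regex]::Escape($ExpectedProbeUrl))) {
        $findings += "Probe URL $ExpectedProbeUrl is not in the NCA resource list."
    }
    if ($location -eq 'unknown') {
        $findings += 'Machine Location could not be read from netsh output.'
    }

    [pscustomobject]@{
        Namespace       = $DomainSuffix
        DirectAccessDns = ($nrpt.DirectAccessDnsServers -join ', ')
        ProbeResources  = ($probes -join ', ')
        MachineLocation = $location
        ConnectionState = $status.Status
        Findings        = $findings
    }
}

Get-DirectAccessClientSummary -DomainSuffix $DomainSuffix -ExpectedProbeUrl $ExpectedProbeUrl |
    Format-List
```

An empty Findings list while connected to the domain network means the client has the policy it needs before it is taken outside.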

Click the network icon on the taskbar and you will find the DirectAccess connection shown as connected.

If you look under Network & Internet settings, you can see the DirectAccess connection status.

Test domain network resources access

We can try to ping some servers inside the corporate network, and you can see it pinging. I tried to ping the domain controller and the DirectAccess server, and I can see successful ping replies.

I also tried to access the file share on the DC01 and was able to get to the share as well.

Conclusion

In this article, we have discussed the complete installation and configuration to deploy DirectAccess. Also, we have tested with a remote client to access the resources inside the corporate network. The demonstration is completed here and if you have any queries or feedback that you want to share, please send a comment below. I look forward to seeing you another time with a different article.

How to Deploy High Availability Remote Desktop Services

High Availability and Load Balancing Remote Desktop Services:

Remote Desktop Services (RDS), whose predecessor was called Terminal Server, is a value-added service of Windows Server that offers a cost-effective solution for hardware and software licenses and ease of access to apps. RDS servers are as critical as other Windows services, and high availability and load balancing are the most needed configurations in a Microsoft Windows network. High availability and load balancing have not changed much from Windows Server 2012 R2 to the most recent release, Windows Server 2022.

In this article, we are going to look at the important configurations required to set up high availability and load balancing. The high availability part is relevant to the RDS Connection Brokers, and the load balancing applies to the RDS Session Hosts. In order to configure the RDS Connection Broker with high availability, we need to have Microsoft SQL Server in place. Even though we have high availability for the Connection Broker, it is not complete if you have not configured failover for the Microsoft SQL server which holds the database of the Connection Broker services. I have demonstrated RDS high availability with a single SQL server, but in your setup make sure you have configured high availability for the MSSQL server as well.

The following configurations are outlined for High Availability and Load Balancing in RDS:

  1. MS SQL Installation and configuration (pointed out some important parts)
  2. Deploy RDS roles with standard deployment.
  3. Create an Active Directory security group and add connection broker servers to it.
  4. Add Security group to MSSQL login and give dbcreator server role.
  5. Open port 1433 on the MSSQL server windows firewall.
  6. Create DNS A record for the RDS Farm hostname.
  7. Install MSSQL Client Tools connectivity and add ODBC x64 connection on Connection broker servers.
  8. Configure High Availability for Connection broker RDS server role.
  9. Configure User mapping to the Connection Broker DB as DB owner for the security group created in Step 3.
  10. Add a second Connection Broker server to the CB role.
  11. Add RD Licensing role to a server in the pool.

MS SQL Installation and configuration (pointed out some important parts)

Install the MSSQL server with the Client Tools Connectivity feature. This will allow client connectivity from the connection broker servers.

Once the MSSQL server installation is complete, the TCP/IP protocol on the server needs to be enabled; also check that the dynamic port in the properties of the TCP/IP protocol is set to port number 1433.

After enabling the TCP/IP port, restart the SQL server service from the services window.

The SQL server has now been set up and configured. If you already have a SQL server in place, just make sure the TCP/IP protocol is enabled and the port is set correctly.

Deploy RDS roles with standard deployment

The next part is to deploy the RDS roles on one of the servers assigned for RDS deployment. Before doing the deployment, make sure the servers that you are configuring with RDS roles have already been added to the server pool.

To add servers to the server pool, click Add other servers to manage and add the servers by selecting them as appropriate.

When you click the Find Now button in the Add other servers window, the servers in the network will be listed. If your network is big, type the names and add them one by one.

Now the servers are added to the server pool, and you are ready to start the deployment of RDS with standard deployment.

Click Add roles and features in the Server Manager console, and the Add roles and features wizard will be shown for further actions.

Here, we are installing Remote Desktop server roles, so select Remote Desktop Services installation and click Next.

On the deployment type page, select Standard deployment and click Next.

On the next screen, select session-based desktop deployment and click Next.

On the Review role services screen, go through the services and click Next.

Select the appropriate server for the connection broker. As this is the first server you are installing, you can add only one server to this role service; select the appropriate one and click Next.

On the RD Web service page, select the server for the web service role and click Next.

The next screen is for selecting session hosts. Here you can select more than one server; I have selected ts01 and ts02. Click Next to continue.

Verify that all the server selections are as you intended and click Deploy. Make sure the restart check box is checked.

The progress bar indicates the progress of the role services deployment. The server will restart partway through, and the installation will start again when you log in to the server after the restart.

The screen below shows the deployment completion, with all role services successfully installed. Click Close to close the deployment window.

Create an Active Directory security group and add connection broker servers to it

Now we are going to create a security group and add the connection broker servers’ computer accounts to it. We create this group so that we can assign it the dbcreator role on the MSSQL server, which lets the connection broker servers create a database on the MSSQL server.

On the domain controller, launch Active Directory Users and Computers, right-click an Organizational Unit, and point to New/Group to add a security group.

When the New Object dialogue box for the group opens, type a descriptive name for this group, leave the group scope and type at their defaults, and click OK.

Once the security group has been created, right-click the group, select Properties, go to the Members tab, and add the connection broker servers that you intend to configure. Make sure you have set the object type to Computers and the location to the Active Directory domain.

Once the connection broker servers are added, click OK to close the group object properties.

Add Security group to MSSQL login and give dbcreator server role

The next step is to add the security group that was created in the previous step to the MSSQL security logins. Launch SQL Server Management Studio on the SQL server, expand Security, right-click Logins, and select New Login, as in the screenshot below.

On the General tab, in the login name field, search for the security group containing the connection broker computer objects, and leave the other settings at their defaults.

On the Server Roles tab, select the dbcreator server role and click OK to exit the dialogue box.

Open port 1433 on the MSSQL server windows firewall.

Once we have added the connection broker servers to the dbcreator role through the security group, the next step is to open the MSSQL default port 1433 in the Windows firewall on the MSSQL server. Launch the Windows firewall and follow the steps below.

Select Inbound Rules and, on the Actions menu, click New Rule. In the New Inbound Rule wizard, select Port and click Next.

Leave the rule applied to TCP, type 1433 as the specific local port, and click Next.

On the Action tab, select “Allow the connection” and click Next.

On the profiles tab, leave all profiles selected and click Next.

Give a descriptive name and click Finish to end the inbound rule wizard.
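
The wizard steps above create a rule that accepts TCP 1433 from any source on every firewall profile. The following PowerShell is an added example, not part of the original article: it shows a rule limited to the connection broker addresses on the Domain profile, plus a helper (the hypothetical Find-BroadSqlInboundRule) that lists inbound allow rules for the port that are still open to any source or to the Public profile. The broker IP addresses are constructed sample values.

```powershell
# Added example (not from the original article). Run elevated on the MSSQL server.
# Constructed sample addresses of the RD Connection Broker servers; replace with yours.
$BrokerAddresses = @('10.0.0.21', '10.0.0.22')

function Find-BroadSqlInboundRule {
    # Hypothetical helper: lists enabled inbound allow rules for the given TCP port
    # that accept traffic from any remote address or apply to the Public profile.
    # Only rules that name the port exactly are matched, not port ranges.
    param([int]$Port = 1433)

    Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $rule       = $_
            $portFilter = $rule | Get-NetFirewallPortFilter
            $addrFilter = $rule | Get-NetFirewallAddressFilter

            $matchesPort = ($portFilter.Protocol -eq 'TCP') -and
                           (@($portFilter.LocalPort) -contains "$Port")
            $anySource   = @($addrFilter.RemoteAddress) -contains 'Any'
            $publicScope = "$($rule.Profile)" -match 'Any|Public'

            if ($matchesPort -and ($anySource -or $publicScope)) {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    Profile       = "$($rule.Profile)"
                    RemoteAddress = (@($addrFilter.RemoteAddress) -join ', ')
                }
            }
        }
}

# Equivalent of the wizard steps (any source, all profiles), shown for comparison only:
# New-NetFirewallRule -DisplayName 'MSSQL 1433' -Direction Inbound `
#     -Protocol TCP -LocalPort 1433 -Action Allow

# Scoped rule: only the connection brokers, only while on the domain network.
New-NetFirewallRule -DisplayName 'MSSQL 1433 from RD Connection Brokers' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $BrokerAddresses -Profile Domain -Action Allow

# Anything listed here still exposes the SQL port more widely than the brokers need.
Find-BroadSqlInboundRule -Port 1433 | Format-Table -AutoSize
```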

Create DNS A record for the RDS Farm hostname.

We have completed the inbound rule wizard, and the next step is to create the “DNS Round Robin”. This means creating A records for the farm name, one with the IP address of each connection broker server. The farm name and its records are depicted in the screen capture below; create the records using the IP addresses of the connection broker servers in your environment.

Install MSSQL Client Tools connectivity and add ODBC x64 connection on Connection broker servers

The next action is to install Client Tools Connectivity on each connection broker server. Go to each connection broker server and launch the MSSQL server setup from the MSSQL server installation media. The only thing we need to select is Client Tools Connectivity; remove all other selections on the Feature Selection page. The following steps must be done on each connection broker server. As the steps are identical, I have shown the demo of this installation and configuration one time. You need to do the same on all the connection broker servers.

On each connection broker server, go to Server Manager → Tools and launch the ODBC data source administrator (x64). In the dialogue box that pops up, click Add to add a data source.

Select SQL Server Native Client 11.0 and click Finish. The “Create a new data source to SQL Server” wizard will open when you click the Finish button.

Give some descriptive name and description and type the name of the SQL server and click Next.

Leave the integrated windows authentication selected and click Next.

Leave the settings as default and click Next.

Click Finish to end the wizard.

Click Test data source, look for the Tests Completed Successfully popup, and click OK. Do these steps on the other connection broker servers.

Configure High Availability for Connection broker RDS server role.

Now we are ready to configure High Availability for the connection broker servers. Launch Server Manager on the Remote Desktop Services management server (this happens to be the first server on which you installed the RDS role service), right-click the connection broker icon, and click Configure High Availability.

Leave the Dedicated database server radio button selected and click Next.

On the Configure High Availability tab, type the details that fit your environment, such as the SQL Server, farm, and database name, and click Next. The explanation is given below.

DNS Name connection Broker cluster:

Ts.getanadmin.com

Connection string:

DRIVER=SQL Server Native Client 11.0;SERVER=srv01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDCBDB

Physical path:

C:\sqldb

In your environment replace SRV01 with your MSSQL server and RDCBDB with a database name appropriate to you. It’s ok to leave this database name if you have no specific names.

Ensure the folder name you have typed on the physical path exists on the SQL server.
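
Most failures of the High Availability wizard come from one of the earlier prerequisites: the round-robin A records, the ODBC driver, port 1433, or the connection string. The following PowerShell pre-flight check is an added example, not part of the original article; it reuses the farm name and connection string shown above, while the broker IP addresses and the function names are constructed for illustration.

```powershell
# Added example (not from the original article). Run on each RD Connection Broker.
# Broker addresses are constructed sample values; farm name and connection string
# are the ones shown in the article.
param(
    [string]$FarmName          = 'Ts.getanadmin.com',
    [string[]]$BrokerAddresses = @('10.0.0.21', '10.0.0.22'),
    [string]$ConnectionString  = 'DRIVER=SQL Server Native Client 11.0;SERVER=srv01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=RDCBDB'
)

function ConvertFrom-OdbcConnectionString {
    # Splits "KEY=value;KEY=value" into a case-insensitive hashtable.
    param([string]$Text)
    $kv = @{}
    foreach ($part in ($Text -split ';')) {
        if ($part -match '^\s*([^=]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
    }
    $kv
}

function Test-RdcbHaPrerequisite {
    param([string]$FarmName, [string[]]$BrokerAddresses, [string]$ConnectionString)

    $kv = ConvertFrom-OdbcConnectionString -Text $ConnectionString
    $results = @()

    # 1. DNS round robin: the farm name must resolve to every broker and nothing else.
    $resolved = @(Resolve-DnsName -Name $FarmName -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $missing  = @($BrokerAddresses | Where-Object { $resolved -notcontains $_ })
    $extra    = @($resolved | Where-Object { $BrokerAddresses -notcontains $_ })
    $results += [pscustomobject]@{
        Check  = 'DNS round robin'
        Passed = ($resolved.Count -gt 0 -and $missing.Count -eq 0 -and $extra.Count -eq 0)
        Detail = "resolved: $($resolved -join ', '); missing: $($missing -join ', '); unexpected: $($extra -join ', ')"
    }

    # 2. Connection string: integrated authentication, no credentials embedded in it.
    $integrated  = $kv['Trusted_Connection'] -eq 'Yes'
    $hasPassword = $kv.ContainsKey('PWD') -or $kv.ContainsKey('Password') -or $kv.ContainsKey('UID')
    $results += [pscustomobject]@{
        Check  = 'Connection string'
        Passed = ($integrated -and -not $hasPassword -and $kv['SERVER'] -and $kv['DATABASE'])
        Detail = "server=$($kv['SERVER']); database=$($kv['DATABASE']); integrated=$integrated; embedded credentials=$hasPassword"
    }

    # 3. The 64-bit ODBC driver named in the connection string must be installed.
    $driver = Get-OdbcDriver -Name $kv['DRIVER'] -Platform '64-bit' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'ODBC driver (x64)'
        Passed = [bool]$driver
        Detail = $kv['DRIVER']
    }

    # 4. TCP 1433 on the SQL server must be reachable from this broker.
    $tcp = Test-NetConnection -ComputerName $kv['SERVER'] -Port 1433 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'TCP 1433 to SQL server'
        Passed = [bool]$tcp.TcpTestSucceeded
        Detail = "remote address: $($tcp.RemoteAddress)"
    }

    $results
}

Test-RdcbHaPrerequisite -FarmName $FarmName -BrokerAddresses $BrokerAddresses `
    -ConnectionString $ConnectionString | Format-Table -AutoSize -Wrap
```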

If your high availability details are correct, you will be shown the confirmation dialogue; click Configure to configure High Availability.

The progress bar indicates that the High Availability configuration has succeeded, and you can click Close to close the wizard.

The RDS connection broker High Availability configuration is complete, and the next step is to add the rest of the connection broker servers to the connection broker configuration.

Before adding the connection broker servers, we need to make the security group the owner of the database that was created by the Configure High Availability wizard in the previous step.

Launch SQL Server Management Studio, go to Logins, and select the security group to open its login properties. On the User Mapping page in the left-side navigation, select the database that the Configure High Availability wizard created and change the database role membership to DB owner.

Configure User mapping to the Connection Broker DB as DB owner for the security group created in Step 3

Now that the security group is the DB owner of the database, go back to the RDS server, launch Server Manager, right-click the connection broker icon, and select Add RD Connection Broker Server.

Add a second Connection Broker server to the CB role

The Add Connection Broker Server wizard pops up. On the server selection tab, select the connection broker server that you intend to add and click Next.

On the confirmation dialogue, click Add to confirm the addition of the second connection broker server.

The results tab shows the progress and the “succeeded” status after the server has been added to the server pool. Click Close to end the “Add Connection Broker Server” wizard.

The next and last part of this demonstration is adding an RD Licensing server to the RD server farm. Click the green icon labelled add licensing server to launch the add licensing server wizard. Once the wizard pops up, select the server meant for licensing and click Next.

Add RD Licensing role to a server in the pool

On the confirmation tab, with the licensing server selected, click Add to add this server as the licensing server of the RD farm.

The wizard shows that adding the licensing server has succeeded. Click Close to close the wizard and go back to Server Manager with the Remote Desktop configuration.

Here is the list of servers and their installed Role services from Remote Desktop Configuration.

High Availability Remote Desktop Services Conclusion:

This is the end of the demonstration. In this article, we have seen how to install and configure Remote Desktop Services in an infrastructure with multiple servers holding different role services, using the standard installation. We also looked at how to install and configure High Availability for the connection broker servers and add connection broker servers to the High Availability pool. Finally, we have seen how to add a licensing server.

I hope this will help administrators assigned with the RD Farm installation and configuration work. I am excited to receive comments from you, send me your comments and feedback to help others and improve this article and other articles on this website. And, I am pleased that you have read this article to the end of it. I look forward to meeting you in some other article that you are expecting to join with. See you next time and I sign off now.

How to Quickly Troubleshoot SQL Service Error Code: 17051

In this article, we are going to troubleshoot a SQL Service error. I recently had a client call me and tell me that their application had stopped working; they did not know precisely what the issue was and asked me to investigate and resolve it. As the client’s data center is far from my place, I decided to access the server remotely using VPN and started the investigation.

When I started accessing the app, the app was spitting out that the database was not accessible from the app server. So, I logged into the Microsoft SQL server and started checking the status of the service. I saw that the SQL server instance in Services was not running, and when I tried to start the service, I got the following error. We are going to troubleshoot SQL Service Error 1051 in this article.

As mentioned in the services warning, I went to the system log on the MS SQL server and analyzed the records. I found that the MS SQL server was running on an evaluation license and had stopped working after the evaluation period. So I confirmed that the license was the issue.

I pointed this out to my client and requested them to arrange for the license and its product key.

Upgrade MS SQL server instance edition to Troubleshoot SQL Service Error

I got the license key and launched the SQL installation center from Start → Microsoft SQL 2017 → SQL installation center. You can also launch it by running setup.exe from the MS SQL server installation media. Once the installation center is launched, click Maintenance in the left-side navigation and click Edition upgrade.

On the product key page, select ”Enter the product key,” and type the product key and click Next.

Accept the license terms and click Next.

Verify that the Edition upgrade rules do not show any errors. The SQL server is installed on the domain controller in my environment, so ignore the warning and click on Next.

Select the instance you want to upgrade. You can see the instance name and select that instance. In this case, it is the MSSQLSERVER instance, which is marked as evaluation. Select the instance and click Next.

Once the “Ready to upgrade edition” page appears, click Upgrade.

The upgrade process will take about 5 mins to complete; wait if it takes longer than that.

Once the upgrade is over, you will get a complete status: all succeeded, with a green tick stating that the Microsoft SQL edition was upgraded.

Now go to Services and start the Microsoft SQL instance service, and you will see the service running.

Conclusion:

In this article, we have gone through troubleshooting a SQL server instance service that does not start and upgrading the SQL server edition for a particular instance. If you want to learn more about MS SQL click here and for installation guidance click here.

I would like to hear from you if you come across any issues doing this or have any feedback to share. I look forward to sharing our thoughts in the comments section, and I sign off for now.


How to Easily Install Microsoft SQL Server 2019

Preface

Microsoft SQL Server 2019 is a new incarnation of the familiar relational database management system. The latest version of the Transact-SQL system gives mission-critical performance and the lowest vulnerabilities among RDBMS servers. Microsoft SQL Server is a leading product in the database engine and management arena and is used at various levels of need, from SOHO environments to high-transaction database servers for enterprise requirements. This article covers SQL Server 2019 installation, along with SQL Server Management Studio installation.

There are different editions of SQL Server, from the free Express edition to the Enterprise edition. The following list shows the different editions of SQL Server 2019.

Express editions

Developer

Web

Standard

Enterprise

The Express edition is a free, entry-level edition, and Enterprise is the most robust in performance and data handling for high-level database transactions.

In this article, we are going to demonstrate the SQL Server 2019 evaluation, which gives a 180-day trial to test and plan for your database needs. The installation of Microsoft SQL Server 2019 is straightforward and can be done by any junior-level system administrator. We are also going to download and install SQL Server Management tools (SSMS) after installing the Microsoft SQL Server database engine.

SQL Server 2019 Installation

You can download Microsoft SQL Server 2019 from the link here https://www.microsoft.com/en-us/sql-server/sql-server-downloads#. Before starting the SQL Server 2019 installation, make sure Windows Update is up to date and the Windows server is fully patched.

Once you have downloaded the ISO, mount it as a DVD drive on the server on which you are planning to install SQL Server 2019. Double-clicking the ISO file on the Windows server mounts it as a drive. Once the ISO file is mounted, you can expand the directory in Windows Explorer, right-click the setup executable file, and run it as administrator to start the installation.

The setup executable will open the SQL Server Installation Center, as shown below. In the SQL Server Installation Center, select Installation in the left-side navigation and click the link with the description “New SQL server standalone Installation or add features to an existing installation.” Clicking the link will start the installation.

If you have already purchased one of the SQL Server editions, you can enter the product key and continue the installation. If you want to try SQL Server before buying the software, you can select Evaluation and continue with the installation. This is just a demonstration, so I chose Evaluation from the dropdown. Click Next to continue once the proper edition is selected.

The next page shows the license terms, which you need to go through before continuing the installation. Once you have read and agree to the license terms, select the “I accept license terms and privacy statement” checkbox and click Next.

It is recommended to check for Microsoft updates before starting the installation. Check the box next to “Use Microsoft Update to check for updates” and click Next.

On the next screen, Install Rules checks for various problems. In this demonstration, Install Rules warned that the inbound rule for port 1433 on the Windows firewall must be opened for SQL Server to be accessed from other servers or client computers. Click Next to continue the installation.

On the Feature Selection page of the setup wizard, select the database engine feature and the installation path; you can also select other features as you need. This demonstration focuses only on the installation of the database engine, so select the database engine feature and click Next.

On the Instance Configuration page, you can either go with the default instance or name the instance as you want. The default instance name is MSSQLSERVER. To keep administration simple, we are going to select the default instance and click Next to continue.

Service accounts are used to make the SQL Server database engine services more secure. If you are in a domain environment, you must create a service account in Active Directory and provide that service account here with its credentials. In this demonstration we do not use a dedicated service account; click Next to continue.

On the Database Engine Configuration page, you can select the authentication mode that suits your needs. SQL Server has two authentication modes. Windows authentication mode allows authentication only with Windows credentials, for example in an Active Directory environment. In contrast, Mixed Mode lets you authenticate using Windows authentication as well as SQL Server authentication. You can change the authentication mode in the SQL Server properties after the installation. Add the currently logged-in user as a SQL Server administrator, select the relevant mode, and click Next to continue. In this demonstration, we stick with Windows Authentication.

Verify the features selected for installation. If you are not happy with the selection, you can always go back, add or remove features, and then return here and click Install to start the installation.

The installation progress screen helps you check the progress of the installation, and you should wait until the installation shows 100% completed.


Once the feature installation status shows complete, you can close the installation wizard.
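The wizard pages above made three security-relevant choices: the firewall warning for port 1433, the service account, and the authentication mode. The following PowerShell check is an added example, not part of the original article, that reads all three back from the server after setup; it assumes the default instance MSSQLSERVER chosen in the demonstration, and the function names are hypothetical.

```powershell
# Added example, not from the original article.
# Reads back the authentication mode, the service account and the inbound
# firewall exposure of TCP 1433 for the default instance after setup.
#Requires -RunAsAdministrator

$InstanceName = 'MSSQLSERVER'   # default instance, as selected in the article

function Get-SqlLoginMode {
    param([string]$Instance)
    # Setup records each instance's ID under "Instance Names\SQL".
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    $id = (Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop).$Instance
    if (-not $id) { throw "Instance '$Instance' not found in the registry." }
    $mode = (Get-ItemProperty -Path "$root\$id\MSSQLServer" -Name LoginMode).LoginMode
    switch ($mode) {
        1       { 'Windows Authentication' }
        2       { 'Mixed Mode' }
        default { "Unknown ($mode)" }
    }
}

function Get-SqlServiceAccount {
    param([string]$Instance)
    # The default instance runs as service MSSQLSERVER; named instances as MSSQL$<name>.
    $svcName = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    if (-not $svc) { throw "Service '$svcName' not found." }
    $svc.StartName
}

function Get-InboundRulesForPort {
    param([int]$Port)
    # Start from the port filters, then resolve the rules that own them.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = ($addr.RemoteAddress -join ', ')
            }
        }
}

$loginMode = Get-SqlLoginMode -Instance $InstanceName
$account   = Get-SqlServiceAccount -Instance $InstanceName
$rules     = @(Get-InboundRulesForPort -Port 1433)

Write-Host "Authentication mode : $loginMode"
Write-Host "Service account     : $account"

if ($rules.Count -eq 0) {
    Write-Host 'No enabled inbound allow rule for TCP 1433; remote clients cannot connect yet.'
} else {
    $rules | Format-Table -AutoSize | Out-String | Write-Host
    foreach ($r in $rules) {
        if ($r.RemoteAddress -eq 'Any') {
            Write-Warning "Rule '$($r.Rule)' allows TCP 1433 from any address; scope it to the subnets that need access."
        }
    }
}
```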

Install SQL Server Management Tools

The next step in setting up SQL Server is to install the SQL Server Management Tools. Go back to the Installation Center, stay on the Installation tab in the left-side navigation, and select SQL Server Management Tools. This takes you to the download page for the SQL Server Management Tools.

The download page opens on the Microsoft site in the web browser. Click Download SQL Server Management Studio, which downloads the latest version of the SQL Server Management Tools binaries.

On the install page of SQL Server Management Studio, either leave the default installation path or specify a different location here. Once the installation path is set, click Install to start the installation.

The Microsoft SQL Server Management Studio installer shows the status and progress of the installation.

Once the installation is completed, you will get a message saying setup completed. Click Close to close out the installation wizard.

SQL Server Management Studio can be accessed from the Start menu of the Windows server. The management tools can also be installed on a desktop computer running a Windows client operating system such as Windows 10.

SQL Server Management Studio prompts for an administrator login. It uses the currently logged-in user to access the database engine on the Windows server. Click Connect to open the SQL Server database engine.

Once the Object Explorer opens in SQL Server Management Studio, you can access the various SQL Server management features to control and configure them.

Conclusion

In this article, we have demonstrated the installation of SQL Server and SQL server management tools. We have gone through the installation elements one by one, and the primary selection is SQL server edition and features.

We have posted articles on many other Windows Server roles and server products on the blog site. If you have questions or feedback to share with me, please click the comments below and share your thoughts. I am happy to answer your questions.

How to Easily Redirect Folders in Windows Server 2019

Preface

Folder redirection is a Group Policy setting used to store user profile data, usually Documents, Desktop, and so on, on a server share. With these policy settings, domain users assigned to folder redirection get the same data when they log in from a different computer, so they can move from one computer to another and retain the data stored in the profile. Folder redirection also helps to back up users’ data at the server level, so the data is not scattered or lost when a user’s computer is down or has a disk problem. Let’s get to how to redirect folders in Windows Server 2019.

In this article, I demonstrate the folder redirection setup with the redirect folder shared on the domain controller and a group policy applied to a domain-joined client computer.

The following key points are demonstrated and explained to set up folder redirection in your environment.

  • Create a security group and add test user as a member
  • Create a folder to store the redirected file
  • Configure security settings and share the folder
  • Create group policy and link it to company users OU
  • Redirect documents folder with offline access
  • Test folder redirection policy with Windows 10 client computer

Create a security group and add test user as a member for Folder Redirection

We are going to create a security group in Active Directory and add a test user as a member. The group is used to assign permissions on the redirect folder shared on the server and to filter which users the group policy settings apply to. To create a security group, launch Active Directory Users and Computers from the Tools menu of Server Manager.

The security group can be created in the OU that is relevant to your environment. In this demonstration, there is an OU called Users under the Company OU. Right-click the Users OU, point to New, and click Group.

Type a descriptive group name; here I named it Folder-redirect-Users. Leave the group scope as Global and the group type as Security, and click OK.

Right-click on the group just created, and go to properties to add members to the security group.


Go to the Members tab and click Add to add members to the group.

I have added a test user for this demonstration. Once the users are added, click OK and close the Active Directory Users and Computers snap-in.

Create a folder to store the redirected file

Folder redirection needs a shared folder on the server, shared with the security group, where the users’ data will be stored. In Windows Explorer, go to the Home tab and click New folder to create a folder. You can also right-click in the Windows Explorer pane and create a new folder.

A new folder named Redirect is created on the data drive.

Configure security settings and share the folder

We are going to set permissions on the folder so that the users’ data is stored with the highest level of security. Right-click the Redirect folder, click Properties, go to the Security tab, and select Advanced.

In the advanced security settings, disable inheritance. A popup window lets you choose how to handle the existing permissions, which makes further permission assignment easier.

To retain some of the permissions for later adjustment, select “Convert inherited permissions into explicit permissions on the object.” Then click Add to open the permission entry for the Redirect folder.

In the permission entry, click Select a principal and add the security group that we created before, in this case Folder-Redirect-Users, and click OK.

The permission type is Allow, and it applies to this folder, its subfolders, and files. Under basic permissions, leave Full control as it is, select all the other checkboxes, and click OK.

As we have added the security group and disabled inheritance, click OK and go to the Sharing tab on the same property settings.


On the Sharing tab of properties, click advanced sharing to share this folder and give share permissions to the security group.


Remove the Everyone share permission, add the security group, and check Full Control, which also selects the remaining share permissions.

Click OK in the Advanced Sharing dialog and close out the folder properties. We have now set both the security permissions and the share permissions.
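The folder, NTFS permission, and share steps above can also be scripted, which makes the resulting ACL repeatable and easy to review. The following PowerShell is an added example, not part of the original article; the path D:\Redirect, the placeholder domain EXAMPLE, the reading of "all checkboxes except Full control" as the Modify right, and the function name are assumptions.

```powershell
# Added example (not from the original article): scripted equivalent of the
# folder, NTFS permission, and share steps performed in the GUI above.
# Assumptions: D:\Redirect as the folder on the data drive, EXAMPLE as a
# placeholder domain name, and Modify as the NTFS right for the group.
#Requires -RunAsAdministrator

$Path      = 'D:\Redirect'                      # assumed data-drive path
$ShareName = 'Redirect'
$Group     = 'EXAMPLE\Folder-redirect-Users'    # placeholder domain

# 1. Create the folder if it does not exist yet.
New-Item -Path $Path -ItemType Directory -Force | Out-Null

# 2. Disable inheritance. The second argument ($true) converts the inherited
#    entries into explicit ones, matching the option chosen in the dialog.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# 3. Add an Allow entry for the group on this folder, subfolders and files.
$acl = Get-Acl -Path $Path
$ruleArgs = @($Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Share the folder, granting share-level Full Control to the group only.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $Group | Out-Null
}

# 5. Review the result and flag anything broader than intended.
function Get-RedirectShareReport {
    param([string]$FolderPath, [string]$Share)

    $ntfs = (Get-Acl -Path $FolderPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    $smb  = Get-SmbShareAccess -Name $Share |
        Select-Object AccountName, AccessControlType, AccessRight

    $warnings = @()
    if ($ntfs | Where-Object { $_.IsInherited }) {
        $warnings += 'Inherited NTFS entries are still present; inheritance was not disabled.'
    }
    if ($smb | Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }) {
        $warnings += 'The share still grants access to Everyone.'
    }

    [pscustomobject]@{ Ntfs = $ntfs; Share = $smb; Warnings = $warnings }
}

$report = Get-RedirectShareReport -FolderPath $Path -Share $ShareName
$report.Ntfs  | Format-Table -AutoSize | Out-String | Write-Host
$report.Share | Format-Table -AutoSize | Out-String | Write-Host
$report.Warnings | ForEach-Object { Write-Warning $_ }
```

Because the group's entry inherits to subfolders and files, separation between users depends on the “Grant the user exclusive rights to Documents” option that the policy sets later in the article.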

Create group policy and link it to company users OU

The next step in the folder redirection setup is to create a GPO and link it to the OU where the Active Directory user objects reside. To launch the Group Policy Management console, go to Server Manager, click the Tools menu, and select Group Policy Management.

Expand the Group Policy Management tree down to the Users OU and click “Create a GPO in the domain, and link it here…” to create a new Group Policy Object and link it to the Users OU.

Give the new GPO a descriptive name and click OK. In this demo, I have named it Folder Redirect Policy.

Redirect documents folder with offline access

Once the GPO is created, right-click it and click Edit to modify the folder redirection policy settings.

Before going into the group policy settings, go back to the properties of the folder we created for folder redirection and, on the Sharing tab, note down the network path to use in the folder redirection policy settings.

Return to the Folder-redirect-policy GPO and expand the GPO until Folder Redirection policy settings.

The path is User Configuration -> Policies -> Windows Settings -> Folder Redirection

In this demonstration, we set up folder redirection for the Documents folder. To keep it simple and understandable, we set up only one folder here. The same settings apply to all the other folders, which are set up in the same way.

Right-click the Documents folder and go to Properties. On the Target tab, choose either the Basic or the Advanced setting. In this demo, Basic is selected, that is, “Redirect everyone’s folder to the same location.” Under Target folder location, the option “Create a folder for each user under the root path” is selected, and the Root Path is the network path we noted down in the previous step, which is the shared folder created earlier. Click Apply and move on to the Settings tab.

On the Settings tab, the following options are selected and explained below.

  • Grant the user exclusive rights to Documents: with this checkbox selected, the user’s data in the shared folder is available exclusively to that particular user. For an administrator to gain access, the owner’s permission has to be set.
  • Move the contents of Documents to the new location: if the folder in the local path has documents or files in it, they are moved to the respective shared folder.
  • Redirect the folder back to the local user profile location when the policy is removed: this option is for offline access to the files, and when the policy is removed, the user will have the documents in the local profile.

Click OK to accept the settings modified so far.


A warning message pops up because we have not selected support for older client operating systems. Select Yes, close out the Group Policy Management console, and go to the Windows 10 client computer to test the folder redirection.

We are back in the Group Policy Management Editor, so we can either set up other folders as needed or, if we are finished, close the editor and the management console and test on the Windows 10 client.

Test Folder Redirection policy

On the Windows 10 client computer, log in as the test user with its credentials.

Once logged on to the Windows 10 client computer, open a Command Prompt window and type the command below.

Gpupdate /force

The command prompts you to log off and log in again to apply the policy. Type ‘y’ at the prompt and let the client system log off.

Now, to confirm that folder redirection works, right-click the Documents folder and click Properties.

If you look closely, the location of the documents folder is on the shared drive.

As one more test, we check whether we can create and save a file: we created a test file and saved it to the Documents folder.

If you go to the network share and open the user’s folder under Redirect, you can see the file created there.

Conclusion

In this article, we have gone through the settings to redirect folders in Windows Server 2019 using a Group Policy Object. To demonstrate the concept, we created a folder and shared it with a security group. We then created a new GPO and set up folder redirection for the Documents folder of the user’s profile data. We also demonstrated the folder redirection test with a Windows 10 client.

If you want to go through my other articles about Windows Server 2019, you can visit the link Get an Admin

You can use this article to set up folder redirection in your environment. If you have questions or feedback to share with me, please click the comments below and share your thoughts. I am happy to answer your questions.

How to Guide Windows Server Update Services on Windows Server 2019

Preface

Windows Server Update Services (WSUS) retrieves updates for Windows and other Microsoft products (such as Office applications) and stores them internally as a distribution point. This reduces bandwidth consumption, as each Microsoft device does not have to contact the Microsoft servers for updates. WSUS is also valuable from a security point of view: it is the distribution point from which local Windows servers and workstations get security and other updates. WSUS servers can also act as replica servers, which fetch replica copies of Microsoft updates from a central WSUS server and distribute them to a subnet or site. WSUS can also be used to test updates before they are approved for a server or workstation.

In this article, I demonstrate how to deploy Microsoft Windows Server Update Services from the Windows server roles and configure it to synchronize patches from the Microsoft update servers. We also look at how to configure a Group Policy Object to automatically install the approved Windows patches from the WSUS server and schedule the restart after the update installation. Finally, we configure client-side targeting to group the computers under a specific target name so that it is easier for administrators to troubleshoot or update the systems.

The following points are discussed in this article while demonstrating the WSUS role installation. If you are new to WSUS, I recommend going through this article step by step. Experienced administrators can jump to the configuration step where they are stuck. Let us begin the installation once you have a server with Windows Server 2019 installed and joined to the Active Directory domain.

  • Add Windows Server Update Services role
  • WSUS Configuration Wizard
  • Launch Windows Server Update Services Console
  • Configure the Group Policy object for WSUS Clients
  • Testing WSUS Client

Add Windows Server Update Services role

The demonstration begins with installing the WSUS role from the Windows Server 2019 roles in the Server Manager snap-in. Launch Server Manager and click Add roles and features to start adding the server role.

The wizard’s instructions give you the gist of how the Add Roles and Features wizard helps you install roles or features on your local or a remote computer. You may go through the instructions if you are new to adding roles and features in Windows Server. If you don’t want to see the “Before you begin” page anymore, select the option to skip this page, and click Next to move on to the next page of the wizard.

The WSUS role comes under role-based or feature-based installation. So, click Role-Based or Feature-Based installation and click Next.


On the server selection page, the local server is listed, and our intention is to install the WSUS role on the local server. Click Next to continue.

From the server roles list, select Windows Server Update Services. When you click the role, you are prompted to add the features it requires. Leave the default selection and click Add Features to return to the role selection window.

With the Windows Server Update Services checkbox selected, click Next to continue.

The next screen is to select features related to the role, leave the default selection, and click Next.


The WSUS page gives an introduction to WSUS. Go through it and click Next to continue.

On the select role service page, leave the WID connectivity and WSUS roles selected, and move on to the next page by clicking Next.


For the content location, give a path on a drive that has at least 50 GB of disk space and enough room to grow with your update selection. It is also a good idea to keep the content away from the system drive. As this is a demonstration, I have pointed to C:\WSUS as the content path. Type the folder path and click Next to continue.

The WSUS clients such as Windows client workstations and Windows Servers mostly depend on Web services of WSUS for connectivity. For detailed information, you may go through the details on this page and click Next to continue.


On the Role Services page, leave the default selection and click Next to continue.


On the confirmation page, you see all the roles and features selected so far for the WSUS role. Click Install to start the installation.

The installation progress page shows the progress of the installation. Leave the WSUS installation to complete.

Once the installation is completed, you will see Launch Post-Installation; click it to start the post-installation tasks.

Click the notification flag to check the post-installation progress and status. After about two minutes, the state shows that the installation succeeded.

WSUS Configuration Wizard

Select the WSUS role from the left side navigation and right-click the server and click Windows Server Update Services to start the WSUS configuration wizard.


The Before You Begin page asks you to check whether the firewall allows clients to access the server, whether the server has internet connectivity to the Microsoft servers to download updates, and whether any proxy server credentials are needed to access the Microsoft servers. Go through the questions, address them if required, and click Next to continue.

As this is a demonstration, I have unchecked participation in the Microsoft Update Improvement Program. You can choose to join or not, as you wish. Click Next to continue.

This server is going to get the updates from the Microsoft Server, so select synchronize from Microsoft update and click next.


If you use a proxy server to access the internet, type the proxy server details. In most cases the internet is connected directly; click Next to continue.

The next page connects to the upstream server. This takes about ten minutes to complete; wait for the server to connect to the upstream server.

The connection progress shows the status of the connectivity. Wait for the connection to the upstream server to be established.

Once the connection to the upstream server is complete, click Next to continue.

As all Microsoft systems in my lab network are installed in English, I have selected English. If your installation needs multiple languages or a specific language, select the appropriate languages and click Next.

In this demonstration, I’m using a Windows 10 computer to test the Windows update settings. Go through the list and select the other products you need to update, such as Windows Server 2019, Office Pro Plus, and so on. Click Next to continue.

Select the update classifications you need. I have selected Critical, Definition, and Security updates. You may also choose classifications such as upgrades, drivers, and so on. Click Next to continue.

On the synchronization schedule page, select “Synchronize automatically” and choose a suitable time for the synchronization, as well as the number of synchronizations per day; the default is 1. A time in the early morning is a good choice. Click Next to continue.

On the Finished page, Select Begin initial synchronization and click Next.


On the What’s Next page, click Finish to end the WSUS configuration wizard and launch WSUS.

Launch Windows Server Update Services Console

Next, go to Server Manager, select the WSUS role in the left-side navigation, right-click the server in the middle pane, and click Windows Server Update Services.

Expand the Updates node and select Critical Updates. Change the status to Any in the filtering options at the top and click Refresh. You will see the critical updates available for installation.

In the same way, select Security Updates, and you will see the security updates ready for installation.

In the Computers hierarchy, we are going to create a group called workstations, in which all the workstation computers are grouped through the client-side targeting GPO that we look at later in this demonstration. Right-click the All Computers node, click Add Computer Group, and type a name; I am creating a group called workstations. Click Add to add the computer group.

In addition to what was configured in the WSUS configuration wizard, we make one small configuration change under Options. Double-click Computers and select “Use Group Policy or registry settings on computers” so that computers are assigned to groups through client-side targeting.

Configure the Group Policy object for WSUS Clients

To have client computers automatically receive the configuration details of the WSUS server, we use a Group Policy Object to distribute the configuration.

Log in to the domain controller and launch Server Manager. In the Server Manager snap-in, click Tools and then Group Policy Management to open the Group Policy Management console.

Right-click the OU that contains the computer objects for which you want to configure WSUS, and click the option to create and link a Group Policy Object. In this demonstration, the OU is the Computers OU under the Company root OU.

As this policy is for workstations, I have named it WSUS Workstations Policy. Type a descriptive name and click OK.

Right-Click the Policy created just before, and click Edit.

We are going to enable three Group Policy settings in the following GPO section.

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update

The first one we are going to edit is “Specify intranet Microsoft update service location”; double-click on it.

Click Enabled to enable this setting and type the URL of the WSUS server. In this demonstration, the server name of WSUS is WSUS.mrigotechno.club. Replace this hostname as per your installation and add port 8530 to it. So the URL to provide under both “Set the intranet update service for detecting updates” and “Set the intranet statistics server” is http://wsus.mrigotechno.club:8530

The next setting is “Configure Automatic Updates”; double-click to edit the setting.

Click Enabled to enable the setting, and in the options section, select one of the four options that matches your environment. “Auto download and schedule the install” under “Configure automatic updating” is a good option, as it means less overhead from the administration point of view. Also, select a time for the scheduled install. Click OK to go back to the GPO settings list.

The third setting is client-side targeting. Double-click on the “Enable client-side targeting” setting.

On the client-side targeting settings, click Enabled to enable the setting and type the name of the computer group that we created on the WSUS console previously. The group name was workstations; type the name that you have created and click OK.

Testing WSUS Client

We have completed setting up Group Policy. Now I’m going to start the client computer, which has Windows 10 installed and is joined to the Active Directory domain. Open a command prompt and type the following command to refresh Group Policy.

gpupdate /force

You can see the command output as in the screen below on the Windows 10 computer.


Once Group Policy is updated on the client computer, the client’s computer name and update status become visible on the WSUS console under the computer group assigned through client-side targeting.
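To confirm on the client that all three settings actually landed, the check below reads the registry values those policies write. It is an added example, not part of the original article; the expected values come from this walkthrough (AUOptions 4 corresponds to the auto download and schedule option), and the function name Get-PolicyValue is made up for the example. It also flags the plain-HTTP update URL, because update metadata then travels without TLS.

```powershell
# Added example: audit the Windows Update policy values on a WSUS client.
# Run in an elevated PowerShell session on the client after `gpupdate /force`.

$ExpectedServer = 'http://wsus.mrigotechno.club:8530'  # URL used in this walkthrough
$ExpectedGroup  = 'workstations'                       # WSUS computer group used in this walkthrough

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is missing (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Registry value written by each GPO setting, and the value this walkthrough should produce.
$expected = @(
    @{ Key = $wuKey; Name = 'WUServer';           Want = $ExpectedServer }  # update service location
    @{ Key = $wuKey; Name = 'WUStatusServer';     Want = $ExpectedServer }  # statistics server
    @{ Key = $auKey; Name = 'UseWUServer';        Want = 1 }                # use the intranet server
    @{ Key = $auKey; Name = 'NoAutoUpdate';       Want = 0 }                # automatic updates enabled
    @{ Key = $auKey; Name = 'AUOptions';          Want = 4 }                # auto download + scheduled install
    @{ Key = $wuKey; Name = 'TargetGroupEnabled'; Want = 1 }                # client-side targeting on
    @{ Key = $wuKey; Name = 'TargetGroup';        Want = $ExpectedGroup }   # target computer group
)

$report = foreach ($e in $expected) {
    $actual = Get-PolicyValue -Path $e.Key -Name $e.Name
    [pscustomobject]@{
        Value    = $e.Name
        Expected = $e.Want
        Actual   = $actual
        Ok       = ($null -ne $actual) -and ($actual -eq $e.Want)
    }
}
$report | Format-Table -AutoSize

# Transport check: an http:// WUServer means clients talk to WSUS without TLS.
$server = Get-PolicyValue -Path $wuKey -Name 'WUServer'
if ($server -and ([uri]$server).Scheme -ne 'https') {
    Write-Warning "WUServer is '$server': clients reach WSUS without TLS. WSUS serves HTTPS on port 8531 once SSL is configured on the server."
}

if ($report.Ok -contains $false) {
    Write-Warning 'One or more policy values are missing or differ. Check the GPO link and scope, then review the output of gpresult /r.'
}
```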


Conclusion

This is the end of the Windows Server Update Services demonstration. In this article, we have covered installing the WSUS role and configuring WSUS using the configuration wizards. Once WSUS was installed and configured, a computer group was created and a Group Policy Object was created in the Group Policy Management console on the domain controller. The Windows client computer was then tested with WSUS as the final verification of the WSUS deployment.

I have demonstrated other roles of Windows Server 2019 in other Get An Admin articles. You may have some questions or feedback to share with me; please click the comments below and share your thoughts. I am happy to answer your questions.

How to Guide Deploying Remote Desktop Services on Windows Server 2019

Preface:

Remote Desktop Services is a robust role in the Windows role group. RDS is used to remote into the central RDS server, any member server, or a user’s desktop computer through the RDS server using Remote Desktop web services, either on the internal network or through the internet.

This article discusses accessing servers and desktops over the internet through RD Gateway on the HTTPS port. The on-premises servers and desktops can be accessed without opening RDP port 3389 on the firewall; an exposed RDP port 3389 is a target for attackers on the internet. Remote desktop access uses the HTTPS port instead, which most businesses already use to reach internally hosted web servers.

Remote Desktop Services is cost-effective when a large number of users or devices access applications that would otherwise need an excessive number of licenses. This role is also useful where the client computers on the company network or at home are not the latest and cannot meet an application's demands, such as hardware or operating system requirements.

We are going to delve deep into this installation and configuration on an Active Directory domain network with Network Policy Server (NPS) security. We are using a public CA certificate in this demonstration and a hostname assigned in public DNS.

The following points are discussed in this article. Following this article, one can install and configure Remote Desktop Services on Windows Server 2019 and publish the RDP app on the Remote Desktop web app portal to access a server or a desktop as needed.

  • Add Remote Desktop Services Role
  • Add Server to RD Licenses and RD gateway
  • Install public CA certificate to each role of RDS
  • Configure RD Licenses
  • Configure Remote App Collection
  • Publish and Configure Remote App
  • Access RD Web and Remote App

To begin the demonstration, let’s add the Remote Desktop Services role group in Server Manager and then go on to configure each component.

Add Remote Desktop Services Role

Two Windows Server 2019 servers are used in this demonstration: the first server is installed as a domain controller, and the RDS server has been joined to that domain controller’s domain.

On the planned RDS installation server, called remote, we are going to install the RDS role by launching the Server Manager dashboard and clicking the “Add roles and features” link.

The wizard’s instructions will show up on the screen. If you don’t want to see this page when adding roles and features anymore, check the “Skip this page” checkbox and continue by clicking Next.

RDS can be installed through the Role-based or feature-based installation, but that requires a lot of effort, as there are a number of components to be selected and configured after installation. To make life easier, Microsoft has consolidated all the component installation in one group. That installation method can be used by choosing the Remote Desktop Services installation option on the Select installation type page.

On the deployment type, select Quick Start so that all components will be installed automatically and the Quick App Collection will be added to the Remote Desktop Services deployment. Select Quick Start and click Next.

In this article, we are going to look into Session-based desktop deployment, so select session-based desktop deployment and click Next.

On the Server Selection page, select the local server where we have planned for RDS deployment and click next.

On the confirmation page, check the checkbox “Restart the destination server automatically if required” and click deploy to start the RDS deployment.

When the Deploy tab is clicked, the RDS Role installation will start installing roles, and the progress can be monitored on the popup.

The server will be restarted in the middle of the installation. Once the server has restarted and you have logged in with the same administrator account, the installation will continue, and the progress will show Succeeded when the RDS roles deployment completes.

Once the Remote Desktop Services role has been added, the very next step is to configure it. On the server manager, you would find a Remote Desktop Service deployment setup on the left side navigator. Click on that, and additional configuration of this service will be available.

Add Server to RD Licenses and RD gateway

The icons in green are not yet configured with a deployment server. Here RD Licensing and RD Gateway are in green, and we are going to configure them in the coming steps. Click RD Licensing, and the configuration window will show up.

On the RD Licensing deployment window, select the server, which in our case is the local server, click the arrow next to it to deploy it as the RD Licensing server, and click Next.

Once the RD Licensing server is added, the result shows Succeeded next to the progress bar. Click Close to close the RD Licensing server deployment wizard.

As already planned, this RDS server is also accessed through the internet, so our next move is to deploy RD Gateway. Click the RD Gateway icon on the deployment overview area; it is in green, which means it has not been deployed yet. The RD Gateway deployment wizard will open, and we can deploy it by adding the server.

We are adding the local server as an RD Gateway server to Remote Desktop Services by clicking the arrow in the middle of the selection. Once the server is added, click Next to configure the SSL certificate name.

In this demonstration, I have already created a hostname called remote under my public domain mrigotechno.club. You need to give a name that is relevant to your RD Gateway hostname, and the matching certificate has to be purchased and installed on Internet Information Services (IIS). Once the certificate name is typed, click Next.

On the confirmation page, click Add to add the RD Gateway server to the deployment.

On the Results page, the progress indicator will show Succeeded. Click Configure Certificate to install the certificate.

Install public CA certificate to each role of RDS

In Manage Certificates, we need to configure the certificate for each role service; there are four roles. I have installed the third-party CA certificate on Internet Information Services and exported it in pfx file format, securing the certificate with a password during the export. Please have your third-party certificate in pfx format and the password of the pfx file handy, as we are going to apply the certificate starting from the topmost role and continue one by one until the fourth role.

Select the first role and choose Select existing certificate to open the certificate dialog window.

On Choose a different certificate, click Browse, select the pfx certificate file, type the password of the certificate, and check “Allow the certificate to be added to the trusted root certification authorities certificate store on the destination computer.” Click OK to go back to the Manage Certificates window.

In the certificate configuration for the role, you will see Ready to Apply in the State column. Click Apply and wait for the Level to change to Trusted, the Status to OK, and the State to Success.

Do the same steps to apply the certificate to the next three roles, and you will see the State change to Success for each of them. Click OK to complete the certificate configuration.
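The same four-role certificate assignment can be scripted and then verified, which is useful at renewal time when one role is easily missed. This is an added example, not part of the original article; it assumes the single-server deployment from this walkthrough (the local server is also the Connection Broker), and the PFX path is a placeholder.

```powershell
# Added example: apply one PFX to all four RDS certificate roles and verify the result.
# Run elevated on the RDS server of a single-server deployment.
Import-Module RemoteDesktop

$Broker  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # local server FQDN (assumed broker)
$PfxPath = 'C:\certs\rds-public.pfx'                                   # placeholder path
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString            # prompt; do not hard-code it

# The four roles shown in the Manage Certificates dialog.
$roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway'

foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPass `
        -ConnectionBroker $Broker -Force
}

# Verify: every role should be Trusted, not close to expiry, and on the same certificate.
$warnDays = 30
$certs    = Get-RDCertificate -ConnectionBroker $Broker

$report = foreach ($c in $certs) {
    $daysLeft = if ($c.ExpiresOn) {
        [int]([datetime]$c.ExpiresOn - (Get-Date)).TotalDays
    } else {
        $null   # role has no certificate configured
    }
    [pscustomobject]@{
        Role       = $c.Role
        Level      = $c.Level
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        DaysLeft   = $daysLeft
        Ok         = ("$($c.Level)" -eq 'Trusted') -and ($daysLeft -gt $warnDays)
    }
}
$report | Format-Table -AutoSize

$thumbprints = @($certs.Thumbprint | Where-Object { $_ } | Sort-Object -Unique)
if ($thumbprints.Count -ne 1) {
    Write-Warning "Roles are not all on the same certificate ($($thumbprints.Count) distinct thumbprints)."
}
if ($report.Ok -contains $false) {
    Write-Warning "At least one role is not Trusted or expires within $warnDays days."
}
```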


Configure RD Licenses

The next step is to edit the deployment properties. On the deployment overview, click Tasks and select Edit Deployment Properties to start the wizard.

As we have already completed the certificate configuration, the only edit we need to make is RD Licensing. On RD Licensing under Configure the deployment, select the RDS licensing mode as per your requirement. In the example I have chosen Per User, but choose the one that is relevant to your environment and click OK.

Configure Remote App Collection

On the left-side navigation of the Remote Desktop Services setup, you will see Quick Session Collection, where apps can be published for access through RD Web Access. In the Properties area, click Properties and select Edit Properties.

We are going to edit only one option in these properties: the user groups associated with this collection. I have already created a security group called RDS_Users and added some test users to it. I’m adding that group here to associate it with the collection. Click OK to go back to the main window.

Publish and Configure Remote App

In this demonstration, we are going to see how to access a member server or a user desktop from RD Web Access over the internet without opening RDP port 3389; the same steps apply to adding a user’s desktop. Make sure Remote Desktop is enabled in the system properties of the member server or user desktop. I have a server on the network that can be configured for access from RD Web, so we are going to configure a Remote Desktop app by publishing the RDP app to the Quick Collection apps.

On the RemoteApp Programs area, click Tasks and click “Publish RemoteApp Programs.”

You will be presented with the list of RemoteApp programs; choose the app you want to publish, in this case Remote Desktop Connection. Select “Remote Desktop Connection” and click Next.

On the confirmation page, click Publish.

On the completion page, you will see the Published status message. Click Close to go back to the main window.

Right-click the Remote Desktop Connection RemoteApp that we just published and select Edit Properties to configure the properties of the app.

On the General page, type a name that is appropriate for the RDP connection computer. In this case, it is a server called server1, so I type the name server1 in the name box.

The next page is Parameters. On the Parameters page, click the “Always use the following command-line parameters” radio button and type the IP address of the server or desktop to which the RDP connection is to be established. In this case, the private IPv4 address of server1 is 192.168.24.190, so the correct parameter value is /v:192.168.24.190. Replace the IP address with that of the server or desktop on your network.

The next item is User Assignment. Add the users or groups that should see this RemoteApp program after logging in to RD Web Access. Click Add and choose the relevant user or group.

On the next page, leave the file type association at its default setting and click OK.
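A scripted equivalent of this publishing step, followed by an audit of the collection, is sketched below. It is an added example, not part of the original article. The collection name QuickSessionCollection, the domain prefix YOURDOMAIN, and the local server acting as Connection Broker are assumptions; the audit reports any published mstsc.exe that does not force a fixed command line, since such an app lets a user choose the target host.

```powershell
# Added example: publish mstsc.exe as a RemoteApp pinned to one target, then audit the collection.
# Run elevated on the RDS server of a single-server deployment.
Import-Module RemoteDesktop

$Broker     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # local server FQDN (assumed broker)
$Collection = 'QuickSessionCollection'    # assumption: name of the Quick Start collection
$AppName    = 'server1'                   # display name used in this walkthrough
$Target     = '192.168.24.190'            # private IPv4 address used in this walkthrough
$Group      = 'YOURDOMAIN\RDS_Users'      # placeholder domain; group name from this walkthrough

# Accept only a literal IP address so nothing else can end up in the forced command line.
$ip = $null
if (-not [System.Net.IPAddress]::TryParse($Target, [ref]$ip)) {
    throw "Target '$Target' is not a valid IP address."
}

New-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
    -DisplayName $AppName -Alias $AppName `
    -FilePath (Join-Path $env:SystemRoot 'System32\mstsc.exe') `
    -CommandLineSetting Require -RequiredCommandLine "/v:$ip" `
    -UserGroups $Group -ShowInWebAccess $true | Out-Null

# Audit: every published mstsc.exe should have a required (fixed) command line.
$apps = Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker

$report = foreach ($app in $apps) {
    $isMstsc = $app.FilePath -like '*\mstsc.exe'
    [pscustomobject]@{
        DisplayName         = $app.DisplayName
        FilePath            = $app.FilePath
        CommandLineSetting  = $app.CommandLineSetting
        RequiredCommandLine = $app.RequiredCommandLine
        UserGroups          = $app.UserGroups -join ', '
        Ok                  = (-not $isMstsc) -or ("$($app.CommandLineSetting)" -eq 'Require')
    }
}
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    Write-Warning 'A published Remote Desktop Connection app does not force its command line; users can point it at any host.'
}
```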


Access RD Web and Remote App

We have completed all the RDS configuration and are moving on to the RD Web portal to log in and access the apps assigned to the user. The URL for RD Web is https://remote.mrigotechno.club/rdweb

Replace remote.mrigotechno.club with the hostname you have configured for your environment.

Type the username in the domain\user format and the password of the user, and click Sign In.

The portal will show the web resources. The Remote Desktop Connection app that we have configured with the name server1 is available for us to access from the RD Web Access login. Click Server1 and follow the login screen.

Click Connect on the notification popup.

On the security login dialog, type the user name and password of the user and click OK.

The RDP connection is established to the server1 computer.

The RDP access to the IP address 192.168.24.190 is successful, and this concludes our demonstration.

Conclusion

In this article, we have discussed and gone through the demonstration of deploying Remote Access Services on Windows Server 2019 in detail. You can follow the same steps and deploy Remote Desktop Services in your lab or production environment.

I have demonstrated other roles of Windows Server 2019 in other Get An Admin articles. You may have some questions or feedback to share with me; please click the comments below and share your thoughts. I am happy to answer your questions.

How to Setup VPN using PPTP on Windows Server 2019

Preface

We already posted an article on setting up a VPN on Windows Server 2019 using Secure Socket Tunneling Protocol (SSTP) with a third-party certificate. In this one, we are going to discuss how to set up a VPN using PPTP. The Point-to-Point Tunneling Protocol uses Generic Routing Encapsulation along with tunneling over TCP/IP. PPTP creates a tunnel over TCP/IP and transfers the packets securely; it is a very old and reliable method of accessing a private network over the internet. We can deploy this method to let a home user or a user with a laptop access their home network or small office network efficiently and quickly.

Configuring a Point-to-Point Tunneling Protocol virtual private network on Windows Server 2019 is straightforward. We can use this method of deploying a VPN where a Secure Socket Layer type of VPN is not possible. In this method of configuring a VPN, we need to open port 1723 and enable a feature called Generic Routing Encapsulation (GRE) on the edge firewall or router under security settings. I am going to explain it step by step and cover the entire setup process, from installing and configuring the Remote Access role to configuring a client device to connect to the network where we have installed the PPTP VPN.

So, let’s get to the server, start the Remote Access role installation, and subsequently look at configuring the VPN policy on the Network Policy Server on Windows Server 2019. If you are ready to take on a configuration task, let us get started.

  • Add Remote Access Server Role
  • Configure Remote Access with VPN Access
  • Configure Remote Access Settings for VPN
  • Configure Dial-in connection on the user object
  • Configure Dial-in policy on Network Policy Server
  • Create VPN network connection on Windows 10 device
  • Connect VPN Server over the Internet

Add Remote Access Server Role

The first step in deploying a VPN server is adding the Remote Access server role on the server. The role is installed from the Server Manager dashboard. Once the Server Manager window opens, click Add Roles and Features; the ‘Add Roles and Features’ wizard will start, and we can go through this wizard to complete the Remote Access role installation.

The wizard starts with instructions on using this tool to add roles and features. If you don’t want to see this page, you can check the box next to ‘Skip this page by default,’ and you won’t be prompted with this page anymore.

In this wizard, we are going to use the role-based installation to add this role, so select Role-based or Feature-based Installation and click Next to continue.

Make sure the local server is in the server pool, select it, and click Next.

On the Select Server Roles page, select the Remote Access checkbox and click Next.

On the next page, leave the Features as they are and click Next.

If you need more details, you can read about remote access on this page. Once you are ready to move on, click Next.

This step is significant: select only DirectAccess and VPN (RAS). You will be prompted with the related features in a pop-up; click Add Features, which returns you to the Select role services page.

We have selected the role service and its features, and we are ready to continue. Click Next.

The next page is an information page; it describes that adding this role service also installs the Web Server (IIS) role. Click Next to continue.

The Web Server (IIS) role services to be installed are listed; leave the default selection and click Next.

On the confirmation page, verify that the roles and role services mentioned above are correct and click Install to start the Remote Access role installation. Sit back and relax for a few minutes while the installation completes.

The Remote Access role installation has started. Let’s wait until the installation completes, and then we start the configuration.

You will notice the installation succeeded message and a link to open the Getting Started wizard, which starts the configuration of the Remote Access role. Click the link.

Clicking the link will start the Configure Remote Access wizard. On the wizard, click the Deploy VPN only option.

Configure Remote Access with VPN Access

On the Configure Remote Access prompt, select Deploy VPN Only from the multiple Remote Access configuration methods.

The Routing and Remote Access management console will open. Right-click the server node and click ‘Configure and Enable Routing and Remote Access.’

The Routing and Remote Access Server Setup Wizard will start with a welcome screen. Click Next to begin the wizard.

Select the radio button next to Custom Configuration and click Next.

On the Custom Configuration page, select the checkbox next to VPN Access and click Next.

With VPN Access selected, the wizard has reached its end; click Finish.

Click OK on the warning message that the Remote Access configuration couldn’t open the required port. We will open the port on the Windows Firewall manually.

As we have configured Routing and Remote Access with VPN Access, the wizard ends by prompting us to start the service.

Once the Routing and Remote Access service has started, you will see a green arrow on the server node, indicating that the service is running.

Configure Remote Access Settings for VPN

There are specific settings we need to update so that the VPN functions securely and the client systems receive IPv4 addresses.

Right-click the server node and click Properties.

On the Remote Access server properties, go to the IPv4 tab, select the Static address pool radio button under IPv4 Assignment, and click Add to add an IP address pool. The IPv4 address pool is a static one; if you are running a DHCP server, you can leave the IP addresses to be assigned by the DHCP server instead. As we are not running a DHCP service, we are creating a static address pool in this example.

Type the start and end IP addresses of the pool in the Add dialog box. We have chosen the range 172.16.1.1 to 172.16.1.10 to assign IP addresses to the VPN clients.

Click OK once the IP addresses are properly typed.

Configure VPN Policy on Network Policy Server

Open the Server Manager window and, on the Tools menu, select Network Policy Server to begin configuring the VPN policy.

Expand the Network Policy Server and select New to create a new policy for VPN access.

On the New Network Policy window, type VPN Access as the policy name, select Remote Access Server (VPN-Dial Up) in the Type of network access server drop-down list, and click Next.

On the Specify Condition page, select Windows Group and click Add.

I have already created an Active Directory group called “vpngroup” for this purpose, and we are going to add that group. Please note that we are adding all users who need VPN access to this group.

Once we have confirmed that the group is added, click Next to continue.

As we are granting access to the users of this AD group, select Access Granted and click Next.

On the Configure Access methods page, click Add and select Microsoft Secure Password (EAP-MSCHAP v2) as the Extensible Authentication Protocol from the list of authentication methods.

Also, uncheck the boxes next to the less secure authentication methods.

Once the authentication method has been selected, click Next.

On the Configure Constraints page, leave the defaults and click Next.

On the Configure Settings page, also leave the defaults and click Next.

Click Finish to end the wizard.

Create a Windows Firewall rule to open the PPTP VPN port

Go to Control Panel > System and Security > Windows Defender Firewall and click Advanced settings.

Select Inbound Rules in the left navigation and click New Rule on the Actions menu.

Select Port as the rule type and click Next.

The PPTP port number is 1723. Select TCP for the rule, enter 1723 under Specific local ports, and click Next.

Select Allow Connections and click Next.

Select all the network locations and click Next.

Type a name for the rule and click Finish.
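The same inbound rule can be created from PowerShell and its effective scope reviewed afterwards. This is an added example, not part of the original article. It goes one step beyond the wizard steps by also adding a host rule for GRE (IP protocol 47), which the article only configures on the edge firewall, and by exposing a remote-address scope: PPTP derives its encryption keys from the MS-CHAP v2 exchange, which has published practical attacks, so narrowing who can reach the listener is worth doing where client addresses are known. The rule names are made up for the example.

```powershell
# Added example: create or update the PPTP inbound rules and report their effective scope.
# Run in an elevated PowerShell session on the VPN server.

# 'Any' mirrors the wizard steps. Replace with known client ranges where possible,
# e.g. @('203.0.113.0/24') (constructed documentation range).
$AllowedRemote = 'Any'

$rules = @(
    @{ DisplayName = 'PPTP VPN control (TCP 1723)';    Protocol = 'TCP'; LocalPort = 1723 }
    @{ DisplayName = 'PPTP VPN tunnel (GRE, proto 47)'; Protocol = '47' }
)

foreach ($r in $rules) {
    $existing = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        # Idempotent re-run: keep the rule, re-apply the intended state and scope.
        $existing | Set-NetFirewallRule -Enabled True -Action Allow -RemoteAddress $AllowedRemote
    } else {
        New-NetFirewallRule @r -Direction Inbound -Action Allow -Profile Any `
            -RemoteAddress $AllowedRemote | Out-Null
    }
}

# Report what is actually in force for each rule.
$report = foreach ($r in $rules) {
    $rule = Get-NetFirewallRule -DisplayName $r.DisplayName
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Action        = $rule.Action
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}
$report | Format-Table -AutoSize

if ($report.RemoteAddress -contains 'Any') {
    Write-Warning 'PPTP is reachable from any source address; restrict $AllowedRemote if client ranges are known.'
}
```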


Create VPN Network Connection

So, we have completed all server configuration; now it is time to create a VPN connection on the Windows 10 client computer.

Right-click the network icon on the taskbar and select ‘Open Network & Connection Sharing.’ In the Settings window, click ‘Network and Sharing Center’ to open the Network and Sharing Center, where we need to select ‘Set up a New Connection or Network.’

Follow the steps below.

  1. Open Network & Internet Sharing
  2. Network Sharing Center
  3. Set up a New Connection or network

A wizard starts; in the connection options, select ‘Connect to a workplace’ and click Next.

In the destination name, type a name that indicates the purpose of the connection. I left the default name in this example.

Leave ‘Remember my credentials’ selected and click Create.

  1. Type the VPN server’s internet hostname or IP address.
  2. Give a name to the VPN Connection.
  3. Click Create to create a workplace connection.

To change the type of VPN, right-click the newly created network connection and select Properties.

On the Security tab, select Point to Point Tunneling Protocol (PPTP) and click OK.

Click the network icon on the taskbar, and the newly created VPN connection will appear in the list of connections. Click it, and a credentials box will open.

On the sign-in prompt, type the AD user name and password and click OK.

The VPN connection will show as connected. Now we can access the internal devices on the office network using their private IP addresses.

Conclusion

In this article, we have gone through step-by-step instructions on how to 1. install and configure the Remote Access VPN role, 2. create the Network Policy Server VPN policy, 3. create a Windows Firewall rule, and 4. make a VPN connection on the Windows client system and connect to the office network remotely using PPTP. There is one more step: on the router or firewall device connecting to the internet, we need to add a port forwarding rule that points port 1723 to the VPN server. In the security settings on the firewall, we also need to enable Generic Routing Encapsulation so that the remote Windows client can connect to the VPN server that we just configured.

You may have some questions or feedback to share with me; please click the comments below and share your thoughts. I am happy to answer your questions.


How to promote Windows Server 2022 as Domain Controller

In this article, we are going to take a look at installing and configuring the Active Directory Domain Services role on Windows Server 2022 and promoting Windows Server 2022 to a domain controller.

The first step will be to install the AD DS binaries and then promote Windows Server 2022 to a domain controller.

First, install the Active Directory Domain Services role on Windows Server 2022. Log on to the server as the local Administrator, launch Server Manager, and select Add Roles and Features in the top menu.

This will start the Add Roles and Features wizard, which first shows the Before You Begin instructions window. Select Next to go to the next prompt.

Click Next

On Select Installation Type, select Role-based or feature-based installation

Click Next

Continue with the default selection on Select Destination Server as we are going to install it on the local server.

Click Next

In the Server Roles list, select the Active Directory Domain Services role.

When you select the Active Directory Domain Services role, the wizard prompts for the required features to add; click Add Features.

The Active Directory Domain Services and DNS Server roles are now selected in the Add Roles wizard.

Click Next

On the Features selection page, leave the defaults and click Next.

The next screen outlines the things to note about Active Directory Domain Services. You may go through this for your understanding.

Click Next.

The Active Directory Domain Services and DNS roles will now be installed, and you can view the installation progress.

The Active Directory Domain Services and DNS Server roles are now installed. Close the Add Roles and Features Wizard to return to Server Manager.

In Server Manager, select the notification icon and continue with the post-installation configuration, which is promoting the server to a Domain Controller.

Select Notifications and click “Promote this server to a domain controller”.

This will start the “Active Directory Domain Services Configuration Wizard”.

Select Add a New Forest in the Select Deployment Operation options.

Type the domain name you want to use.

Click Next.

On the next screen, leave the default settings and type a password for “Directory Services Restore Mode”. This password is different from the Administrator login password, so type the password and keep it in a secure place.

In the DNS options, leave the default.

Click Next

By default, the NetBIOS name shown is the prefix of the domain name; leave the default.

Click Next

You may change the paths of the database, log, and SYSVOL folders, but you can leave them at the defaults and continue.

Click Next.

Go through the Review Options page.

Click Next.

The prerequisites check verifies the Domain Controller operation; once it completes, you get a green tick indicating that all prerequisite checks passed.

Click Next.

The installation will complete the configuration and restart the server automatically.

Once the server has restarted, type the administrator password that was used before on the login screen and log in.

Launch Server Manager and select Tools -> Active Directory Users and Computers, which opens the Active Directory Users and Computers management console.

You can add users, groups, and other objects and start using Active Directory Domain Services.

The Windows Server 2022 Domain Controller Installation Completed Successfully.
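
The same role installation, prerequisite check, and new-forest promotion can be scripted with the ServerManager and ADDSDeployment cmdlets. The following PowerShell is an added example, not part of the original article; the domain name `corp.example.com` and NetBIOS name `CORP` are placeholder assumptions, and the folder paths assume the wizard defaults under `%SystemRoot%`.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the wizard steps described above.
# ASSUMPTION: the two names below are placeholders, not values from the article.
$DomainName  = 'corp.example.com'
$NetbiosName = 'CORP'

# Install the AD DS and DNS Server roles together with their management tools.
$feature = Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
if (-not $feature.Success) { throw 'Role installation failed.' }

# Prompt for the DSRM password as a SecureString so it is never stored in the
# script, the command history, or a transcript.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# The same choices the wizard makes when each page is left at its default.
$forest = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = "$env:SystemRoot\NTDS"
    LogPath                       = "$env:SystemRoot\NTDS"
    SysvolPath                    = "$env:SystemRoot\SYSVOL"
}

Import-Module ADDSDeployment

# Run the prerequisites check first and stop if anything other than success
# is reported, instead of promoting a server that is not ready.
$failed = Test-ADDSForestInstallation @forest | Where-Object Status -ne 'Success'
if ($failed) {
    $failed | ForEach-Object { Write-Warning $_.Message }
    throw 'Prerequisite check did not pass; the server was not promoted.'
}

# Create the new forest. The server restarts automatically when this completes.
Install-ADDSForest @forest -Force
```

After the automatic restart, running `Get-ADDomain` in an elevated session on the new Domain Controller confirms that the forest root domain exists under the name you chose.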