In this second part of the Hybrid Cloud blog post series we’re going to set up Remote Access with 2-factor authentication and DHCP Failover.
With the Domain Controllers running on Server Core and a temporary Hydration server used for deployment only, we’re going to set up Remote Access first using Parallels Remote Application Server (PRAS).
Don’t worry, we will be setting up a full Citrix Hybrid Cloud solution, but I need something for Remote Access today and I also like to have a fallback solution.
The PRAS infrastructure server (PRAS-01) will be running on Server Core with 2 vCPU / 2 GB / 40 GB. The RDSH Worker (PRAS-WS19-01) will be running Windows Server with Desktop Experience with 2 vCPU / 4 GB / 60 GB.
From the Hydration Server make changes to the configuration file located in C:\Source\Examples\Parallels to reflect your environment. For more information check the blog post Prevent RDP Hacking in 2 Minutes with OTP.
# Turn off the Windows Firewall domain profile on the RAS server so the farm components can talk to each other (scope this to the RAS ports instead if your policy requires it)
Set-NetFirewallProfile -Profile Domain -Enabled False
# RAS infrastructure server and the domain account used to administer the farm
$Server = "YOURINFRASERVER"
$User = "[email protected]"
$Pwd = "YOURPASSWORD"
$Password = ConvertTo-SecureString $Pwd -AsPlainText -Force
# Parallels My Account credentials used for licence activation
$Email = "PARALLELS ACCOUNT EMAIL"
$EmailPwd = "PARALLELS ACCOUNT PASSWORD"
$EmailPassword = ConvertTo-SecureString $EmailPwd -AsPlainText -Force
# Connect to the farm
New-RASSession -Username $User -Password $Password -Server $Server
# Register the RDSH worker and put it in a group
$RDS1 = New-RDS -Server "YOURWORKERSERVER"
$RDSList = Get-RDS
New-RDSGroup -Name "Windows 2019 RDS" -RDSObject $RDSList
Set-RDSDefaultSettings -MaxSessions 100 -EnableAppMonitoring $true
# Publish a full desktop
New-PubRDSDesktop -Name "Desktop"
Set-RASTurboSettings -Enable $False
# Require a Google/Microsoft Authenticator (TOTP) code at logon
Set-2FASetting -Provider GAuthTOTP
Invoke-LicenseActivate -email $Email -Password $EmailPassword
# Save the changes to the farm configuration
Invoke-Apply
Open an RDP session to PRAS-01 and type whoami to make sure you’re logged in as Domain Administrator. Type PowerShell.
Now copy & paste the customized Parallels configuration above.
To log off the Server Core session type sconfig and then 12.
Finally download, install and open the Parallels Client and scan the QR code into Google or Microsoft Authenticator (shown after the first authentication).
If you are lucky enough to have a UniFi Secure Gateway (USG), simply head over to Settings – Routing & Firewall – Port Forwarding. It’s that easy.
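The configuration file above keeps both the RAS administrator password and the Parallels account password in clear text on the Hydration server. The following is an added example (not code from the original post or from Parallels) that runs the same steps but prompts for both sets of credentials at run time and checks that the worker actually registered before publishing. It assumes the server names PRAS-01 and PRAS-WS19-01 from this post, that the RAS PowerShell module is already loaded as it is when the post’s script runs, and that the Server property on the objects returned by Get-RDS holds the host name (an assumption).

```powershell
# Added example: same RAS setup as the post's script, without clear-text passwords on disk.
# Assumed names: PRAS-01 (infrastructure server), PRAS-WS19-01 (RDSH worker).
$Server = "PRAS-01"
$Worker = "PRAS-WS19-01"

# Prompt instead of storing secrets in C:\Source\Examples\Parallels
$RasAdmin = Get-Credential -Message "RAS administrator (domain UPN)"
$Licence  = Get-Credential -Message "Parallels My Account e-mail and password"

# New-RASSession takes a SecureString, so the PSCredential password can be passed straight through
New-RASSession -Username $RasAdmin.UserName -Password $RasAdmin.Password -Server $Server

# Register the worker and confirm it shows up in the farm before publishing anything
New-RDS -Server $Worker | Out-Null
$Workers = Get-RDS
# Assumption: the RDS object exposes the host name in its Server property
if (-not ($Workers | Where-Object { $_.Server -like "$Worker*" })) {
    throw "Worker $Worker did not register in the farm; check the domain firewall profile and DNS first"
}

New-RDSGroup -Name "Windows 2019 RDS" -RDSObject $Workers
Set-RDSDefaultSettings -MaxSessions 100 -EnableAppMonitoring $true
New-PubRDSDesktop -Name "Desktop"
Set-RASTurboSettings -Enable $False

# TOTP second factor, as in the post
Set-2FASetting -Provider GAuthTOTP

# Licence activation with the prompted Parallels account
Invoke-LicenseActivate -Email $Licence.UserName -Password $Licence.Password

# Save the farm configuration and drop the admin session
Invoke-Apply
Remove-RASSession

# Clear the credential objects from the session once done
Remove-Variable RasAdmin, Licence
```

Because nothing is written to disk, the file left on the Hydration server contains only server names; the 2FA enrolment and QR-code scan in the Parallels Client work exactly as described in the post.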
I found that the USG DDNS reports the internal IP address of the ISP modem, so I use Dyn.com and their Dyn Update client running on my Office PC to always update my DNS record with my external IP address.
The final part is to configure DHCP Failover. Open an RDP connection to PRAS-WS19-01, install the DHCP RSAT tools and connect to DC-01 and DC-02.
First off we need to right click DC-02 and Authorize it. Second, expand IPv4 on DC-01 and click Scope Options. Double click 006 DNS Servers to add the 2nd DNS server.
Right click IPv4 on DC-01 and select Configure Failover.
Add DC-02 and click Next.
Set the Mode to Hot standby – Standby and type in a Shared Secret. The two modes are:
- Load balance mode (both DHCP servers are active and the load is shared between the two).
- Hot standby mode (one of the DHCP servers is active and the other is passive; when the active server goes down, the passive one takes over and becomes active).
Click Next – Finish.
You’ve now successfully set up a DHCP Failover.
You can verify that it’s working by selecting Address Leases on DC-02.
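The same authorize, option 006, failover and verification steps can be scripted with the DhcpServer module that comes with the DHCP RSAT tools. This is an added example, not from the original post; it assumes it is run from PRAS-WS19-01 as a domain administrator, and the scope ID, DNS addresses and DC-02 FQDN are placeholders to replace with your own.

```powershell
# Added example: the DHCP failover steps from this post as a script.
# Placeholders: the scope ID, the DC IP addresses and the DC-02 FQDN are constructed values.
$Primary = "DC-01"
$Partner = "DC-02"
$ScopeId = "192.0.2.0"                      # placeholder: network ID of your IPv4 scope
$Dns     = @("192.0.2.10", "192.0.2.11")    # placeholder: DC-01 and DC-02 addresses

# 1. Authorize DC-02 in Active Directory (the "Authorize" right-click in the MMC)
Add-DhcpServerInDC -DnsName "dc-02.example.test" -IPAddress $Dns[1]   # placeholder FQDN

# 2. Scope option 006: hand out both DNS servers to clients
Set-DhcpServerv4OptionValue -ComputerName $Primary -ScopeId $ScopeId -DnsServer $Dns

# 3. Hot standby relationship: DC-01 active, DC-02 standby with 5% of the scope in reserve.
#    The shared secret authenticates the failover messages between the two servers.
$Secret = Read-Host -Prompt "Failover shared secret"
Add-DhcpServerv4Failover -ComputerName $Primary -PartnerServer $Partner `
    -Name "$Primary-$Partner" -ScopeId $ScopeId `
    -ServerRole Active -ReservePercent 5 -SharedSecret $Secret `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Hours 1)

# 4. Verify the relationship on the primary and that the standby now holds the lease database
$Failover = Get-DhcpServerv4Failover -ComputerName $Primary -Name "$Primary-$Partner"
if ($Failover.Mode -ne 'HotStandby') {
    throw "Expected HotStandby mode, got $($Failover.Mode)"
}
$Failover | Format-List Name, PartnerServer, Mode, ServerRole, State

# Equivalent of opening Address Leases on DC-02 in the console
Get-DhcpServerv4Lease -ComputerName $Partner -ScopeId $ScopeId |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
```

AutoStateTransition with a one-hour switch interval makes DC-02 move from communication-interrupted to partner-down on its own, which is what lets it start handing out the full scope when DC-01 is offline; without it an administrator has to promote the standby manually.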
And that’s it. In Part 3 we’re going to setup Group Policy Central Store, enable Windows Remote Management (WinRM), install and configure ControlUp and Local Administrator Password Solution (LAPS).