TECHNICAL WHITE PAPER
Deployment Guide:
Unidesk and Hyper-V
This document provides a high level overview of Unidesk 3.x and Remote Desktop
Services. It covers how Unidesk works, an architectural overview of Unidesk and
Remote Desktop Services, and what it takes to deploy both.
Table of Contents
How Unidesk Works
Summary of Unidesk Benefits
  Desktop Provisioning
  Application Layering
  Image Management
  Persistent Personalization
  Storage Optimization
  Patch, Repair, Audit
Architectural Overview
  Overview
  Unidesk
    Desktops
    Storage
    Management Appliance
    Master CachePoint Appliance
    Secondary CachePoint Appliances
  Remote Desktop Services
    Connection Broker
    Virtualization Host
    Web Access
    Gateway
    Licensing
Deployment Overview
  Remote Desktop Services
  Unidesk
    Unidesk Hyper-V Agent
    Management Appliance
    Master CachePoint
    Secondary CachePoints
    Broker Agent
    Directory Junction
    Operating System Layer
    Installation Machines
    Collections
Conclusion
References
  Glossary of Unidesk terms
How Unidesk Works
Unidesk is a virtual desktop and application management platform. It works in conjunction with the Hyper-V hypervisor and the Remote Desktop Services broker to deliver desktops to end users. Unidesk manages both desktops and applications, creating a seamless experience for the end user and giving the administrator a single pane of glass to manage both. Unidesk can deliver both personal and pooled desktops through the Remote Desktop Services broker. Unidesk works by virtualizing a Windows desktop’s “C:” drive, breaking it up into a set of layers. Layers are created for the operating system, applications, and desktop personalization. Each layer is encapsulated in a separate virtual disk that stores the file system and registry settings for that layer. Layers are then "merged" into a single C: drive using Unidesk’s patented technology called Composite Virtualization. With Composite Virtualization, the registry settings and file systems from each layer added to the desktop are presented as if all the files and registry settings were installed within a single “C:” drive on the user’s desktop. When using the desktop, the user sees the applications defined as expected within the "C:\program files" directory structure, sees their registry entries, and even sees the applications listed under Programs and Features.
Each desktop is assigned to a particular CachePoint and is therefore managed by that CachePoint. Each CachePoint manages a separate set of layer disks that are used by the desktops it manages. The operating system and application layers themselves are read-only and are shared across all the desktops managed by the same CachePoint. These are the layers that get replicated across the CacheCloud environment. The personalization layer is the layer on each desktop where all writes go. Since the OS and Application layers are read-only, whenever a change is made to a file in an OS or Application layer, or whenever a file is written directly to a desktop, it is always placed in the personalization layer. So everything unique about a desktop is stored in the personalization layer disks.
Summary of Unidesk Capabilities
Unidesk makes building and managing desktops extremely simple. Unidesk delivers the following significant capabilities:
Desktop Provisioning
Unidesk layering technology makes building virtual desktops fast and easy – even if your users all require different applications and personal settings. Unidesk uses a simple, wizard-driven, point-and-click interface. Each desktop or set of desktops can have its own applications while still using the same operating system layer.
Application Layering
There’s no long list of apps that cannot be packaged with Unidesk. Our next-generation file system and registry virtualization technology starts running the moment Windows boots, so it can package drivers, Ring 0 apps, apps with global DLL hooks, custom apps, apps that hard-code the C: drive, and anything else you can throw at us.
Image Management
With Unidesk’s advanced layering technology, you can package any application as its own read-only, shareable virtual disk – even the ones that are too hard for traditional application virtualization. This means your Windows OS layer can be kept clean. You’ll finally have one true golden image that can be used as the basis for all desktops, no matter how many different desktop pools and application combinations you have.
Persistent Personalization
Unidesk retains all user customizations, including settings that live inside a profile, as well as documents, plug-ins, and applications that live in the Windows file system and registry. When you create a persistent desktop with Unidesk and assign it to a user, all changed settings are naturally captured in the user’s local profile. All data and user-installed applications are automatically written to the desktop’s Personalization layer, the writable virtual disk that is associated with each VM. When you change any of the underlying OS or Application layers, the Personalization layer remains intact, merging seamlessly with the other layers through the magic of Unidesk Composite Virtualization.
Storage Optimization
Our approach of virtualizing everything above the hypervisor gives you space savings as a natural side effect. Unidesk stores Windows OS and application layers as read-only virtual disks that are shared by many desktops. Instead of having 100 copies of Windows and 100 copies of Microsoft Office for 100 desktops, you only have one. That’s why Unidesk layered VMs use up to 80% less space than full clones. Without a new parent VM for every pool or redo logs that grow endlessly, Unidesk is more efficient than Linked Clones and vDisks, too.
Patch, Repair, Audit, Restore
Unidesk allows for easy patching and repairing of desktops. Unidesk’s ability to version the operating system and application layers allows an administrator to easily roll forward or roll back between versions.
Repairing broken applications is extremely simple as well with layering. An administrator simply chooses the reinstall option of an application when editing a desktop and this will reset the application back to its original state without losing the application’s user profile personalization. Unidesk also allows for easy auditing of desktops and layers.
Architectural Overview
Overview
As shown in the following illustration, the Unidesk system provides the disk (or C: drive) to virtual desktops hosted in a virtual infrastructure. Administrators use the Unidesk management interface to create, manage, update, and report on the desktop virtual machines in the environment. As directed by the administrator, the Unidesk software builds, deletes, and reconfigures virtual desktops.
The Management Appliance communicates with the CachePoint Appliances in the environment. The single Master CachePoint Appliance maintains a copy of every Operating System or Application layer in the environment. Each additional CachePoint Appliance manages layers for Unidesk desktops that are associated with that CachePoint.
Remote Desktop Services is a set of roles within Windows Server 2012 R2 that allows end users to access a set of virtual machines running on Hyper-V. Users access the environment through a web front end that works with the connection broker to authenticate users and deliver the appropriate desktop to them. Remote Desktop Services can also securely deliver desktops by encrypting the connections with SSL over the internet.
Unidesk
Unidesk infrastructure consists of a set of Linux virtual appliances to manage both desktops and applications. The administrator does not need to know anything about Linux to manage the environment. The management of the environment is taken care of through the Unidesk Management Console.
Desktops
read-only and the disks that make up the personalization layer are writable disks. Then at the core of Unidesk’s Composite Virtualization is a Windows filter driver that "merges" all these layers together to form a single C: drive that the operating system and user interact with. In essence, the entire C: is virtualized.
Storage
In version 3.x, layers are stored as separate .vhdx files. Desktops mount these directly from storage in a many-to-one fashion.
Unidesk stores content in tiers. There are two tiers of storage that Unidesk uses when creating desktops. The first is the Boot Image tier. This is where the virtual machines are created; it includes the virtual machine settings, the boot image, and any differencing disks. The boot image is a disk local to the virtual machine. It holds three things: enough of the Windows boot files to start the Windows boot and load the Composite Virtualization drivers, the page file, and a composited registry.
The second tier is the CachePoint and layers. This tier contains the CachePoint appliances as well as the Operating System, Application and Personalization layers for the desktops. The virtual machines attach directly to the layers.
Management Appliance
The Management Appliance is a virtual appliance that coordinates all of the communication in the Unidesk environment. It includes the Management Console and the management infrastructure that controls the workflow of managing virtual desktops.
Master CachePoint Appliance
A special CachePoint Appliance that manages a master copy of all operating system and application layers and versions of layers in the Unidesk environment. It also manages all of the Installation Machines used to create application layers and layer versions.
Secondary CachePoint Appliances
A Secondary CachePoint is a virtual appliance that builds and manages a set of desktops. A Secondary CachePoint manages the copies of the operating system, application, and personalization layers in use by its desktops. These copies are replicated from the Master to the Secondary. These CachePoints also handle the creation, editing, and deletion of the desktops they manage. For example, when a desktop is edited (say, by adding a new layer), it is the CachePoint that steps in and adds or removes layers from the virtual desktop. It also creates the boot image for the boot disk.
Remote Desktop Services
Remote Desktop Services uses a number of roles to deploy virtual desktops and grant users access to those virtual desktops. Roles such as the Connection Broker, Virtualization Host, Licensing, and others work together to deliver a virtual desktop to the end user. For small environments, many of these roles can be run on a single Windows server, but in larger environments, where high availability is a concern, splitting the roles across multiple servers is recommended.
Connection Broker
The Connection Broker role is central to providing desktops to end users. This role is essentially the business logic behind everything else in the environment. It performs functions such as redirecting users to desktops, checking credentials, turning on desktops, Collection creation, and others. The Connection Broker can be set up in a highly available configuration with a centralized SQL Server maintaining the information about the environment. Otherwise, the information is local to the Connection Broker server.
Virtualization Host
The Virtualization Host role is assigned to every Hyper-V server that will be hosting desktops. This is a separate role from the Hyper-V server role. The Virtualization Host is where all virtual machines are stored and run from.
Web Access
Web Access allows users to access their virtual desktops through a web browser. This is a web server that acts as a front-end interface to the Collections that end users have access to. A user logs in with their domain credentials, which pulls up the Collections they have access to. By clicking on the appropriate Collection, the end user is connected to a desktop in that Collection.
Gateway
server uses a set of certificates to securely route the user connection to the appropriate desktops. It works in conjunction with the Web Access server.
Licensing
Licensing is critical in a Remote Desktop Services environment. Without a license, the Connection Broker will not route the user to their desktop. This role hands out licenses to either the device or the end user when they access the virtual desktops.
Deployment Overview
Remote Desktop Services
Remote Desktop Services is deployed using Server Manager. The roles can be deployed from any server in the environment as long as the administrator has added the appropriate servers to be managed in Server Manager. From within Server Manager, the administrator starts the Remote Desktop Services wizard through Add Roles and Features, which has a specific option for Remote Desktop Services. This wizard allows the administrator to choose which server or servers will perform which role. Once the wizard is complete, the administrator can add additional roles to servers or add additional servers to the already configured roles. In many cases, some form of load balancing should be used to provide redundancy for certain roles.
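The same role layout can be scripted with the RemoteDesktop PowerShell module instead of the Server Manager wizard. This is an added example, not from the original guide; every server name and the external gateway name are placeholder assumptions, and it must be run from a server with the Remote Desktop Services management tools installed.

```powershell
# Added example: deploy the RDS roles this guide describes with the RemoteDesktop module.
# All host names below are placeholders (assumptions) for your own environment.
Import-Module RemoteDesktop

$Broker      = 'rdcb01.corp.example'                            # Connection Broker
$HyperVHosts = @('hv01.corp.example', 'hv02.corp.example')      # Virtualization Hosts (these also get the Unidesk Hyper-V agent)
$WebAccess   = 'rdweb01.corp.example'                           # Web Access
$Gateway     = 'rdgw01.corp.example'                            # Gateway
$GatewayFqdn = 'desktops.example.com'                           # external name that must match the Gateway certificate
$LicenseSrv  = 'rdlic01.corp.example'                           # Licensing

# Standard VDI deployment: Connection Broker + Virtualization Host(s) + Web Access.
New-RDVirtualDesktopDeployment -ConnectionBroker $Broker `
    -VirtualizationHost $HyperVHosts -WebAccessServer $WebAccess

# Gateway role for encrypted access from the internet; the external FQDN is what
# the certificate on the Gateway server is issued to.
Add-RDServer -Server $Gateway -Role RDS-GATEWAY -ConnectionBroker $Broker `
    -GatewayExternalFqdn $GatewayFqdn

# Licensing role: without it the broker will not route users to their desktops.
Add-RDServer -Server $LicenseSrv -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $LicenseSrv -Mode PerUser `
    -ConnectionBroker $Broker -Force

# Confirm every role is registered before installing the Unidesk Broker Agent
# on the Connection Broker server.
Get-RDServer -ConnectionBroker $Broker | Select-Object Server, Roles
```

For a highly available broker, Set-RDConnectionBrokerHighAvailability is the cmdlet equivalent of the centralized SQL Server configuration described under Connection Broker.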
Unidesk
The Unidesk infrastructure is built using virtual appliances running in a Hyper-V infrastructure. The Unidesk components are deployed in the following order:
1. The Hyper-V agent
2. The Unidesk Management Appliance
3. The Unidesk Master CachePoint
4. Secondary CachePoints (if required)
5. Lastly, the Broker Agent must be deployed to the appropriate broker server.
Unidesk Hyper-V Agent
The Unidesk Hyper-V agent is required on every Hyper-V server that will be used to host Unidesk desktops. The first step in installing Unidesk is installing the agent. The Management Appliance communicates with the Hyper-V agent to send the requests used for creating virtual machines, deleting virtual machines, and so on. The Unidesk Installer will install the agent and set up communication with the Management Appliance for the first Hyper-V server you install to. However, the agent must also be installed on the other Hyper-V servers. You can run the stand-alone installer from the Unidesk download directory. When the agent installer is run, it prompts the administrator for Management Appliance information so it can register successfully. By default, the Hyper-V Agent uses port 8014.
Management Appliance
The second step of the Unidesk installer is to create the Management Appliance. The Management Appliance requires information such as:
• Name
• Folder Location
• Virtual Switch
• Time Zone
• NTP Servers
• IP Configuration (DHCP or Static)
Once this information is provided, the installer will automatically create the Management Appliance on the Hyper-V host as a virtual machine and apply the above settings.
Master CachePoint
• Name of the Appliance
• Host
• Boot Image storage
• CachePoint and Layer storage
• IP Address information (DHCP or Static)
When the information is set, the wizard will create a task in the Management Console and create the Master CachePoint.
Secondary CachePoints
Unidesk works as a scale-out technology. As you add hosts and storage, you also add CachePoints. CachePoints are typically associated with storage but they are virtual machines and need a host to reside on. As stated in the Hyper-V agent section, as you add more hosts, you need to install the agent. Once the agent is installed, the Create CachePoint wizard will be allowed to see and use the host and storage associated with it.
To create a Secondary CachePoint, the same process is used that created the Master CachePoint. The same wizard, Create CachePoint, will now create Secondary CachePoints, requesting the same information as before.
Broker Agent
The Broker Agent is required on a broker controller to facilitate communication between the Management Appliance and the broker. This agent is included in the base download of Unidesk. The default port used is 8015. The administrator simply runs the installer to install and configure the agent. Once the agent is installed, the administrator then uses the Unidesk Management Console to configure the connection to the broker. This is done in the System tab under Settings and Configuration.
Directory Junction
To finish configuring the Unidesk environment, you must create a Directory Junction to an Active Directory domain. This allows the Unidesk administrator, when creating Collections and desktops, to specify which user or group is associated with the Collections and desktops. For example, if the administrator creates a Persistent Collection, they would specify the users or group of users that could be assigned desktops during the create desktop process.
To create a Directory Junction, in the Unidesk Management Console, go to the Users tab and the Directory Service sub-tab. Then, run the Create Directory Junction wizard to create a read-only connection to the Active Directory domain. Many junctions can be created to different domains and different Organizational Units.
Certain information is required when running the wizard:
• Directory Junction name (can be anything)
• Server address (can be the FQDN of the domain)
• Port used and whether SSL is required to connect to the domain controllers
• User account and password used to access the domain (requires read rights to the domain)
• Distinguished Name: This is either specified as the top level of the domain or specified down to the Organizational Unit level where user accounts and groups are located, using the provided dropdown box.
• NetBIOS Name of the domain
• Folder Location: Where in the Unidesk folder hierarchy this Directory Junction will be located.
Once the information is filled out, the Junction can be created.
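Before entering the values above, it helps to confirm from the Management Appliance's network that the integration points described in the Hyper-V Agent, Broker Agent and Directory Junction sections actually respond, and that the junction account can bind over LDAPS to the Distinguished Name you intend to use. The script below is an added example, not part of the guide; the host names, addresses, base DN and service account are placeholder assumptions.

```powershell
# Added example: pre-flight checks for the Unidesk integration points named in this guide.
# Host names, the appliance address, the base DN and the account are placeholders (assumptions).
$ManagementAppliance = '10.0.0.10'                               # Unidesk Management Appliance IP
$HyperVHosts         = @('hv01.corp.example', 'hv02.corp.example')
$BrokerServer        = 'rdcb01.corp.example'                     # server running the Broker Agent
$DomainController    = 'dc01.corp.example'
$JunctionBaseDn      = 'OU=VDI Users,DC=corp,DC=example'         # Distinguished Name for the junction
$JunctionAccount     = 'corp\svc-unidesk-ldap'                   # read-only account used by the junction

# Ports from the guide: 8014 = Hyper-V Agent, 8015 = Broker Agent; 636 = LDAPS for the junction.
$Checks = @()
foreach ($h in $HyperVHosts) { $Checks += @{ Target = $h; Port = 8014; Purpose = 'Unidesk Hyper-V Agent' } }
$Checks += @{ Target = $BrokerServer;     Port = 8015; Purpose = 'Unidesk Broker Agent' }
$Checks += @{ Target = $DomainController; Port = 636;  Purpose = 'LDAPS for Directory Junction' }

$results = foreach ($c in $Checks) {
    $t = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $c.Target; Port = $c.Port; Purpose = $c.Purpose; Reachable = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# On each Hyper-V host, scope the inbound agent port to the Management Appliance only,
# instead of allowing it from any source (run locally on the host as an administrator):
# New-NetFirewallRule -DisplayName 'Unidesk Hyper-V Agent (8014)' -Direction Inbound `
#     -Protocol TCP -LocalPort 8014 -RemoteAddress $ManagementAppliance -Action Allow

# Verify an LDAPS bind with the junction account and that the base DN exists, so the
# wizard is given a working read-only account and a DN that resolves.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred  = Get-Credential -UserName $JunctionAccount -Message 'Directory Junction account'
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
$ldap  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident, $cred.GetNetworkCredential())
$ldap.SessionOptions.SecureSocketLayer = $true      # require TLS; plain LDAP would send the bind in clear text
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
try {
    $ldap.Bind()
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $JunctionBaseDn, '(objectClass=*)', 'Base', 'distinguishedName')
    $rsp = $ldap.SendRequest($req)
    "LDAPS bind OK; base DN found: $($rsp.Entries[0].DistinguishedName)"
} catch {
    "LDAPS check failed: $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}
```

A failed bind or an unresolved DN here is cheaper to diagnose than a junction that appears to create successfully but returns no users when a Collection is built.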
Operating System Layer
• Update the Microsoft Integration Services if the operating system is Windows 7.
• Update Windows with all available Windows Updates
• Do not join Windows to a domain
• Do not run any outside optimizations on Windows
Once you have Windows installed, it is time to prepare the operating system. There is a set of Gold Image tools in the Unidesk download that will help you do this. Extract the Gold Image tools to the default location. Use File Explorer to browse to that location and run Unattend.exe as an administrator. This utility creates the required Unattend.xml file that is used to automate the desktop build process. When desktops are built in Unidesk, the Windows mini-setup process is invoked, and if the Unattend.xml file is missing or not properly configured, the mini-setup will stop and ask questions. This utility prevents that.
Once the Unattend.xml is created, it is time to run Optimize.exe as an administrator. This utility allows you to select and deselect which optimizations to run within Windows. The optimizations are based on best practices collected from a variety of resources. Once you've selected the ones you would like to apply, save the selections. Next, run the newly created Optimizations.cmd file as an administrator. This optimizes the base image so that, when creating application layers, the operating system layer is in the same state as the desktops are when they are created.
The last portion of preparing Windows is to run the setup executable so that the Unidesk image prep tools are installed and the virtual machine is registered with the Management Appliance. The executable is located in the same directory that was extracted earlier. Once this is done, the virtual machine can be shut down. It is now ready for import. To import the operating system of the virtual machine you must use the Unidesk Management Console. Once it is open, go to the Layers tab and select OS Layers. The Create OS Layer wizard starts the process of importing the operating system. The wizard asks for three mandatory things:
• Operating system layer name
• Version
• Gold Image: The dropdown box will show the name of the virtual machine that you ran the Image Prep tools on earlier when finishing the operating system.
The rest of the fields are optional.
Once you complete the wizard, a task is created to import the operating system from the virtual machine.
Installation Machines
Installation Machines are used to create and add versions to applications and operating system layers. These are virtual machines specifically set aside for this task. They are also reusable. This means that an Installation Machine is not tied to any specific application or version of application.
To create an Installation Machine, in the Management Console, go to System and then select Installation Machines. The Create Installation Machine wizard will create the virtual machines. Simply fill in the required fields and the Installation Machine will be created.
Collections
Unidesk Collections are groups of virtual desktops in the Unidesk Management Console. When a Collection is created, the administrator can specify whether the Collection is tied to a particular broker or to none at all. Persistence or Non-Persistence is also specified when creating a Collection. When tied to a broker, Unidesk Collections become the equivalent of a Remote Desktop Services Collection. When the first set of virtual desktops is created for a particular Collection, Unidesk automatically creates a Remote Desktop Collection with the same name. Entitlements are also selected during Collection creation.
Create Desktop wizard were specified during Collection creation (Entitlements). This is not required for Non-Persistent Desktops. If a desktop is created in a Collection that is tied to a broker, then when the desktop is created, it is automatically assigned to the broker and any user entitlement as well.
Conclusion
With the infrastructure in place, the administrator can now create application layers and deploy desktops. Using Unidesk and Remote Desktop Services together gives administrators an easy-to-set-up infrastructure and easy, single-pane-of-glass management of desktops and applications. The two together deliver a seamless experience to end users, whether the desktops are personal or pooled.
References
Glossary of Unidesk terms
The following table provides definitions of terms that are specific to the Unidesk product.
Application Layer: A container or layer that includes an application or set of applications that you can assign to a hosted virtual desktop.

CacheCloud®: A grid of virtual appliances that replicate operating system, application, and user workspace layers across an enterprise network. The environment uses the Unidesk Composite Virtualization™ technology to synthesize the layers into complete, personalized desktops.

CachePoint® Appliance: A virtual appliance that manages the layers and virtual desktops that you deploy to end users.

Desktop: A hosted virtual machine that is a local composite of the layers assigned to it and a Personalization Layer that contains all specific desktop information including a user's personalized data, settings, and applications.

Operating System Layer: A container or layer that includes an operating system that you can assign to a hosted virtual desktop.

Gold Image: A virtual machine configured with an operating system and any desired applications that, when imported into Unidesk, creates the Operating System Layer.

Installation Machine: A special type of virtual machine that acts as a staging area for the creation of Application Layers as well as versions of Operating System and Application Layers.

Management Appliance: A virtual appliance that coordinates all of the communication in the Unidesk® environment. It includes the Management Console and the management infrastructure that controls the workflow of managing virtual desktops.

Management Console: The Web-based management console that allows you to manage

Master CachePoint Appliance: A special CachePoint Appliance that hosts a copy of all layers and versions of layers in the Unidesk environment. It also manages all of the Installation Machines used to create Operating System Layers and layer versions.

Operating System Layer: A shared container or layer that includes the Operating System that you can assign to hosted virtual desktops. A desktop is a composite of an Operating System Layer and several Application Layers.

Personalization Layer: A unique container or layer that stores all of a desktop’s specific