Your browser doesn’t support HTML5 audio
Microsoft’s Remote Desktop Services is a widely used desktop virtualization product. RDS provides users with a Windows client desktop that is shared among other users on Windows Server and allows administrators to provide a Windows desktop experience for many users at once, using one or more servers and a Remote Desktop Protocol client.
As such, RDS is a valuable and widely available tool for operations continuity, empowering government workers with the capabilities to function both in the office and away from it.
With two servers, administrators can set up an entire RDS implementation in only four steps.
1. Install RDS Base Roles
A typical RDS implementation has five roles: RD Connection Broker, RD Web Access, RD Session Host, RD Licensing and RD Gateway.
Think of the RD Connection Broker, RDP Web Access and the RD Session Host roles as base roles, which need to be installed on the primary RDS server.
Within the Add Roles and Features wizard, select Remote Desktop Services installation using the Quick Start option on Windows Server. The RDS wizard will then serve as a guide to installing all of these roles at once.
2. Install the Licensing Server
From within the Server Manager application, add a server to manage what will become a licensing server. Navigate to Remote Desktop Services and click on the green plus sign for RD Licensing. From there, add the other server under the Add RD Licensing Servers screen.
Once Windows installs the licensing server, a green plus sign should be visible above RD Licensing in the RDS Deployment Overview section.
Under the Remote Desktop Services screen, click on the green plus sign over RD Gateway, then select the destination server. When prompted, name the self-signed SSL certificate with a fully qualified domain and click Next to add the role.
4. Configure Deployment Properties
Once all roles are installed, navigate to the Remote Desktop Services screen, click on Tasks, then click on Edit Deployment Properties. On this screen, click on RD Licensing, choose Per User or Per Device settings depending on your agency’s needs, and click OK. These settings will provide a basic RDS setup.
More On Virtual Machines, Digital Workspace, Telework,
Copyright © 2022 CDW LLC 200 N. Milwaukee Avenue, Vernon Hills, IL 60061
In previous part I detailed what are RDS 2016 deployment types, news in RDS 2016 and what are core components. In this guide we will focus on Quick Deployment [All-In-One]
Let’s get started.
Install RDS Roles
OBS!!! Avoid adding RDS roles through Roles and Features Wizard if you are not a Powershell fan. You will need to configure RDS using Powershell.
Open Server Manager and click Manage -> Add Roles and Features
In the wizard on the Before you begin page click on next.
On Select Installation Type page, select Remote Desktop Services Installation, Click Next
On Select Deployment Type page, select Quick Start and click next
On Select Deployment Scenario page, Select Session-Based Desktop Deployment and click next
Since we did the Quick Start selection the Connection Broker, Web Access and Session Host roles will be installed on the single server. Click Next
On Confirmation page, check the box Restart the destination server automatically if required and click Deploy
When you click Deploy progress window will show up. After system restart check that all services configures successful and click Close
That’s it. We can access Remote Desktop Services through Server Manager if we click on Remote Desktop Service link in the left pane.
When you click on it, you will find your self in front of “RDS Manager”.
When you choose Quick Deployment type, Collection [QuickSessionCollection] and Remote App Programs are already configured.
Collections separate out RD Sessions Hosts into separate farms and allow admins to organize resources. [I will talk more about Collections and Collection Properties in my Purpose of RD Collections post].
As you can see the deployment is missing a RD Gateway server and a RD Licensing server.
Click the Add RD Licensing server green button.
Select a server, Next
Confirm selections and click add. Wait until the role service is deployed and click Close.
Next, we need to add RD Gateway. Click the Add RD Gateway server green button.
Select a server, Next
When we go through the wizard it’s gonna create a self-signed SSL certificate. I will replace that certificate with Trusted one a little bit later. On SSL Certificate Name page, I will type in Fully Qualified Domain Name of my RDS server rds01.mehic.se
Hit Next and Add. Wait until the role service is deployed and click on the Configure Certificate to review Certificate Options
[OBS!!! I will talk more about Deployment Properties in Exploring Deployment Properties series]
Notice that the certificate level currently has a status of Not Configured. The RD Gateway certificate is used for Client to gateway communication and needs to be trusted by the clients. Either install the self-signed certificate on all clients, or use a certificate for which the complete certificate chain is already trusted by all clients. As it said in the wizard, the external FQDN should be on the certificate.
Before we create new certificate, we need to configure DNS so that external users can resolve the name of the RD Gateway to the right IP address. You will configure it on your external DNS [hosted dns or DNS out on your ISP] somebody that we do not have the control over but that is accessible from the internet.
In this case my “external DNS” [ROUTER -machine on my external network] will handle DNS for the external network.
If I try to ping my gateway from external Windows 10 machine the ping will fail.
Everything works internally
Open DNS Manager and browse to Forward Lookup Zones. Right-Click on Forward Lookup Zones and select New Zone
On Welcome to the New Zone Wizard page click next. On Zone Type page accept the defaults and click next.
On Zone Name page, type in your zone name, In my case mehic.se and click next
On Zone File, Dynamic Update page accept the defaults and click Finish
Once finish, right-click on the new zone and select New Host [A or AAAA]
In real life you would type in the external IP address of your NAT router or the firewall, public IP that is closest to the gateway. In my case I am not running NAT and I am not running firewalls so I will put in its internal IP
I will also add my CA IP address.
Now if I try to ping from my “External Machine” ping will work.
Let’s try to connect to RDCB with RDP. Just open Run [Windows Button + R] and type in mstsc. Type in RDCB name and click on Advanced Tab
Advanced –> Settings and specify RD Gateway and click OK and Connect.
Windows Security will popup. Type in credentials and hit OK and you will run into this error.
We receive this error message because we didn’t configure certificate which is our second prerequisite.
In real life you would purchase this certificate from a public CA [GoDaddy,VeriSign etc.]. This certificate needs to contain the FQDN you will use as the RD Web Access URL [mine is rds01.mehic.se]. It needs to be in .pfx format and you need to have the private key in it. In my case I will use my private CA. [If you are not familiar or if you do not have private CA, please take a look on my Mastering Windows Server 2016 series to learn how to install Certificate Authority]
Open Server Manager –> Tools –> Certification Authority
In CA snap-in, right click on Certificate Template and select Manage
This opens up the certificate template snap-in. What we need to do is to pick one of these templates and copy it so that we can customize it for our purposes. With remote Desktops most certificates that we need are for SSL. Right-Click on Web Server template and select Duplicate Template
New Template Window will pop-up. First thing I am going to do is to change certificate name to MEHIC SSL on the General Tab.
Next click on Request Handling Tab and check Allow private key to be exported.
There is a number of things we can do but the most important thing is permission. So click on Security Tab and give Authenticated Users right to Enroll and Autoenroll. [OBS!!! In real life you may want to lock that certificate down to particular people but in this case it is not important.] I will also going to add in domain computers and give them permission to read, enroll and autoenroll. Click OK when it is done.
Now we need to take that template and Publish it to the CA. To do that, right-click on Certificate Templates –> New –> Certificate Template to Issue
Select our newly created certificate and click OK. When you click OK you will be able to see it in the list of the certificates that have been published to the CA.
The last step is to enroll certificate. Switch over to RDS01 and open up MMC [Windows button + R and type in mmc] Right-Click on Personal –> All Tasks –> Request New Certificate
On Before you begin and Select Certificate Enrollment Policy page, click Next. On Request Certificate page, select MEHIC SSL and click on the link More information is required…. [With an SSL we have to provide other information]
Change the Subject Name Type to Common Name and add the exact name of the server or web site that you are using. First I will add the single lable name rds01 and than the FQDN rds01.mehic.se, click OK
It allows me to Enroll, and then you can see that i have succeeded. Click Finish
Now underneath Personal I can go up and click Certificates, and there’s the certificate that I requested. Next we need to export the certificate with private key and configure gateway, rdwa, rdcb to use it.
Right-Click on it –> All Tasks –>Export
Welcome Export Wizard will pop-up. Click Next. Select Yes, Export the private key and click next
On Export File format click next.
Check Password box and type in the password. Click next
Type in the name and where you want to save it and click next and finish
Now let’s go back to the Deployment Properties and select RD Gateway –> Select Existing certificate
Add certificate and click OK.
Click Apply and you will notice that certificate level has now status of Trusted.
Do the same for the RDWA and RDCB.
Time to test the setup!
Internal
Browse to the //”Your RDWA server name”/rdweb. If everything is good, we will not receive certificate error message. RD Gateway will also work.
External
Cheers,
Nedim