How do I install Remote Desktop Services in Windows Server 2016?

Deploy your Remote Desktop environment

  • Article
  • 12/23/2021
  • 5 minutes to read
  • 7 contributors


Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

Use the following steps to deploy the Remote Desktop servers in your environment. You can install the server roles on physical machines or virtual machines, depending on whether you are creating an on-premises, cloud-based, or hybrid environment.

If you are using virtual machines for any of the Remote Desktop Services servers, make sure you have prepared those virtual machines.

  1. Add all the servers you're going to use for Remote Desktop Services to Server Manager:

    1. In Server Manager, click Manage > Add Servers.
    2. Click Find Now.
    3. Click each server in the deployment [for example, Contoso-Cb1, Contoso-WebGw1, and Contoso-Sh2] and click OK.
  2. Create a session-based deployment to deploy the Remote Desktop Services components:

    1. In Server Manager, click Manage > Add Roles and Features.
    2. Click Remote Desktop Services installation, Standard Deployment, and Session-based desktop deployment.
    3. Select the appropriate servers for the RD Connection Broker server, RD Web Access server, and RD Session Host server [for example, Contoso-Cb1, Contoso-WebGw1, and Contoso-SH1, respectively].
    4. Select Restart the destination server automatically if required, and then click Deploy.
    5. Wait for the deployment to complete successfully.
  3. Add RD License Server:

    1. In Server Manager, click Remote Desktop Services > Overview > +RD Licensing.
    2. Select the virtual machine where the RD license server will be installed [for example, Contoso-Cb1].
    3. Click Next, and then click Add.
  4. Activate the RD License Server and add it to the License Servers group:

    1. In Server Manager, click Remote Desktop Services > Servers. Right-click the server with the Remote Desktop Licensing role installed and select RD Licensing Manager.
    2. In RD Licensing Manager, select the server, and then click Action > Activate Server.
    3. Accept the default values in the Activate Server Wizard. Continue accepting default values until you reach the Company information page. Then, enter your company information.
    4. Accept the defaults for the remaining pages until the final page. Clear Start Install Licenses Wizard now, and then click Finish.
    5. Click Action > Review Configuration > Add to Group > OK. Enter credentials for a user in the AAD DC Administrators group, and register as SCP. This step might not work if you are using Azure AD Domain Services, but you can ignore any warnings or errors.
  5. Add the RD Gateway server and certificate name:

    1. In Server Manager, click Remote Desktop Services > Overview > + RD Gateway.
    2. In the Add RD Gateway Servers wizard, select the virtual machine where you want to install the RD Gateway server [for example, Contoso-WebGw1].
    3. Enter the SSL certificate name for the RD Gateway server using the external fully qualified DNS Name [FQDN] of the RD Gateway server. In Azure, this is the DNS name label and uses the format servicename.location.cloudapp.azure.com. For example, contoso.westus.cloudapp.azure.com.
    4. Click Next, and then click Add.
  6. Create and install self-signed certificates for the RD Gateway and RD Connection Broker servers.

    Note

    If you are providing and installing certificates from a trusted certificate authority, perform the procedures from substep 8 to substep 11 for each role. You will need to have the .pfx file available for each of these certificates.

    1. In Server Manager, click Remote Desktop Services > Overview > Tasks > Edit Deployment Properties.
    2. Expand Certificates, and then scroll down to the table. Click RD Gateway > Create new certificate.
    3. Enter the certificate name, using the external FQDN of the RD Gateway server [for example, contoso.westus.cloudapp.azure.com] and then enter the password.
    4. Select Store this certificate and then browse to the shared folder you created for certificates in a previous step [for example, \\Contoso-Cb1\Certificates].
    5. Enter a file name for the certificate [for example, ContosoRdGwCert], and then click Save.
    6. Select Allow the certificate to be added to the Trusted Root Certificate Authorities certificate store on the destination computers, and then click OK.
    7. Click Apply, and then wait for the certificate to be successfully applied to the RD Gateway server.
    8. Click RD Web Access > Select existing certificate.
    9. Browse to the certificate created for the RD Gateway server [for example, ContosoRdGwCert], and then click Open.
    10. Enter the password for the certificate, select Allow the certificate to be added to the Trusted Root Certificate store on the destination computers, and then click OK.
    11. Click Apply, and then wait for the certificate to be successfully applied to the RD Web Access server.
    12. Repeat substeps 1-11 for the RD Connection Broker - Enable Single Sign On and RD Connection Broker - Publishing services, using the internal FQDN of the RD Connection Broker server for the new certificate's name [for example, Contoso-Cb1.Contoso.com].
  7. Export self-signed public certificates and copy them to a client computer. If you are using certificates from a trusted certificate authority, you can skip this step.

    1. Launch certlm.msc.
    2. Expand Personal, and then click Certificates.
    3. In the right-hand pane right-click the RD Connection Broker certificate intended for client authentication, for example Contoso-Cb1.Contoso.com.
    4. Click All Tasks > Export.
    5. Accept the default options in the Certificate Export Wizard until you reach the File to Export page.
    6. Browse to the shared folder you created for certificates, for example \\Contoso-Cb1\Certificates.
    7. Enter a File name, for example ContosoCbClientCert, and then click Save.
    8. Click Next, and then click Finish.
    9. Repeat substeps 1-8 for the RD Gateway and Web certificate [for example, contoso.westus.cloudapp.azure.com], giving the exported certificate an appropriate file name, for example ContosoWebGwClientCert.
    10. In File Explorer, navigate to the folder where the certificates are stored, for example \\Contoso-Cb1\Certificates.
    11. Select the two exported client certificates, then right-click them, and click Copy.
    12. Paste the certificates on the local client computer.
  8. Configure the RD Gateway and RD Licensing deployment properties:

    1. In Server Manager, click Remote Desktop Services > Overview > Tasks > Edit Deployment Properties.
    2. Expand RD Gateway and clear the Bypass RD Gateway server for local addresses option.
    3. Expand RD licensing and select Per User.
    4. Click OK.
  9. Create a session collection. These steps create a basic collection. Check out Create a Remote Desktop Services collection for desktops and apps to run for more information about collections.

    1. In Server Manager, click Remote Desktop Services > Collections > Tasks > Create Session Collection.
    2. Enter a collection Name [for example, ContosoDesktop].
    3. Select an RD Session Host Server [Contoso-Sh2], accept the default user groups [Contoso\Domain Users], and enter the Universal Naming Convention [UNC] Path to the user profile disks created above [\\Contoso-Cb1\UserDisks].
    4. Set a Maximum size, and then click Create.

You've now created a basic Remote Desktop Services infrastructure. If you need to create a highly-available deployment, you can add a connection broker cluster or a second RD Session Host server.
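
The same deployment can be scripted with the RemoteDesktop PowerShell module; the following is an added example, not part of the original article, covering steps 2, 3, 5, 8 and 9 and then checking the security-relevant settings. Assumptions: the Contoso.com suffix on Contoso-WebGw1 and Contoso-Sh2, the 20 GB profile disk size, and the gateway logon settings are illustrative values the article does not specify; license server activation (step 4) and certificate creation (steps 6 and 7) are still done in the GUI as described.

```powershell
# Added example: run elevated on the RD Connection Broker as a domain administrator.
Import-Module RemoteDesktop

# Server names follow the article's examples; the DNS suffix on the last two is assumed.
$Broker      = 'Contoso-Cb1.Contoso.com'
$WebGateway  = 'Contoso-WebGw1.Contoso.com'
$SessionHost = 'Contoso-Sh2.Contoso.com'
$GatewayFqdn = 'contoso.westus.cloudapp.azure.com'
$Collection  = 'ContosoDesktop'

# Step 2: standard session-based deployment (broker, web access, session host).
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $WebGateway -SessionHost $SessionHost

# Step 3: add the RD Licensing role to the deployment.
Add-RDServer -Server $Broker -Role 'RDS-LICENSING' -ConnectionBroker $Broker

# Step 5: add the RD Gateway role with its external FQDN.
Add-RDServer -Server $WebGateway -Role 'RDS-GATEWAY' -GatewayExternalFqdn $GatewayFqdn -ConnectionBroker $Broker

# Step 8: clear "Bypass RD Gateway server for local addresses" and select Per User licensing.
# LogonMethod and UseCachedCredentials are required with Custom mode; the values are assumptions.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $GatewayFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker $Broker -Force
Set-RDLicenseConfiguration -LicenseServer $Broker -Mode PerUser -ConnectionBroker $Broker -Force

# Step 9: basic session collection with user profile disks (size is an assumed value).
New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHost -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName $Collection -EnableUserProfileDisk `
    -DiskPath '\\Contoso-Cb1\UserDisks' -MaxUserProfileDiskSizeGB 20 -ConnectionBroker $Broker

# Verification: read the settings back instead of trusting that the commands applied.
$gateway = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
if ($gateway.BypassLocal) {
    Write-Warning 'RD Gateway is still bypassed for local addresses.'
}

$licensing = Get-RDLicenseConfiguration -ConnectionBroker $Broker
if ("$($licensing.Mode)" -ne 'PerUser') {
    Write-Warning "Licensing mode is '$($licensing.Mode)', expected PerUser."
}

# Self-signed certificates from step 6 are reported with a level other than Trusted.
Get-RDCertificate -ConnectionBroker $Broker |
    Where-Object { $_.Level -ne 'Trusted' } |
    ForEach-Object { Write-Warning "Role $($_.Role): certificate level is $($_.Level)." }
```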

Activate the Remote Desktop Services license server

  • Article
  • 07/29/2021
  • 2 minutes to read
  • 4 contributors


Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The Remote Desktop Services license server issues client access licenses [CALs] to users and devices when they access the RD Session Host. You can activate the license server by using the Remote Desktop Licensing Manager.

How to Install Remote Desktop Services [Terminal Services] on Server 2016/2012.

This article contains step-by-step instructions on how to install and configure Remote Desktop Services on Windows Server 2016 or 2012. In Windows Server 2016 and 2012, the Terminal Services role has been replaced by the Remote Desktop Session Host [RDSH] role service, which is part of Remote Desktop Services [RDS]. A Remote Desktop Session Host [RDSH] server gives remote users the ability to access the applications on the RDS host server and the company resources from anywhere by using an RDP client.

In this tutorial you'll learn how to set up and configure a Windows Server 2016 or 2012 as a Remote Desktop Session Host [Terminal] server, in order to provide remote desktop sessions, based on the number of Remote Desktop Services client access licenses [RDS CALs] installed on the RDSH server.

How to Setup a Single Server RDS Deployment Using Server 2016

Posted By Ian@SlashAdmin in Windows Server | 29 comments

Welcome to my guide on how to configure a single server Remote Desktop Services [RDS] deployment using server 2016. We’re seeing less and less RDS deployments but some situations still require some lite RDS access. Specialist software which doesn’t run over a VPN or is not cloud based is ideally suited to RDS deployments.

I’ve still seen lots of engineers struggle to properly configure a single server deployment, so let’s get stuck in because it’s actually really easy!

First install Server 2016 with GUI and get all the updates installed.

Add the server to the domain as a member server, in this lab I call mine RDS2016.

Login as a domain administrator.

Server manager should automatically launch, click on Dashboard then ‘Add roles and features’.

The wizard will launch so click on Next.

Click on ‘Remote Desktop Services installation’ and click Next.

Click ‘Quick Start’ then Next.

Click ‘Session-based desktop deployment’ and click Next.

Your server should already be in the Selected server list on the right but if not highlight your server from the Server Pool and move it into the selected panel and click on Next.

Tick the box to restart the destination server and click on Deploy.

Let the installation complete.

The installation will start and the server may reboot, if it does then log back in and wait for the install to complete and click on Close.

In the server manager you will see the new role ‘Remote Desktop Services’ installed. Click on it from the menu to see the configuration.

At this point some will try and configure the RD Gateway option since it’s green and showing ready to configure. Just ignore this because in a single server deployment we don’t need a gateway load balancing our connections because we only have one server! We do however need to set up licensing.

Click on ‘RD Licensing’ to start setting it up.

As before your server should already be selected in the right hand panel but if not select it in the left and move it into the right and click Next.

Click Add to install the licensing role to the server.

Let the role install and click Close.

Next go back to the server manager and right click on ‘RD Licensing’ and click ‘Select RD Licensing Mode’ from the menu.

Select the mode based on the RDS CALs that you have purchased. Here I select Per User because I’ve got a bunch of user CALs available. Click OK.

Next we need to install our RDS licenses. From the server manager select Tools then ‘Remote desktop services’ then click ‘Remote Desktop Licensing Manager’.

First thing we do in the licensing manager is right click the server node and click ‘Activate Server’.

Click Next on the wizard.

Select ‘Automatic Connection’ and press Next.

Enter your company information and press Next.

Continue entering in your info and click Next.

Click Next.

Now starts the license installation wizard, click Next.

Select the license type that you have from the drop down. I’m using retail license packs here and click Next.

Enter your license key, click Add then Next.

Click finish to install the licenses.

Your license should appear in the list of available licenses. You can see here I’ve installed 50 2016 user CALs. Next we need to right click the server and select ‘Review Configuration’.

You can see here a warning message that the server is not a member of the license servers group in AD. Click ‘Add to Group’.

The warning says you need to have admin privileges in AD to continue, click Continue.

Click OK to confirm the server has been added to the group.

Verify everything is green and click ok.

Next we need to specify who can connect to the server. From the server manager click on the Remote Desktop role from the left hand menu, click ‘QuickSessionCollection’ then from the Tasks menu click ‘Edit Properties’.

You can see here that Domain Users are allowed access to the server. This is no good from a security perspective! You can’t allow everyone to connect remotely, so it’s best practice to configure a specific group and add users to that group to allow access.

On a domain controller fire up ‘Active directory users and computers’ and create a new group. Select your appropriate OU location right click, select New then Group.

Give the group an appropriate name, here I use ‘RDS Users’. Set the type to security and click OK.

Next go to the properties of the new group, click the Members tab and add users who will require remote access and click ok.

Go back to the RDS server and remove the Domain Users group and instead add the new ‘RDS Users’ group we just created.

Congratulations you’ve just configured a single server 2016 RDS deployment!

Your next steps are to configure group policies and other UI elements so that the server is locked down enough that users can’t cause it any harm 😉

Also seriously consider your security options, investigate the use of two factor authentication and brute force mitigation systems to keep the system safe especially if you open it up to the internet.

Oh and whatever you do, ensure your domain and local administrator passwords are super secure. There’s a lot of brute force bots out there trying to login so be careful!
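
The access restriction from the guide above (replacing Domain Users with a dedicated ‘RDS Users’ group) can also be applied and audited from PowerShell. This is an added example, not part of the original post; the FQDN for the lab server RDS2016, the sample member accounts and the Global group scope are assumptions.

```powershell
# Added example: run elevated on the RDS server with the RSAT Active Directory module available.
Import-Module RemoteDesktop
Import-Module ActiveDirectory

$Broker     = 'RDS2016.contoso.example'   # constructed FQDN for the lab server RDS2016
$Collection = 'QuickSessionCollection'    # collection created by the Quick Start wizard
$GroupName  = 'RDS Users'
$Members    = 'alice', 'bob'              # constructed sample accounts

# Create the security group only if it does not exist yet (Global scope is an assumption).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupCategory Security -GroupScope Global
}

# Add only the accounts that are not already members, so the script can be re-run.
$current = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
$toAdd   = $Members | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# -UserGroup replaces the collection's whole access list, which removes Domain Users.
$allowed = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $allowed -ConnectionBroker $Broker

# Audit every collection on the broker for groups that admit practically everyone.
$tooBroad = 'Domain Users', 'Authenticated Users', 'Everyone'
foreach ($c in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $groups = (Get-RDSessionCollectionConfiguration -CollectionName $c.CollectionName `
                   -UserGroup -ConnectionBroker $Broker).UserGroup
    $broad  = $groups | Where-Object { ($_ -split '\\')[-1] -in $tooBroad }
    [pscustomobject]@{
        Collection  = $c.CollectionName
        UserGroups  = $groups -join ', '
        BroadGroups = $broad -join ', '
        NeedsReview = [bool]$broad
    }
}
```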

How to Set up Remote Desktop Services in Windows Server 2016

  • Author: sengstar2005
  • Updated date: Dec 25, 2020

Accomplished systems and network administrator with 10+ years of experience managing server infrastructures and data-center operations.

There was quite a change in installing Remote Desktop Services [aka Terminal Services] with the introduction of Windows 2012. It was confusing: when you installed the Remote Desktop Services host server, there was no longer the familiar Remote Desktop Manager, and you could either work through the settings in the registry directly or bring over the remote desktop manager snap-in from Windows 2008R2.

However, that wasn't quite the right way to install Remote Desktop Services on Windows 2012 and later. This tutorial will show how to install Remote Desktop Services in Windows Server 2016, but it can be applied to Windows 2012 or Windows 2012R2. This tutorial assumes that there are no Windows 2012 or later versions of Remote Desktop Services installation in the Windows domain.

Author: Robert Smit [MVP]
