Step by Step Windows 2012 R2 Remote Desktop Services – Part 1

A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.

Part 1 – Deploying a single server solution.

Although it is called a single server installation, we will need 2 servers as shown below.
RDS Deployment - Single Server 

Software used in this guide:
Windows Server 2012 R2 ISO (evaluation can be downloaded here:
SQL Server 2012 SP1 Express x64 With tools (free version can be downloaded here: After clicking the download button select SQLEXPRWT_x64_ENU.exe)
SQL Server 2012 SP1 Native Client (free version can be downloaded here: After clicking the download button select ENU\x64\sqlncli.msi)
And a certificate. I got mine for free from This certificate needs to contain the FQDN you will use as the RD Web Access URL (mine is in this guide). It needs to be in .pfx format and you need to have the private key in it.

This guide will not focus on building a domain using a single domain controller and adding the second server as a member server to this domain.

Also some basic knowledge is assumed in this guide. I will not detail how to create a Security Group and add a computer account to it. I will also not detail how to install SQL Express, or how to add logins to a SQL Server instance security context. If you need extra help with this, Bing it or drop me a mail with details, and I will provide steps to continue.

I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 2 servers:
ITWDC01 (1 vCPU, 512MB memory, dynamic, 60GB Harddisk)
Installed Windows and configured IPv4
Added .NET Framework 3.5 as a feature
Added Active Directory Domain Services as a role
Configured this server as a Domain Controller in a new forest: itw.test

ITWRDS01 (1 vCPU, 512MB memory, dynamic, 60GB Harddisk)
Installed Windows
Added .NET Framework 3.5 as a feature
Configured IPv4 and DNS server
Configured it as a member server in the itw.test domain

Installing the Remote Desktop Services Roles
Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add the second server using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).
RDS Deployment - Single Server - 1

Now that all servers needed in this deployment scenario are present, click Manage, and click Add Roles & Features.

Before you begin
RDS Deployment - Single Server - 2

Click Next.

Select Installation Type
RDS Deployment - Single Server - 3
Select Remote Desktop Services installation. Click Next.

Select Deployment Type
RDS Deployment - Single Server - 4
Although Quick Start might be a valid option for a single server deployment, leave the default selected. This will explain the steps necessary to install Remote Desktop Services in greater detail.
Click Next.

Select Deployment Scenario
RDS Deployment - Single Server - 5
Select Session-based desktop deployment. The other option will be a different post in this series.
Click Next.

Review Role Services
RDS Deployment - Single Server - 6
Review the services that will be installed.
Click Next.

Specify RD Connection Broker server
RDS Deployment - Single Server - 7
Click the member server and click the Add button.
Click Next.

Specify RD Web Access server
RDS Deployment - Single Server - 8
Check Install the RD Web Access role on the RD Connection Broker server.
Click Next.

Specify RD Session Host server
RDS Deployment - Single Server - 9
Click the member server and click the Add button.
Click Next.

Confirm selections
RDS Deployment - Single Server - 10

Check Restart the destination server automatically if required.
Click Deploy.

View progress
RDS Deployment - Single Server - 11
Wait until all role services are deployed and the member server has restarted.
Click Close.

In Server Manager click Remote Desktop Services and scroll down to the overview.
RDS Deployment - Single Server - 12

As you can see the deployment is missing an RD Gateway server and an RD Licensing server.

Installing the missing Remote Desktop Services Roles
RDS Deployment - Single Server - 13
Click the Add RD Licensing server button.

Select a server
RDS Deployment - Single Server - 14
Click the domain controller and click the Add button.
Click Next.

Confirm selections
RDS Deployment - Single Server - 15
Click Add.

View progress
RDS Deployment - Single Server - 16
Wait until the role service is deployed. No restart is needed.
Click Close.

RDS Deployment - Single Server - 17
Click the Add RD Gateway server button.

Select a server
RDS Deployment - Single Server - 18
Click the member server and click the Add button.
Click Next.

Name the self-signed SSL certificate
RDS Deployment - Single Server - 19
The wizard creates a self-signed certificate. We will deal with certificates in this deployment in a little bit. Enter the external Fully Qualified Domain Name which you will also use for the Web Access URL. In my case, for lack of a better name, I used “”. I didn’t want to use “” or “” or anything else.
Click Next.

Confirm selections
RDS Deployment - Single Server - 20
Click Add.

View progress
RDS Deployment - Single Server - 21
Wait until the role service is deployed. No restart is needed.
Notice that “” was configured for the deployment.
Also notice that even more certificate configuring is needed, but we’ll get to that later. Pay no attention to it for now.
Click Close.

Let’s have a quick look at the certificate configuration.

Reviewing the Remote Desktop Services certificate requirements
RDS Deployment - Single Server - 22
In Server Manager, Remote Desktop Services, Overview, click Tasks and click Edit Deployment Properties.

Configure the deployment
RDS Deployment - Single Server - 23

Review the RD Gateway settings and notice what settings are available.
Click RD Licensing.

Configure the deployment
RDS Deployment - Single Server - 24
Notice that an RD Licensing server is available, but no license type is selected yet.
I selected Per User, but since this is just a guide setup, it really doesn’t matter.
Click RD Web Access.

Configure the deployment
RDS Deployment - Single Server - 60

By default the RD Web Access IIS application is installed in /RdWeb. If you want to know how to change this, check another post:

Click Certificates.

Configure the deployment
RDS Deployment - Single Server - 25

Notice that the certificate level currently has a status of Not Configured.
As you can see, certificates are used for different goals within the deployment.
The RD Gateway certificate is used for Client to gateway communication and needs to be trusted by the clients. Either install the self-signed certificate on all clients, or use a certificate for which the complete certificate chain is already trusted by all clients. As it said in the wizard, the external FQDN should be on the certificate.
The RD Web Access certificate is used by IIS to provide a server identity to the browser clients (and to the Feed clients, but that’s a subject for a future post).
The RD Connection Broker actually has two goals for which it needs certificates. To enable single sign on (server to server authentication), and for publishing (signing RDP files). If you look in the deployment you’ll see that the Connection Broker is now configured to use “itwrds01.itw.test”, so we have to change it to use an external FQDN as well.
If we use the same FQDN for all goals described above, we need only 1 certificate, and only 1 external IP address.
We’ll come back to this wizard later to assign the certificate. First order of business is to change the internal FQDN for the Connection Broker to an external FQDN.
Click OK (no reason why we shouldn’t commit the change we made on the licensing tab, remember?)
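The role deployment, licensing mode and certificate review above, done with the RemoteDesktop PowerShell module instead of the Server Manager wizards. This is an added example, not code from the original post; the external FQDN is a placeholder because the post’s own name was elided, and it assumes the Remote Desktop Services Tools (RemoteDesktop module) are installed on the domain controller where it runs.

```powershell
# Added example (not from the original post): the wizard steps as PowerShell.
# Run on the domain controller (ITWDC01) as a domain admin; both servers are domain members.
$Broker       = 'itwrds01.itw.test'   # member server: broker, web access, session host, gateway
$Licensing    = 'itwdc01.itw.test'    # domain controller: licensing only
$ExternalFqdn = 'rds.example.test'    # PLACEHOLDER: the external FQDN that is on your certificate

Import-Module RemoteDesktop

# "Remote Desktop Services installation" wizard, session-based deployment:
# broker, web access and session host all on the member server (restarts it if required).
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $Broker

# The two roles the overview reported as missing. The gateway wizard asked for the
# external FQDN; here it is the -GatewayExternalFqdn parameter.
Add-RDServer -Server $Licensing -Role RDS-LICENSING -ConnectionBroker $Broker
Add-RDServer -Server $Broker -Role RDS-GATEWAY -ConnectionBroker $Broker -GatewayExternalFqdn $ExternalFqdn

# RD Licensing tab of Edit Deployment Properties: license server plus Per User mode.
Set-RDLicenseConfiguration -LicenseServer $Licensing -Mode PerUser -ConnectionBroker $Broker -Force

# Review: every role is present ...
Get-RDServer -ConnectionBroker $Broker | Format-Table -AutoSize
# ... and the certificate levels are still "Not Configured" at this point, with the
# broker still using its internal name. Certificates are assigned after the HA conversion.
Get-RDCertificate -ConnectionBroker $Broker | Format-Table -AutoSize
```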

Preparing for completing the Remote Desktop Services configuration
Open DNS Manager on the domain controller and browse to Forward Lookup Zones.
RDS Deployment - Single Server - 33

Right click Forward Lookup Zones and click New Zone… Go through this wizard accepting the defaults until you have to enter a Zone Name.

RDS Deployment - Single Server - 61
Enter the external FQDN which will also be used by the Connection Broker.
Finish the rest of the wizard accepting the defaults.

Browse to the newly created zone.
RDS Deployment - Single Server - 34
Right click the newly created zone and click New Host (A or AAAA)…

New Host
RDS Deployment - Single Server - 35

Leave the Name field blank, but enter the member server’s (holding the RD Connection Broker role) IPv4 address.
Click Add Host.

Create a new Global Security Group called “RDS Connection Brokers” and add the computer account for the member server to it as a group member.
We need this group to be able to convert the RD Connection Broker to a highly available RD Connection Broker. You’ll see why we need to do this in a few steps.
Reboot the member server to let it know it’s a member of the RDS Connection Brokers security group.

Install SQL Express on the Domain Controller (or use an existing SQL Server if you already have one). Here’s a list of needed features:
RDS Deployment - Single Server - 26

Now you see why I pre-configured the servers with the .NET Framework 3.5 feature before starting anything.
RDS Deployment - Single Server - 27
Use the Default Instance (so click Default, and do not leave the wizard’s selection on Named instance: SQLEXPRESS).

When the installation is done open SQL Server Configuration Manager and browse to Client Protocols under SQL Native Client 11.0 Configuration.
RDS Deployment - Single Server - 62

Check if TCP/IP is enabled under Client Protocols. SQL Express install enables this by default, but check it just to be sure, especially if you use an existing SQL Server.

Browse to Protocols for MSSQLSERVER under SQL Server Network Configuration.
RDS Deployment - Single Server - 38

Enable TCP/IP. If this is a new SQL installation, this will be disabled by default.
Restart the SQL Server service if you changed this setting.

On the SQL Server, make sure port 1433 is not being blocked by Windows Firewall.
RDS Deployment - Single Server - 37

I added the SQL Server executable to the exception list to allow all inbound traffic.

Open SQL Server Management Studio and browse to Logins under Security.
RDS Deployment - Single Server - 29
Right click Logins and click New Login…

Login – New
RDS Deployment - Single Server - 30

Click Search…

Select User, Service Account, or Group
RDS Deployment - Single Server - 63
Click Object Types… and select Group.
Type the RDS Connection Brokers security group name and click Check Names.
Click OK.

Login – New
RDS Deployment - Single Server - 64

Click Server Roles and select dbcreator.
Click OK.

We have just effectively granted the RDS Connection Broker server the right to create databases.
We need this because the RDS Connection Broker service will try to migrate from WID (Windows Internal Database) to a (highly available) SQL Server instance when we convert the Broker to a highly available broker.

Install the SQL Native Client on the member server (Client Components only).

Everything we need is now in place to convert the RD Connection Broker, so let’s do just that.
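The preparation steps above (DNS zone and apex record, security group, SQL TCP/IP, SQL login with dbcreator, firewall) as one script on the domain controller. This is an added example, not code from the original post; the broker IP and the external FQDN are placeholders, and it assumes SQL Express is the default instance and that sqlcmd.exe and the SQL management objects (SMO) came with "SQL Express with tools". The firewall rule is narrower than the post’s executable exception: it opens TCP 1433 only.

```powershell
# Added example (not from the original post): DC-side preparation for the HA conversion.
# Run on ITWDC01 as a domain admin after SQL Express (default instance) is installed.
$ExternalFqdn = 'rds.example.test'   # PLACEHOLDER: external FQDN, later the DNS round robin name
$BrokerIPv4   = '192.0.2.10'         # PLACEHOLDER: IPv4 address of the member server
$BrokerHost   = 'ITWRDS01'
$GroupName    = 'RDS Connection Brokers'
$SqlServer    = 'ITWDC01'

# 1. DNS: a forward lookup zone named after the external FQDN, with a blank-name (apex) A record.
#    '@' is the apex, i.e. the Name field left blank in DNS Manager.
if (-not (Get-DnsServerZone -Name $ExternalFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalFqdn -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ZoneName $ExternalFqdn -Name '@' -IPv4Address $BrokerIPv4

# 2. AD: global security group containing the broker's computer account.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $BrokerHost)

# 3. SQL network configuration: enable TCP/IP for the default instance via SMO, restart if changed.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $wmi.ServerInstances['MSSQLSERVER'].ServerProtocols['Tcp']
if (-not $tcp.IsEnabled) {
    $tcp.IsEnabled = $true
    $tcp.Alter()
    Restart-Service -Name MSSQLSERVER -Force
}

# 4. SQL login for the group, member of the dbcreator server role only
#    (the broker creates its own database during the conversion; it needs nothing more).
$login = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$tsql  = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = '$login') " +
         "CREATE LOGIN [$login] FROM WINDOWS; ALTER SERVER ROLE dbcreator ADD MEMBER [$login];"
sqlcmd -S $SqlServer -E -Q $tsql

# 5. Firewall: inbound TCP 1433 on the domain profile, nothing else.
New-NetFirewallRule -DisplayName 'SQL Server default instance (TCP 1433)' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -Action Allow -Profile Domain

# 6. The broker only picks up its new group membership at the next logon, hence the reboot.
Restart-Computer -ComputerName $BrokerHost -Force
```

Install the SQL Native Client on the member server before running the conversion, as the post says.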

Convert the RD Connection Broker
In Server Manager click Remote Desktop Services and scroll down to the overview.
RDS Deployment - Single Server - 31

Right click RD Connection Broker and click Configure High Availability.

Before you begin
RDS Deployment - Single Server - 32

So we’re actually building a single node cluster here ;)
Look at the pre-requisites.
If you have more than one RD Connection Broker they need to be configured using DNS Round Robin. More on that in a later post.
Click Next.

Configure RD Connection Broker for High Availability
RDS Deployment - Single Server - 39
Database connection string:

DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB
Folder to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
I used the instance default folder.
DNS round robin name:
The DNS Zone name we configured in DNS earlier.
Click Next.

RDS Deployment - Single Server - 39
If you get an error before this page:
– Check if TCP/IP is enabled in client protocols and for your instance
– Check if you can reach port 1433 on the SQL Server from the member server
Click Configure. 

RDS Deployment - Single Server - 40

If you get an error on this page:
– Check SQL permissions for the security group
– Check if the database path you entered is correct
Click Close.

RDS Deployment - Single Server - 41
The RD Connection Broker is now in High Availability Mode and we are finally ready to complete the configuration.
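The HA conversion above as PowerShell run on the broker, preceded by checks for the three causes the post lists for the two wizard errors (port 1433 reachable, dbcreator granted, database folder present) plus a check that the round robin name resolves to this server. This is an added example, not code from the original post; the external FQDN is a placeholder, and it assumes the SQL Native Client is installed on the broker and the domain controller preparation is done.

```powershell
# Added example (not from the original post): Configure High Availability as PowerShell.
# Run on the member server (ITWRDS01) as a domain admin.
$Broker       = 'itwrds01.itw.test'
$SqlServer    = 'ITWDC01'
$Database     = 'ITWRDCB'
$ExternalFqdn = 'rds.example.test'   # PLACEHOLDER: DNS round robin name = the zone created on the DC
$GroupName    = "$env:USERDOMAIN\RDS Connection Brokers"
$DataPath     = 'C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA'
$ConnString   = "DRIVER=SQL Server Native Client 11.0;SERVER=$SqlServer;Trusted_Connection=Yes;" +
                "APP=Remote Desktop Services Connection Broker;DATABASE=$Database"

# Check 1 (error before the Configure page): TCP 1433 on the SQL Server is reachable from here.
if (-not (Test-NetConnection -ComputerName $SqlServer -Port 1433).TcpTestSucceeded) {
    throw "TCP 1433 on $SqlServer is not reachable: check SQL TCP/IP, client protocols and the firewall."
}

# Check 2 (error on the Configure page): the security group holds dbcreator on the instance.
# Uses the .NET SqlClient that ships with Windows, so nothing beyond the Native Client is needed.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Integrated Security=True")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT IS_SRVROLEMEMBER('dbcreator', @login)"
[void]$cmd.Parameters.AddWithValue('@login', $GroupName)
$isDbCreator = $cmd.ExecuteScalar()
$conn.Close()
if ($isDbCreator -ne 1) {
    throw "$GroupName is not a dbcreator on $SqlServer (or the login does not exist)."
}

# Check 3 (error on the Configure page): the database folder exists on the SQL Server.
if (-not (Invoke-Command -ComputerName $SqlServer -ScriptBlock { Test-Path $using:DataPath })) {
    throw "Folder $DataPath does not exist on $SqlServer."
}

# Check 4: the round robin name resolves to one of this broker's own IPv4 addresses.
$resolved = (Resolve-DnsName -Name $ExternalFqdn -Type A -ErrorAction Stop).IPAddress
$local    = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if (-not ($resolved | Where-Object { $local -contains $_ })) {
    throw "$ExternalFqdn does not resolve to this server ($($resolved -join ', '))."
}

# The conversion itself: same three values the wizard asks for.
Import-Module RemoteDesktop
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker `
    -DatabaseConnectionString $ConnString -DatabaseFilePath $DataPath -ClientAccessName $ExternalFqdn

# Verify: ClientAccessName is now the external FQDN, which is the name the certificate must carry.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker
```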

Completing the Remote Desktop Services configuration
RDS Deployment - Single Server - 22
In Server Manager, Remote Desktop Services, Overview, click Tasks and click Edit Deployment Properties, then click Certificates.

Configure the deployment
RDS Deployment - Single Server - 42

Click RD Connection Broker – Enable Single Sign On and click Select Existing certificate.
RDS Deployment - Single Server - 43

Browse to the .pfx file, enter its password, and check Allow the certificate…
Click OK.

RDS Deployment - Single Server - 44
So click Apply. This takes a little while, be patient.

Configure the deployment
RDS Deployment - Single Server - 45

Click RD Connection Broker – Publishing and click Select Existing certificate.
Browse to the .pfx file, enter its password, and check Allow the certificate…
Click OK.

Click Apply. This again takes a little while, be a little more patient.

Configure the deployment
RDS Deployment - Single Server - 46

Click RD Web Access and click Select Existing certificate.
RDS Deployment - Single Server - 47
Note: Did you notice the warning when you select RD Web Access? Browse to the .pfx file, enter its password, and check Allow the certificate…
Click OK.

Click Apply again. This takes another little while longer, be slightly more patient.

Configure the deployment
RDS Deployment - Single Server - 48
Last one. Click RD Gateway and click Select Existing certificate.
Browse to the .pfx file, enter its password, and check Allow the certificate…
Click OK.

Click OK to finish the certificate configuration.

All servers configured, all certificates configured.

One thing left to do: Tell our RDS environment exactly what to publish.

In fact you can use this setup to either provide full desktop sessions on the Session Host, or you can choose to publish only applications on the Session Host.

Let’s publish full desktop sessions.

Publish a full Remote Desktop environment
RDS Deployment - Single Server - 49
In Server Manager, Remote Desktop Services, Session Collections, click Tasks and click Create Session Collection.

Before you begin
RDS Deployment - Single Server - 50

Review the requirements. This won’t be an issue in this setup, but you could restrict access to this collection by selecting a specific group of people.
Click Next.

Name the collection
RDS Deployment - Single Server - 51

Enter a descriptive name. This name will be displayed under its icon in the Web Access interface.
Click Next.

Specify RD Session Host servers
RDS Deployment - Single Server - 52

Click the member server and click the Add button.
Click Next.

Specify user groups
RDS Deployment - Single Server - 53

You can limit access here. Add one or more groups to restrict access to these groups only. In this setup Domain Users will do fine.
Click Next.

Specify user profile disks
RDS Deployment - Single Server - 54
User profile disks are not in focus in this guide. Since I have no file shares configured in this setup, uncheck Enable user profile disks for now.
Dos and Don’ts will be covered in a future post.
Click Next.

Confirm selections
RDS Deployment - Single Server - 55
Review the information and click Create.

View Progress
RDS Deployment - Single Server - 56

Wait until the collection is created and the server is added to the collection.
Click Close.
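The certificate assignment (all four roles, one .pfx) and the session collection from the two sections above, as PowerShell on the broker after the HA conversion, ending with a check that RD Web Access answers over HTTPS with a certificate the client trusts. This is an added example, not code from the original post; the .pfx path and the collection name are placeholders.

```powershell
# Added example (not from the original post): certificates and the collection as PowerShell.
# Run on the member server (ITWRDS01) as a domain admin, after the HA conversion.
$Broker     = 'itwrds01.itw.test'
$PfxPath    = 'C:\certs\rds.pfx'           # PLACEHOLDER: your certificate, .pfx with private key
$Password   = Read-Host -AsSecureString -Prompt 'PFX password'
$Collection = 'Full Desktop'               # PLACEHOLDER: shown under the icon in RD Web Access
$UserGroup  = "$env:USERDOMAIN\Domain Users"

Import-Module RemoteDesktop

# One certificate for all four goals, in the post's order:
# RDRedirector = broker single sign on, RDPublishing = RDP file signing, then web access and gateway.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $Password -ConnectionBroker $Broker -Force
}

# Verify: every level now reports the same subject, none is "Not Configured".
Get-RDCertificate -ConnectionBroker $Broker | Format-Table -AutoSize

# Create Session Collection wizard: name, session host, user group (user profile disks left off).
New-RDSessionCollection -CollectionName $Collection -SessionHost $Broker `
    -CollectionDescription 'Full desktop sessions' -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $UserGroup -ConnectionBroker $Broker

# Pre-test: the HA client access name is the name clients will use; RD Web Access must answer there
# over HTTPS without a certificate error (Invoke-WebRequest throws on an untrusted certificate).
$fqdn = (Get-RDConnectionBrokerHighAvailability -ConnectionBroker $Broker).ClientAccessName
(Invoke-WebRequest -Uri "https://$fqdn/RDWeb" -UseBasicParsing).StatusCode   # expected: 200
```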

Time to test the setup!

Testing the Remote Desktop Services
On a machine that has access to your test setup (you may have to add the external FQDN to your hosts file if you didn’t publish it to the internet) open
RDS Deployment - Single Server - 57
Hey! At least the RD Web Access application works :)
Enter a valid username and password (ITW\username or username@itw.test).
Create a user for this, or simply use the domain admin account.
Click Sign in.

RDS Deployment - Single Server - 58
After logging in you’re presented with the full desktop session collection we created.

RDS Deployment - Single Server - 59
After clicking the Full Desktop icon you get the warning that devices are going to be redirected.
And when you click Connect, you actually connect :) 


In the next part of this series I will show how to extend this setup to use multiple session hosts, combine these with remote applications, and set up dedicated servers for Web Access, Gateway and Connection Broker.


Update: Part 2 in the series was just published. Find it here:


20+ years experience in Microsoft powered environments. Enjoy automating stuff using scripts, powershell, and even batch files. In my free time (hah! as if there is any) I hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). When I'm not doing that I enjoy traveling or riding my Yamaha R1 on the edge ;)

Posted in Remote Desktop, Step-by-Step guide, Windows 2012 R2
583 comments on “Step by Step Windows 2012 R2 Remote Desktop Services – Part 1”
  1. Afzal Hussain says:

    Hi I’ve just been through your guide which is super helpful. I’m just waiting for my SSL to arrive before I can properly test it. However, while I’m waiting, I setup a collection, and I get the following message when completing the process.

    The property UserAuthenticationRequired is configured is configured by using the group policy settings. Use the the group policy management console to configure this property.

    I’ve done a bit of searching on this, and it seems to indicate that you need to ensure the NLA settings are set on your RDP server, which I’ve done. I’ve confirmed this through gpresult. However I still can’t get rid of the error.

    I’ve posted screenshots on here,

    and would be most grateful if you can help.

  2. Kevin Bloomfield says:

    SQL Express will not run on a DC so these instructions need changing

    • Arjan Mensch says:

      Hi Kevin,
      It does and they don’t.

      • belgiandude says:

        Thanks a lot for this detailed guide, just putting in my cent and a question.
        I think what he meant was that it isn’t recommended to let SQL vulnerabilities on a DC. I am not an SQL expert and his comment was aggressive, but I think it’s better done on another VM? Or do you have a better explanation than I have, Arjan? In this case I am willing to be enlightened.

  3. Andy says:

    Thanks for your detailed guide. A few questions:
    1) While your guide goes thru the process of creating a self-signed certificate, the steps to export the certificate so that it can be used in the Deployment Properties seem to be missing. Also how did it get to a .pfx format?
    2) You go thru the process to make the Connection Broker High-availability instead of using the WID. What are the benefits? Is this necessary for a small number of RDP clients (3)?

    • Arjan Mensch says:

      Hi Andy,
      In the guide I use certificates from StartSsl, those are definitely not self-signed.
      The broker needs to have a certificate that is trusted by all clients, internally and externally. If you make it HA you determine the FQDN.

      • Justin says:


        From StartSsl, after you download the file. Did you just copy that across to your DC to add, or? I’m a little confused on what to do here.

        Any help would be grateful. Using this guide to help implement RDS for an assignment.


      • Arjan Mensch says:

        Hi Justin,
        Whatever you do or where you copy the file, as long as you can reach it from the certificate wizard you’re good.

  4. Hi,

    In a Domain where there’s already a functioning RDS deployment, I want to deploy a new RDS with new server versions and demote the old one.
    My question: can I deploy a new RDS in the Domain while the other is working? Will the deployment process affect the functioning one? And what should be the BPA for such a planning?
    I will be grateful for any help.

    • Arjan Mensch says:

      Hi Vilick,
      If you build the new farm and roles on new machines there’s no problem.
      I’m running 5 different deployments alongside each other at times.
      Best practices would be to build it the way you want it with probably the same DNS FQDNs and certificates, then have it tested by end-users (using modified host files to allow them to reach the new farm instead of the current one), then switch DNS to the new farm and role IPs and decommission the old farm and roles.

  5. Robin Schoofs says:

    Hey thanks man this works for me, Good Job !!!

  6. Arjan hello, thanks for the instructions I just wanted to ask a few things before I get started,
    I never had good luck installing SQL on a domain controller, but I did build 2 servers: one is a domain controller running Windows 2012 R2 Essentials and the other is set up as a SQL server running Windows 2012 R2 Datacenter. Another thing is I don’t have a static IP address or a registered domain resolved in the DNS on the DC server, do I need that configured first? Thanks, I’m Pat

  7. Arjan , in addition I want to use the Server with Domain Controller installed as the main server and I want to be able to remote into the server running SQL , I m pretty sure reading your instructions it looks possible , Thanks once again.

    • Arjan Mensch says:

      Hi Patrick,
      I would not configure a server running the essentials role or the domain controller role as a session host.
      If you have plans to add a RDS environment next to the 2 servers you already have you can publish an RDP file to the users that absolutely need connections to the 2 servers.

    • Arjan Mensch says:

      Hi Andrey,
      Sorry for the late reply.
      It’s an option you can turn on or off. Basically it means that when a user selects private computer the session is much longer, and there’s no auto-logoff after a certain amount of time.

  8. Frank DeLuca says:

    Hi Arjan,

    I have referenced this article several times over the past few years and thank you for taking the time to put it together! This time around however I am having a problem and wonder if you have any thoughts?

    Before I convert to HA, everything works fine – I can hit the web page, and open an app. However, once I convert to HA, I can log into the web page, but once I open an app I am prompted to enter the username and password again, and each time it says “The log on attempt failed.” I’ve even killed and rebuilt the vm for the RDS server and tried many things over the past few weeks with no luck.

    • Arjan Mensch says:

      Hi Frank.
      When did you apply the certificates to the services in the deployment properties? Before or after converting to HA? If you convert to HA most probably the broker name changes and this name needs to be associated with the certificate you use for signing and broker.

      • Frank DeLuca says:

        Prior to converting. It’s bizarre that I’ve deployed this before without issue. The difference in this scenario is that there is already a Citrix deployment in the same domain. I wonder if that may be causing issues? I build a totally new RDS server and am using the new one as the connection broker, and attempted to use the DC as the licensing and SQL server. Trying it again as we speak with two new servers (RDS and a totally separate licensing / sql server). We’ll see what happens. Thanks for your feedback.

  9. Patrick Kirby says:

    Why is the virtual machine server needed? Why cant you have the domain controller and the RDS on one server. I have not created a virtual server and have already installed RDS. Do I need to remove RDS from the domain server? And then create the virtual server and reinstall RDS?
    Thank you,

    • Arjan Mensch says:

      Installing on a Domain Controller is not recommended. I’m not saying it won’t work, and it depends on your needs. Not all applications you want to offer through RDS will install on a Domain Controller.

  10. Ben says:

    Need of SQL. Can this same install be done without sql if i am just using two servers ; one a domain controller and one to run desktop sessions. I have a total of 5 users

    • Arjan Mensch says:

      Hi Ben, this guide is for 2 servers with a free version of SQL. It can be done without SQL, in which case the broker will keep using the WID (Windows Internal Database) and you won’t be able to configure HA for the broker.
      You’ll most definitely run into certificate and SSO issues when you want to publish such a setup to the internet.

  11. Rusti says:

    Have used this process several times to setup RDS 2012 R2 & it works perfectly. Thanks for taking the time to put this together!

  12. David Adams says:

    Hi Arjan,

    So I’ve setup a new RDS server on Windows Server 2016, got the RDS role installed, configured licensing etc., added user security group and have set GPO to allow unlimited connections to the server. Logged on as administrator just fine (obviously) but when I go to log on as another user my admin session displays the following message;

    Remote Desktop Connection
    Do you want to allow to connect to this machine?
    Click OK to disconnect your session immediately or click Cancel to stay connected.
    No action will disconnect your session in 30 seconds.

    I’m actually at a bit of a loss, the other RDS server (2008R2) which I’m replacing with this new one has no issues with multiple logons. BPA scan finds no issues… and I’ve rebuilt the server twice, same issue… any thoughts/suggestions?

    • Arjan Mensch says:

      Hi David,
      Are you connecting using mstsc with the /admin option? If not I have no clue, it should work out of the box, the way you’ve set it up.

      • David Adams says:

        Hi Arjan, thanks for the reply. No, not using the admin switch. So my question was if this is expected behaviour but by the sounds of it it’s not. Was hoping someone might have set up a classic term server with WS2016 just to confirm that it can be done…

  13. Ben says:

    Is there any way to have the profiles that are created when a user first logs in be created on a different drive? I know I can modify the registry and change the location but is that the only way?

  14. Steve Fiore says:

    Hi – I think I’ve actually seen this issue before. I believe I had installed updates (or perhaps even a service pack), at any rate, I ended up using VNC to see exactly what was going on, and it turns out there was another dialogue saying “Windows Updates installed Successfully” or some such nonsense… After clicking OK everything worked fine.
    I hope this helps!

  15. Ben says:

    get an error installing sql on the DC database engine services failed. Any ideas?

    • Arjan Mensch says:

      Lots. Google or Bing for installing SQL on a DC, lots of great articles that will help you.

    • swiftsos says:

      I have the same issue, and it’s ok for now.
      What I did to resolve it is:
      – I restored the system to the state before installing SQL Express (in your case try to uninstall SQL Server if there is no backup available)
      – I installed SQL Express again, as admin, following Arjan’s guide, except for the step “Server Configuration”
      – At this step, I changed the column “Account Name” of the service “SQL Server Database Engine” to “NT AUTHORITY\SYSTEM”
      – and changed the column “Startup type” of the service “SQL Server Browser” to “Automatic”

  16. Ben says:

    just reinstalled and got “database engine recovery handle failed”. I did run as admin

  17. Ben says:

    I got SQL installed by changing the user account to the administrator

    For those who are having issues with the certificate to pfx here is the info you need:

    I cant actually open the desktop session. i get an error


  18. Philip Goldwasser says:

    I am up to the part where I am going to convert to high availability. Under Database Connection string I entered “DRIVER=SQL Server Native Client 11.0;SERVER=XYZDC;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=XYZRDCB”. I chose the same path you used and entered my dns name. After I click next, I get an error telling me “The database specified in the database connection string is not available from the RD connection Broker server XYZRD. Ensure that the SQL server is availabel on the network, the SQL Native Client is installed on the RD Connection Broker Server and the RD Connection Broker has write permissions to the database.” I followed your instructions very carefully so I am assuming that the permissions are correct. Does anyone have any thoughts?

    • Arjan Mensch says:

      Hi Philip,
      Make sure the broker is a member of a security group that has the appropriate rights on the SQL instance (remember to restart the broker after you added its computer account to the security group!).
      Make sure the path you provide in the connection string actually exists on the SQL server.
      Make sure the SQL instance is reachable on TCP 1433 from the broker’s perspective (telnet XYZDC 1433).

      • Philip Goldwasser says:

        I got it to work! I went to many web pages and looked at many step by step instructions to set up the SQL part of this, and they all said to go to SQL server Configuration Manager and then to SQL Server Network Configuration, like you say above. I enabled TCP/IP and also made sure the ports were all set to 1433. However, across the board they said to set “Listen All” to No. On a whim, I set it to Yes, and then suddenly the server was listening on 1433! After that it was all cake.

        Thanks for your great guide, but perhaps you can add a note that sometimes you need to set “Listen All” to Yes and sometimes No.

  19. Chris says:

    Couple of questions….
    Could I have 1 DC + SQL and 2 RDSH
    If so where would I put the RDCB and RDWA roles?
    I’m aiming for a load balanced RDSH, I’m not after full scale HA….
    Also can you do this with a single certificate or do you need a wildcard?

  20. Frank M says:


    Can you have a vsphere environment with a server running 5 vm Windows instances, 2 Windows server with ad etc. So on the same network when you turn on a physical computer, when you are at log on screen you give username and password – in order to connect automatically to the vm as remote session. Is this possible?

    • Arjan Mensch says:

      Hi Frank,

      It is possible, but you’ll have to auto-start the RDP file after logon. Google ThinPC to find out how to convert your Windows PC to a thin client solution.

  21. Jeff says:

    I have installed everything and all seems working correctly.
    When I open the RD Web Access website internally I can login and run applications.
    When I open the RD Web Access website externally I can login, but cannot run applications.

    I got an error like:

    A connection can be made with the remote computer Because of the following Reasons:

    1) Your user account is not in the authorization list of the Remote Desktop Gateway.
    2) You have the remote computer possible NetBIOS format (eg Computer 1) Data, but the External Gateway expects a FQDN format or IP address format.

    I tried to login with Administrator and checked all the permissions for the broker and the Collection has the Domain\Domain Users permission.

    • Arjan Mensch says:

      Hi Jeff,
      I suspect this has to do with the RAP in the gateway configuration.
      For testing purposes, configure this to allow access to all resources for all users.
      If that works, work from there to limit access to the sessionhosts, and the brokers (FQDN).

  22. Lucia says:

    Dear Arjan,

    I’ve installed Server 2016 Datacentre on three virtual machines in a production environment (to be implemented for RDS). I need to add them in a server pool to be able to install all RDS roles from one console. I managed to add two that are in the same VLAN, but couldn’t add the one configured in a different VLAN that is associated with DMZ (RD Gateway). I keep getting errors ‘Refresh failed’, ‘Target computer no accessible’. As well as the following error: “Configuration refresh failed with the following error: The metadata failed to be retrieved from the server, due to the following error: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer.” The name is definitely correct, the servers can ping each other, and firewall is off.
    I have been tasked with the project to implement the RDS infrastructure at my company’s client where I normally work, and these errors are driving me crazy as I can’t figure it out. Please help, any advice will be appreciated. I just don’t know where else to look for help.
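
A set of checks for the WinRM error quoted in this comment, as an added example that is not part of the post or the comment: PowerShell run from the management host that tests name resolution and TCP 5985 toward the server in the other VLAN, performs the WS-Management handshake itself, and lists the listener and firewall rule state on the target. The target name is an assumption.

```powershell
# Added example (not from the post): checks an operator can run from the Server Manager host toward a
# server that fails with "WinRM cannot complete the operation".
# ASSUMPTION: the DMZ RD Gateway server is called RDGW01.itw.test.
$target = 'RDGW01.itw.test'

# 1. Name resolution and the WinRM HTTP listener port (5985) across the VLAN boundary
$tcp = Test-NetConnection -ComputerName $target -Port 5985 -WarningAction SilentlyContinue
"resolved={0} tcp5985={1}" -f $tcp.RemoteAddress, $tcp.TcpTestSucceeded

# 2. The WS-Management handshake (fails on a listener, authentication or SPN problem even when the port is open)
try {
    $id = Test-WSMan -ComputerName $target -ErrorAction Stop
    "WinRM answers: product version $($id.ProductVersion)"
} catch {
    "WinRM handshake failed: $($_.Exception.Message)"
}

# 3. Listener and firewall rule state on the target itself.
#    Enable-PSRemoting -Force creates the HTTP listener and the 'Windows Remote Management (HTTP-In)' rules.
$remoteChecks = {
    Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Select-Object DisplayName, Enabled, Profile, Direction
}
try {
    Invoke-Command -ComputerName $target -ScriptBlock $remoteChecks -ErrorAction Stop
} catch {
    "Cannot run the listener/firewall checks remotely ($($_.Exception.Message)); run this on the console of ${target}:"
    $remoteChecks.ToString()
}
```

One thing worth knowing when step 1 succeeds but step 2 does not: the built-in “Windows Remote Management (HTTP-In)” rule for the Public profile scopes remote addresses to the local subnet, so a server whose DMZ network is classified as Public refuses management traffic from another VLAN even though WinRM is enabled. If the target is not a member of the same forest, the management host also needs the target in its WinRM TrustedHosts list or an HTTPS listener, because Kerberos cannot be used.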

  23. Tyrone says:

    Hello, I am trying to configure HA on a terminal server. The error keeps telling me that the SQL server I am trying to contact doesn’t exist. I am also trying to connect the Native Client to the SQL server from my terminal server, but when I test this it keeps failing. Any guidance would be appreciated.

    • Arjan Mensch says:

      Hi Tyrone,
      Follow one of the other guides.
      Creating HA should be done on the broker level. On the “terminal server” level you don’t need to configure SQL at all. Just add multiple “terminal servers” to the collection and your “terminal servers” are HA.

      • Tyrone says:

        Hello, my native clients were not configured to communicate properly; once I did this, my HA on my terminal went into high availability mode. Thank you for the post. I will still be asking you questions in the near future if that’s okay with you. I’m running my network setup live soon and my experience with virtual networks is very little.

  24. On the part about Configuring High Availability: I would like to use my SQL server. How would I go about doing that?

  25. Markus says:

    Hi Arjan, great post thanks.

    I did follow your post with the single server solution which I completed successfully.
    As this part covered the Remote Desktop Service and I would like to have the RemoteApp Service as well, I added a second RD Session Host server, which I could only achieve with a new machine. Setup went well and I could see the Remote Desktop and the RemoteApp Service on my “Portal”.
    BUT I am facing two big issues since I installed the second server:
    A) I am not able to remote connect to my first RDS server anymore. Error message: This Computer cannot connect to the Remotecomputer
    B) If I want to connect to the Desktop Service or any published app I get a download window to download a file named “AppName”.rdp. Opening this file ends up in the same error message that I get from A)
    Any idea where I can search for solution, please?

    Thanks, Markus

    • Arjan Mensch says:

      Hi Markus,
      A) Make sure you also have 2 collections set up now. 1 with the original server hosting your “Remote Desktop”, and another with the new server hosting the Remote App(s).
      B) Use Internet Explorer. Any other browser (Edge, Chrome, Firefox, etc) will not load the ActiveX needed to handle the RDP files in the browser and instead will download an .RDP file.

  26. Markus says:

    Hi Arjan, thanks for your quick Reply.

    B) IE was the perfect answer. Unfortunately I get an error message: This Computer cannot connect to the Remotecomputer
    A) I do have two collections. One on the first server for Remote Desktop and a second one on the second machine for RemoteApps.
    I do have the “new RD RAP” as shown in your post, and under Network Resources both servers as well as my broker FQDN are included.

    Thanks for your new Reply. Markus

  27. Dimitris Varouxis says:

    Hi Arjan,
    Can I install SQL Express 2014 on the DC and the SQL connectivity client on the RDC member?

  28. John Williams says:

    When I start to add the certificate in deployment options to enable single sign on, I get the error “cannot bind to parameter ‘raw data’ because it is an empty array” What am I missing here? Thanks for your help!

  29. Neha Saraf says:

    Thanks for your guide.

  30. chicagotech says:

    Our policy doesn’t allow us to install SQL on a domain controller. Can I install SQL Express on one of the RD servers? If so, which server do you recommend to install SQL on?

  31. Russell says:

    Hi Arjan,

    I’m new to implementing RDS and found your post very helpful, especially to beginners like myself. Anyway, at the moment I’m stuck at implementing the certificate. When I requested the certificate from StartSSL (free), I chose .pfx, and when they generated the certificate I got a .crt file. With that being said, would you mind letting me know how you got a .pfx from them? I tried importing the .crt into my Internet Explorer and exporting it, but .pfx isn’t one of the available options. Any help would be greatly appreciated.

  32. Hello. I’ve implemented your suggestions and everything works correctly. Or almost… even though I have installed 25 RDS licenses I cannot log in with more than 12 users. It seems somewhere there is information that the installed licenses are only 10, and it allows additional access for the 2 administrative ones. But no more than 12 in total. Can you help me?
    Sorry for my bad English! :-)

  33. David Fox says:

    Hi Arjan …. I thought I had left you a message on this but perhaps it did not go through.

    I am setting up a single session host and getting the “Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable…” error after connecting to webaccess URL and clicking on session collection to connect to Session Host. I am banging my head against a wall trying to get my head around this … please help :)

    DC01: Gateway, Licensing
    RDS01: Broker, Session Host, Web Access

    DNS and used for Web Access

    I get the feeling I am not setting up my DNS correctly. Works fine internally but not externally.

    URGENT help please :)

  34. Steve Fiori says:

    Hi Arjan,
    Thank you again for your time and expertise – it is truly appreciated!
    I have a quick question for you, I’m hoping you have some time to respond.

    I have all 4 roles on different servers (CB, WA, GW, RDVH). Other than that I’ve followed everything precisely. I have a trusted wildcard cert from GoDaddy (let’s call it * Currently the forward lookup zone has an A record pointing to the GW IP address, and the name of the zone is the name I want to connect to externally ( I want to use the WA to access the VDI pool, so I have TCP 443, & UDP 3391 open for the external IP, and a NAT pointing to the WA server. It works internally, but I get the ‘gateway server is temp unavailable’ error when trying to access externally. I’m sure I could get this to work if I combined the WA and GW roles on one machine, but there has to be a way to get this working with the WA and GW roles on different servers right?

    • Arjan Mensch says:

      Hi Steve. If you have the gateway and webaccess roles separated you’ll need two different A records. One pointing to the webaccess IP and one to the gateway IP.

      • Steve Fiori says:

        Thank you very much for your response Arjan.

        So, I need 443 open for IIS (WA role), and 3391 for the GW role (assuming default config)? In other words, which ports do I NAT (thru my firewall) for each role?? Would I have to use the same host names externally and internally as a result? I guess I just don’t understand how RDS will know which requests go to which resources…

        Also, please see below:

        ***VERY IMPORTANT*** Today I encountered the following problem and want to share with everyone, because even after I combined the GW & WA roles I was still getting the “can’t connect to the remote computer because the RDG server is temp unavailable” error. The following fixed the issue – I would not have believed it, had I not seen it with my own eyes!!!

        Users using Windows 8, 8.1 or Windows 10 can’t connect to the RD Gateway with the error “Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable”.

        Caused by update KB2592687, an update to the RDP Client 8.0

        Push out a registry fix to all Windows 8, 8.1 or 10 clients

        HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client
        REG_DWORD RDGClientTransport (1)

      • Arjan Mensch says:

        Hi Steve. You need 443 to the webaccess server AND to the gateway server. UDP 3391 only to the gateway server. And yes, to keep things simple and manageable, keep external and internal FQDNs the same.

      • Steve Fiori says:

        Thank you Arjan, I completely understand now – that makes total sense.

        Thank you, Thank you, Thank you!
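
The port answer and the registry workaround in this thread, as an added example that is not part of the post or the comments: a PowerShell snippet run on a client that probes TCP 443 to both the Web Access name and the Gateway name, then reads and, if needed, sets the RDGClientTransport value from Steve’s fix. The two host names are assumptions.

```powershell
# Added example (not from the thread): client-side checks for the "Remote Desktop Gateway server is
# temporarily unavailable" symptom discussed above.
# ASSUMPTION: the A records are rdweb.example.com (Web Access) and rdgw.example.com (Gateway).
$webAccessFqdn = 'rdweb.example.com'
$gatewayFqdn   = 'rdgw.example.com'

# 1. TCP 443 must reach the Web Access server AND the Gateway server. The UDP 3391 transport to the
#    gateway cannot be probed this way, because Test-NetConnection only tests TCP.
foreach ($target in $webAccessFqdn, $gatewayFqdn) {
    $r = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    "{0,-25} resolved={1,-15} tcp443={2}" -f $target, $r.RemoteAddress, $r.TcpTestSucceeded
}

# 2. The registry workaround from the thread: RDGClientTransport = 1 under HKCU makes the RDP 8.x
#    client fall back to the RPC-over-HTTP gateway transport instead of the newer HTTP/UDP transport.
$key  = 'HKCU:\Software\Microsoft\Terminal Server Client'
$name = 'RDGClientTransport'
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"$name currently: $(if ($null -eq $current) { '<not set>' } else { $current })"

if ($current -ne 1) {
    # -Force on New-Item leaves an existing key untouched; -Force on New-ItemProperty overwrites the value
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    "$name set to 1 for the current user; reconnect through RD Web Access to test."
}
```

The value lives under HKEY_CURRENT_USER, so it has to be applied for every user profile (a GPO preference item is the usual way to push it, as Steve describes), and it only changes the client side: the 443 and UDP 3391 NAT rules toward the gateway still have to be in place.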


  35. Jonathan says:

    Hello Arjan

    Thank you for the guide. I’ve successfully implemented the remote desktop services and published some apps. However I’m unable to access the published link over the internet using my private vpn but can locally. I’ve already opened up ports 443 and 3391 and my internal/external fqdn are the same.

    Any advice you could have.


  36. Andrea Onesti says:

    Hello Arjan,
    thanks for your guide. I’m wondering if you can help on this matter.

    I have an AD domain named Domain1 and a RDS complete deployment. 2 RD GW, 2 WA, 2 CB with a shared SQL Express DB and many SH. Everything is working fine.

    I have to publish RemoteAPP for users in a fully trusted domain named Domain2 (forest trust).

    Users from Domain2 can login into Web Access (so authentication is working) but they can see all applications instead of only applications published for them. RemoteAPP filtering is not working.

    I found an article saying that it happens when RDS doesn’t recognize a domain account, but I don’t understand why.

    Do you have any idea how to solve this? I searched the network, books and articles without luck.

    Thanks in advance,

  37. Nate Lawrence says:

    Hi! I was hoping you might be able to clarify why we create a separate DNS zone for the RD Gateway address – is this just so you can use a fully customized FQDN that doesn’t have to relate to your AD domain zone(s)?

    • Arjan Mensch says:

      Hi Nate,
      Not really. It’s for the certificate.

      • Nate Lawrence says:

        I’m not sure I follow; the certificate just serves as a validation marker of the remote server’s identity, right? What other purpose does it serve that would need a DNS forward lookup zone that exists outside your domain namespace?

      • Steve Fiore says:

        Yes, I would very much like to get some clarification as to why we need a DNS forward lookup zone (outside of our existing namespace) as well. I’m actually running a production version of this with Server 2016 (and Server 2012 in a proof of concept before this), and in both instances it didn’t seem to make a difference whether we used it or not, so I’m a bit confused.
        Thank you Arjan, we do appreciate your time and look forward to your response : ).

      • Arjan Mensch says:

        Hi Steve,
        If your internal users will not use the gateway you won’t need it.

      • Arjan Mensch says:

        Nate, none really, but if your internal users use the gateway, they will connect using the FQDN and you normally don’t want to route traffic externally and then loop back in. Using the lookup zone internally allows you to specify the internal IP, keeping the traffic inside.

  38. Steve Fiore says:

    Ahhh, okay that makes MUCH more sense : ).

    Thank you for the clarification Arjan!

  39. Nate Lawrence says:

    Ah, that explains it perfectly! Thank you Arjan!
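
Arjan’s point about the internal lookup zone, as an added example that is not part of the post or the comments: a PowerShell snippet that asks the internal DNS server and a public resolver for the gateway name and reports whether internal clients would get the LAN address or be sent out through the firewall and back in. The FQDN, the DNS server names and the addresses are assumptions.

```powershell
# Added example (not from the thread): confirm that the gateway FQDN resolves to the internal address
# on the LAN and to the public address from outside (a "split-brain" zone), so that internal gateway
# users do not hairpin through the firewall.
# ASSUMPTIONS: all four values below are made up for this example.
$gatewayFqdn       = 'rdgw.example.com'   # name on the certificate and in the internal zone
$internalDns       = 'ITWDC01.itw.test'   # internal DNS server hosting the extra forward lookup zone
$publicDns         = '1.1.1.1'            # any public resolver, gives the outside view
$gatewayInternalIp = '192.168.1.20'       # LAN address of the RD Gateway

function Get-ARecords([string]$Name, [string]$Server) {
    # -DnsOnly bypasses the local cache and hosts file so the answer really comes from $Server
    (Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }).IPAddress
}

$inside  = Get-ARecords $gatewayFqdn $internalDns
$outside = Get-ARecords $gatewayFqdn $publicDns

"Internal answer ($internalDns): $($inside  -join ', ')"
"External answer ($publicDns): $($outside -join ', ')"

if (-not $inside) {
    "No A record for $gatewayFqdn on $internalDns; create the internal forward lookup zone and the A record."
} elseif ($inside -notcontains $gatewayInternalIp) {
    "Internal clients get $($inside -join ', ') instead of ${gatewayInternalIp}: gateway traffic will leave the network and loop back in."
} else {
    "OK: internal clients reach the gateway on its LAN address $gatewayInternalIp."
}

if ($outside -and ($outside -contains $gatewayInternalIp)) {
    'Warning: the public zone hands out the private address, so external clients cannot reach the gateway.'
}
```

Because the internal zone only contains the gateway name, every other record in the public domain keeps resolving through the normal resolvers; that is why the zone is created for the single FQDN rather than for the whole external domain.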

  40. Hi Arjan, your guide is great and thank you for it. Though, I’m having a little issue in the high availability conversion of the broker. After pressing configure, I have the error “Impossible to set client access name xxx(DNS name set in the DNS cluster box) on yyy(member server name). DNS entries are done (both as and yyy, Anybody has any idea ? I have access to database server from member. Thanks in advance.

  41. Steve Fiore says:

    Hi Arjan!

    I have a quick question for you – I can’t find the answer to this ANYWHERE so I’m hoping you can help. I have an RDS environment setup with 5 collections. I was originally asked to create 10 VDI machines in each collection, then they only wanted 5, so I deleted 5 of them. Now they want to add 2 more to each collection but the naming convention is going to be way off (Lab1-PC1, Lab1-PC2, Lab1-PC3, etc.) – (Lab2-PC1, Lab2-PC2, Lab2-PC3, etc.). If I create another VDI in Lab1 it will try to name it Lab1-PC11 (as opposed to Lab1-PC6) because it thinks that machine already exists (even though I deleted it). If I manually rename the PC, the Collection status (within server mgr) is “Unknown”.

    Have you ever seen this? Is there ANY way around creating a new collection? I’ve also gone into the local folder on the rdvh server and removed all references to the collection name\workstation name as well.

    • Arjan Mensch says:

      Hi Steve,
      The records of known and previous VDI names are kept in the database as well, I think. Couldn’t say which table off the top of my head, but I think the answer to this lies there.

      • Steve Fiore says:

        Thanks Arjan,

        The database makes sense (logically, what else could it possibly be?). I am more than willing to hunt through the tables to find the correct one, but I am not sure exactly which database you are referring to. Is it the connection broker HA database (C:\Windows\rdcbDb)?

  42. Gilles says:

    Hi Arjan
    I have a quick question for you, how to configure the configuration tab in the remote access portal RDS2012 ?

  43. Chris Kasztner says:

    Hi Arjan, I have a successful deployment based on your method: 2 dedicated Session Hosts, 1 License Server (DC), 1 Broker/Gateway, Broker database is on its own dedicated SQL Standard server.

    The time has come to decommission my SQL server, and to move the broker DB to a SQL Express instance. Do you think there will be any problem moving the broker DB to the Broker/Gateway server?

  44. Goran says:

    How come sometimes I try logging in and it just hangs on “loading virtual machine”… It only happens sometimes. Any thoughts? Thanks

    • Arjan Mensch says:

      Hi Goran,
      Doing any loadbalancing in your setup? Might be session affinity to your gateway loadbalancer?

      • Goran says:

        Yes sir I am. I am using a barracuda load balancer. What does session affinity mean? How can I check? How can I fix this please?

      • Arjan Mensch says:

        Try running it with a single gateway to see if that loadbalancing is the issue. If it is then start troubleshooting the loadbalancer. I’m not a specialist but it means that the loadbalancer knows the path from client to sessionhost and which gateway you initially landed on without switching midsession because of load.

  45. Aleem Uddin Syed says:

    I have two issues:

    1. When creating a collection on the RDGW, when I add the RD Session Host, the operation completes with an error. It says “Invalid Operation” when adding the RD Session Host server.
    2. When I try to access https://rdsweb.domain.local/RDWeb internally, I get HTTP 404.

    My environment consists of Windows Server 2012 servers.

  46. Jim in AL says:

    On premise I have Outlook and Microsoft Access. With Access one can generate a report on screen, right click, there is a Send option, – – and this launches my Outlook client with the report as a pdf attachment. All fine. Remote I have Outlook and Access but the email sending, out of Access, does not work. The error message includes the phrase “…configure your computer to send and receive e-mail messages”… One IT staffer is saying it is OL security but I think it must be the Remote Access Server set up that these 2 apps of mine don’t know each other as they do on premise. Advice?
