UPDATE: If you are looking for a guide on a newer OS, I posted this guide updated to Windows Server 2019: Step by Step Windows 2019 Remote Desktop Services – Using the GUI
A step by step guide to build a Windows 2012 R2 Remote Desktop Services deployment.
Part 1 – Deploying a single server solution.
Although it is called a single server installation, we will need 2 servers as shown below.
Software used in this guide:
Windows Server 2012 R2 ISO (evaluation can be downloaded here: http://technet.microsoft.com/en-us/evalcenter/dn205286.aspx)
SQL Server 2012 SP1 Express x64 With tools (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35579. After clicking the download button select SQLEXPRWT_x64_ENU.exe)
SQL Server 2012 SP1 Native Client (free version can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=35580. After clicking the download button select ENU\x64\sqlncli.msi)
And a certificate. I got mine for free from https://startssl.com. This certificate needs to contain the FQDN you will use as the RD Web Access URL (mine is gateway.it-worxx.nl in this guide). It needs to be in .pfx format and you need to have the private key in it.
This guide will not focus on building a domain using a single domain controller and adding the second server as a member server to this domain.
Also some basic knowledge is assumed in this guide. I will not detail how to create a Security Group and adding a computer account to it. I will also not detail how to install SQL Express, or adding logins to a SQL Server Instance security context. If you need extra help with this, Bing it or drop me a mail with details, and I will provide steps to continue.
I will be using Hyper-V 3.0 on my Windows 8.1 laptop and I have prepared 2 servers:
ITWDC01 (1 vCPU, 512MB memory, dynamic, 60GB Harddisk)
Installed Windows IPv4 192.168.66.20/24
Added .NET Framework 3.5 as a feature
Added Active Directory Domain Services as a role
Configured this server as a Domain Controller in a new forest: itw.test
ITWRDS01 (1 vCPU, 512MB memory, dynamic, 60GB Harddisk)
Installed Windows
Added .NET Framework 3.5 as a feature
IPv4 192.168.66.21/24, DNS server 192.168.66.20
Configured it as a member server in the itw.test domain
Installing the Remote Desktop Services Roles
Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add the second server using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).
Now that all servers needed in this deployment scenario are present, click Manage, and click Add Roles & Features.
Select Installation Type
Select Remote Desktop Services installation. Click Next.
Select Deployment Type
Although Quick Start might be a valid option for a single server deployment, leave the default selected. This will explain the steps necessary to install Remote Desktop Services in greater detail.
Click Next.
Select Deployment Scenario
Select Session-based desktop deployment. The other option will be a different post in this series.
Click Next.
Review Role Services
Review the services that will be installed.
Click Next.
Specify RD Connection Broker server
Click the member server and click the Add button.
Click Next.
Specify RD Web Access server
Check Install the RD Web Access role on the RD Connection Broker server.
Click Next.
Specify RD Session Host server
Click the member server and click the Add button.
Click Next.
Confirm selections
Check Restart the destination server automatically if required.
Click Deploy.
View progress
Wait until all role services are deployed and the member server has restarted.
Click Close.
In Server Manager click Remote Desktop Services and scroll down to the overview.
As you can see the deployment is missing a RD Gateway server and a RD Licensing server.
Installing the missing Remote Desktop Services Roles
Click the Add RD Licensing server button.
Select a server
Click the domain controller and click the Add button.
Click Next.
View progress
Wait until the role service is deployed. No restart is needed.
Click Close.
Click the Add RD Gateway server button.
Select a server
Click the member server and click the Add button.
Click Next.
Name the self-signed SSL certificate
The wizard creates a self-signed certificate. We will deal with certificates in this deployment in a little bit. Enter the external Fully Qualified Domain Name which you will also use for the Web Access URL. In my case, for lack of a better name, I used “gateway.it-worxx.nl”. I didn’t want to use “remote.it-worxx.nl” or “desktop.it-worxx.nl” or anything else.
Click Next.
View progress
Wait until the role service is deployed. No restart is needed.
Notice that “gateway.it-worxx.nl” was configured for the deployment.
Also notice that even more certificate configuring is need, but we’ll get to that later. Pay no attention to it for now.
Click Close.
Let’s have a quick look at the certificate configuration.
Reviewing the Remote Desktop Services certificate requirements
In Server Manager, Remote Desktop Services, Overview, click Tasks and click Edit Deployment Properties.
Configure the deployment
Review the RD Gateway settings and notice what settings are available.
Click RD Licensing.
Configure the deployment
Notice that a RD License server is available, but no license type is selected yet.
I selected Per User, but since this is just a guide setup, it really doesn’t matter.
Click RD Web Access.
Configure the deployment
By default the RD Web Access IIS application is installed in /RdWeb. If you want to know how to change this, check another post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb/
Click Certificates.
Configure the deployment
Notice that the certificate level currently has a status of Not Configured.
As you can see, certificates are used for different goals within the deployment.
The RD Gateway certificate is used for Client to gateway communication and needs to be trusted by the clients. Either install the self-signed certificate on all clients, or use a certificate for which the complete certificate chain is already trusted by all clients. As it said in the wizard, the external FQDN should be on the certificate.
The RD Web Access certificate is used by IIS to provide a server identity to the browser clients (and to the Feed clients, but that’s a subject for a future post).
The RD Connection Broker actually has two goals for which it needs certificates. To enable single sign on (server to server authentication), and for publishing (signing RDP files). If you look in the deployment you’ll see that the Connection Broker is now configured to use “itwrds01.itw.test”, so we have to change it to use an external FQDN as well.
If we use the same FQDN for all goals described above, we need only 1 certificate, and only 1 external IP address.
We’ll come back to this wizard later to assign the certificate. First order of business is to change the internal FQDN for the Connection Broker to an external FQDN.
Click OK (no reason why we shouldn’t commit the change we made on the licensing tab, remember?)
Preparing for completing the Remote Desktop Services configuration
Open DNS Manager on the domain controller and browse to Forward Lookup Zones.
Right click Forward Lookup Zones and click New Zone… Go through this wizard accepting the defaults until you have to enter a Zone Name.
Enter the external FQDN which will also be used by the Connection Broker.
Finish the rest of the wizard accepting the defaults.
Browse to the newly created zone.
Right click the newly created zone and click New Host (A or AAAA)…
New Host
Leave the Name field blank, but enter the member server’s (holding the RD Connection Broker role) IPv4 address.
Click Add Host.
Create a new Global Security Group called “RDS Connection Brokers” and add the computer account for the member server to it as a group member.
We need this group to be able to convert the RD Connection Broker to a highly available RD Connection Broker. You’ll see why we need to do this in a few steps.
Reboot the member server to let it know it’s a member of the RDS Connection Brokers security group.
Install SQL Express on the Domain Controller (or use an existing SQL Server if you already have one). Here’s a list of needed features:
Now you see why I pre-configured the servers with the .NET Framework 3.5 feature before starting anything.
Use the Default Instance (so click Default, and do not leave the wizard’s selection on Named instance: SQLEXPRESS).
When the installation is done open SQL Configuration manager and browse to Client Protocols under SQL Native Client 11.0 Configuration.
Check if TCP/IP is enabled under Client Protocols. SQL Express install enables this by default, but check it just to be sure, especially if you use an existing SQL Server.
Browse to Protocols for MSSQLSERVER under SQL Server Network Configuration.
Enable TCP/IP. If this is a new SQL installation, this will be disabled by default.
Restart the SQL Server service if you changed this setting.
On the SQL Server, make sure port 1433 is not being blocked by Windows Firewall.
I added the SQL Server executable to the exception list to allow all inbound traffic.
Open SQL Server Management Studio and browse to Logins under Security.
Right click Logins and click New Login…
Select User, Service Account, or Group
Click Object Types… and select Group.
Type the RDS Connection Brokers security group name and click Check Names.
Click OK.
Login – New
Click Server Roles and select dbcreator.
Click OK.
We have just effectively granted the RDS Connection Broker server the right to create databases.
We need this because the RDS Connection Broker service will try to migrate from WID (Windows Internal Database to a (high available) SQL Server instance when we convert the Broker to a high available broker.
Install the SQL Native Client on the member server (Client Components only).
Everything we need is now in place to convert the RD Connection Broker, so let’s do just that.
Convert the RD Connection Broker
In Server Manager click Remote Desktop Services and scroll down to the overview.
Right click RD Connection Broker and click Configure High Availability.
Before you begin
So we’re actually building a single node cluster here ;)
Look at the pre-requisites.
If you have more than one RD Connection Broker they need to be configured using DNS Round Robin. More on that in a later post.
Click Next.
Configure RD Connection Broker for High Availability
Database connection string:
DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC01;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB
Folder to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\DATA
I used the instance default folder.
DNS round robin name:
The DNS Zone name we configured in DNS earlier.
Click Next.
Confirmation
If you get an error before this page:
– Check if TCP/IP is enabled in client protocols and for your instance
– Check if you can reach port 1433 on the SQL Server from the member server
Click Configure.
Progress
If you get an error on this page:
– Check SQL permissions for the security group
– Check if the database path you entered is correct
Click Close.
The RD Connection Broker is now in High Availability Mode and we are finally ready to complete the configuration.
Completing the Remote Desktop Services configuration
In Server Manager, Remote Desktop Services, Overview, click Tasks and click Edit Deployment Properties, then click Certificates.
Configure the deployment
Click RD Connection Broker – Enable Single Sign On and click Select Existing certificate.
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.
So click Apply. This takes a little while, be patient.
Configure the deployment
Click RD Connection Broker – Publishing and click Select Existing certificate.
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.
Click Apply. This again takes a little while, be a little more patient.
Configure the deployment
Click RD Web Access and click Select Existing certificate.
Note: Did you notice the warning when you select RD Web Access? Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.
Click Apply again. This takes another little while longer, be a slightly more patient.
Configure the deployment
Last one. Click RD Gateway and click Select Existing certificate.
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.
Click OK to finish the certificate configuration.
Configured all servers, configured certificates..
One thing left to do: Tell our RDS environment exactly what to publish.
In fact you can use this setup to either provide full desktop sessions on the Session Host, or you can choose to publish only applications on the Session Host.
Let’s publish full desktop sessions.
Publish a full Remote Desktop environment
In Server Manager, Remote Desktop Services, Session Collections, click Tasks and click Create Session Collection.
Before you begin
Review the requirements. This won’t be an issue in this setup, but you could restrict access to this collection by selecting a select group of people.
Click Next.
Name the collection
Enter a descriptive name. This name will be displayed under its icon in the Web Access interface.
Click Next.
Specify RD Session Host servers
Click the member server and click the Add button.
Click Next.
Specify user groups
You can limit access here. Add one or more groups to restrict access to these groups only. In this setup Domain Users will do fine.
Click Next.
Specify user profile disks
User profile disks are not in focus in this guide. Since I have no file shares configured in this setup, uncheck Enable user profile disks for now.
Does and Don’ts will be covered in a future post.
Click Next.
Confirm selections
Review the information and click Create.
View Progress
Wait until the collection is created and the server is added to the collection.
Click Close.
Time to test the setup!
Testing the Remote Desktop Services
On a machine that has access to your test setup (you may have to add the external FQDN to your hosts file if you didn’t publish it to the internet) open https://gateway.it-worxx.nl/rdweb.
Hey! At least the RD Web Access application works :)
Enter a valid username and password (ITW\username or username@itw.test).
Create a user for this, or simply use the domain admin account.
Click Sign in.
After logging in you’re presented with the full desktop session collection we created.
After clicking the Full Desktop icon you get the warning that devices are going to be redirected.
And when you click Connect, you actually connect :)
Enjoy.
In the next part of this series I will show how to extend this setup to use multiple session hosts, combine these with remote applications, and setting up dedicated servers for Web Access, Gateway and Connection Broker.
Arjan
Upate: Part 2 in the series was just published. Find it here: https://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/
Great article!
but for the HA part you said (Install SQL Express on the Domain Controller) and Microsoft says it is not recommended to install SQL Express on the DC.
Hi Karam,
In a production environment you would not do this indeed.
I wouldn’t even use SQL Express in a production environment at all but would instead use an existing SQL server, or build one if needed.
Eu aprendi contigo em 2013 quando você lançou este arquigo e continua sendo muito útil até nas versões atuais, windows 2106/2019.
Parabéns pela contribuição, você acrescenta mais do que custa.
Continue assim.
—
I learned with you in 2013 when you released this file and it is still very useful even in the current versions, windows 2106/2019.
Congratulations on the contribution, you add more than it costs.
Keep it up.
Hello Arjan,
Thank you for your tutorial.
I want to deploy a RDS on one server Windows Server 2012 with SAN certificate.
At the end of your tutorial “Testing the Remote Desktop Services”, what do you mean by “you may have to add the external FQDN to your hosts file if you didn’t publish it to the internet”, how to publish to the internet ?
Best regards
Fabrizio
I believe what he’s saying, is that if you don’t have a public DNS ‘A record’ (e.g. external IP address pointing to http://www.yourcompany.com), you will have to add this to your local hosts file so you can properly resolve your RD web access IIS page.
Howdy! I simply want to give a huge thumbs up for the good data you’ve here on this post. I shall be coming again to your blog for more soon.
I didn’t catch where did you choose the host OS, like windows 8 or 10 for the users?
So followed this and can get “most” of it working. set up at work, testing from home.
I can connect to the “full desktop” icon and get a remote to the gateway server.
– but when I connect through the “Connect to a remote pc, and put in the IP address
Runs me through the security warning – and then the connection
And then the actual RDP login
Everything working so far, but when I enter
AuthUser@domain.com, it sits for a while and then
Sooo close . yet so far away – I’m assuming I’ve messed up some setting, but can’t figure out what.
Any thoughts?
Getting the error “Could not create the database ‘ITWRDCB’. I’ve pointed it to my SQL Server I created (ITWSQL) since I was getting an error installing it on the DC. I setup the ‘RDS Connection Broker’ group in SQL Server Mgt Studio and assigned it the server role of dbcreator. ITWRDS01 is also a member of the ‘RDS Connection Brokers’ security group.
Hi, I have a RDS infrastructur running based on your tutorial. Everything worked fine still after couple of years. Now I wanted to do a in place upgrade to 2019: Everything worked except the connection broker. Have you every done a in place upgrade of the HA connection broker from 2012r2 to 2019 (or 2016) successfully?
Hi ,
I am trying to configure an rds broker HA on a server 2019.
I use sql express 2019.
I have already create the database from my Broker to SQL Server.
My problem is that i can’t add the second server for HA, i have an error :
unable to retrieve the list of nodes joined on srvbroker2.xxxx.domain ! privilege not maintained
I have check/disable the firewall.
I have change access (for my AD security group) on sql in security connection …. dbowner..datawriter
Thanks !
Impressive documentation. Learned a lot on different aspects of RDS deployment. Thank you
Hi Joseph, you’re welcome!
Hi Arjan,
i found a way to get DB and Broker on the same machine working.
You have to add the User “NETWORK USER” also and set the same rights as the broker AD group.
Greetings
Sorry, i meant “NT AUTHORITY\NETWORK SERVICE”.