Step by Step Windows 2019 Remote Desktop Services – Using the GUI


A step by step guide to build a Windows Server 2019 Remote Desktop Services deployment.
I posted this before based on Windows Server 2012 R2 RDS and thought it was high time to update this post to a more modern OS version.
I will provide all the steps necessary for deploying a single server solution using the GUI tools.

Although it is called a single server installation, we will need 2 servers as shown below.

01 RDS Deployment - Single Server 2019

Software used in this guide:
Windows Server 2019 ISO (evaluation can be downloaded here: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019).

SQL Server 2017 Express x64 (free version can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=55994).

SQL Server 2016 Native Client (free version can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=52676. After clicking the download button select ENU\x64\sqlncli.msi). Although I’m installing SQL Express 2017, there are no newer client tools available.

SQL Server Management Studio (free, and can be downloaded here: https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms).

And a certificate. I got mine for free from https://www.sslforfree.com/. This certificate needs to contain the FQDN you will use as the RD Web Access URL (mine is rds.it-worxx.nl in this guide). It needs to be in .pfx format and you need to have the private key in it.

 

This guide will not focus on building a domain using a single domain controller and adding the second server as a member server to this domain.

Also some basic knowledge is assumed in this guide. I will not detail how to create a Security Group and add a computer account to it. I will also not detail how to install SQL Express, or how to add logins to a SQL Server Instance security context. If you need extra help with this, Bing it or drop me a mail with details, and I will provide steps to continue.

 

I will be using Hyper-V on my Windows 10 1809 laptop and I have prepared 2 servers:

ITWDC (1 vCPU, 1024MB memory, dynamic, 60GB Harddisk)
Installed Windows
IPv4 192.168.0.4/24
Added .NET Framework 3.5 as a feature

Added Active Directory Domain Services as a role

Configured this server as a Domain Controller in a new forest: it-worxx.lab

 

ITWRDS (1 vCPU, 1024MB memory, dynamic, 60GB Harddisk)

Installed Windows

Added .NET Framework 3.5 as a feature

IPv4 192.168.0.10/24, DNS server 192.168.0.4

Configured it as a member server in the it-worxx.lab domain

 

Installing the Remote Desktop Services Roles

Log on to the Domain Controller, and in Server Manager right-click the All Servers node and add the second server using the Add Servers command (or select the All Servers node, click Manage and click Add Servers).

02 RDS Deployment - Single Server 2019

Now that all servers needed in this deployment scenario are present, click Manage, and click Add Roles & Features.

Before you begin
03 RDS Deployment - Single Server 2019
Click Next.

Select Installation Type
04 RDS Deployment - Single Server 2019
Select Remote Desktop Services installation.
Click Next.

Select Deployment Type
05 RDS Deployment - Single Server 2019
Although Quick Start might be a valid option for a single server deployment, leave the default selected. This will explain the steps necessary to install Remote Desktop Services in greater detail.
Click Next.

Select Deployment Scenario
06 RDS Deployment - Single Server 2019
Select Session-based desktop deployment.
Click Next.

Review Role Services
07 RDS Deployment - Single Server 2019
Review the services that will be installed.
Click Next.

Specify RD Connection Broker server
08 RDS Deployment - Single Server 2019
Click the member server and click the Add button.
Click Next.

Specify RD Web Access server
09 RDS Deployment - Single Server 2019
Check Install the RD Web Access role on the RD Connection Broker server.
Click Next.

Specify RD Session Host server
10 RDS Deployment - Single Server 2019
Click the member server and click the Add button.
Click Next.

Confirm selections
11 RDS Deployment - Single Server 2019
Check Restart the destination server automatically if required.
Click Deploy.

View progress
12 RDS Deployment - Single Server 2019
Wait until all role services are deployed and the member server has restarted.
Click Close.

In Server Manager click Remote Desktop Services and scroll down to the overview.
13 RDS Deployment - Single Server 2019
As you can see, the deployment is missing an RD Gateway server and an RD Licensing server.

14 RDS Deployment - Single Server 2019
Click the Add RD Licensing server button.

Select a server
15 RDS Deployment - Single Server 2019
Click the domain controller and click the Add button.
Click Next.

Confirm selections
16 RDS Deployment - Single Server 2019
Click Add.

View progress
17 RDS Deployment - Single Server 2019
Wait until the role service is deployed. No restart is needed.
Click Close.

18 RDS Deployment - Single Server 2019
Click the Add RD Gateway server button.

Select a server
19 RDS Deployment - Single Server 2019
Click the member server and click the Add button.
Click Next.

Name the self-signed SSL certificate
20 RDS Deployment - Single Server 2019
The wizard creates a self-signed certificate. We will deal with certificates in this deployment in a little bit. We will replace the self-signed certificate.

Enter the external Fully Qualified Domain Name which you will also use for the Web Access URL. In my case, for lack of a better name, I used “rds.it-worxx.nl”. I didn’t want to use “remote.it-worxx.nl” or “desktop.it-worxx.nl” or anything else.
Click Next.

Confirm selections
21 RDS Deployment - Single Server 2019
Click Add.

View progress
22 RDS Deployment - Single Server 2019
Wait until the role service is deployed. Again, no restart is needed.

Notice that “rds.it-worxx.nl” was configured for the deployment.

Also notice that even more certificate configuring is needed, but we’ll get to that later. Pay no attention to it for now. The same goes for the RD Gateway properties for the deployment. We’ll get to that later.
Click Close.

Review role installation and setting License Mode

Let’s have a quick look at the configuration we have so far.

23 RDS Deployment - Single Server 2019
In Server Manager, Remote Desktop Services, Overview, click Tasks and click Edit Deployment Properties.

Configure the deployment
24 RDS Deployment - Single Server 2019
Review the RD Gateway settings and notice what settings are available.
Click RD Licensing.

Configure the deployment
25 RDS Deployment - Single Server 2019
Notice that an RD License server is available, but no license type is selected yet.

I selected Per User, but since this is just a guide setup, it really doesn’t matter.
Click RD Web Access.

Configure the deployment
26 RDS Deployment - Single Server 2019
By default the RD Web Access IIS application is installed in /RdWeb.

If you want to know how to change this, check another post: https://msfreaks.wordpress.com/2013/12/07/redirect-to-the-remote-web-access-pages-rdweb/

This is for Windows Server 2012 R2 RDS, but it also works for Windows Server 2019 RDS.
Click Certificates.

Configure the deployment
27 RDS Deployment - Single Server 2019
Notice that the certificate level currently has a status of Not Configured.
As you can see, certificates are used for different goals within the deployment.

The RD Gateway certificate is used for client to gateway communication and needs to be trusted by the clients. Either install the self-signed certificate on all clients, or use a certificate for which the complete certificate chain is already trusted by all clients. As the wizard said, the external FQDN should be on the certificate.

The RD Web Access certificate is used by IIS to provide a server identity to the browser clients.

The RD Connection Broker actually has two goals for which it needs certificates: to enable single sign on (server to server authentication), and for publishing (signing RDP files). If you look in the deployment you’ll see that the Connection Broker is now configured to use “itwrds.it-worxx.lab”, so we have to change it to use an external FQDN as well.

If we use the same FQDN for all goals described above, we need only 1 certificate, and only 1 external IP address.
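A pre-flight check of the .pfx against the requirements described above (private key included, external FQDN on the certificate, chain trusted), as an added example that is not part of the original guide. The file path is a placeholder and `Test-DnsNameMatch` is a helper defined only for this example; run it on a client to test trust as that client sees it.

```powershell
# Added example (not from the original guide): pre-flight checks for the RDS certificate.
# Assumptions: $PfxPath is a placeholder path; $Fqdn is the external FQDN used in this guide.
param(
    [string]$PfxPath = 'C:\Temp\rds.pfx',
    [string]$Fqdn    = 'rds.it-worxx.nl'
)

function Test-DnsNameMatch {
    # True when $Name equals $Pattern, or $Pattern is a single-label wildcard (*.example.com)
    # whose parent domain equals the parent domain of $Name.
    param([string]$Pattern, [string]$Name)
    if ($Pattern -ieq $Name) { return $true }
    if ($Pattern.StartsWith('*.') -and $Name.Contains('.')) {
        $parent = $Name.Substring($Name.IndexOf('.') + 1)
        return ($parent -ieq $Pattern.Substring(2))
    }
    return $false
}

# Load the PFX without importing it into a certificate store.
$password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)

# DNS names on the certificate. DnsNameList is the extended property Windows PowerShell
# adds to certificate objects; fall back to the .NET name lookup if it is empty.
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not $dnsNames) {
    $dnsNames = @($cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
}

# Enhanced Key Usage: no EKU extension means all usages are allowed; otherwise
# Server Authentication (1.3.6.1.5.5.7.3.1) must be listed.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$serverAuth = (-not $ekuExt) -or
    [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

# Build the chain against the trust stores of the machine this runs on.
# Revocation is not checked, so the test also works in an isolated lab.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

$now = Get-Date
$checks = [ordered]@{
    'Private key present'           = $cert.HasPrivateKey
    "Name covers $Fqdn"             = [bool]($dnsNames | Where-Object {
                                          Test-DnsNameMatch -Pattern $_ -Name $Fqdn })
    'Within validity period'        = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    'Server Authentication allowed' = $serverAuth
    'Chain trusted on this machine' = $chainOk
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Passed = $_.Value } } |
    Format-Table -AutoSize

if ($checks.Values -contains $false) {
    Write-Warning "The certificate in $PfxPath does not meet all requirements for this deployment."
}
```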

We’ll come back to this wizard later to assign the certificate. First order of business is to change the internal FQDN for the Connection Broker to an external FQDN.

Click OK (no reason why we shouldn’t commit the change we made on the licensing tab, remember?)

Changing the Connection Broker FQDN to an externally resolvable FQDN

Open DNS Manager on the domain controller and browse to Forward Lookup Zones.
28 RDS Deployment - Single Server 2019
Right click Forward Lookup Zones and click New Zone… Go through this wizard accepting the defaults until you have to enter a Zone Name.

29 RDS Deployment - Single Server 2019
Enter the external FQDN which will also be used by the Connection Broker.

Finish the rest of the wizard accepting the defaults.

Browse to the newly created zone.
30 RDS Deployment - Single Server 2019
Right click the newly created zone and click New Host (A or AAAA)…

New Host
31 RDS Deployment - Single Server 2019
Leave the Name field blank, but enter the member server’s (holding the RD Connection Broker role) IPv4 address.
Click Add Host.

Now the configuration will be able to resolve “rds.it-worxx.nl” to the server holding the Connection Broker role, and this will work because “rds.it-worxx.nl” is also on the certificate that we will configure later.

Create a new Global Security Group called “RD Connection Brokers” and add the computer account for the member server to it as a group member.

We need this group to be able to convert the RD Connection Broker to a highly available RD Connection Broker. You’ll see why we need to do this in a few steps.

Reboot the member server to let it know it’s a member of the RDS Connection Brokers security group.

The next steps in re-configuring the RD Connection Broker depend on an SQL database shared by all Connection Brokers in the deployment. Without this configuration the RD Connection Broker will rely on the Windows Internal Database that was created during the initial deployment of the roles.

Install SQL Express on the Domain Controller (or use an existing SQL Server if you already have one).

It’s not best practice to install SQL onto a Domain Controller, but it’ll do for this guide.

Here’s a list of needed features:
32 RDS Deployment - Single Server 2019

33 RDS Deployment - Single Server 2019
Use the Default Instance (so click Default, and do not leave the wizard’s selection on Named instance: SQLEXPRESS).

34 RDS Deployment - Single Server 2019
Set the SQL Service to start using SYSTEM because the default account of SQLSERVER cannot be used on a Domain Controller.

When the installation is done open SQL Configuration manager and browse to Client Protocols under SQL Native Client 11.0 Configuration.
35 RDS Deployment - Single Server 2019
Check if TCP/IP is enabled under Client Protocols. SQL Express install enables this by default, but check it just to be sure, especially if you use an existing SQL Server.

Browse to Protocols for MSSQLSERVER under SQL Server Network Configuration.
36 RDS Deployment - Single Server 2019
Enable TCP/IP. If this is a new SQL installation, this will be disabled by default.
Restart the SQL Server service if you changed this setting.

On the SQL Server, make sure port 1433 is not being blocked by Windows Firewall.
37 RDS Deployment - Single Server 2019
I added the SQL Server executable to the exception list to allow all inbound traffic, but TCP 1433 inbound should suffice.
If you installed SQL Server using the default folder locations, the sqlservr.exe executable is found in “C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn”.
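The firewall step above, narrowed to TCP 1433 from the Connection Broker only, together with a check for program-wide sqlservr.exe rules and the reachability test that the later troubleshooting list asks for. This is an added example, not part of the original guide; the function names are this example's own, and the host name and address are the ones used in this guide.

```powershell
# Added example (not from the original guide). Host names and addresses are the ones
# this guide uses: ITWDC = SQL Server, 192.168.0.10 = member server (Connection Broker).

function Get-BroadSqlServerRule {
    # Lists enabled inbound allow rules bound to sqlservr.exe with their port and
    # remote-address scope, so "any port, any source" program rules stand out.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -like '*\sqlservr.exe') {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort
                RemoteAddress = $addr.RemoteAddress
                TooBroad      = ($port.LocalPort -contains 'Any' -or
                                 $addr.RemoteAddress -contains 'Any')
            }
        }
    }
}

function Add-ScopedSqlServerRule {
    # Allows only TCP 1433, only from the Connection Broker, only on the domain profile.
    param([string]$BrokerAddress = '192.168.0.10')
    New-NetFirewallRule -DisplayName 'SQL Server TCP 1433 from RD Connection Broker' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 `
        -RemoteAddress $BrokerAddress -Profile Domain
}

function Test-SqlServerPort {
    # Run on the member server: confirms the SQL Server answers on TCP 1433.
    param([string]$SqlServer = 'ITWDC')
    $result = Test-NetConnection -ComputerName $SqlServer -Port 1433 -WarningAction SilentlyContinue
    [pscustomobject]@{
        SqlServer     = $SqlServer
        RemoteAddress = $result.RemoteAddress
        Reachable     = $result.TcpTestSucceeded
    }
}

# On the SQL Server (elevated PowerShell):
#   Get-BroadSqlServerRule      # review rules where TooBroad is True
#   Add-ScopedSqlServerRule     # add the narrow rule
# On the member server:
#   Test-SqlServerPort          # Reachable should be True before configuring High Availability
```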

Open SQL Server Management Studio, connect to the default instance on the Domain Controller and browse to Logins under Security.
38 RDS Deployment - Single Server 2019
Remember that Management Studio is no longer included with the SQL Server download; it is a separate download.
Right click Logins and click New Login…

Login – New
39 RDS Deployment - Single Server 2019
Click Search…

Select User, Service Account, or Group
40 RDS Deployment - Single Server 2019
Click Object Types… and select Group.
Type the RDS Connection Brokers security group name and click Check Names.
Click OK.

Login – New
41 RDS Deployment - Single Server 2019
Click Server Roles and select dbcreator.
Click OK.

We have just effectively granted the RDS Connection Broker server the right to create databases.

We need this because the RDS Connection Broker service will try to migrate from WID (Windows Internal Database) to a (highly available) SQL Server instance when we convert the Broker to a highly available broker.

Install the SQL Native Client on the member server (Client Components only). If you used the member server in this setup to install the SQL Management Studio, you can skip this step because the Native Client was installed along with the Management Studio.

Everything we need is in place to convert the RD Connection Broker, so let’s do just that.

In Server Manager click Remote Desktop Services and scroll down to the overview.
42 RDS Deployment - Single Server 2019
Right click RD Connection Broker and click Configure High Availability.

Before you begin
43 RDS Deployment - Single Server 2019
So we’re building a single node cluster here ;)
Look at the pre-requisites.

If you have more than one RD Connection Broker they need to be configured using DNS Round Robin.

Click Next.

Configure RD Connection Broker for High Availability
44 RDS Deployment - Single Server 2019
Since we just installed an SQL Server for this, leave the default selected. You’d use the other option for instance if you’d like to use Azure SQL for this deployment.
Click Next.

Configure RD Connection Broker for High Availability
45 RDS Deployment - Single Server 2019
DNS name for the RD Connection Broker cluster:
The DNS Zone name we configured in DNS earlier: rds.it-worxx.nl

Connection string:
DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB

Folder to store database files:
C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\DATA
I used the instance default folder.

Click Next.

Confirmation
46 RDS Deployment - Single Server 2019
If you get an error before this page:

  • Check if TCP/IP is enabled in client protocols and for your instance
  • Check if you can reach port 1433 on the SQL Server from the member server

Click Configure.

Progress
47 RDS Deployment - Single Server 2019
If you get an error on this page:

  • Check SQL permissions for the security group
  • Check if the database path you entered is correct

Click Close.

48 RDS Deployment - Single Server 2019
The RD Connection Broker is now in High Availability Mode, and configured as “rds.it-worxx.nl” and we are finally ready to complete the configuration.

Configuring Certificates

49 RDS Deployment - Single Server 2019
In Server Manager, Remote Desktop Services, Overview, click Tasks and click Edit Deployment Properties, then click Certificates.

Configure the deployment
50 RDS Deployment - Single Server 2019
Click RD Connection Broker – Enable Single Sign On and click Select Existing certificate.

51 RDS Deployment - Single Server 2019
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.

67 RDS Deployment - Single Server 2019
So click Apply. This takes a little while, be patient.

Configure the deployment
52 RDS Deployment - Single Server 2019
Click RD Connection Broker – Publishing and click Select Existing certificate.

51 RDS Deployment - Single Server 2019
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.

67 RDS Deployment - Single Server 2019
Click Apply. This again takes a little while, be a little more patient.

Configure the deployment
53 RDS Deployment - Single Server 2019
Click RD Web Access and click Select Existing certificate.

68 RDS Deployment - Single Server 2019
Note: Did you notice the warning when you select RD Web Access?

51 RDS Deployment - Single Server 2019
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.

67 RDS Deployment - Single Server 2019
Click Apply again. This takes another little while longer, be slightly more patient.

Configure the deployment
54 RDS Deployment - Single Server 2019
Last one. Click RD Gateway and click Select Existing certificate.

51 RDS Deployment - Single Server 2019
Browse to the .pfx file, enter its password, and check Allow the certificate..
Click OK.

Click OK to apply the final certificate step.

Configured all servers, configured certificates..

One thing left to do: Tell our RDS environment exactly what to publish.

Publishing resources to your users

In fact you can use this setup to either provide full desktop sessions on the Session Host, or you can choose to publish only applications on the Session Host.

Let’s publish full desktop sessions.

55 RDS Deployment - Single Server 2019
In Server Manager, Remote Desktop Services, Session Collections, click Tasks and click Create Session Collection.

Before you begin
56 RDS Deployment - Single Server 2019
Review the requirements. This won’t be an issue in this setup, but you could restrict access to this collection by selecting a specific group of people.
Click Next.

Name the collection
57 RDS Deployment - Single Server 2019
Enter a descriptive name. This name will be displayed under its icon in the Web Access interface.
Click Next.

Specify RD Session Host servers
58 RDS Deployment - Single Server 2019
Click the member server and click the Add button.
Click Next.

Specify user groups
59 RDS Deployment - Single Server 2019
You can limit access to the resource here if you want. Add one or more groups to restrict access to these groups only. In this setup the default selection of Domain Users will do fine. Groups you specify here will be added to the list of groups of users that are allowed to connect using RDP to the Session Host server(s).
Click Next.

Specify user profile disks
60 RDS Deployment - Single Server 2019
User profile disks are not in focus in this guide. Since I have no file shares configured in this setup, uncheck Enable user profile disks for now.
Click Next.

Confirm selections
61 RDS Deployment - Single Server 2019
Review the information and click Create.

View Progress
62 RDS Deployment - Single Server 2019
Wait until the collection is created and the server is added to the collection.
Click Close.

Time to test the setup!

Testing the setup

On a machine that has access to your test setup (you may have to add the external FQDN to your hosts file if you didn’t publish it to the internet) open https://rds.it-worxx.nl/rdweb

63 RDS Deployment - Single Server 2019
Hey! At least the RD Web Access application works :)
Enter a valid username and password (IT-WORXX\username or username@it-worxx.lab).
Create a user for this, or simply use the domain admin account.
Click Sign in.

64 RDS Deployment - Single Server 2019
After logging in you are presented with the full desktop session collection we created.

65 RDS Deployment - Single Server 2019
After clicking the Full Desktop icon you get the warning that devices are going to be redirected.

66 RDS Deployment - Single Server 2019
And when you click Connect, you connect :)

Enjoy.

 

Arjan

 

25+ years experience in Microsoft powered environments. Enjoy automating stuff using powershell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.

Posted in Remote Desktop, Step-by-Step guide, Windows 2019
92 comments on “Step by Step Windows 2019 Remote Desktop Services – Using the GUI”
  1. Dale Forguson says:

    Arjan,

    I wanted to take a minute to personally thank you for the original server 2012 deployment guide. I used it successfully and learned a bit more about the Server OS in the process. Because the customer already had Sonicwall routers in place I used a combination of VPNs and Sonicwall Netextender instead of a certificate which has worked very well. Thanks for following up with a 2019 version. I will be reading that soon.

    Best Wishes,

    Dale Forguson

  2. torben vilhelmsen says:

    Great article, thanks. Do you know if enabling Credential Guard on Windows 10 (client side) still breaks SSO or can you point to a combination of GPO-settings on server and client that will make this work?

  3. Jerto says:

    Arjan, Great article as always. I don’t have a VPN. But I do have SSL configured on the RDS. Attacks still can be done easily right? Do you recommend a VPN as must? Because right now everyone can access my rds webpage. Thank you.

    • Arjan Mensch says:

      Hi Jerto.
      SSL alone does not prevent your website from being attacked.
      If that is a valid concern, then yes, do not publish the website to the internet and make your users access the RDS environment using VPN.
      Other solution would be to enable MFA on the website, but that is way out of scope of my articles.

  4. Steve Fiore says:

    Hi Arjan,

    Great post (as usual) – your posts are my RDS lifeline : ).

    I have one question – I hope you can help. I have a fully functional RDS environment setup and working great for VDI. I just recently purchased a new server to add another RDVH, with 30 more VM’s.
    I have everything setup and now trying to add VMs to the new RDVH server by creating another collection, but I’m getting an error (could not validate the permissions on the storage location) – error 67. I’ve tried just about everything to resolve, in terms of permissions etc.

    Also, I am getting this error no matter which rdvh server I try to create a new collection on. I know that I could create a collection on the initial server prior to adding the new server.

    Am I doing something wrong? Can you have multiple rdvh servers like this?

  5. Hector says:

    Hi Arjan,

    Wow! great article…straight forward and perfect explanation!

  6. Tanner says:

    Hello,

    I’m looking to setup my own environment at home for learning purposes. Does this have to be installed on two servers, or can it be done on one? (Or is my question rather silly due to my ignorance).

    Thanks!

  7. Mike Matheny says:

    Let me add some things I discovered while setting up a completely single-server RDS system using SQL Express 2017 advanced (this is for a small deployment <20 users – sure it could handle more users.) We have to disable TLS 1.0 is the reason for SQL Express.

    After searching to the ends of the internet, we did not find a single blog addressing this. This requires NO DNS entries:

    1. Follow Arjan's instructions but skip the DNS host entry part.

    2. Install SQL Express on the same server you are running RDS – I suggest a separate disk

    3. When configuring HA select Dedicated database server

    4. DNS name for RD Connection Broker cluster: FQDN of your server

    5. RDS HA Connect String:
    DRIVER=SQL Server Native Client 11.0;SERVER={your NETBios server name}\SQLEXPRESS;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB

    6. Folder to store database files:
    {drive letter}:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS\MSSQL\DATA

    7. Must add the service that the Remote Desktop Connection Broker service is running under to the SQL database as a sysadmin

    That's it! Works like a charm!

    Mike

  8. steve says:

    Hi,
    I used your great guide for an 2012R2 RDS setup which works just fine.
    Now I read your 2012 RDS article and ask myself if it is possible to deploy a 2019 side-by-side to the 2012R2 structure?

    It would be nice if there would be a second web access like: rds2019.it-worxx.nl

    Do you think this can work simultaneously?

    Steve

    • Arjan Mensch says:

      As long as you setup a full infrastructure deployment side by side, I don’t see why this wouldn’t work. Just don’t mix 2012r2 roles with 2019. Not tested btw.

  9. bob says:

    Hey, having a few issues getting this working externally. Any ideas?

    Domain provider DNS points to external IP

    Local DNS server points to internal server IP

    If I ping remoteaccess.company.org locally it replies with local IP fine.

    If I ping remoteaccess.company.org externally it replies with external IP fine.

    RD Gateway points to remoteaccess.company.org

    Externally if I go to remoteaccess.company.org It loads to white or server not found.

    Any help will be much appreciated.

    • Arjan Mensch says:

      Hi Bob, so internally it loads the webaccess page just fine and you can click a resource and connects? If so, this is a firewall issue. Externally open only tcp 443 and udp 3389 to your webaccess/gateway server. They must be on the same machine anyway, since you are using the same dns name for webaccess and gateway.

      • bob says:

        Hey, thanks for getting back to me. Only using web access users won’t be RDP’ing as such. Internally works perfectly just externally. Firewall is open on 443 as wasn’t aware 3389 was needed? Web access and gateway are all on the one server. Speak soon

      • Arjan Mensch says:

        Hi Bob, UDP 3389, not TCP. 443 is needed for the webaccess and for the gateway.

  10. bob says:

    Hey, UDP 3389 seems to have resolved the issue but will test fully later! thanks for your help and great guide!

  11. Nalin says:

    HI Arjan,

    Many thanks for this and the 2012 series they are great guides.

    I work in a school and would like to set up session hosts separate from the rest and as these are not going to be accessed from outside would only give the .local addresses as only the students would access them to do some Java scripting. What changes if any would be needed to your set up to do this? We already have our DC.

    So we plan to set up a separate license server, one server for connection broker / web access / gateway ( even though we don’t access it via web) and a separate session host server.

    Thanks for your response in advance.

    • Arjan Mensch says:

      Hi Nalin, if it’s the same company you can use the same license server. Besides that, internally you won’t need a gateway and you can use your own internal CA for the certificates.

  12. Nalin says:

    Hi Arjan,

    Thanks for taking the time to respond. I am in the middle of setting this up as per your guide. I have some more questions if you don’t mind please.

    1. It seems like the session server doesn’t want to accept normal RDP session using the MSTSC command from a windows 10 machine. So I have to use the VMware console to work on this machine. When I try to login It tries to log me in and then fails with an error ” the initial program cannot be started explorer.exe” I have tried many solutions offered on the internet but none seem to work.

    2. Once you get it up and running how do you publish a program? We want to publish some Java IDE’s for students and want the students to use them in a sort of a sandbox environment.

    3. would you be doing a similar guide for Virtual machine based deployment as opposed to session based deployment?

    Thanks again for this post and others. They are very well presented and very little can go wrong if you follow them to the letter.

    • Arjan Mensch says:

      Hi Nalin, please check other posts in this series to learn about application publishing. And of course you are not supposed to mstsc directly to a server. Always use web access or the downloaded rdp file from web access.

  13. Raul Panim says:

    Arjan, first – kudos on the comprehensiveness and clarity. This article is a great resource. Have you tried adding Connection Broker using an onprem Windows 2016 failover clustered SQL database? I’ve tried different versions of native client and multiple versions of connection strings and either it fails to db reach check or gets stuck after initiating the db create. Is it possible that CB HA can connect only to an Azure cluster?

  14. Jean-Pierre DUBREUIL says:

    This has been extremely helpful to follow, however,
    My remote users are connecting to the network via a Netextender SonicWall VPN and do not need to access an external IP. They are given direct access to the Terminal server internal IP. How can I simplify the setup ?

    • Arjan Mensch says:

      Hi Jean-Pierre. In this case you can just ignore all the gateway stuff. You won’t need that role.

      • Jean-Pierre DUBREUIL says:

        Do I still need the RD Web access as well ? Are certificates still required ? Would I only need RD licensing, connection broker and Session host ? and how do I configure my RDS license – I am lost in the whole thing

      • Arjan Mensch says:

        Hi JP. For a full working deployment you’ll need WebAccess, Broker, Licensing, and SessionHost roles. You’ll still need certificates on the WebAccess role and on the broker role, but these can be from your internal CA instead.
        Licensing is the same as with a Gateway role. Either assign per user licensing, or per device, depending on requirements and needs of your organization.

  15. John Carver says:

    I am trying to troubleshoot an issue that happens when I launch the published app. I have the gateway and broker on one server, the rdweb server independent, and the app servers. When it launches it gets into the server and then a message pops up with an error that says Windows can not start the RemoteApp program The following RemoteApp program is not in the list of authorized programs. All Servers are 2019 Datacenter and the Cap and Rap is setup. Please help me find what I am missing. Trying to roll this out in 2 weeks!

  16. Bruce Banner says:

    Am I the only one that can’t get past configuring the gateway? Mine fails saying “Unable to configure the RD Gateway server. Error 2147749890”

  17. Jude says:

    Thanks a lot.

    Can I use an external RD CAL license server from a trusted domain to perform as the license server for this domain?

  18. Daniel Weijers says:

    Hello, I am trying to do the same but with VMs (Virtual Machine based deployment). Is it the same to set up (gateway etc)?

    • Arjan Mensch says:

      Hi Daniel. All the guides were made using VMs, so yes, Windows is Windows. Works on physical machines and on VMs.

      • Daniel Weijers says:

        Hello Arjan, that’s not what I was trying to say, my question is about RDS services using VDI to give my users access to the environment.

  19. Oleg says:

    Hello. Following the guide and setup all on one server. Got all working only if gateway is detected automatically. if I specify my server by its external FQN name in gateway settings – getting error during configuring remote session: 1.The remote computer is not capable of exchanging policies with the Remote Desktop Gateway. 2. The remote computer configuration does not permit new connection. 3. The connection between the Remote Desktop Gateway and the remote computer ended.
    Server is on VM 6.5.
    Also, question 2. If I use automatic settings, when connecting from Mac OS RDP session, I always get full desktop, even if I have only 2 apps published. Windows works as expected and shows only the requested app.
    Thank you.

  20. Florian says:

    Hi,

    Thanks for the great guide! It helped me a lot but I have a question (sorry I have no idea about) :-(

    I set up the session based remote services and want to publish an app (for example Word). Maybe you know how this can be done in a way that I close the “Windows” and connect later again to resume my work. Right now after closing the app all is gone :-(

    I’m not sure but can this be done only in a “virtual computer based” setup and not in a session based setup?

    Maybe you have an idea about it.

    And many THANKS again for this GREAT guide!

    Florian

  21. João J. Furtado Neto says:

    Hello,

    I did everything like the tutorial and it worked, I was happy.
    However, when I click on some APP, it downloads an RDP file to the connection, I would like it to be directly without downloading the file. How can this be done?

    Thank you so much for the step by step.

    • Arjan Mensch says:

      Hi João, if you use Internet Explorer, it opens automatically. All other browsers will download the rdp file unless you tell it to always Open the filetype. Google for specifics for the browser you are using.

  22. Jean-Pierre Dubreuil says:

    Do you do remote consulting for setting up RDS server? I am not getting anywhere and wasting time and energy.

  23. SZ says:

    Great Article. Except:

    When configuring the HA for RD Connection Broker,

    DRIVER=SQL Server Native Client 11.0;SERVER=ITWDC;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB

    Server=%yourSQLservername%

    DATABASE = ????

    Apparently ITWRDCB is just an example, but what should it be?

  24. fitzwar says:

    Great step by step guide. You could also use the Azure RDS 2019 deployment template that will deploy all this for you: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloud-infrastructure-services.rds-2019-basic-deployment-farm?tab=Overview

    Once deployed there are post configuration steps on: https://cloudinfrastructureservices.co.uk/how-to-setup-remote-desktop-services-rds-2019-farm-on-azure/

  25. mhkl says:

    Great guide, but can you PLEASE PLEASE mention that you have to enable the SQL Server Browser service?
    It took me literally 3 hours to find out, you have to enable this service on the server where you installed SQL Server for this to work…

    • Arjan Mensch says:

      Hi mhkl,
      I didn’t mention that because you don’t need it. I’ve done this dozens of times and never enabled the SQL browser service.

      • mhkl says:

        Hey Arjan,

        I followed your guide twice now, and I have the same problem every time. I always get a timeout when trying to connect to the sql instance.
        I even use “SERVER\INSTANCE” for the server option in the connection string.

        It just never works, but as soon as I enable the SQL Browser Service it works instantly.
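
Whether a Connection Broker connection string depends on the SQL Server Browser service follows from the form of its SERVER value: a named instance given without a port is resolved through the Browser on UDP 1434, while a default instance (TCP 1433) or an explicit port is not. The sketch below is an added example, not code from the post or its commenters; the function name `Get-SqlServerTarget` and the two `SQLEXPRESS` sample values are assumptions.

```powershell
# Added example (not from the original post). Function name is hypothetical.
function Get-SqlServerTarget {
    param([Parameter(Mandatory)][string]$ConnectionString)

    # Parse "KEY=value;KEY=value". Assumes no quoted values containing ';'.
    $pairs = @{}   # PowerShell hashtable keys are case-insensitive
    foreach ($part in ($ConnectionString -split ';')) {
        $key, $value = $part -split '=', 2
        if ($null -ne $value) { $pairs[$key.Trim()] = $value.Trim() }
    }
    $server = $pairs['SERVER']
    if (-not $server) { throw 'Connection string has no SERVER key.' }

    # SERVER has the form [tcp:]host[\instance][,port]
    $server = $server -replace '^tcp:', ''
    $hostPart, $port = $server -split ',', 2
    $hostName, $instance = $hostPart -split '\\', 2

    if ($port) {
        $how = "Connects straight to TCP $port; SQL Server Browser is not consulted."
    } elseif ($instance) {
        $how = 'Named instance without a port: the client asks SQL Server Browser (UDP 1434) for the port.'
    } else {
        $how = 'Default instance: the client assumes TCP 1433; SQL Server Browser is not consulted.'
    }
    [pscustomobject]@{
        Server          = $server
        Instance        = $instance
        Port            = $port
        NeedsSqlBrowser = [bool]($instance -and -not $port)
        Resolution      = $how
    }
}

$prefix = 'DRIVER=SQL Server Native Client 11.0;SERVER='
$suffix = ';Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=ITWRDCB'
# First value is the one quoted on this page; the other two are constructed samples.
'ITWDC', 'ITWDC\SQLEXPRESS', 'ITWDC\SQLEXPRESS,1433' | ForEach-Object {
    Get-SqlServerTarget -ConnectionString ($prefix + $_ + $suffix)
} | Format-List
```

Where the Browser service is to stay disabled, giving the instance a fixed TCP port and writing that port into SERVER removes the dependency and keeps UDP 1434 closed.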

  26. David says:

    I am following your guide but using Server 2019 and SQL 2017 and can not get the Connection Broker HA to create nor connect to an existing database. I am getting the error the database specified in the database connection string is not available from RD connection broker server ……… error. I can connect using the ODBC in Administrative Tools and connect using SQL Management Studio and connect using telnet. Please help!!

  27. Larry Wesner says:

    Thanks for such a GREAT how to. I installed TS-2019 based off of your guidelines. There was an occasional change or deviation but it went well. A lot has changed since the days of Server 2008 r2 Terminal Server.

  28. Georg Greindl says:

    Hello, thanks for this valuable guide. What I don’t get is how the FQDN of the connection broker server is changed. It doesn’t get changed automatically, I always can only select the internal name. I have tried to rebuild it using GUI and PowerShell, to no avail. Any hints?

  29. […] I am certain. Far more common for the Domain setup is the Quick Start. You can look at examples of Standard Deployment, but that is outside the scope of this article.  Quick Start -> Session Deployment is in these […]

  30. RustiJ says:

    Arjan, I have used your 2012 R2 guide several times & now the 2019 guide both without issues. Just wanted to thank you for taking the time to post these as they have saved me numerous hours over the last few years! Much appreciated!

  31. Brian says:

    May I ask why you are configuring the connection broker to be highly available, when you only have a single server?

  32. Thomas says:

    Hi Arjan

    Thanks for the setup. All is working except one thing, SSO is not working. It keeps asking for the logon name when I click on the published icon of the desktop. I created a policy setting Allow delegation defaults credential with the server names in it. TERMSRV/*.domain.x but did not solve, I also tried: Set-RDSessionCollectionConfiguration -CollectionName “Desktop” -CustomRdpProperty “pre-authentication server address:s: https://website .x.x./rdweb/n’ require pre-authentication:i:1?” Any idea?

  33. Oudel Inc says:

    Thanks for sharing such beautiful information with us.
    I hope you will share some more info about Remote Desktop Services Remote.

    Please keep sharing.

  34. Jerry says:

    Hello Arjan
    I wanted to confirm something. In your explanation of the previous scenario I am assuming the PDC is performing “round robin” on the connection request for web RDP access? Is this correct? Since we have a “pool” with 2 servers.

    Please let me know.

    Jerry

  35. Maciej says:

    Hi Arjan!
    Please tell me if you know how to limit the number of simultaneous connections for a given RemoteAPP collection. The point is that within a given collection there could be max 10 connections at the same time or that there could be only one RemoteAPP session on one user so that it is impossible to log in to one user from two computers at the same time. Can you help me with this?

  36. doktorteknik says:

    It was a good article. Thank you

    I did not understand where to do the job of creating the Global Security Group. In Windows Firewall?

  37. nektarai says:

    Hello Arjan
    I am having unending pain installing RDCB (Remote Desktop Connection Broker)
    Tried it with 2 different official Win Essentials 2k19 ISO versions, both on physical server and a VM. I tried every helping site I could lay a hand on.
    Every time, it fails with that message:
    Failed:
    Unable to install the role services. ArgumentNotValid: The role, role service, or feature name is not valid: ‘rds-connection-broker’. The name was not found
    I did every trick about the Windows Internal Database, putting it on Local Account, then tried with Domain admin account. Uninstalled, reinstalled it (the service is indeed running, with its “VSS Writer” counterpart), and every single time, I get the same message.
    I have DNS / DHCP / IIS / ADDS services configured on this server, and the Remote Desktop Licensing installed also.
    Any clue to save me from my hell?
    Thanks in advance for the time taken reading this

    • Arjan Mensch says:

      Hi Nektarai,
      The problem is in your ISO. You need Standard or Datacenter I think. Check if it is even possible doing what you want on Essentials. The error is literally that it cannot install the role, not that it cannot be configured.

      • nektarai says:

        Thanks very much for your reply.
        I see I might have a problem there, and I’m so sad that change I just found isn’t appearing clearly anywhere till I found this on some blog:

        Quote from Microsoft:

        The Windows Server Essentials Experience Role has been removed from all server SKUs, including Windows Server 2019 Essentials. This means that the Administrative Dashboard that used to be the core feature for Essentials Experience Role is no longer accessible and all management and configuration must be completed manually.

        With Server Essentials Experience Role deprecation, the following features are no longer available:

        Client backup
        Remote web access

        Sad me, who seemingly bought an Essentials for nothing.
        Thanks for your quick reply.

  38. Heath Durrett says:

    Hi Arjan,

    This guide is awesome thank you so much!

    I’m struggling with the SQL Express part of the install. I do not mean to sound like a “nay-sayer” but can you definitively confirm that using SQL Express as a RDSCB back end database solution works?

    Since SQL Express does not have any HA features native built into it?

  39. Martin says:

    Hi,
    I have a new server with Win 2019. It is used for remote connections for domain users.
    They can connect fine, it works ok but the remote app shows some columns on zeros, just with admin account the sql query of this vb app works fine and shows all the information without zeros. I tried with “Runas” command, checking the “Run as Administrator” checkbox, I added the users to the administrators group but nothing works without admin account. This app used to work great on the 2008 r2 old remote server but not on win 2019, please help.

    Thanks in advance.

  40. Rob Nicholson says:

    What a great article! Has got me right up that RDS learning curve in hours and not days. You often come across articles like this that just don’t match the real life install experience but not in this case. And your explanations of why one is doing some things is pitched at just the right level. Can I buy you a virtual beer?

  41. munrobasher says:

    Most fun so far is tip-toeing around their existing Azure setup, not breaking anything – setup by a previous techie with zero documentation and a horribly complex group policy setup. Getting the domain upgraded so we can have W2019 DC on there was something I don’t want to do again! Got it wrong and nearly had a heart attack when I thought I’d accidentally deleted their existing XenApp server… fortunately I hadn’t but it was also still in the recovery services vault. I’m going to need a drink when this is all over!

  42. dubbya gee says:

    What license is needed for a Windows machine to connect to another Windows machine through a Remote Desktop Gateway? Is it any different for a Mac to connect to a Windows machine?

    • Arjan Mensch says:

      Hi dubbya,
      There are user Client Access Licenses and Device CALs. You need either one to set up the connection. Device CALs might be cheaper if multiple users work from the same device. Device type, gateway or not, doesn’t matter. You always need an RDP CAL to connect. The exception is the admin or console connection, those are free and therefore limited to a maximum of 2 per server.

  43. RDWeb Holdout says:

    Can you do an updated version of your Customizing Remote Desktop Web Access articles? They do not work with 2019.

    I’d at least like to add links to RDP files like the Essentials Roles used to do in 2016 and prior, but I can’t figure out how to add/edit a Custom.aspx with HTML code that doesn’t fail.

  44. James Conway says:

    Hi Arjan,

    When I configure certs (select existing certificate) from the site you suggested, windows server says Could not configure the certificate on one or more servers. Ensure that the servers are available on the network and apply the certificate again.

    • Arjan Mensch says:

      Hi James,
      I never had that happen. Are you applying them one at a time?

      • James Conway says:

        Yes. What I’m trying now is doing HA as I had thought this unnecessary with only one CB at first.

      • Landon says:

        I’m in a similar boat. My hang up is that I can’t authorize a domain user to run System services, nor can I add a system account as an admin in SQL. Which is a bit mind boggling.

      • James Conway says:

        Currently my problem is while enabling high availability: Could not create database ‘…’ please check that the broker server has access to the sql server… The SQL server is on the same VM as the connection broker.

      • James Conway says:

        Hi Arjan, any updates on this?

  45. James Conway says:

    What do you mean by that? Do you mean you can’t put the local account from the SQL server in the global security group? Because the solution for that is to add the computer and run the service from the system account (at least that fixed it for me).

  46. Sumit Tiwari says:

    Hi! Msfreaks,

    Greeting for the day hope you are doing well.
    I am facing an issue. I have created an RDS farm with 1 RDSW / 1 RDSBROKER / 1 RDSGATEWAY / 4 Session Hosts.

    When I am trying to add one more broker I am getting an error. Will you please let me know, if I had installed HA with a dedicated server, is there any option I can change with a shared server option for connection broker configuration?

  47. Paolo says:

    Very good and detailed tutorial.
    Is it possible to use a single host (DC + RDS on the same server)?
    I only need to allow users to connect via RDP sessions (through VPN)
    Thanks
