This guide covers installing, configuring and operating a terminal server farm based on the Remote Desktop Services (RDS) role in Windows Server. It walks through deploying Remote Desktop Services on Windows Server 2022, 2019 and 2016 in an Active Directory domain.
Remote Desktop Services components in Windows Server 2022/2019/2016/2012R2.
The RDS role in Windows Server includes the following components:
- Remote Desktop Session Host (RDSH) - RDS session hosts. The main workhorses of the RDS farm that run user applications;
- Remote Desktop Connection Broker (RDCB) is an intermediary for RDS connections. Used to manage the RDS farm, load balancing, reconnect users to their sessions, store RDS collections and published RemoteApps;
- Remote Desktop Gateway (RDGW) - provides secure access to RDS services from the Internet;
- RD Web Access (RDWA) - web interface for accessing desktops, RemoteApp programs;
- Remote Desktop Licensing (RD Licensing) is a licensing service that manages RDS licenses (CALs) for users.
In our small lab there will be only three servers with the following distribution of roles:
- msk-rds1.site.io – RDSH
- msk-rds2.site.io – RDSH
- msk-rdsman.site.io – RDSH, RDWA, RDCB, RD Licensing
In the simplest cases, you can deploy a standalone server with the Remote Desktop Session Host (RDSH) role without Connection Broker and RDS Web Access.
Prerequisites to complete before creating an RDS farm:
- Install the same version of Windows Server on all servers, configure them, and add them to the same AD domain;
- Open the ADUC console (dsa.msc) and move all hosts with the RDSH role to the same OU in AD. This makes it easier to apply uniform settings to them through GPO;
- Create a group for the RDSH servers in the domain (for example, msk-rdsh) and add all hosts to it;
- If you want to use User Profile Disks (UPDs) to store RDS user profiles (or roaming profiles), you must create a network directory on a file server to store them (preferably on a Windows Server Failover File Cluster). Grant Full Control on this directory (both share and NTFS permissions) to the msk-rdsh group. The disks are mounted by the session hosts, not by the users, so only the RDSH computer accounts need access; do not leave Everyone or Authenticated Users with rights to a folder that holds every user's profile.
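The prerequisites above as one PowerShell script. This is an added example, not code from the original article: it assumes an OU named RDS-Hosts under OU=Servers, the group msk-rdsh, the hosts msk-rds1/msk-rds2/msk-rdsman, and the path D:\mskrds_upd on the file server, and it is meant to be run on the file server with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not from the original article: prepare AD and the UPD share for
# the farm above. Assumptions: OU "RDS-Hosts" under OU=Servers, group msk-rdsh,
# hosts msk-rds1/msk-rds2/msk-rdsman, share path D:\mskrds_upd on this file server.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$ParentOU  = "OU=Servers,$($Domain.DistinguishedName)"      # assumption
$OuPath    = "OU=RDS-Hosts,$ParentOU"
$GroupName = "msk-rdsh"
$Hosts     = "msk-rds1", "msk-rds2", "msk-rdsman"
$SharePath = "D:\mskrds_upd"                                # assumption
$ShareName = "mskrds_upd"
$GroupNT   = "$($Domain.NetBIOSName)\$GroupName"

# 1. One OU for every session host, so a single GPO link covers all of them
try   { Get-ADOrganizationalUnit -Identity $OuPath | Out-Null }
catch { New-ADOrganizationalUnit -Name "RDS-Hosts" -Path $ParentOU }

# 2. Security group holding the RDSH computer accounts
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath
}
foreach ($h in $Hosts) {
    $computer = Get-ADComputer -Identity $h
    if ($computer.DistinguishedName -notlike "*,$OuPath") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuPath
    }
    $isMember = Get-ADGroupMember -Identity $GroupName | Where-Object { $_.SID -eq $computer.SID }
    if (-not $isMember) { Add-ADGroupMember -Identity $GroupName -Members $computer }
}

# 3. UPD directory with explicit, least-privilege NTFS ACLs: the RDSH computer group,
#    Administrators and SYSTEM get Full Control; inherited ACEs (for example the
#    default BUILTIN\Users read access) are discarded because user profiles live here.
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)                 # stop inheritance, drop inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($principal in $GroupNT, "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $rights, $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 4. SMB share restricted to the same principals; the share ACL never grants Everyone
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $GroupNT, "BUILTIN\Administrators" | Out-Null
}
Get-SmbShareAccess -Name $ShareName
```

A computer account picks up new group memberships only when its Kerberos ticket is renewed, so reboot the session hosts after adding them to msk-rdsh; otherwise the first UPD mount on that host fails with access denied even though the ACLs are correct.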
Create a new Remote Desktop Services configuration in Windows Server.
Let's see how to create and configure an RDS configuration using the Server Manager GUI.
Open Server Manager and add all planned RDS servers to the console. Click All Servers -> Add Servers.
Now from the Server Manager menu select Add Roles and Features -> Remote Desktop Services installation -> Standard deployment -> Session-based deployment.
Quick Start mode deploys all RDS components on a single server. An RDS farm can consist of just one server that combines all RDS roles (RD Session Host, RD Web Access and RD Connection Broker), but this configuration provides neither fault tolerance nor load balancing.
Next, specify how to distribute the RDS roles across your servers. In the deployment wizard, select the servers for each role. In my case, I want to build the following configuration:
- RD Connection Broker - msk-rdsman
- RD Web Access - msk-rdsman
- RD Session hosts - msk-rdsman, msk-rds1, msk-rds2
You can assign RDS roles to servers in any other configuration.
Check the Restart destination server automatically if required checkbox and click the Deploy button. Wait for the RDS roles to be installed on all servers.
So, your RDS farm is created.
The next step is to install and configure the RDS licensing server. You can install the RD Licensing role on one of the servers in your farm, or use an existing RDS licensing server in your domain. Installing, configuring and activating the RD Licensing role is covered in a separate article.
To manage your RDS deployment, go to Server Manager -> Remote Desktop Services . The Overview tab shows the farm's current RDS configuration.
To change the RDS farm settings, select Tasks -> Edit Deployment Properties in the Deployment Overview section.
Here you can change:
- RD Gateway parameters;
- License server address and the RDS CAL licensing mode (Per User / Per Device);
- View the RD Web Access URL;
- Add SSL certificates for RDS services (we will skip this step in the instructions).
The farm is managed through the RDCB server. The entire configuration of an RDS farm is stored in the Connection Broker's database (a local Windows Internal Database for a single broker, or a full SQL Server instance in a high-availability configuration). If necessary, you can manually transfer the RDS Connection Broker role and configuration to another server.
To build a failover Remote Desktop Services farm, the RD Connection Broker role must be made highly available. This is achieved by running multiple RDCB (Active/Active) instances on different servers with a common SQL database that stores the connection broker configuration. To ensure high availability of the RDCB SQL database, it can be placed in a SQL Server Always On high availability group . Previously, we published a detailed guide on setting up RDS Connection Broker with high availability.
Creating Remote Desktop Services Collections in Windows Server.
The next configuration step is to create collections of RDS sessions. Remote Desktop Collections allow you to separate hosts in an RDSH farm into separate groups, or create a different set of settings and available Remote Apps for different groups of users.
Go to the Collections section and select Tasks -> Create Session Collection.
Here you need to set:
- RDS collection name: rds-Msk-Managers
- Select which RDSH hosts will serve users of the collection (an RDSH host can belong to only one collection; it is not recommended to mix servers with different Windows Server versions in one collection);
- The User Groups tab specifies the user groups that are allowed to connect to the collection. Remove Domain users from groups and add your group (msk-Managers);
- On the User Profile Disk tab, specify whether to store user profiles as User Profile Disks (Enable user profile disks). In the Location of user profile disks field, enter the UNC path to the network directory (for example, \\msk-fs01\mskrds_upd) where the profiles will be stored as VHDX disks, and the maximum disk size (20 GB by default). With UPDs, a user gets the same profile no matter which server in the collection they log on to;
- Click Create to create a new RDS collection;
- Make sure that the UPD file with the user profile template UVHD-template.vhdx has been created in the specified directory.
To set options for an RDS collection, select it and click Tasks -> Edit Properties.
Here you can change the basic parameters of the collection (name, description, access groups) and a number of other important settings.
In the Session section, you can set the parameters for reconnecting / automatically disconnecting idle RDP sessions (for more details, see the article Setting timeouts for RDP sessions).
On the Security tab, you can select the security layer (Negotiate, RDP Security Layer or SSL/TLS) and the encryption level (Low, Client Compatible, High or FIPS Compliant) for RDP sessions, and enable or disable Network Level Authentication. For a domain farm, keep NLA enabled and use SSL/TLS with High or FIPS Compliant encryption: the legacy RDP Security Layer provides no server authentication, and Negotiate allows a client to fall back to it.
In the Load Balancing section, you can change the weights ( Relative Weight ) of the RDSH hosts in your farm. If the characteristics of the servers (RAM, CPU) in the collection are very different, you need to set a lower weight for less productive servers. In this case, RDCB will distribute user sessions among servers depending on their weight.
On the Client Settings tab, you can specify which local devices users are allowed to redirect into the RDP session: printers, drives, audio devices, the clipboard, COM/LPT ports, USB (Plug and Play) devices and smart cards. Drive, clipboard and USB redirection are the usual channels for moving data out of a terminal server, so enable only what the users of the collection actually need.
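The Session, Security and Client Settings tabs can be set from PowerShell as well, which is easier to audit and repeat across collections. The following is an added example, not code from the original article; it assumes the collection rds-Msk-Managers and the broker msk-rdsman.site.io from this guide. Set-RDSessionCollectionConfiguration keeps each tab in its own parameter set, so it takes one call per tab.

```powershell
# Added example, not from the original article. Assumed names: collection
# rds-Msk-Managers, Connection Broker msk-rdsman.site.io.
Import-Module RemoteDesktop

$Broker     = "msk-rdsman.site.io"
$Collection = "rds-Msk-Managers"

# Security tab: TLS only, High encryption, NLA mandatory. Negotiate would let a
# client fall back to the legacy RDP security layer, which has no server authentication.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -SecurityLayer SSL -EncryptionLevel High -AuthenticateUsingNLA $true

# Client Settings tab: redirect only audio playback and the time zone. Drives, clipboard,
# USB/PnP, COM/LPT ports, smart cards and printers stay off; add one back per collection
# only when its users need it, since each is a file-transfer path out of the host.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -ClientDeviceRedirectionOptions "AudioVideoPlayBack, TimeZone" `
    -ClientPrinterRedirected $false -MaxRedirectedMonitors 2

# Session tab: disconnect idle sessions after 30 min, log off disconnected sessions after
# 60 min, disconnect (rather than keep) a session whose network link breaks, and delete
# per-session temp folders at logoff.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -IdleSessionLimitMin 30 -DisconnectedSessionLimitMin 60 `
    -BrokenConnectionAction Disconnect -TemporaryFoldersDeletedOnExit $true

# Read each tab back to confirm what the broker actually stored
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Security
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Client
Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Connection
```

High encryption rejects very old RDP clients; if a FIPS policy is enforced on the hosts, use FipsCompliant instead, which the farm will require anyway.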
In the User Profile Disks section , you can fine-tune the UPD settings for user profiles. You can exclude certain folders or files from synchronization. This will reduce the size of the UPD profile in the network directory and increase the speed of loading the profile (remember that it is loaded over the network from the network folder when the user logs in).
Setting up and operating a UPD is usually much easier than using roaming profiles or folder redirection. One UPD profile cannot be used in different RDS collections.
To reduce the size of a user's UPD, you can use the standard Resize-VHD cmdlet from the Hyper-V PowerShell module, the same one used to resize Hyper-V VHDX disks. The user must be logged off (the disk must not be mounted by any session host), and the volume inside the VHDX has to be shrunk to fit before the disk itself can be shrunk.
In the HOST SERVERS section of the RDS collection, you can put any server in the collection into maintenance (drain) mode. To do this, right-click it and select Do not allow new connections. Connection Broker will then stop sending new user connections to this server, while users with existing sessions can still reconnect to them. In this mode, you can safely install Windows updates or update applications on the server without affecting users.
Here you can also add or remove RD Session Hosts from the collection.
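Drain mode is also exposed through Set-RDSessionHost, which makes it possible to script a full maintenance cycle: stop new logons, wait for the remaining sessions to end, patch, and put the host back. The function below is an added example, not code from the original article; it assumes the host msk-rds1.site.io and the broker msk-rdsman.site.io from this guide.

```powershell
# Added example, not from the original article: drain a session host, wait for its
# users to leave, run a maintenance step, and return it to the pool.
# Assumed names: broker msk-rdsman.site.io, host msk-rds1.site.io.
Import-Module RemoteDesktop

function Invoke-RDSHMaintenance {
    param(
        [Parameter(Mandatory)][string]$SessionHost,
        [Parameter(Mandatory)][string]$ConnectionBroker,
        [int]$DrainTimeoutMin = 120,
        [scriptblock]$MaintenanceAction = {}
    )
    # 1. Drain mode: no new logons, but reconnects to existing sessions still work
    Set-RDSessionHost -SessionHost $SessionHost -ConnectionBroker $ConnectionBroker -NewConnectionAllowed No
    try {
        # 2. Poll until the host has no sessions, nudging the remaining users every 5 minutes
        $deadline = (Get-Date).AddMinutes($DrainTimeoutMin)
        do {
            $sessions = @(Get-RDUserSession -ConnectionBroker $ConnectionBroker |
                          Where-Object { $_.HostServer -eq $SessionHost })
            if ($sessions.Count -gt 0 -and (Get-Date) -lt $deadline) {
                foreach ($s in $sessions) {
                    Send-RDUserMessage -HostServer $SessionHost -UnifiedSessionID $s.UnifiedSessionId `
                        -MessageTitle "Scheduled maintenance" `
                        -MessageBody "Please save your work and log off; this server will restart shortly."
                }
                Start-Sleep -Seconds 300
            }
        } while ($sessions.Count -gt 0 -and (Get-Date) -lt $deadline)

        # 3. Whoever is still logged on after the deadline is logged off (unsaved work is lost)
        foreach ($s in $sessions) {
            Invoke-RDUserLogoff -HostServer $SessionHost -UnifiedSessionID $s.UnifiedSessionId -Force
        }
        & $MaintenanceAction
    }
    finally {
        # 4. Always re-enable the host, even if the maintenance step throws
        Set-RDSessionHost -SessionHost $SessionHost -ConnectionBroker $ConnectionBroker -NewConnectionAllowed Yes
    }
}

# Usage: patch msk-rds1 with a reboot; Restart-Computer -Wait returns once the host is back
Invoke-RDSHMaintenance -SessionHost "msk-rds1.site.io" -ConnectionBroker "msk-rdsman.site.io" -DrainTimeoutMin 60 `
    -MaintenanceAction { Restart-Computer -ComputerName "msk-rds1.site.io" -Wait -For PowerShell -Force }
```

The host is re-enabled in a finally block on purpose: a failed update run that leaves a server silently drained is a common way to lose half a farm's capacity without anyone noticing.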
Publishing a RemoteApp to Remote Desktop Services.
RemoteApps are applications published to users on RDS servers. Thanks to RemoteApp, you can use applications installed on the RDSH terminal server as if it were running directly on the user's computer. The user does not see the entire Windows Server RDS desktop and only works with programs that an administrator has published for them. Only the window of the program running on RDS will be displayed on the user's computer.
If you don't create a RemoteApp, users will work directly on their own desktops on Windows Server. Therefore, do not forget to copy all the application shortcuts that the user needs to the C:\Users\Public\Desktop folder. Files from this folder will be displayed on the desktop of all users. If you are installing MS Office 365 on RDSH, please note that Office must be deployed in SharedComputerLicensing mode.
RemoteApp applications are created in the RDS Collections settings. Select Tasks -> Publish RemoteApp Programs in the REMOTEAPP PROGRAMS section.
Windows will display all applications installed on the current server. You can choose one of them. If your application is not listed but is installed on other RDS hosts, click the Add button and specify the full path to the application's executable (exe, bat, cmd, etc.).
Publish the RemoteApp application.
You can then specify additional application options in the RemoteApp settings.
- Whether to show the published RemoteApp application in the RD Web Access web interface;
- Set the launch parameters (arguments) of the application (Command-line Parameters -> Always use the following command-line parameters);
- On the User Assignment tab , you can further restrict which user groups are allowed to run the application.
If you want to change the icon of the published RemoteApp, you need to open the following folder on the server with the RDS Connection Broker role:
C:\Windows\RemotePackages\CPubFarms\rds-Msk-Managers\CPubRemoteApps
Replace the application icon with another ico file.
Now the user can launch the RemoteApp application from RD Web Access (https://msk-rdsman.site.io/RDWeb) or using a special RDP file.
You can set up transparent authorization on RDS Web Access using SSO.
To launch a RemoteApp from a hand-made RDP file, add the following lines to it. The direct program path form shown here only works if the session host is configured to allow remote start of unlisted programs; the RDP files that RD Web Access generates for published applications reference the published alias instead, so prefer those where possible:
remoteapplicationmode:i:1
remoteapplicationname:s:putty
remoteapplicationprogram:s:"C:\Tools\putty.exe"
disableremoteappcapscheck:i:1
alternate shell:s:rdpinit.exe
A few useful little things for convenient operation of the RDS farm:
- The RDWeb role can be configured to support HTML5, this will allow users to connect to RDS servers from any browser and OS, even without an RDP client;
- On the RD Web Access web server , you can publish a link to change an expired user password (by default, with NLA enabled, you will not be able to authenticate to RDSH with an expired Active Directory user password);
- Instructions for users to change the password in the RDP session;
- An administrator can use RD Session Shadow connections to connect/view the desktop of a user session on the RDS server;
- To quickly find which RDS servers have sessions for a particular user, you can use PowerShell:
Import-Module RemoteDesktop
Get-RDUserSession -ConnectionBroker msk-rdsman.site.io | where {$_.UserName -eq "a.ivanov"} | Select HostServer
- You can use PowerShell scripts to view and analyze RDP logs of user connections to RDS servers;
- For additional protection, you can set up two-factor authentication (2FA) for users on Windows RDS servers using third-party tools.
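A concrete version of the RDP log analysis mentioned above, as an added example that is not part of the original article: it reads the two session host event logs that record RDP connections, normalises them into one object shape, and summarises user/source address pairs across the farm. Host names are the ones used in this guide; the event XML at the end is constructed so the parser can be checked offline.

```powershell
# Added example, not from the original article: pull RDP logon events from the session
# hosts and summarise who connected from where. The XML sample below is constructed.
#
# Event sources on a session host that record a connection:
#   TerminalServices-RemoteConnectionManager/Operational 1149 - network (NLA) auth succeeded: user, domain, source IP
#   TerminalServices-LocalSessionManager/Operational 21 / 25  - session logon / reconnect: user, session ID, source IP
function ConvertFrom-RdpEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $x      = [xml]$EventXml
    $idNode = $x.Event.System.EventID
    $id     = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
    $d      = $x.Event.UserData.EventXML
    switch ($id) {
        1149    { $user = "$($d.Param2)\$($d.Param1)"; $ip = $d.Param3;  $action = 'NetworkAuthOK' }
        21      { $user = $d.User;                      $ip = $d.Address; $action = 'SessionLogon' }
        25      { $user = $d.User;                      $ip = $d.Address; $action = 'SessionReconnect' }
        default { return }
    }
    [pscustomobject]@{
        Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
        Computer = $x.Event.System.Computer
        EventId  = $id
        Action   = $action
        User     = $user
        SourceIP = $ip
    }
}

function Get-RdpLogon {
    param([string[]]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-1))
    $filters = @(
        @{ LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id = 1149;   StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational';     Id = 21, 25; StartTime = $Since }
    )
    foreach ($c in $ComputerName) {
        foreach ($f in $filters) {
            Get-WinEvent -ComputerName $c -FilterHashtable $f -ErrorAction SilentlyContinue |
                ForEach-Object { ConvertFrom-RdpEventXml -EventXml $_.ToXml() }
        }
    }
}

# Constructed sample of a 1149 event, in the shape Get-WinEvent returns from ToXml()
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" />
    <EventID>1149</EventID>
    <TimeCreated SystemTime="2024-05-02T08:15:03.000Z" />
    <Computer>msk-rds1.site.io</Computer>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <Param1>a.ivanov</Param1><Param2>SITE</Param2><Param3>192.0.2.45</Param3>
    </EventXML>
  </UserData>
</Event>
'@
ConvertFrom-RdpEventXml -EventXml $sample | Format-List

# Live use against the farm: user / source address pairs over the last 7 days, most
# frequent first. A known account appearing from a new network is worth a closer look.
$Hosts = "msk-rds1.site.io", "msk-rds2.site.io", "msk-rdsman.site.io"
Get-RdpLogon -ComputerName $Hosts -Since (Get-Date).AddDays(-7) |
    Group-Object User, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Event 1149 fires when the network-level (NLA) authentication succeeds, before the session exists, so it is the better source for brute-force and credential-reuse hunting; events 21 and 25 are what to join against when you need the session ID for a shadow connection or a logoff.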
Set up a Remote Desktop services farm using PowerShell.
If you have a clear understanding of the concept of an RDS farm, you can quickly deploy an RDS configuration using PowerShell.
The following PowerShell commands for creating an RDS farm are best run from a separate management host that has the RemoteDesktop module installed (the RSAT-RDS-Tools feature), because the RDS hosts themselves will be rebooted during deployment.
Set the server names in your RDS farm. In this example, I will install the RDCB and RDS Licensing roles on a separate server (it is recommended to set up a failover RDCB configuration later on).
$RDSH1 = "msk-rds1.site.io"
$RDSH2 = "msk-rds2.site.io"
$RDSCB = "msk-rdcb.site.io"
$RDSGW = "msk-rdsgw.site.io"
Import-Module RemoteDesktop
Install the RDS roles on the servers. Add-WindowsFeature (an alias of Install-WindowsFeature) accepts a single -ComputerName, so loop over the session hosts:
foreach ($h in $RDSH1, $RDSH2) {
    Add-WindowsFeature -ComputerName $h -Name RDS-RD-Server -IncludeManagementTools
}
Add-WindowsFeature -ComputerName $RDSCB -Name RDS-Connection-Broker -IncludeManagementTools
Add-WindowsFeature -ComputerName $RDSGW -Name RDS-Web-Access, RDS-Gateway -IncludeManagementTools
Restart all hosts and wait until they are reachable again:
Restart-Computer -ComputerName $RDSH1, $RDSH2, $RDSCB, $RDSGW -Wait -For PowerShell -Force
Create a new RD Session Deployment:
New-RDSessionDeployment -ConnectionBroker $RDSCB -SessionHost $RDSH1, $RDSH2 -Verbose
Add the RDWA and RDGW servers to the farm:
Add-RDServer -Server $RDSGW -Role RDS-WEB-ACCESS -ConnectionBroker $RDSCB
Add-RDServer -Server $RDSGW -Role RDS-GATEWAY -ConnectionBroker $RDSCB -GatewayExternalFqdn "rds.site.io"
The current distribution of RDS roles across the farm servers can be displayed as follows:
Get-RDServer -ConnectionBroker $RDSCB
Install the RDS Licensing role and add it to the deployment:
Add-WindowsFeature -ComputerName $RDSCB -Name RDS-Licensing, RDS-Licensing-UI
Add-RDServer -Server $RDSCB -Role RDS-LICENSING -ConnectionBroker $RDSCB
Set the licensing mode to Per User:
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $RDSCB -ConnectionBroker $RDSCB
Add the license server's computer account to the Terminal Server License Servers domain group (required for it to issue Per User CALs) using Add-ADGroupMember:
Add-ADGroupMember "Terminal Server License Servers" -Members "msk-rdcb$"
If you have a certificate for RDS, you can add it to the farm configuration (a free Let's Encrypt certificate works for the public-facing RD Gateway and RD Web Access names). Do not hard-code the PFX password in the script; read it as a SecureString instead:
$Path = "C:\ps\RDSCert.pfx"
$Password = Read-Host -Prompt "PFX password" -AsSecureString
Set-RDCertificate -Role RDGateway -ImportPath $Path -Password $Password -ConnectionBroker $RDSCB -Force
Set-RDCertificate -Role RDWebAccess -ImportPath $Path -Password $Password -ConnectionBroker $RDSCB -Force
Set-RDCertificate -Role RDPublishing -ImportPath $Path -Password $Password -ConnectionBroker $RDSCB -Force
Set-RDCertificate -Role RDRedirector -ImportPath $Path -Password $Password -ConnectionBroker $RDSCB -Force
Information about the installed certificates can be obtained as follows:
Get-RDCertificate -ConnectionBroker $RDSCB
Now we can create an RDS collection:
$CollectionName = "DEVdept"
New-RDSessionCollection -CollectionName $CollectionName -SessionHost $RDSH1, $RDSH2 -ConnectionBroker $RDSCB -CollectionDescription "Developers"
Allow access to the collection for the required groups:
$UserGroup = @("SITE\msk-developers", "SITE\msk_devops")
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -ConnectionBroker $RDSCB -UserGroup $UserGroup
Publish a RemoteApp:
New-RDRemoteApp -Alias GoogleChrome -DisplayName "Google Chrome" -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -ShowInWebAccess $true -CollectionName $CollectionName -ConnectionBroker $RDSCB
In this article, we looked at how to install and configure a Remote Desktop Services farm based on Windows Server 2019/2022 using the Server Manager GUI and using PowerShell. A more detailed description of the RD Web Access and RD Gateway roles is beyond the scope of the article.