In previous part I detailed what are RDS 2016 deployment types, news in RDS 2016 and what are core components. In this guide we will focus on Quick Deployment (All-In-One)
Let’s get started.
Install RDS Roles
OBS!!! Avoid adding RDS roles through Roles and Features Wizard if you are not a Powershell fan. You will need to configure RDS using Powershell.
Open Server Manager and click Manage -> Add Roles and Features
In the wizard on the Before you begin page click on next.
On Select Installation Type page, select Remote Desktop Services Installation, Click Next
On Select Deployment Type page, select Quick Start and click next
On Select Deployment Scenario page, Select Session-Based Desktop Deployment and click next
Since we did the Quick Start selection the Connection Broker, Web Access and Session Host roles will be installed on the single server. Click Next
On Confirmation page, check the box Restart the destination server automatically if required and click Deploy
When you click Deploy progress window will show up. After system restart check that all services configures successful and click Close
That’s it. We can access Remote Desktop Services through Server Manager if we click on Remote Desktop Service link in the left pane.
When you click on it, you will find your self in front of “RDS Manager”.
When you choose Quick Deployment type, Collection (QuickSessionCollection) and Remote App Programs are already configured.
Collections separate out RD Sessions Hosts into separate farms and allow admins to organize resources. (I will talk more about Collections and Collection Properties in my Purpose of RD Collections post).
As you can see the deployment is missing a RD Gateway server and a RD Licensing server.
Click the Add RD Licensing server green button.
Select a server, Next
Confirm selections and click add. Wait until the role service is deployed and click Close.
Next, we need to add RD Gateway. Click the Add RD Gateway server green button.
Select a server, Next
When we go through the wizard it’s gonna create a self-signed SSL certificate. I will replace that certificate with Trusted one a little bit later. On SSL Certificate Name page, I will type in Fully Qualified Domain Name of my RDS server rds01.mehic.se
Hit Next and Add. Wait until the role service is deployed and click on the Configure Certificate to review Certificate Options
(OBS!!! I will talk more about Deployment Properties in Exploring Deployment Properties series)
Notice that the certificate level currently has a status of Not Configured. The RD Gateway certificate is used for Client to gateway communication and needs to be trusted by the clients. Either install the self-signed certificate on all clients, or use a certificate for which the complete certificate chain is already trusted by all clients. As it said in the wizard, the external FQDN should be on the certificate.
Before we create new certificate, we need to configure DNS so that external users can resolve the name of the RD Gateway to the right IP address. You will configure it on your external DNS (hosted dns or DNS out on your ISP) somebody that we do not have the control over but that is accessible from the internet.
In this case my “external DNS” (ROUTER -machine on my external network) will handle DNS for the external network.
If I try to ping my gateway from external Windows 10 machine the ping will fail.
Everything works internally
Open DNS Manager and browse to Forward Lookup Zones. Right-Click on Forward Lookup Zones and select New Zone
On Welcome to the New Zone Wizard page click next. On Zone Type page accept the defaults and click next.
On Zone Name page, type in your zone name, In my case mehic.se and click next
On Zone File, Dynamic Update page accept the defaults and click Finish
Once finish, right-click on the new zone and select New Host (A or AAAA)
In real life you would type in the external IP address of your NAT router or the firewall, public IP that is closest to the gateway. In my case I am not running NAT and I am not running firewalls so I will put in its internal IP
I will also add my CA IP address.
Now if I try to ping from my “External Machine” ping will work.
Let’s try to connect to RDCB with RDP. Just open Run (Windows Button + R) and type in mstsc. Type in RDCB name and click on Advanced Tab
Advanced –> Settings and specify RD Gateway and click OK and Connect.
Windows Security will popup. Type in credentials and hit OK and you will run into this error.
We receive this error message because we didn’t configure certificate which is our second prerequisite.
In real life you would purchase this certificate from a public CA (GoDaddy,VeriSign etc.). This certificate needs to contain the FQDN you will use as the RD Web Access URL (mine is rds01.mehic.se). It needs to be in .pfx format and you need to have the private key in it. In my case I will use my private CA. (If you are not familiar or if you do not have private CA, please take a look on my Mastering Windows Server 2016 series to learn how to install Certificate Authority)
Open Server Manager –> Tools –> Certification Authority
In CA snap-in, right click on Certificate Template and select Manage
This opens up the certificate template snap-in. What we need to do is to pick one of these templates and copy it so that we can customize it for our purposes. With remote Desktops most certificates that we need are for SSL. Right-Click on Web Server template and select Duplicate Template
New Template Window will pop-up. First thing I am going to do is to change certificate name to MEHIC SSL on the General Tab.
Next click on Request Handling Tab and check Allow private key to be exported.
There is a number of things we can do but the most important thing is permission. So click on Security Tab and give Authenticated Users right to Enroll and Autoenroll. (OBS!!! In real life you may want to lock that certificate down to particular people but in this case it is not important.) I will also going to add in domain computers and give them permission to read, enroll and autoenroll. Click OK when it is done.
Now we need to take that template and Publish it to the CA. To do that, right-click on Certificate Templates –> New –> Certificate Template to Issue
Select our newly created certificate and click OK. When you click OK you will be able to see it in the list of the certificates that have been published to the CA.
The last step is to enroll certificate. Switch over to RDS01 and open up MMC (Windows button + R and type in mmc) Right-Click on Personal –> All Tasks –> Request New Certificate
On Before you begin and Select Certificate Enrollment Policy page, click Next. On Request Certificate page, select MEHIC SSL and click on the link More information is required…. (With an SSL we have to provide other information)
Change the Subject Name Type to Common Name and add the exact name of the server or web site that you are using. First I will add the single lable name rds01 and than the FQDN rds01.mehic.se, click OK
It allows me to Enroll, and then you can see that i have succeeded. Click Finish
Now underneath Personal I can go up and click Certificates, and there’s the certificate that I requested. Next we need to export the certificate with private key and configure gateway, rdwa, rdcb to use it.
Right-Click on it –> All Tasks –>Export
Welcome Export Wizard will pop-up. Click Next. Select Yes, Export the private key and click next
On Export File format click next.
Check Password box and type in the password. Click next
Type in the name and where you want to save it and click next and finish
Now let’s go back to the Deployment Properties and select RD Gateway –> Select Existing certificate
Add certificate and click OK.
Click Apply and you will notice that certificate level has now status of Trusted.
Do the same for the RDWA and RDCB.
Time to test the setup!
Browse to the https://”Your RDWA server name”/rdweb. If everything is good, we will not receive certificate error message. RD Gateway will also work.
You really awesome
LikeLiked by 1 person
Do you recommend installing RDS roles on a single server along with AD (Domain Controller)/DNS/DHCP roles?
No. Rds connection broker and dc don’t like each other and if you try to install it on a dc you will find your self in a big trouble. Dc should only be a domain controller and nothing else. Only roles that should be installed on it are dns and dhcp. If you have small environment you can install all rds roles on a single server but never on a domain controller.
Perfect. Thank you.
You are welcome 🙂
my server is Windows 2016 server tercentenary core installation and standalone/single vm RDS deployment required. is there a way to perform Quick Start deployment through powershell ?
There are only 3 roles that can be installed on core.
RD Connection Broker, RD Licensing and RD Virtualization Host so completely RDS deployment cannot be done on server core.
*sorry for typo – tercentenary = datacenter
I just need a RDS to run few application and I don’t need a domain. How can I configure RDS on a serveur 2016 without a DC ?
You will need to install Remote Desktop Services Session Host role on your server. After installing this role you will have the ability to host many rdp sessions but this will be valid for 120 days so you will need to have licensing role installed as well and CALs. To activate the CALs, you need to have product key, OLP license and activation number or other form of licensing information for your license.
Full rds deployment will need a domain
If I don’t want all the roles on single server but if I got say 4 servers, how do I design my small environment? I will have dc and others setup already in the environment. Just need RDS solution.
RD Licensing role uses very little resources so you can place it on any server. That role needs to be always on so placing it on a domain controller is a good idea. That is the only role that/should be installed on a DC. RD Gateway and RD Web Access can be on the same server. Broker needs one server and RDSH needs one. It all depends how many users will connect to the rd session host and what apps you are planing to run. If there are over 20 users I would recommend 2 Session host servers for HA and load.
Hi Nedim. Are there additional requirements for installing RDS quick on hosted VPS machines running Server 2016? Other than AD DS and DC on another machine)
No, domain membership is the only requirement for full RDS support with RD Connection broker etc…
I have issues with RDP from outside the network. It give me message “your computer can’t connect to the remote computer because the remote desktop gateway server address is requested and the certificate subject name do not match …” I install same certifacte issued and installed on the server and still same. I tried also “copy to file” the certificate and install it without success. Any help is appreciated.
How do you connect to your RDS farm from outside? Do you using RD Web Access? First of all, the certificate names much match the external name of the RD Gateway. When you’re using certificates for identification, there has to be an exact match between the entity you’re contacting and the name of the certificate. So let’s say the real name of our server is rdgw01.nm.com, but out on the internet we’re going to point people to rd.nm.com. We need to make sure that the rd.nm.com name is on that certificate. You can use wildcard as well so can you tell me what cert do you using and how do you connect?
I am trying to follow your instructions, but when I try to choose Quick Start (as deployment type) I get a message: The local server must be joined to the domain to complete the Remote Desktop Service Quick Start or Standard deployment option”
I have a new VPS with Windows Server 2016.
If I choose MultiPoint Services I can finish the installation, but when I try to manage the server I get a message saying that “You are currently logged on as local administrator on the computer. You must be logged on as a domain user to manage servers and collections”
What should I do?
Hi Perherman ,
RDS deployment is designed to be joined to a domain. If you want to run it in a workgroup then you will not be able to use connection broker , rdweb access etc. Can you tell me what are the requirements? Do you have a domain or you would like to run it in a workgroup?
What needs to be installed if the remote users will already be connected to the host network over a VPN?
Can you please be more specific? Do you mean what RDS roles or?
Thank you for this excellent guide. I need RDS primarily for Desktop sessions, external access will be taken care of via VPN, so I don’t really need the Web Access connection.
I do have an existing VM which is the AD DC (I could install the licencing Server here), and I have one other VM on which I would like to install the remaining roles. It’s for a small environment with a max of 5 Users on at the same time. This worked well in my current 2008 R2 RDS environment.
Will it work in Windows Server 2016? Do I still need to install the Certficate etc. if the Users will only connect via VPN?
Yes. If you are not going to use web access/gateway and if users will use built-in rdp (mstsc) then configure default collection on connection broker. It is a good idea to install licensing role on a domain controller. You can install all roles on one server it will not be a problem for a small environment.
When I open the MMC, the console root is empty.
I’m currently logging in as the domain administrator.
Any thought on this?
Did you press on file and on Add/Remove Snap-in to add that what you need? If I am not wrong it is about certificate? Please add certificate snapin.
Thanks, I added the local computer certificates snap-in and it works now.
Great articles! Thanks!
One question: is it allowed / recommended to do a quick install on a DC? I have a discussion with a company that did that and the server has a lot of problems from day 1 on.
That is never recommended and you should never try to implement RDS on a DC. For a small environment you should have another VM with all roles on it but never on a dc.
Hi Nadim, I have 1 Server running DC and 1 Server running sccm and sql on it. Should I setup another server or install RDS on the same server that runs sccm and sql?, This is for testing
I would configure new VM and install RDS components on it.
Thanks for the quick replay
Excellent. A really good and useful overview.
Hey Nedim, thanks so much for your posts, they are super helpful! I have a question, what would be the best way to publish app shortcuts from RDS directly to user workstation desktop when using 2016 RDS configured using a quick mode install?
Nedime, kao prvo, ti si car! Ovakvo lepo i detaljno objasnjenje odavno nisam doziveo/procitao!
Ako imas zivaca, pogledaj ovakav scenario:
-Unajmljen dedicated server 2016 kod provajdera (cloud)
-na njemu mi treba RDS, sa 1 aplikacijom koju ce da koristi 5 usera
-aplikacija je client/server sa sopstvenom database
-najradije ne bih pravio DC kontroler, nego stand alone server
-Cini mi se/mislim da je moja najbolja opcija, “quick start” i da sve strpam u tu jednu masinu. Razmisljanje je bilo da napravim VM i da tu instaliram klient, ali za 5 korisnika… a i stvar se komplikuje. Fizicki, masina ima 32GB RAM, 4 core, trebalo bi da je dovoljno da funkcionise lepo.
Imas li neki savet/predlog?
Lijep Pozdrav Edi,
Hvala ti puno na lijepim rijecima. Prvi problem sa kojim ces se sresti (ako se odlucis bez DC Kontrolera) je taj da ti nece sve komponente raditi. RD Connection Broker nemoze da radi u workgroup. Vecina powershell cmdlets nerade u workgroup i moraces da sve administriras sa lokalnim GPO, WMI komandama, registry i tako dalje. Ono sto mozes da napravis je da instaliras session host i licensing server role na taj server i na taj nacin dobijes terminal server koji sa tom konfiguracijom je dovoljno jak da podnese tu aplikaciju.
Ako ti bilo kako drugacije mogu pomoci samo reci.
This is by far the best instructions I have seen. I really appreciate your Mastering Windows Server 2016 series to learn how to install Certificate Authority. Big help there as well.
LikeLiked by 1 person
You are welcome Pawel, Thank you.
Wonderful, very helpful, thank you very much.
LikeLiked by 1 person
Excellent series of articles, great job!
LikeLiked by 1 person
The single best rdp deployment article. Blows the technet articles out of the water. Well done
LikeLiked by 1 person
Many thnx Joshua