How to Set Up a Single Server RDS Deployment Using Server 2016
Welcome to my guide on how to configure a single server Remote Desktop Services (RDS) deployment using Server 2016. We’re seeing fewer and fewer RDS deployments but some situations still require some light RDS access. Specialist software which doesn’t run over a VPN or is not cloud based is ideally suited to RDS deployments.
I’ve still seen lots of engineers struggle to properly configure a single server deployment, so let’s get stuck in because it’s actually really easy!
First install Server 2016 with GUI and get all the updates installed.
Add the server to the domain as a member server; in this lab I call mine RDS2016.
Log in as a domain administrator.
Server Manager should launch automatically; click on Dashboard then ‘Add roles and features’.
The wizard will launch so click on Next.
Click on ‘Remote Desktop Services installation’ and click Next.
Click ‘Quick Start’ then Next.
Click ‘Session-based desktop deployment’ and click Next.
Your server should already be in the Selected server list on the right but if not highlight your server from the Server Pool and move it into the selected panel and click on Next.
Tick the box to restart the destination server and click on Deploy.
Let the installation complete.
The installation will start and the server may reboot; if it does, log back in, wait for the install to complete and click on Close.
In Server Manager you will see the new role ‘Remote Desktop Services’ installed. Click on it from the menu to see the configuration.
At this point some will try to configure the RD Gateway option since it’s green and showing ready to configure. Just ignore this because in a single server deployment we don’t need a gateway load balancing our connections because we only have one server! We do however need to set up licensing.
Click on ‘RD Licensing’ to start setting it up.
As before your server should already be selected in the right hand panel but if not select it in the left and move it into the right and click Next.
Click Add to install the licensing role to the server.
Let the role install and click Close.
Next go back to the server manager and right click on ‘RD Licensing’ and click ‘Select RD Licensing Mode’ from the menu.
Select the mode based on the RDS CALs that you have purchased. Here I select Per User because I’ve got a bunch of user CALs available. Click OK.
Next we need to install our RDS licenses. From the server manager select Tools then ‘Remote desktop services’ then click ‘Remote Desktop Licensing Manager’.
First thing we do in the licensing manager is right click the server node and click ‘Activate Server’.
Click Next on the wizard.
Select ‘Automatic Connection’ and press Next.
Enter your company information and press Next.
Continue entering in your info and click Next.
Now starts the license installation wizard, click Next.
Select the license type that you have from the drop down; I’m using retail license packs here. Click Next.
Enter your license key, click Add then Next.
Click Finish to install the licenses.
Your license should appear in the list of available licenses. You can see here I’ve installed 50 2016 user CALs. Next we need to right click the server and select ‘Review Configuration’.
You can see here a warning message that the server is not a member of the license servers group in AD. Click ‘Add to Group’.
The warning says you need to have admin privileges in AD to continue, click Continue.
Click OK to confirm the server has been added to the group.
Verify everything is green and click OK.
Next we need to specify who can connect to the server. From the server manager click on the Remote Desktop role from the left hand menu, click ‘QuickSessionCollection’ then from the Tasks menu click ‘Edit Properties’.
You can see here that Domain Users are allowed access to the server. This is no good from a security perspective! You can’t allow everyone to connect remotely, so it’s best practice to configure a specific group and add users to that group to allow access.
On a domain controller fire up ‘Active Directory Users and Computers’ and create a new group. Select your appropriate OU location, right click, select New then Group.
Give the group an appropriate name; here I use ‘RDS Users’. Set the type to Security and click OK.
Next go to the properties of the new group, click the Members tab and add users who will require remote access and click ok.
Go back to the RDS server and remove the Domain Users group and instead add the new ‘RDS Users’ group we just created.
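The same group restriction can be scripted and then verified. This is an added example, not part of the original guide; it assumes the ActiveDirectory (RSAT) and RemoteDesktop PowerShell modules are available on the RDS server, and the OU path and member names are placeholders.

```powershell
# Added example (not from the original guide). Run as a domain admin on the RDS server.
Import-Module ActiveDirectory   # assumption: RSAT AD PowerShell module is installed
Import-Module RemoteDesktop

$Broker     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # FQDN of this server
$Collection = 'QuickSessionCollection'            # collection created by Quick Start
$GroupName  = 'RDS Users'                         # group name used in the guide
$GroupOU    = 'OU=Groups,DC=example,DC=local'     # placeholder: your own OU
$Members    = @('alice', 'bob')                   # hypothetical user accounts

# Create the security group only if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# Add only the accounts that are not already members (avoids "already a member" errors).
$current = @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName)
$toAdd   = @($Members | Where-Object { $_ -notin $current })
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# -UserGroup sets the collection's allowed groups to exactly this list,
# which drops the default Domain Users entry.
$Domain = (Get-ADDomain).NetBIOSName
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup "$Domain\$GroupName" -ConnectionBroker $Broker

# Verify: read the allowed groups back and flag any leftover Domain Users entry.
$allowed = (Get-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup -ConnectionBroker $Broker).UserGroup
$allowed
if ($allowed | Where-Object { $_ -like '*\Domain Users' }) {
    Write-Warning 'Domain Users can still connect to this collection.'
}
```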
Congratulations, you’ve just configured a single server 2016 RDS deployment!
Your next steps are to configure group policies and other UI elements so that the server is locked down enough that users can’t cause it any harm 😉
Also seriously consider your security options: investigate the use of two-factor authentication and brute force mitigation systems to keep the system safe, especially if you open it up to the internet.
Oh, and whatever you do, ensure your domain and local administrator passwords are super secure. There are a lot of brute force bots out there trying to log in, so be careful!
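To see whether the server is already attracting password guessing, the Security log can be summarised by source address. This is an added example, not part of the original guide; the 24-hour window and the threshold of 20 failures are assumptions to tune, and it must be run elevated on the RDS server.

```powershell
# Added example (not from the original guide): summarise failed logons (event 4625)
# by source IP so repeated guessing against the RDS server stands out.
$Since     = (Get-Date).AddHours(-24)   # assumption: look back one day
$Threshold = 20                         # assumption: failures per source worth reviewing

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Event data fields are easiest to read by name from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon type 10 is RemoteInteractive; with Network Level Authentication enabled,
    # failed RDP logons are recorded as type 3 (Network), so keep both.
    if ($data['LogonType'] -in '3', '10' -and $data['IpAddress'] -notin '-', '', $null) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $data['TargetUserName']
            SourceIp = $data['IpAddress']
        }
    }
}

# One row per source address: failure count, how many distinct account names
# were tried, and the first and last attempt in the window.
$failures | Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            First         = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last          = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize
```

A source with many failures spread across many distinct account names is typical of automated guessing and is a candidate for a firewall block or an account lockout policy review.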