How to Setup a Single Server RDS Deployment Using Server 2016
Welcome to my guide on how to configure a single server Remote Desktop Services (RDS) deployment using server 2016. We’re seeing less and less RDS deployments but some situations still require some lite RDS access. Specialist software which doesn’t run over a VPN or is not cloud based is ideally suited to RDS deployments.
I’ve still seen lots of engineers struggle to properly configure a single server deployment so lets get stuck in because actually is really easy!
First install Server 2016 with GUI and get all the updates installed.
Add the server to the domain as a member server, in this lab I call mine RDS2016.
Login as a domain administrator.
Server manager should automatically launch, click on Dashboard then ‘Add roles and features’.
The wizard will launch so click on Next.
Click on ‘Remove Desktop Services Installation’ and click Next.
Click ‘Quick Start’ then Next.
Click ‘Session-based desktop deployment’ and click Next.
Your server should already be in the Selected server list on the right but if not highlight your server from the Server Pool and move it into the selected panel and click on Next.
Tick the box to restart the destination server and click on Deploy.
Let the installation complete.
The installation will start and the server may reboot, if it does then log back in and wait for the install to complete and click on Close.
In the server manager you will see the new role ‘Remote Desktop Services’ installed. Click on it from the menu to see the configuration.
At this point some will try and configure the RD Gateway option since its green and showing ready to configure. Just ignore this because in a single server deployment we don’t need a gateway load balancing our connections because we only have one server! We do however need to setup licensing.
Click on ‘RD Licensing’ to start setting it up.
As before your server should already be selected in the right hand panel but if not select it in the left and move it into the right and click Next.
Click Add to install the licensing role to the server.
Let the role install and click Close.
Next go back to the server manager and right click on ‘RD Licensing’ and click ‘Select RD Licensing Mode’ from the menu.
Select the mode based on the RDS cals that you have purchased. Here I select Per User because i’ve got a bunch of user cals available. Click OK.
Next we need to install our RDS licenses. From the server manager select Tools then ‘Remote desktop services’ then click ‘Remote Desktop Licensing Manager’.
First thing we do in the licensing manager is right click the server node and click ‘Activate Server’.
Click Next on the wizard.
Select ‘Automatic Connection’ and press Next.
Enter you company information and press Next.
Continue entering in your info and click Next.
Click Next.
Now starts the license installation wizard, click Next.
Select the license type that you have from the drop down. I’m using retail license packs here and click Next.
Enter your license key, click Add then Next.
Click finish to install the licenses.
Your license should appear in the list of available licenses. You can see here i’ve installed 50 2016 user cals. Next we need to right click the server and select ‘Review Configuration’.
You can see here a warning message that the server is not a member of the license servers group in AD. Click ‘Add to Group’.
The warning says you need to have admin privileges in AD to continue, click Continue.
Click OK to confirm the server has been added to the group.
Verify everything is green and click ok.
Next we need to specify who can connect to the server. From the server manager click on the Remote Desktop role from the left hand menu, click ‘QuickSessionCollection’ then from the Tasks menu click ‘Edit Properties’.
You can see here that Domain Users are allowed access to the server. This is no good from a security perspective! you cant allow everyone to connect remotely so its best practice to configure a specific group and add users to that group to allow access.
On a domain controller fire up ‘Active directory users and computers’ and create a new group. Select your appropriate OU location right click, select New then Group.
Give the group an appropriate name, here i use ‘RDS Users’. Set the type to security and click ok.
Next go to the properties of the new group, click the Members tab and add users who will require remote access and click ok.
Go back to the RDS server and remote the Domain users group and instead add the new ‘RDS Users’ group we just created.
Congratulations you’ve just configured a single server 2016 RDS deployment!
You next steps are to configure group polices and other UI elements so that the server is locked down enough that users cant cause it any harm 😉
Also seriously consider your security options, investigate the use of two factor authentication and brute force mitigation systems to keep the system safe especially if you open it up to the internet.
Oh and what ever you do ensure your domain and local administrator passwords are super secure. There’s a lot of brute force bots out there trying to login so be careful!
10th September 2018
Very clear and concise ‘how-to’ As a follow-up maybe you can explain how the user will access the server? Will they RDP directly to the server? Is virtualization used to provision what users have access to in their RDS desktop environment?
3rd December 2018
I have the very same question.
3rd December 2018
No problem guys ill update the post as soon as I get a chance but all you need to do is open the remote desktop application and enter the servers IP address or hostname and connect.
To open the remote desktop program, click the start menu and type mstsc and press enter.
Virtualisation is not generally used to provision to end users, you would put shortcuts to installed applications into c:\users\public\desktop and those icons will appear for all users. The end users would use the remote desktop application to then connect to the server.
Alternatively you could publish applications to their desktops as I show in this article although it’s more common to give end users a full remote desktop type experience: http://www.slashadmin.co.uk/remote-desktop-windows-10-virtual-applications-aka-xp-mode/
4th December 2018
How would you automate all this from PowerShell?
24th January 2019
Is it possible to setup Azure MFA server for authenticating RDS sessions on a single server?
29th May 2020
Publish rds via Azure application proxy then you can use MFA.
18th February 2019
Will this set-up work if users will be logging in from Thin-Clients?
18th February 2019
Hi Nina,
Yes it will no problem. Just point the rdp icon to the server’s IP address and away you go.
5th June 2019
Azure now have an 2019 RDS deployment available in their marketplace, allows you to deploy between 1 – 50 RDS hosts & creates a new 2019 AD Domain with load balanced RDS Host VMs – https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloud-infrastructure-services.rds-2019-basic-deployment-farm?tab=Overview
Post deployment steps: https://cloudinfrastructureservices.co.uk/how-to-setup-remote-desktop-services-rds-2019-farm-on-azure/
5th June 2019
Thanks Andrew,
yes this setup is super easy to do. If you only need a single RDS setup then the monthly costs for Azure hosting a recommended deployment is still on the high side for some when you look at the cost over four years compared to physical hardware.
There is always a hot debate over doing both!
Appreciate the comments and happy to share your link 🙂
9th July 2019
Hi Ian,
thanks for this post. is it ok to install this on a domain controller? thanks, georg
19th July 2019
See Georg’s question, I guess not?
You still need a seperate Domein controller?
1st August 2019
Ian, great article. What if you already have a 2016 RDS licensing server set up elsewhere on your domain? It’s working, configured correctly, per user license. How do we point this new RDS server to an existing license server, not configure it as a license server? Thanks.
14th August 2019
Hello Ian,
I followed your procedure through perfectly but then my thin client has connection alright but could not login. when I put in my login details I get “connection failure code10: No child process” I am able to configure same thin client to other tse servers.
15th August 2019
From what I can tell this is due to a driver issue. Possibly on the RDS or thin client. I would check the application and system logs on the thin client and the RDS host to see what events get logged when you try and connect.
Also I would turn off all options including sound in the local resources tab of the remote desktop connection app on the thin client.
23rd August 2019
To be sure, see previous questions; you still need a seperate Domein controller?
23rd September 2019
when trying to connect from client got error “there are no available computers in the pool”
What to
25th September 2019
Thank you so much for this detail install guide. I had such a hard time setting this up and your guide made it so easy. I thank you a thousand times as this same me a lot of time.
I really appreciate your time and efford to put this together.
12th November 2019
Hello,
Thanks for your helpful guide. I appear to be in a situation where the “Remote Desktop Services role services” Installing… step is hung about ten percent of the way through.
Has anyone else encountered this?
Thanks!
20th November 2019
You’re right, it’s not terribly difficult. However, there are so many options these days to get caught up on. Having this guide makes it a no-brainer job, THANKS!
3rd December 2019
Will this walk-thru work for Server 2019 as well?
4th December 2019
Yes pretty much identical in 2019
1st April 2020
Thanks for this awesome guide. It saved me a heap of trouble and worked perfectly!
17th July 2020
I still have my question if you need a separate domain controller so minimal 2 servers.
I guess you do?
5th August 2020
This guide is ROCK SOLID.
Thanks a million!
4th February 2021
Great article. I have successfully deployed, using my own domain administrator account, on the RDS Licensing/Broker server. I can see everything I am expecting in Server Manager > Remote Desktop Services.
However, if another member of my team logs onto the same server using their own domain administrator account they cannot see any of the configured RDS servers, collections, etc. It’s as if nothing exists and they get “the following servers in this deployment are not part of the server pool”, etc.
So, is there any way to make this full deployment visible to other domain admins?
If they add those servers to ‘their’ Server Manager will all of the RDS parts simply fall into place, or does all of the RDS really only work under one single login?
Thanks in advance
3rd March 2021
Can the RDS Web and Gateway roles be added to an installation of this nature?
9th March 2021
Good work man, it’s clear now. Thanks
29th June 2021
I created a new Security Group as suggested and added the new group and removed domain users – however, all domain users can still login – am I missing something? Thank you