How to Setup a Single Server RDS Deployment Using Server 2016
Welcome to my guide on how to configure a single server Remote Desktop Services (RDS) deployment using server 2016. We’re seeing less and less RDS deployments but some situations still require some lite RDS access. Specialist software which doesn’t run over a VPN or is not cloud based is ideally suited to RDS deployments.
I’ve still seen lots of engineers struggle to properly configure a single server deployment so lets get stuck in because actually is really easy!
First install Server 2016 with GUI and get all the updates installed.
Add the server to the domain as a member server, in this lab I call mine RDS2016.
Login as a domain administrator.
Server manager should automatically launch, click on Dashboard then ‘Add roles and features’.
The wizard will launch so click on Next.
Click on ‘Remove Desktop Services Installation’ and click Next.
Click ‘Quick Start’ then Next.
Click ‘Session-based desktop deployment’ and click Next.
Your server should already be in the Selected server list on the right but if not highlight your server from the Server Pool and move it into the selected panel and click on Next.
Tick the box to restart the destination server and click on Deploy.
Let the installation complete.
The installation will start and the server may reboot, if it does then log back in and wait for the install to complete and click on Close.
In the server manager you will see the new role ‘Remote Desktop Services’ installed. Click on it from the menu to see the configuration.
At this point some will try and configure the RD Gateway option since its green and showing ready to configure. Just ignore this because in a single server deployment we don’t need a gateway load balancing our connections because we only have one server! We do however need to setup licensing.
Click on ‘RD Licensing’ to start setting it up.
As before your server should already be selected in the right hand panel but if not select it in the left and move it into the right and click Next.
Click Add to install the licensing role to the server.
Let the role install and click Close.
Next go back to the server manager and right click on ‘RD Licensing’ and click ‘Select RD Licensing Mode’ from the menu.
Select the mode based on the RDS cals that you have purchased. Here I select Per User because i’ve got a bunch of user cals available. Click OK.
Next we need to install our RDS licenses. From the server manager select Tools then ‘Remote desktop services’ then click ‘Remote Desktop Licensing Manager’.
First thing we do in the licensing manager is right click the server node and click ‘Activate Server’.
Click Next on the wizard.
Select ‘Automatic Connection’ and press Next.
Enter you company information and press Next.
Continue entering in your info and click Next.
Click Next.
Now starts the license installation wizard, click Next.
Select the license type that you have from the drop down. I’m using retail license packs here and click Next.
Enter your license key, click Add then Next.
Click finish to install the licenses.
Your license should appear in the list of available licenses. You can see here i’ve installed 50 2016 user cals. Next we need to right click the server and select ‘Review Configuration’.
You can see here a warning message that the server is not a member of the license servers group in AD. Click ‘Add to Group’.
The warning says you need to have admin privileges in AD to continue, click Continue.
Click OK to confirm the server has been added to the group.
Verify everything is green and click ok.
Next we need to specify who can connect to the server. From the server manager click on the Remote Desktop role from the left hand menu, click ‘QuickSessionCollection’ then from the Tasks menu click ‘Edit Properties’.
You can see here that Domain Users are allowed access to the server. This is no good from a security perspective! you cant allow everyone to connect remotely so its best practice to configure a specific group and add users to that group to allow access.
On a domain controller fire up ‘Active directory users and computers’ and create a new group. Select your appropriate OU location right click, select New then Group.
Give the group an appropriate name, here i use ‘RDS Users’. Set the type to security and click ok.
Next go to the properties of the new group, click the Members tab and add users who will require remote access and click ok.
Go back to the RDS server and remote the Domain users group and instead add the new ‘RDS Users’ group we just created.
Congratulations you’ve just configured a single server 2016 RDS deployment!
You next steps are to configure group polices and other UI elements so that the server is locked down enough that users cant cause it any harm 😉
Also seriously consider your security options, investigate the use of two factor authentication and brute force mitigation systems to keep the system safe especially if you open it up to the internet.
Oh and what ever you do ensure your domain and local administrator passwords are super secure. There’s a lot of brute force bots out there trying to login so be careful!
10th September 2018
Very clear and concise ‘how-to’ As a follow-up maybe you can explain how the user will access the server? Will they RDP directly to the server? Is virtualization used to provision what users have access to in their RDS desktop environment?
3rd December 2018
I have the very same question.
3rd December 2018
No problem guys ill update the post as soon as I get a chance but all you need to do is open the remote desktop application and enter the servers IP address or hostname and connect.
To open the remote desktop program, click the start menu and type mstsc and press enter.
Virtualisation is not generally used to provision to end users, you would put shortcuts to installed applications into c:\users\public\desktop and those icons will appear for all users. The end users would use the remote desktop application to then connect to the server.
Alternatively you could publish applications to their desktops as I show in this article although it’s more common to give end users a full remote desktop type experience: http://www.slashadmin.co.uk/remote-desktop-windows-10-virtual-applications-aka-xp-mode/
4th December 2018
How would you automate all this from PowerShell?
24th January 2019
Is it possible to setup Azure MFA server for authenticating RDS sessions on a single server?
18th February 2019
Will this set-up work if users will be logging in from Thin-Clients?
18th February 2019
Hi Nina,
Yes it will no problem. Just point the rdp icon to the server’s IP address and away you go.