Installing and Configuring Remote Desktop Services (Terminal Services) on Windows Server 2008 R2
In the latest release of Windows 2008 R2, Terminal Services has been renamed Remote Desktop Services (RDS). There are many enhancements in this release including enhanced multimedia performance and the ability to publish custom applications sets to specific users through Remote Desktop Web Access. The Web Access role as the name suggests allows users to access Remote Desktop applications through a web site. This feature is official known as RemoteApp. The new name for the core Terminal Server running in application mode for user sessions is Remote Desktop Session Host.
In my environment I will configure the Remote Desktop Session Host and Web Access roles on the same server. I will also install the Remote Desktop Licensing role on a dedicated server so that any additional Session Hosts I add in the future can share this service. The License Server role can be installed on your Session Host server if desired. All of my servers are members of an Active Directory domain.
Install Remote Desktop Licensing Role
To start go into the Server Manager on the server that will host the Licensing role service.
Under Roles Summary select “Add Roles”.
Click Next.
Check Remote Desktop Services and click Next.
Click Next.
Check Remote Desktop Licensing and select Next.
Discovery scopes are no longer used for licensing with Windows 2008 R2 Remote Desktop, we can assign these to our Remote Desktop Session Host manually or through a group policy. There is a 120 day grace period allowed for connections to a Remote Desktop Session Host before a license server needs to be activated. Click Next.
Confirm the settings and click Install. Then click Close once the install is completed.
Aaron Walrath - Another IT Guy's Meanderings 
Hi Aaron,
Nice doc.
If you create a farm of multiple RDSH, would you install RD Web access on every RDSH? I tought the Web Access role should be installed on 1 server only?
I’m setting up a testlab with 1 Broker, 1 Web Access and 3 Session hosts and the role of the Web Access is not yet quite clear for me.
If a client connects to an url (for example tsfarm.domain.local), does the tsfarm (if you use RR) point to the Web Access Server only or to the 3 Session hosts?
Thx.
David
Hi David,
Actually the setup you are proposing with the Web Access role on a separate server will work fine. Or you could have the Web Access also run on one or more of the Session Hosts if you wanted to save Windows licenses. One thing that I will note is that you want to be careful running the Connection Broker role on a server that also has other RDS roles. In my experience I have had great difficulties with this, so a separate server for the Broker is definitely the way to go IMO.
Your tsfarm URL will point clients to the Web Access server website for authentication and to enumerate the RemoteApp application list, but it should also distribute application run requests to all 3 Session Hosts.
All the best,
Aaron
Hi Aaron,
Does having multiple Web Access servers provide any advantage? I can imagine it will provide some kind of redundancy for the web access portal. For example, if you only have 1 web access server and it goes down, no more access to the farm is possible? If you have multiple RDWA then people can relaunch the web portal?
The point where it gets stuck with me is the farm url. If you use RR and create an A record for all the RDSH servers (no RDWA) like rdservers.domain.local, what url do you use to connect to the farm? Do you use rdservers.domain.local to connect to the farm or do you use fqdn of the web access server? And in case of multiple web access servers, to what do you connect then? Create also a RR adres for the web access servers?
The Broker I certainly want to put on a separate server, might be a DC in the future or just a member server.
Lucky for us we have the Server datacenter licenses, so windows licensing isn’t the issue, certainly in a highly virtualized environment.
BR,
David
Yes David, I would recommend running more than one Web Access server. If will provide better performance but most importantly better redundancy as you mentioned. And since you can run the Web Access role on servers that are also Session Hosts, there really isn’t a good reason not to have multiple Web Access.
Yes, you would set up an A record with the RDS farm name for each Session Host’s IP address. Did you see my post on setting up an RDS farm with Connection Broker? In this example though the Web Access and Session Host roles are hosted on the same server(s). If you set up a separate Web Access server I would imagine that the web clients would connect to that server’s host name, but then the Connection Broker should route them to an appropriate Session Host in the farm. If you do multiple Web Access on separate servers you should set up an additional host name for that DNS RR/NLB/load balancer cluster. Hope that makes sense.
Aaron
Aaron,
Now it makes all sense. Let me epxlain a bit our current situation.
We are looking to replace our Citrix farm (which contains of around 15 citrix servers) by an RDS farm with RemoteApp webinterface. My test farm contains only of a few servers (1 RDCB, 1 RDWA and 3 RDSH) and there the design is offcourse quite different. So when I think further to create a production farm of 10-15 RDSH and want to keep all RDSH the same (just for easy deployment & setup), then I would install the RDSH and RDWA role on the same server. But then 15 RDWA roles sounds a bit overkill no? This is why I wanted to step out of RDSH/RDWA on the same server. But then to create for example 2 RDWA servers just seems to make life harder to create this setup. Apparantly this is quite an unusual setup as I hardly can find docs to design this.
David
Hey David,
Sorry, I may be making things sound more convoluted than they actually are. If you are building an RDS environment of the size of the Citrix farm you are replacing it is probably best to keep the RDWA and RDSH roles on separate servers. Yes, 15 Web Access hosts are definitely not necessary. I would stick with what you are proposing for your test environment, then think about adding an additional RDWA server once you have the initial configuration working and verify the Connection Broker is distributing requests to the various Session Hosts. Think of the Session Hosts as a set of load balanced servers and set up the additional A records for those servers with the common farm name. Later when you set up an additional RDWA server that will be an additional cluster of web servers distinct from the Session Hosts.
Yes, there isn’t much out there to consult for resources on this. Some of the help files available on the server may help, that’s where I got all the information on the permissions that must be granted for all the different RDS server roles for them to work with each other properly.
Aaron
Does anyone have experience with installing RDP External Connector which are
supposed to provide unlimited RDP sessions? I bought 2 licenses for this
from Dell, Microsoft is now saying that there is no license that goes with it.
What the heck?
Hi Aaron
Can i please bother for a little assistance on the following Server 2008 R2 solution:
1, I have set up the following 1xDC, RDSCB (as per your article) and RDSGW
2x RDSSH with Webserver
2, I have also configured NLB between between the 2x RDSSH with Webserver
I have bound the Cluster IP Address to the both the web servers in the header.
I have forwared the ports 443 and 3389 to the RDSCB and RDSGW from the outside
The issue i have is when i hit the gateway web interfacce i do not get the RDweb page, i have tried to redirect the page to the cluster DNS name but it still wont display the RDweb
Please request more information
Hi Ronak,
I don’t have a tremendous amount of experience with the RDS Gateway service. I’m not sure if you’ve tried already but you may want to first get the Gateway service configured with a single RDS Web server before moving on and using two servers with NLB into the scenario. I have generally had a lot of difficulty related to the configuration of Windows NLB and the necessity of having routers properly configured with how Windows rewrites the MAC addresses.
Best Wishes,
Aaron
Aaron
I have previsouly managed to get the GW/SH/WS configured and working from one server.
Whats im not sure is when i seperate the GW and WS/SH on different boxes ?
So my questions are:
1, on the firewall what traffic forwards to which internal server?
or
2, And from the GW do i need to forward/ Redirect HTTP tp the WS/SH servers?
or Both……Sorry if it comes across confusing but i`m unsure of the RDS mechanics.
@ Ronak
In configuring WNLB clusters for Exchange High Availability we run into issues with using Multicast Traffic with certain routers and switches.
Reference:
http://technet.microsoft.com/en-us/library/cc778263(WS.10).aspx
Note
If Network Load Balancing clients are accessing a cluster through a router when the cluster has been configured to operate in multicast mode, be sure that the router meets the following requirements:
Accepts an ARP reply that has one MAC address in the payload of the ARP structure but appears to arrive from a station with another MAC address, as identified by the Ethernet header.
In multicast mode, accepts an ARP reply that has a multicast MAC address in the payload of the ARP structure.
This allows the router to map the cluster’s primary IP address and other multihomed addresses to the corresponding MAC address. If your router does not meet these requirements, you can also create a static ARP entry in the router. Cisco routers require a static ARP entry because they do not support the resolution of unicast IP addresses to multicast MAC addresses.
In multicast mode, the IGMP multicast check box enables Internet Group Management Protocol (IGMP) support for limiting switch flooding by limiting traffic to “Network Load Balancing ports” only. That is, enabling IGMP support ensures that traffic intended for a Network Load Balancing cluster passes through only those ports serving the cluster hosts and not all switch ports.
Once I worked thru these issues my external clients could connect to my Exchange via the WNLB virtual IP without issues.
I assume you are having the same issue if using WNLB in your setup.
Hello,
Very nice work , detailed step by step article , Thanks . Just one questions :
If I fix all the certificate issues , how can I do these 2 things :
1- Automaticlly login the user with his logged in credentials so no need to enter the credentials if he is a domain user .
2- How can I cancel the RDP options that popup also when trying to open a progra.
I am trying to make the program open directly with no questions or errors when the user presses on the remote app program link , is that possible?
Thanks again
Hi Saad,
I can understand your desire for Remote Desktops to open without prompts. I can’t believe how many there are!
Configuring trusted certificates I was able to get to the point where all but one of the prompts was eliminated. I never was able to get rid of the prompt warning of access to local client resources, but I think there are various work arounds available to remove it. I never pursued any of these, however.
Unfortunately I don’t have any experience configuring single sign on/pass through authentication from a domain user on a client machine to log on to RDS.
Best Wishes,
Aaron
Hello Aaron,
Here is what I did to make it work :
1 – Configure a trusted root certificate via group policy to all users.
2- add http://RDSserver and https://RDSserver to trusted websites in IE.
3- disable protected mode in IE .
4- add the users and PC`s in the TS WEB ACCESS group on the RDS server.
5- add the users and PC`s to Remote desktop users on RDS server.
6- downgrade User access control to Never notify me.
7- on the RDweb page specify it is a private PC.
8- Make sure to check the box when it gives the first notification when you login not to notify you and trust this request.
It worked for me and now after login my users can just click the application and it will open directly.
Thanks all.
Wow, thanks so much for sharing the process, Saad!
hi,
I have 2 RDS servers in a farm, 1 connection broker, and one TSweb app server.
as far as steps 2, 3, 6, 7, 8 > all of these are done on the client pc connecting to the tsweb app server?
Thanks
scott
I’m studing for MCITP, and this article is very usefull. Sorry for bad english. I have an assigment on – How to configure remote access on web server 1, so I can remotely control it.
Hi Darkojuca,
If I understand you correctly you are asking about configuring RDS/remote desktop on your web server. If so click the Start button, right click “Computer” and select Properties. In the Window that shows up on the left side select “Remote settings” and then choose one of the “allow” options under “Remote Desktop”.
Only 36 more days until Natty!
Best Wishes,
Aaron
I’ve set up Remote desktop services using two servers (one gateway and one as the host/app manager/etc) and it works fine from the LAN but from the outside internet, I can log into the web access site but connecting to remote apps or desktops fails. Any ideas?
Hi Martin,
Unfortunately I do not have a tremendous amount of experience with RDS Gateway, we are primarily a Citrix shop. You mentioned using a gateway server, did you set up the RD Gateway service on that and configure a certificate and HTTPS? My understanding of the Gateway service is that the RDP client session should tunnel through HTTPS.
Best Wishes,
Aaron
HetAaron, I want to thank you for an excellent document. It was immensely helpful. There is one thing that I would like to add and its about certificates. Not being fully up to speed on the subject, I simply imported the certificate I had onto the RDP server (as you describe om page 5). When I tried to associate it with my .rdp files through the remote apps manager I received a warning that my certificate was not installed and would not work properly. I spent a day hunting the web and found mention of private key not properly being installed references.. it took me sometime to realize that I had goofed and needed to export and import an existing certificate WITH the private key, and then import it onto my rdp server so that both the certificate and the key were present.
I know this is not best practice, but for test purposes it works fine.
Great to hear that worked out for you, Peter. I don’t have a lot of experience with Remote App deployment using .rdp files so it is nice to know if I should ever encounter the issue that you experienced. Thanks!
Aaron
I like your article, very instructive on the set up.
Do you have any thoughts you can share on how to size a terminal server? I’ve got some performance data for a small population for an application served up over terminal services (win2k8R2), but I don’t have a lot of experience on how to extrapolate that data to figure out what I need for a larger population of users. I want to run on VMware and I’m looking for suggestions on what to consider when deciding on scaling out versus up or moving to physical servers to host term svcs. (I’m googling like mad, as well, which led me here…)
Hi Scott,
I understand what you mean, it seems that there is limited information on this topic out on the Internet. At least info that I too have been able to find. Part of the issue is that you have distinct types of organisations, users, application sets, etc.; all of which place a differing amount of demand on computer resources. You can end up with a very wide range of recommendations.
To nail this down a bit in my experience there is not a tremendous performance penalty running terminal servers under VMware ESX(i). Perhaps 10%, if even that. You can pretty much size your terminal server on VMware as if it were physical. The beauty with virtualization (as I’m sure you are aware) is you can modify the resources available to the server quickly with little or no down time, provided the virtualization hosts have that capacity available.
Don’t know how much application this would be for you but as an example in the environment where I work we are running Citrix XenApp 5 (Win2003 version) under VMware ESXi 4.1. Each virtual Citrix server is configured with 48GB RAM, 2 virtual CPUs, and the VMDK of the C drive (with the OS + applications) runs from a 6 disk RAID 10 SCSI LUN hosted on an iSCSI SAN. This LUN hosts 2 Citrix servers, with more Citrix servers hosted on additional LUNs on a different iSCSI device. Each Citrix server hosts perhaps 30 user sessions at a time, each of which is running 2 or 3 applications at any given time. The apps we run on Citrix are mostly general business programs, no multimedia or high end 3D rendering programs. I could probably get to a higher ratio of users per server, but I am a cautious type and prefer to have extra capacity if needed.
Hope that helps some, Scott. Cheers!
Aaron
I have a scenario where I would want to drop specific users or groups of users onto specific servers in the TS Farm. Is there a way to do that?
Hi David,
You may be able to publish the same application on each set of servers to different RemoteApp names. Then you could filter using RemoteApp User Assignment. I’m not sure if this would work for you, as I’ve always assumed that each published RemoteApp must be available on all servers. There is a good writeup available here:
http://blogs.msdn.com/b/rds/archive/2009/06/12/introducing-remoteapp-user-assignment.aspx
Cheers,
Aaron
Here is another resource with interesting tips on configuring terminal services:
http://www.ericom.com/Configuring-Terminal-Services-Access.asp?URL_ID=708
There is also information on load balancing.
Here’s a guide to get rid of the certificat warnings in a RDS farm.
http://blog.kristinlgriffin.com/2010/07/how-to-test-rds-farm-scnarios-with-self.html
Awesome write up! I have a RDS configured and *working* but I am getting SSL errors externally. Maybe I’m doing this wrong? I have one server that has all services on it except remoteapp and virtual machine services, one with remote apps and another with hyperV and my virtual machines. I have it set up perfectly and it works. However, when I connect from outside, when it redirects to the remote apps server or the hyperV virtual machine server it pops our SSL cert errors since it produces the .lan dns of those servers. Am I doing this wrong, I see no way around it. Before I changed it to this setup (required for the redirection), I had no problem with SSL errors. The redirection causes it. Thx!
This article was very very helpful. Since you happen to have Citrix experience I hope you can answer this question which for some reason I have not found a decent answer to. Does Remote Desktop Services allow you to create and publish Full Desktops? I have worked with Citrix in the past and I am really discouraged from using their products due to their lack of support and their frustrating errors that Citrix shrugs off as just “yea that will happen.”
Also, for the purpose of redudancy, when configuring the Licensing Role on the Broker Server or Servers, can you enter multiple IP’s to tell it where the failover server is?
Thank you for all the post’s that helps everyone. Thank you for your time.
I am not getting add roles tab the only iis tab is showing when i am trying to install new role as i want to install RDS for my windows web server service pack 1
Please help me sir
Issues i am facing
1.The add role tab not highlighting .
2.iwant to install RDS but only IIS tab is showing when i open add roles tab
What version of windows 2008 R2 are you running, it looks like its the web services version from what you say.
you mention that domain joined computers should automatically trust the AD enterprise CA but i still get the following popup on domain joined systems .
“the certificate is not from a trusted certifying authority”
Did I miss something ?
Hi, I am also facing the same issue..Windows version id 2008 R2 but in add role tab only two roles are available..DNS and Web(IIS)…can any one let me know what is the issue
Hi there,
I’ve a question about certificates please. We have two RDS servers (2008R2) and a separate server that acts as license server, gateway and connection broker. As far as certification is concerned, we purchased a third party certificate issued to rdgateway.domain.com, which is installed to the gateway.
We only use RDP connections via the gateway to full desktops (i.e. we do not use web access or access webapps).
When users connect, they receive warning errors from the individual servers stating that the certificate on rd1.domain.com is not from a trusted certifying authority.
We do not currently have a CA in the domain.
What is the best way to configure certificates to suppress these warnings?
Thanks in advance
John
it wasn’t work….. when client trying to connect within remote desktop it blocked by terminal services….n how to enabling group in terminal serviecs