How to Deploy and Configure Remote Desktop Services (RDS) on Windows Server

Start by preparing your Windows Server environment. You'll need at least three servers for a proper RDS deployment: one for RD Connection Broker, one for RD Web Access, and one for RD Session Host. For production environments, consider separate servers for each role.

First, ensure all servers are domain-joined and have static IP addresses. Open Server Manager on your designated Connection Broker server (this will be your management server).

# Verify domain membership on each server
Get-ComputerInfo | Select-Object CsDomain, CsName

# Check network configuration
Get-NetIPAddress -AddressFamily IPv4 | Where-Object {$_.IPAddress -notlike "127.*" -and $_.IPAddress -notlike "169.*"}

Add all RDS servers to Server Manager for centralized management. Navigate to Manage > Add Servers > Find Now. Select all servers that will participate in your RDS deployment and click OK.

Now deploy the core RDS infrastructure using Server Manager's deployment wizard. This creates the foundation for your Remote Desktop Services environment.

In Server Manager, click Manage > Add Roles and Features. Select Remote Desktop Services installation and choose Standard Deployment. Select Session-based desktop deployment for traditional desktop sessions.

Assign servers to each role:

• RD Connection Broker: Your management server (e.g., Contoso-CB1)
• RD Web Access: Web gateway server (e.g., Contoso-WA1)
• RD Session Host: Server hosting user sessions (e.g., Contoso-SH1)

# Alternative PowerShell deployment method
New-RDSessionDeployment -ConnectionBroker "Contoso-CB1.domain.local" -WebAccessServer "Contoso-WA1.domain.local" -SessionHost "Contoso-SH1.domain.local"

Click Deploy and allow the wizard to complete. This process installs the necessary roles and configures basic connectivity between servers. The deployment may require server restarts.

RDS requires proper licensing to function beyond the 120-day grace period. Add and configure an RD Licensing server to manage your Client Access Licenses (CALs).

In Server Manager, go to Remote Desktop Services > Overview > click the + next to RD Licensing. Select your Connection Broker server or a dedicated licensing server, then click Add.

Activate the licensing server by navigating to Remote Desktop Services > Servers, right-clicking your license server, and selecting RD Licensing Manager. In the licensing manager, go to Action > Activate Server.

# Add licensing server via PowerShell
Add-RDServer -Server "Contoso-CB1.domain.local" -Role RDS-LICENSING -ConnectionBroker "Contoso-CB1.domain.local"

# Configure license mode
Set-RDLicenseConfiguration -LicenseServer "Contoso-CB1.domain.local" -Mode PerUser -ConnectionBroker "Contoso-CB1.domain.local"

Complete the activation wizard by providing your company information and connection method (typically Automatic connection for internet-connected servers). After activation, install your RDS CALs through the licensing manager.

Configure the license mode in Remote Desktop Services > Overview > Tasks > Edit Deployment Properties > RD Licensing. Choose between Per User or Per Device based on your CAL type.

Session collections define groups of resources and settings for user sessions. Create your first collection to enable user access to remote desktops.

In Server Manager, navigate to Remote Desktop Services > Collections > Tasks > Create Session Collection. Provide a descriptive name like "Production Desktop" or "Finance Collection".

Select your RD Session Host servers that will host user sessions. Add user groups that should have access to this collection (typically Domain Users or specific security groups).

# Create collection via PowerShell
New-RDSessionCollection -CollectionName "Production Desktop" -SessionHost @("Contoso-SH1.domain.local") -ConnectionBroker "Contoso-CB1.domain.local"

# Configure collection properties
Set-RDSessionCollectionConfiguration -CollectionName "Production Desktop" -MaxRedirectedMonitors 2 -ConnectionBroker "Contoso-CB1.domain.local"

Configure User Profile Disks (UPDs) for persistent user data. Specify a UNC path like \\Contoso-CB1\UserDisks and set an appropriate maximum size (typically 20-50 GB per user). Create this shared folder with proper permissions:

# Create and configure UPD share
New-Item -Path "C:\UserDisks" -ItemType Directory
New-SmbShare -Name "UserDisks" -Path "C:\UserDisks" -FullAccess "Domain Admins" -ChangeAccess "Domain Users"

Proper SSL certificates are essential for secure RDS access, especially when enabling external connectivity. Configure certificates for all RDS roles that require encrypted communications.

Navigate to Remote Desktop Services > Overview > Tasks > Edit Deployment Properties > Certificates. You'll need certificates for RD Connection Broker, RD Web Access, and RD Gateway (if deployed).

For internal deployments, you can create self-signed certificates, but production environments should use certificates from a trusted Certificate Authority:

# Create self-signed certificate for testing
$cert = New-SelfSignedCertificate -DnsName "contoso-wa1.domain.local" -CertStoreLocation "Cert:\LocalMachine\My"

# Export certificate with private key
$pwd = ConvertTo-SecureString -String "P@ssw0rd123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\Temp\RDSCert.pfx" -Password $pwd

Apply certificates to each role:

• RD Connection Broker: Use internal FQDN for SSO and Publishing certificates
• RD Web Access: Use external FQDN if accessible from internet
• RD Gateway: Must use external FQDN matching public DNS

For each certificate, click Create new certificate, specify the appropriate FQDN, and save the certificate to a secure location. Import the certificate on the target server and apply it through the deployment properties.

RD Gateway enables secure external access to your RDS environment through HTTPS. Deploy this role if users need to connect from outside your corporate network.

In Server Manager, go to Remote Desktop Services > Overview > click the + next to RD Gateway. Select your Web Access server or a dedicated gateway server.

Provide the external FQDN that users will use to connect (e.g., rds.contoso.com) and select or create an SSL certificate for this FQDN. The certificate must be trusted by client computers.

# Add RD Gateway via PowerShell
Add-RDServer -Server "Contoso-WA1.domain.local" -Role RDS-GATEWAY -ConnectionBroker "Contoso-CB1.domain.local" -GatewayExternalFqdn "rds.contoso.com"

Configure gateway policies by opening RD Gateway Manager from Server Manager. Create Connection Authorization Policies (CAP) and Resource Authorization Policies (RAP):

Connection Authorization Policy:

• Allow connections from specified user groups
• Configure authentication methods (password, smart card, etc.)
• Set session timeout values

Resource Authorization Policy:

• Define which internal resources users can access
• Specify computer groups or individual servers
• Configure port restrictions if needed

# Configure gateway bypass for local network
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -LogonMethod Password -UseCachedCredentials $True -BypassLocal $True -ConnectionBroker "Contoso-CB1.domain.local"

RemoteApp allows users to run individual applications remotely instead of full desktop sessions. This provides a more seamless experience for specific application access.

Navigate to your session collection in Remote Desktop Services > Collections > select your collection > RemoteApp Programs > Tasks > Publish RemoteApp Programs.

Select applications from the list of installed programs on your session hosts. Common choices include Microsoft Office applications, line-of-business applications, or specialized software.

# Publish RemoteApp via PowerShell
New-RDRemoteApp -CollectionName "Production Desktop" -DisplayName "Calculator" -FilePath "C:\Windows\System32\calc.exe" -ShowInWebAccess $True -ConnectionBroker "Contoso-CB1.domain.local"

# List published RemoteApps
Get-RDRemoteApp -CollectionName "Production Desktop" -ConnectionBroker "Contoso-CB1.domain.local"

Configure RemoteApp properties for each published application:

• Display Name: User-friendly name shown in RD Web Access
• Description: Helpful description for users
• Icon: Custom icon for the application
• Command Line Parameters: Default parameters if needed

For applications requiring specific user permissions or registry settings, configure these on the session host servers. Install applications in a way that makes them available to all users who will access them remotely.

# Configure RemoteApp to show in web access
Set-RDRemoteApp -CollectionName "Production Desktop" -DisplayName "Calculator" -ShowInWebAccess $True -ConnectionBroker "Contoso-CB1.domain.local"

Users can now access published RemoteApps through the RD Web Access portal or by downloading RDP files for direct application launch.

The final step involves configuring RD Web Access for user connectivity and performing comprehensive testing to ensure everything works correctly.

Access the RD Web Access portal by navigating to https://your-web-access-server/RDWeb. Users will see both published RemoteApps and desktop collections here.

Customize the web portal by modifying the RDWeb configuration. You can change the site name, add company branding, and configure default connection settings:

Test user connectivity by logging in with different user accounts that have been granted access to your collections. Verify that:

• Users can successfully authenticate
• Published RemoteApps launch correctly
• Desktop sessions connect and function properly
• User Profile Disks are created and persistent
• External connections work through RD Gateway (if configured)

# Test RDS connectivity
Test-RDOUAccess -OU "CN=Users,DC=domain,DC=local" -ConnectionBroker "Contoso-CB1.domain.local"

# Check active sessions
Get-RDUserSession -ConnectionBroker "Contoso-CB1.domain.local"

Configure load balancing if you have multiple session hosts by adding additional servers to your collection:

# Add additional session host to collection
Add-RDSessionHost -CollectionName "Production Desktop" -SessionHost "Contoso-SH2.domain.local" -ConnectionBroker "Contoso-CB1.domain.local"