Windows Server 2016 supports multi-site HTTPS service better than Windows Server 2008 and 2012. The following 123WORDPRESS.COM editor will share with you

Open Server Manager and click Manage -> Add Roles and Features.

In the wizard, on the Before You Begin page, click Next.
On the Select Installation Type page, select Remote Desktop Services Installation, and then click Next.
On the Select a deployment type page, select Quick Start, and then click Next.
On the Select a deployment scenario page, select Session-based desktop deployment, and then click Next.
Since we chose Quick Start, the Connection Broker, Web Access, and Session Host roles will be installed on a single server. Click Next.
On the Confirmation page, check the box to automatically restart the destination server when needed, and then click Deploy.

When you click Deploy, a progress window appears. After the system restarts, check whether all service configurations are successful, and then click Close. That's it.

You can access Remote Desktop Services through Server Manager by clicking the Remote Desktop Services link in the left pane. When you click on it, you will find yourself in front of the "RDS Manager".

When you select the Quick Start deployment type, a collection (QuickSessionCollection) and a remote application are already configured. Collections separate RD Session Hosts into separate farms and allow administrators to organize resources. (I discuss collections and collection attributes further in the Purpose of RD Collection article.)

As you can see, the deployment is missing the RD Gateway server and the RD Licensing server.

Click the green Add RD Licensing Server button. Select a server and click Next. Confirm your selections and click Add. Wait for the role services to deploy, and then click Close.

Next, we need to add the RD Gateway. Click the green Add RD Gateway Server button. Select a server and click Next. As we go through the wizard, it will create a self-signed SSL certificate.
I will replace this certificate with a trusted one later. On the SSL Certificate Name page, I will enter the Fully Qualified Domain Name of my RDS server, rds01.mehic.se. Click Next and Add.

Wait for the role service to deploy and click Configure Certificate to view the certificate options. (Note: I will discuss deployment properties in more detail in the "Exploring Deployment Properties" series.)

Note that the certificate level currently has a status of Not Configured. The RD Gateway certificate is used for client-to-gateway communications and needs to be trusted by the client. Install a self-signed certificate on all clients, or use a certificate whose full certificate chain is already trusted by all clients. As stated in the wizard, the external FQDN should be on the certificate.

Before we create a new certificate, we need to configure DNS so that external users can resolve the name of the RD Gateway to the correct IP address. You will configure it on an external DNS (hosted DNS or DNS at your ISP), which we have no control over but which is accessible from the internet. In this case, my "external DNS" (the ROUTER machine on my external network) will handle DNS for the external network.

If I try to ping the gateway from an external Windows 10 machine, the ping fails. Everything works internally.

Open DNS Manager and browse to Forward Lookup Zones. Right-click Forward Lookup Zones and select New Zone.
On the Welcome to the New Zone Wizard page, click Next.
On the Zone Type page, accept the defaults and click Next.
On the Zone Name page, enter your zone name, in my case mehic.se, and click Next.
On the Dynamic Update for Zone File page, accept the defaults, and then click Finish.

Once completed, right-click the new zone and select "New Host (A or AAAA)". In real life, you would type in the external IP address of your NAT router or firewall, which is the public IP closest to your gateway.
In my case, I have neither NAT nor a firewall running, so I enter its internal IP. I will also add my CA's IP address.

Now if I try to ping from an "external computer", the ping works.

Let's try to connect to RDCB using RDP. Open Run (Windows button + R) and type mstsc. Enter the RDCB name and click the Advanced tab. Under Advanced -> Settings, specify the RD Gateway, then click OK and connect. Windows Security will pop up. Enter the credentials and click OK, and you will encounter this error.

We are getting this error message because we don't have a certificate configured, which is our second prerequisite. In real life you would purchase this certificate from a public CA (GoDaddy, VeriSign, etc.). The certificate needs to contain the FQDN that you will use as the RD Web Access URL (mine is rds01.mehic.se). It must be in .pfx format, and it needs to include your private key.

In my case, I will use my private CA. (If you are not familiar with or do not have a private CA, check out my Mastering Windows Server 2016 series to learn how to install a Certificate Authority.)

Open Server Manager -> Tools -> Certification Authority. In the CA snap-in, right-click Certificate Templates and select Manage. This opens the Certificate Templates snap-in. What we need to do is select one of these templates and copy it so that we can customize it to our needs. For Remote Desktop, most of the certificates we need are for SSL.

Right-click the Web Server template and select Duplicate Template. The New Template window will pop up. The first thing I did was to change the certificate name to MEHIC SSL on the General tab. Next, click the Request Handling tab and check Allow private key to be exported.

There are many things we can do, but the most important thing is to allow enrollment. To do that, click the Security tab and grant Authenticated Users permissions for both Enroll and Autoenroll. (Note: in real life, you'd probably want to lock that certificate down to specific people, but in this case, that's not important.) I'd also add Domain Computers and give them Read, Enroll, and Autoenroll permissions. When you are finished, click OK.

Now we need to take that template and publish it to the CA. To do this, right-click Certificate Templates -> New -> Certificate Template to Issue. Select our newly created template and click OK. After clicking OK, you will see it in the CA's list of certificate templates.

The final step is to enroll for the certificate. Switch to RDS01 and open MMC (Windows button + R and type mmc). Right-click Personal -> All Tasks -> Request New Certificate.
On the Before You Begin and Select Certificate Enrollment Policy pages, click Next.
On the Request Certificates page, select MEHIC SSL and click the link asking for additional information. (To use SSL, we must provide additional information.)
Change the Subject Name type to Common Name and add the exact name of the server or website you are using. First I will add the single-label name rds01, then add the FQDN rds01.mehic.se and click OK.
The wizard allowed me to enroll, and you can see that the request was successful. Click Finish.

Now, under Personal, I can click Certificates and see the certificate that I requested. Next, we need to export the certificate with the private key and configure RD Gateway, RDWA, and RDCB to use it.

Right-click the certificate -> All Tasks -> Export. The Certificate Export Wizard will pop up. Click Next.
Select Yes, export the private key, and click Next.
On Export File Format, click Next.
Check the Password box and enter your password. Click Next.
Enter a name and the location where you want to save the file, then click Next and Finish.

Now, let's go back to Deployment Properties and select RD Gateway -> Select Existing Certificate. Add the certificate and click OK.
Click Apply and you will notice that the certificate level now has a status of Trusted. Do the same for RDWA and RDCB.

Time to test the setup!

Internal: browse to https://"your RDWA server name"/rdweb. If everything is OK, we will not get a certificate error message. RD Gateway will also work.

External:

Related articles about Windows Server 2016 Remote Desktop Services configuration and license activation

The default number of remote desktop connections for Server 2016 is 2 users. If more than two users connect to the remote desktop, the system will report that the number of connections has been exceeded. This can be solved by adding Remote Desktop Licensing:

1. Add Remote Desktop Licensing Service

Step 1: Server Manager - Add Roles and Features. Open the Add Roles and Features Wizard window and select role-based or feature-based installation.

Step 2: Add the Remote Desktop Session Host and Remote Desktop Licensing role services.

After the above configuration is completed, more than 2 users can log in at the same time, but the validity period is 120 days. If you log in again, you will be prompted as follows:

2. Add Remote Desktop License

Before adding, adjust the time to a future time to increase the validity period.

Open Remote Desktop Licensing Manager. The server is not activated at this time.
Right-click and select Activate Server to open the Server Activation Wizard.
Connection method: select Web browser.
Open the Remote Desktop Licensing website as prompted and select Enable License Server.
Enter the product ID and fill in the rest of the information as you like.
Obtain and enter your license ID to activate the license server.
License Program: select Enterprise Agreement.
Select Per User Access License. The agreement number can be 6565792, 4954438, 6879321 or 5296992.
The quantity can be any number.
Get the license key pack ID.
Enter the License Key Pack ID in the Activation Wizard.
The activation status is now Activated.

At this point, the entire installation process has been completed.

3. If the license provided by the Remote Desktop Licensing server expires, you will not be able to log in remotely. The solution is as follows:

Step 1: Use "mstsc /admin /v:target ip" to force a login to the server (note that you can only log in as an administrator).

Step 2: Adjust the date to a future time (to obtain a longer period; if it is not changed, another 120-day authorization can be obtained).

Step 3: Delete the registry key. Tip: regedit enter
Note: The registry key may not be deletable, in which case the permissions need to be modified as follows:

Run gpedit.msc, and under User Configuration - Administrative Templates - System, set "Prevent access to registry editing tools" to Disabled.
Change the permissions on the GracePeriod key.
Delete the GracePeriod key, restart the machine, and change the time back.
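The certificate steps in the first article (export the .pfx, assign it to RD Gateway, RDWA and RDCB, confirm the Trusted level) can also be done and checked from PowerShell. This is an added example, not from the original article; it assumes the RemoteDesktop module on the Connection Broker, and the .pfx path is hypothetical.

```powershell
# Added example; not from the original article.
# Assumptions: elevated session on the Connection Broker, RemoteDesktop module present,
# and C:\Certs\rds01.pfx is a hypothetical location for the exported certificate.
Import-Module RemoteDesktop

$Fqdn    = 'rds01.mehic.se'        # name used in the article; all roles share this server
$PfxPath = 'C:\Certs\rds01.pfx'    # hypothetical export location
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Inspect the file before deploying it.
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPass)
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })   # subject CN plus SAN DNS names

$problems = @()
if (-not $cert.HasPrivateKey)                  { $problems += 'PFX does not contain the private key' }
if ($names -notcontains $Fqdn)                 { $problems += "certificate does not list $Fqdn" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }
if ($cert.Subject -eq $cert.Issuer)            { $problems += 'certificate is self-signed' }
if ($problems) { throw "Refusing to deploy: $($problems -join '; ')" }

# 2. Assign it to every role shown in Deployment Properties.
#    RDCB appears there twice: single sign-on (RDRedirector) and publishing (RDPublishing).
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPass `
        -ConnectionBroker $Fqdn -Force
}

# 3. Confirm each role reports Trusted, the same status the article checks in the GUI.
$status = Get-RDCertificate -ConnectionBroker $Fqdn
$status | Format-Table Role, Level, ExpiresOn, Subject -AutoSize

$notTrusted = $status | Where-Object { "$($_.Level)" -ne 'Trusted' }
if ($notTrusted) {
    Write-Warning "Not trusted: $($notTrusted.Role -join ', ')"
}
```

The name check is an exact match, so a wildcard certificate would need its own comparison.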
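The MEHIC SSL template in the first article grants Enroll and Autoenroll to Authenticated Users and Domain Computers, allows private key export, and takes the subject name from the requester, which the author notes should be locked down in real deployments. The following added example (not from the original article) reports those settings for review; it assumes the RSAT ActiveDirectory module and English group names.

```powershell
# Added example; not from the original article.
# Assumptions: RSAT ActiveDirectory module, English group names, read access to the Configuration partition.
Import-Module ActiveDirectory

$TemplateDisplayName = 'MEHIC SSL'   # template name from the article
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $base -Filter "displayName -eq '$TemplateDisplayName'" `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag'
if (-not $tpl) { throw "Template '$TemplateDisplayName' not found" }

# Template flags: requester supplies the subject (0x1), private key is exportable (0x10).
$suppliesSubject = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band 0x1)
$exportableKey   = [bool]($tpl.'msPKI-Private-Key-Flag' -band 0x10)

# Extended-right GUIDs for certificate enrollment; the empty GUID means "all extended rights".
$enrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}
$broad    = 'Authenticated Users|Domain Users|Domain Computers|Everyone'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $extRight) -eq $extRight) -and
        $enrollRights.ContainsKey($_.ObjectType.ToString()) -and
        $_.IdentityReference.Value -match $broad
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal       = $_.IdentityReference.Value
            Right           = $enrollRights[$_.ObjectType.ToString()]
            SuppliesSubject = $suppliesSubject
            ExportableKey   = $exportableKey
        }
    }

$findings | Format-Table -AutoSize
if ($findings -and $suppliesSubject) {
    Write-Warning 'Broad groups can enroll with a requester-chosen subject; restrict Enroll to the RDS servers.'
}
```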