
How to connect and configure Remote Desktop Services (RDS)

What is RDS and what roles are needed

Remote Desktop Services (RDS) is a set of Windows Server roles for publishing full desktops and applications (RemoteApp) from session hosts (RD Session Host). RD Connection Broker handles session balancing and reconnection, RD Web Access provides the web portal, and, if necessary, an external RD Gateway and a separate RD Licensing service (CALs for users/devices) are added.

Minimum setup (example):

  • 2× RD Session Host (session hosts)
  • 1× manager with RD Connection Broker + RD Web Access + RD Licensing roles (for the pilot, roles can be combined on one server)

Prerequisites in AD:

  • Join all servers to one domain and place them in one OU;
  • Create a group (e.g., rdsh-servers) and add all RDSH servers to it;
  • Prepare a shared directory for User Profile Disks (UPD) to hold users' network profiles (optional).

Installing RDS via Server Manager (Standard deployment)

Open Server Manager, add all servers to the pool (All Servers → Add Servers):

Start the wizard: Add Roles and Features → Remote Desktop Services installation → Standard deployment → Session-based deployment.

Assign roles by server (example below: RDCB+RDWA on the manager, RDSH on all nodes):

Confirm and wait for the deployment to finish.

After installation, open Server Manager → Remote Desktop Services → Overview:

In Tasks → Edit Deployment Properties, specify:

  • Licensing server and RDS CAL mode (Per User or Per Device);
  • RD Web Access URL;
  • (Later) SSL certificates for RDGW/RDWeb/Publishing/Redirector.

For an isolated scenario (without a broker/web, on a single host), see the Standalone RDSH option (working in a workgroup).

Create a session collection and connect users

Go to Remote Desktop Services → Collections → Tasks → Create Session Collection:

Add RD Session Host hosts to the collection:

Specify the user groups (remove Domain Users and add your own, for example, RDS-Users) and, if necessary, enable User Profile Disks. Then click Create.

To edit the settings, open the collection properties (Tasks → Edit Properties):

RemoteApp applications are also published here, and session limits (timeouts for active/disconnected sessions) are set here. There is a good explanation of timeouts with pictures.

Certificates and HTTPS for RDS roles (briefly)

To remove the untrusted-connection warning that clients see and to enable SSO, assign the correct SSL certificates to the roles:

  • RD Gateway, RD Web Access, RD Publishing, RD Redirector.

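Via PowerShell (example for a single PFX and broker $RDSCB):

```powershell
$RDSCB = "msk-rdsman.contoso.local"
$Path  = "C:\certs\rds-cert.pfx"
# Prompt for the PFX password instead of hard-coding it in the script.
# The name $Pwd is avoided: it is PowerShell's automatic current-directory variable.
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"

# Assign the same certificate to every RDS role that uses one
Set-RDCertificate -Role RDGateway    -ImportPath $Path -Password $PfxPassword -ConnectionBroker $RDSCB -Force
Set-RDCertificate -Role RDWebAccess  -ImportPath $Path -Password $PfxPassword -ConnectionBroker $RDSCB -Force
Set-RDCertificate -Role RDPublishing -ImportPath $Path -Password $PfxPassword -ConnectionBroker $RDSCB -Force
Set-RDCertificate -Role RDRedirector -ImportPath $Path -Password $PfxPassword -ConnectionBroker $RDSCB -Force

# Show the certificate now assigned to each role
Get-RDCertificate -ConnectionBroker $RDSCB
```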

For external access without a VPN, it is safer to go through RD Gateway (deployed separately; detailed instructions are available).
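To confirm that the assignment above took effect and to catch certificates nearing expiry, the following added example (not part of the original page) audits the output of Get-RDCertificate per role. The broker name is reused from the example above; the 30-day renewal window is an assumption.

```powershell
# Added example: audit the certificates assigned to the RDS roles.
# Assumptions: $RDSCB is the Connection Broker FQDN; $WarnDays is an arbitrary renewal window.
Import-Module RemoteDesktop

$RDSCB    = "msk-rdsman.contoso.local"
$WarnDays = 30
$Now      = Get-Date

$Report = foreach ($cert in Get-RDCertificate -ConnectionBroker $RDSCB) {
    $problems = @()

    # Level is NotConfigured when no certificate is assigned to the role and
    # Untrusted when the chain does not validate; only Trusted is acceptable.
    if ($cert.Level -ne 'Trusted') {
        $problems += "trust level is $($cert.Level)"
    }

    # ExpiresOn is empty for roles without a certificate, so guard before subtracting.
    if ($cert.ExpiresOn) {
        $daysLeft = [int]([datetime]$cert.ExpiresOn - $Now).TotalDays
        if ($daysLeft -lt 0) {
            $problems += "expired $(-$daysLeft) days ago"
        } elseif ($daysLeft -lt $WarnDays) {
            $problems += "expires in $daysLeft days"
        }
    }

    [pscustomobject]@{
        Role       = $cert.Role
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        ExpiresOn  = $cert.ExpiresOn
        Status     = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}

$Report | Format-Table -AutoSize

# Surface anything that is not clean so the script can be used from a scheduled task.
$Bad = @($Report | Where-Object Status -ne 'OK')
if ($Bad.Count -gt 0) {
    Write-Warning "$($Bad.Count) RDS role certificate(s) need attention."
}
```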

Licensing (RDS CAL)

Install the Remote Desktop Licensing role (can be done on the broker), activate the license server, and specify the address of this server and the license mode (Per User/Per Device) in the deployment settings. The parameters are set in Edit Deployment Properties → RD Licensing.

It is useful to remember the limitations: a regular Windows Server without RDS provides only 2 administrative RDP connections; full user sessions require RDS CAL.

Application publishing (RemoteApp) and access

Publish applications in the collection properties (RemoteApp Programs → Publish) or via PowerShell:

```powershell
# $RDSCB is the Connection Broker FQDN defined earlier
New-RDRemoteApp -Alias "Chrome" -DisplayName "Google Chrome" `
  -FilePath "C:\Program Files\Google\Chrome\Application\chrome.exe" `
  -ShowInWebAccess $true -CollectionName "General" -ConnectionBroker $RDSCB
```

Users can log in via:

  • RD Web Access (web portal),
  • .rdp/RemoteApp shortcuts,
  • or directly to the FQDN of the farm (if the broker and DNS record are configured).

Quick deployment of an RDS farm using PowerShell (from scratch)

Below is a condensed example: creating a collection, assigning groups, and publishing a RemoteApp. (Deploy the roles via the GUI, as above, or automate that step according to your standard.)

```powershell
$RDSCB = "msk-rdsman.contoso.local"
$RDSH1 = "msk-rds1.contoso.local"
$RDSH2 = "msk-rds2.contoso.local"

# Collection
New-RDSessionCollection `
  -CollectionName "General" `
  -SessionHost $RDSH1,$RDSH2 `
  -ConnectionBroker $RDSCB `
  -CollectionDescription "General users"

# Access: replace the default group with dedicated groups
$Groups = @("CONTOSO\RDS-Users","CONTOSO\ServiceDesk")
Set-RDSessionCollectionConfiguration -CollectionName "General" -UserGroup $Groups `
  -ConnectionBroker $RDSCB

# App publication
New-RDRemoteApp -Alias "WordPad" -DisplayName "WordPad" `
  -FilePath "C:\Program Files\Windows NT\Accessories\wordpad.exe" `
  -ShowInWebAccess $true -CollectionName "General" -ConnectionBroker $RDSCB
```

Network, firewall, and diagnostics

Open the required ports in Windows Firewall and in the external ACL of the Windows VPS provider:

  • RD Web: 443/TCP
  • RD Gateway: 443/TCP
  • RDP to RDSH via broker: 3389/TCP (+ 3389/UDP for enhanced graphics)
  • Broker/SQL inter-server connections — according to your scheme

Quick checks from the client:

```powershell
Test-NetConnection rds.contoso.ru -Port 443   # RDWeb/RDGW
Test-NetConnection rds.contoso.ru -Port 3389  # RDP (if you publish directly)
```

There is a separate discussion about “freezing”/black screen when RDP uses UDP transport.
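When external users come in through RD Gateway on 443, port 3389 on a session host only needs to accept connections from the gateway and internal clients. The added example below (not part of the original page) lists enabled inbound allow rules on 3389 that accept any remote address and previews narrowing them; the addresses in $AllowedSources are constructed placeholders, not values from this deployment.

```powershell
# Added example: find inbound 3389 rules open to any source, then preview a narrower scope.
# Assumption: $AllowedSources holds the RD Gateway address and the internal client subnet.
$AllowedSources = @('10.0.10.5', '10.0.20.0/24')   # constructed placeholder values

$Exposed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter

        # Matches rules that name port 3389 explicitly (TCP or UDP) and place no
        # restriction on the source. Rules using port ranges or "Any" port are
        # not matched here and need a separate review.
        if ($port.LocalPort -contains '3389' -and $addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Protocol    = $port.Protocol
                Profile     = $_.Profile
            }
        }
    }

$Exposed | Format-Table -AutoSize

# Preview the change first: -WhatIf prints what would be modified without applying it.
# Remove -WhatIf once the list of rules and sources has been reviewed.
foreach ($rule in $Exposed) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedSources -WhatIf
}
```

Run it on each RD Session Host; the provider's external ACL has to be checked separately in its own console.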

Common problems and quick solutions

  • The user is not included in the collection. Check if they are in the correct collection access group (not just Domain Users).
  • Broker not visible/reconnection errors. Check the farm’s DNS record, broker database availability, and relevant ports; for HA on the broker, check Always On in SQL.
  • Sessions do not end/hang. Set limits (timeouts) for active/disconnected sessions on the Session tab of the collection.
  • Secure external access is required. Deploy RD Gateway (HTTPS, access policies, certificate).