Set up Remote Desktop Services in Windows 2012

This article demonstrates the steps to set up a collection of remote desktop servers for end clients to connect to using Session Hosts.
Note: This is not a VDI setup.

Service Requirements

  • Active Directory. This guide assumes you have a working AD environment up and running already.
  • DNS Server. This guide assumes you have a working DNS environment up and running already.
  • External DNS domain optional for Labs, but of course you would probably want one in production.

Servers used in this deployment

  • One Domain Controller (Microsoft recommend at least two DC's in live environments for redundancy purposes)

    Roles Applied: Domain Controller, DNS

    Hostname: DC1.tsdomain.local

  • One Domain member server

    Roles Applied: Domain member, Web access server, Gateway server, Licensing server, Connection broker server

    Hostname: DC2.tsdomain.local

  • One Domain member server

    Roles Applied: Domain member, File and storage services

    Hostname: fs1.tsdomain.local

  • Three Domain member servers

    Roles Applied: Domain member, Remote Desktop session host.

    Hostname: ts1.tsdomain.local, ts2 and ts3

General client settings/tips

RDP Client - Some connection/security problems can occur when using older versions of the RDP client. The majority of this article I was able to connect using Windows 7 SP1 with RDP client 6.1.7601. If possible I would recommend that you upgrade your RDP clients to 6.2.9200.

The update can be downloaded from the Microsoft Remote Desktop Protocol site.

You will need the latest version of RDP to get the best out of Remote Desktop Services VDI - More information here.

Web Access - When users are using the web access portal, I would recommend using Internet Explorer. Especially when using a Self Signed Certificate, as you are then able to install it correctly via the browser. Chrome gave me some difficulties and I did not test this with Firefox.

User groups

  • Human Resources
    • Jenny Smith (jsmith\Password123!)
  • Finance
    • Paul Jones (pjones\Password123!)
    • Sarah Young (syoung\Password123!)

Role definitions


These are the servers that users will be connecting to for the Remote Desktop Sessions.

Official definition - Remote Desktop Session Host (RD Session Host) enables a server to host RemoteApp programs or session-based desktops. Users can connect to RD Session Host servers in a session collection to run programs, save files, and use resources on those servers. (Source -

Session Collection

A group of RD Session Hosts, with permissions assigned according to User/Group requirements. An RD Session Host can only be part of one Session Collection.

RD Connection Broker

This is the role that connects users to their Remote Sessions, whether it’s a new session or an existing session.

Official definition - Allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops. Enables you to evenly distribute the load among RD Session Host servers in a session collection or pooled virtual desktops in a pooled virtual desktop collection. Provides access to virtual desktops in a virtual desktop collection. (Source -

RD Web Access

The starting point/online portal for users to login and start their Remote Desktop Sessions.

Official definition - Remote Desktop Web Access (RD Web Access) enables users to access RemoteApp and Desktop Connection through the Start menu on a computer that is running Windows 8, Windows 7, or through a web browser. RemoteApp and Desktop Connection provides a customized view of RemoteApp programs and session-based desktops in a session collection, and RemoteApp programs and virtual desktops in a virtual desktop collection. (Source -

RD Licensing

Remote Desktop Licensing (RD Licensing) manages the licenses required to connect to a Remote Desktop Session Host server or a virtual desktop. You can use RD Licensing to install, issue, and track the availability of licenses.

RD Gateway

Remote Desktop Gateway (RD Gateway) enables authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on an internal corporate network from any Internet-connected device.

Firewall rules

Windows servers all have Windows Firewall enabled, but the rules can be configured on each to allow all traffic between all the servers. These settings are not configured by default. Here are scripts to help you configure these rules:

Where x, y and z are replaced with your trusted IP's and "Policy Name" is the name of the policy in question.

To add a new Policy:

New-NetFirewallRule -DisplayName "Policy Name" -LocalAddress "any" -RemoteAddress,yyy.yyy.yyy.yyy,zzz.zzz.zzz.zzz -Direction Inbound
-Action Allow -Protocol TCP -LocalPort any

To edit an existing Policy:

Set-NetFirewallRule -DisplayName "Policy Name" -LocalAddress "any" -RemoteAddress,yyy.yyy.yyy.yyy,zzz.zzz.zzz.zz -Direction Inbound
-Action Allow -Protocol TCP -LocalPort any

Install roles and services

All six servers are part of the domain that is set up in this scenario, tsdomain.local.

  1. We recommend adding the servers to the Server Manager All Services pool.
  2. Open the Server Manager.
  3. Right click All Servers, then click Add Servers to add the pool.

The examples in this article are from the first domain member server, DC2.

  1. From the Server Manager Dashboard, select "Add roles and Features" and then select "Remote Desktop Services Installation".

  2. The Quick Start deployment type is intended for single-server deployments. For our purposes, choose Standard Deployment.

  3. Select Session-based Desktop Deployment.Confirm the Role Services to be installed.
    1. Assign your RD Connection Broker.
      DC2.tsdomain was selected for our example. 
    2. Assign your RD Web Access Server. DC2.tsdomain was selected for our example. 
  4. Now, add in the Session Host Servers (TS1, TS2 and TS3). These are the servers that will host the RD Sessions.
  5. Review the selection of each role and when ready, click Deploy.
    Server Manager will then attempt to deploy each role for you. You can follow the progress.
  6. Once complete, you can go ahead and configure each of the Roles as required.

Configure roles and services

Now that the Roles and Services have been successfully installed, you must configure each of the services accordingly.

Configure gateway server

    1. From Server Manager > Remote Desktop Services > Overview, click the green + icon on the RD Gateway icon within the Deployment Overview. Add your RD Gateway Server and click Next.
    2. Set your RD Gateway URL.
    3. On the Confirm screen, confirm the setup and click Add, if you approve.
    4. From Server Manager > Remote Desktop Services > Overview, Click the Tasks Menu and select Edit Deployment:

    5. From this screen, you can configure the following Services:
      • RD Gateway
      • RD Licensing
      • RD Web Access
      • Certificates

    Gateway configuration

    Specify the Server name using the Domain as the External FQDN that users will be using to connect to the service.
    In this example, there is an A record in the External DNS for pointing to the External IP of my Gateway Server.

    Note: The RD Gateway and RD Web Access roles will reside on the same Server.

    Licensing configuration

    Next you can enter the licenses for the deployment, if you have them available. Licenses should not be required for testing purposes.

    RD web access configuration

    Confirm the Web Access portal is activated.
    Note: The Internal URL is shown here. If you open the External FQDN ( set earlier in Gateway Configuration, you will see the RD Web Access portal. 

    RD web access portal

    Set up certificates

    At this point if you browsed to the above Web Access Portal, you would of seen the Certificate warning, of course. In this section you can configure your certificates for each of the Roles. It is recommended that you use a valid Certificate for the domain but as this is a lab, you can go ahead and use a self-signed Certificate.

    Note: If you want to use a Self Signed Certificate then your client will need to access the Portal using Internet Explorer as this will allow you to install the certificate from the browser, in my scenario, Chrome did not let me do this.

    1. Use either an existing Certificate if you have one already, or Create a new one.

      Note: The preferred would be an existing certificate. You will need to know the location of the Certificate itself, as this wizard doesn’t use the Certificate Store.

    2. Check the Allow the Certificate to be added to the Trusted Root Certificate Store check box.
      This allows the client to install the Certificate from the browser, required for Self Signed Certificates.
    3. Once you have selected your Certificate, click Apply.

    4. Repeat for each of the Roles and Services listed, until they all have the Certificate installed.

    Set up User Profile Disks

    There are two main steps when setting up User Profile Disks (UPD for short):

    • Creating the NTFS Share where the vhdx files will live
    • Enabling and configuring UPDs on the Session Collections

    Create user profile share

    Log in to your Share Server. In this example we are using:

    • 1 x Domain Member Server
    • Roles Applied: Domain Member, File and Storage Services
    • Hostname: fs1.tsdomain.local

    Note: You will need to create a separate UPD Share for each Session Collection that you are enabling UPDs on, you cannot use a single share for UPD across Session Collections.

    1. Create the folder where you are going to store your UPDs:
    2. From the Server Manager open File and Storage Services > Shares > Tasks > New Share.
    3. Use the SMB Share - Quick option:
    4. Specify the Share Location, set to the folder you created earlier:
    5. Specify the Share name.
    6. Review additional settings, leave them as set in default.
    7. Review permissions, again I left them as set in default.
    8. Review the details, and click Create to confirm and apply changes:
    9. You will now see the Share in Server Manager > File and Storage Services > Shares.

    Add UPDs to existing Session Collections

    Now that the share is set up you can configure/add UPDs to the existing Session Collections.

    1. Log onto your RD Connection Broker, DC2.tsdomain.local and navigate to your Collections, select the Session Collection you want to add UPDs to and from the Properties box > "Tasks" > "Edit Properties":

    2. In the Session Collection properties, select "User Profile Disks".
    3. Configure User Profile Disks:
      • Check the "Enable User Profile Disks" tick box.
      • Set the "Location" to the share created previously.
      • Set the Max size of the disks.
      • Set the Data settings.
    4. You can choose to store ALL user settings or only certain profile folders. Typically, you chose the All User Settings option by default.

    5. If you scroll down further, you have the option of included custom folders outside the default options.
      There is no specific requirement for this, so you can leave this blank if you prefer. Click OK/Apply to confirm the change.

    6. Once complete you should see the VHD Template in the share directory.

      Note: When you log in as a user you will see their UPD created after they login from the template.

    That completes the process. Your User Profile Disks are now enabled, meaning whichever Session Host they connect to, their profile will follow.

    Was this content helpful?

    © 2015 Rackspace US, Inc.

    Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

    See license specifics and DISCLAIMER