Server 2012 has a new Remote Desktop Services (RDS) feature set which is a great addition to any network. A common reason for wanting to implement 2012 RDS is for the Remote FX feature, RDP on steroids, which provides substantially better performance when remotely running graphic intensive applications, but there are other Remote FX bonus elements as well, in addition to other 2012 RDS features. Remote FX was included with Server 2008 R2, but the pre 2012 hardware requirements were more restrictive, and configuration was a little more involved.
Remote Desktop Services is installed a little differently than it’s predecessor Terminal Services. Most current instruction sets advise you to use the “Remote Desktop Services installation” wizard, seen in the third image below. However this automatically installs related services that conflict with those already installed on SBS, such as the Remote Desktop Gateway Service. Therefore you need to install using the “Role Based or feature-based installation” method and manually select the features to be installed.
To add a Server 2012, running the RDS role, the steps are as follows.
- Install the basic Server 2012 operating system. This can be on either a physical or virtual machine
- Next join the computer to the domain. Where this is an SBS domain you want to do this for obvious reasons, but just to note; Server 2012 RDS does require it be domain joined. To do so open the Server Manager Dashboard, click on “local server”, in the window to the right click on “Workgroup”, in the resulting window click “Change” and then select “Domain” and enter your internal domain name, such as MyDomain.local
- Once completed and you have reboot the server, I recommend installing all Windows updates.
- You can now begin the RDS installation. Make sure you have first logged in with a Domain Admin account and not a local administrator account.
- First from the Server Manager Dashboard select “Add roles and features”
- Next, as mentioned earlier, choose “Role Based or feature-based installation”
- Select the local server
- Select the “Remote Desktop Service” role and click next
- Do not select anything in the Features window, click next
- There will be a pop-up window where you can select the RDS features you wish to install. Select only the “Remote Desktop Session Host” option. You may also want to add the “Remote Desktop Licensing” service, though you can do so at a another time. The Licensing service will be discussed a little later on. Click next
- Click Add Features.
- Select restart the server automatically, and choose install.
- After a reboot the RDS service should be installed.
Tweak and configure access
There are some minor configurations to be done as well.
- Computer OU: Firstly, on the SBS, in Active Directory Users and Computers (ADUC) you should move the new server from the Computer OU to the MyBusiness\Computers\SBSServers OU. This will allow it to show up in the Windows SBS Console under the Computers tab (it may take a few minutes to show up). I usually create a sub-OU for Terminal Servers when applying group policies, but this is by no means necessary.
- User Group: Users must be granted the right to “log on though Remote Desktop Services”. To do so they need to be added to the local Remote Desktop Users” group on the RDS server, not the SBS. It would not be convenient to manage this from the RDS server, adding one user at a time so it is best in ADUC on the SBS to add a new Security Group named something like “Terminal Server Users”. Then on the RDS server, under Administrative Tools | Computer Management | Local Users and Groups | Groups, add this domain group to the local Remote Desktop Users group. This way from the SBS you can centrally manage by simply adding users to your new Terminal servers user group.
- RWW / RWA: You will also want to make the new RDS server available through Remote Web workplace / Remote Web Access. If added to the proper OU above it will be by default with SBS 2008, however with SBS 2011 you need to add a registry key. The following link explains: https://blog.lan-tech.ca/2011/12/12/add-a-terminal-server-to-the-sbs-2011-rwa-page/ Note, that this does not apply to Server Essentials.
- Certificate: Accessing the RDS server through RWA or using the RDP client and RD Gateway requires an SSL certificate. Where you are adding this to an SBS domain, access will use your existing certificate. Should you need to add a certificate, please see: https://blog.lan-tech.ca/2012/05/17/sbs-2008-2011-adding-an-ssl-certificate/
- Router Configuration: Traditionally Terminal Services required forwarding port 3389 from the router to the Terminal server’s IP. SBS makes use of the Remote Desktop Gateway service and allows you to connect directly to the RDS server more securely using SSL and port 443. This does require that port 443 be forwarded to the SBS, but presumably this is already configured if you are using OWA, RWA, and/or Sharepoint.
- RDP client: To access using the RDP client simply enter the RDS server’s name in the “Computer” box, and your SBS site’s FQDN in the RD Gateway server name box, under advanced | settings.
- RDS also requires a CAL (Client Access License) be assigned to each device or user in order to use Remote Desktop Services. This is managed with the Remote Desktop Licensing service mentioned earlier. There is a 120 day grace period before you are required to install the Licensing service, purchase, and add your CAL’s. If you exceed the 120 day grace period, users will be blocked from accessing the RDS server.
- The service can be installed on an another similar vintage server in the domain, but for simplicity the following steps installs on the same server. If not already done, It is installed by running the Add Roles wizard in Server Manager, in the Add Roles window, expand Remote Desktop Services, select the Remote Desktop Licensing service, then complete the wizard.
- Open the RD Licensing manager, located under Administrative Tools | Remote Desktop services. Expand All servers, right click on your server, choose Activate Server, and complete the required company information fields. The last step will let you add your CAL’s now, but I recommend waiting until completing your configuration.
- Right click on the server and choose “Review Configuration”. You may need to add the licensing server to the appropriate group in ADUC. You can do so easily by clicking the Add to Group button.
- Licensing mode: CAL’s can be purchased as Per Device or Per User. The latter tends to be more common. A single Per User CAL allows one user to connect from as many devices as they like; office PC, home PC, hotel lobby PC, laptop, etc. A per Device CAL allows many users to connect from only one device. The latter is generally only used in situations similar to a call center. Though you can mix User and Device CAL’s it is best to pick one or the other. To set the licensing mode, open the local security policy by entering gpedit.msc in the Run box. Locate the following policy, enable, and set the licensing mode. Computer Configuration | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Licensing | Set the Remote Desktop licensing mode.
- If you run the RD Licensing Diagnoser under Administrative Tools | Remote Desktop services, and it states a licensing server has not been specified, you may also have to manually enter the server’s name in the local security policy . It is located in the same place as the policy in the last step and named “Use the specified Remote Desktop license servers”.
- Server CAL’s: The discussion so far relates to RDS CAL’s but it should be noted that any user accessing any server on the network also requires Server CAL’s. Accessing the SBS and any other server of the same version year or older is covered by SBS CAL’s. Anyone accessing the new 2012 Server will also need Server 2012 CA’s in addition to SBS CAL’s.
- You may also have to edit the Windows firewall. Exceptions should automatically be created but on occasion they are not. You can verify and edit by using Control Panel | Windows Firewall | Allow an app or feature through the windows Firewall, and compare to the following screen shot. It seems to be the Remote Desktop Services Public setting that is not always enabled.
Your RDS server should now be fully functional.