Installing Remote Desktop Services

Remote Desktop Services is a role, but the installation is a bit different from the past roles that you may have installed. Here’s how to install RDS:

1. Starting from Server Manager, click Manage and then click Add Roles and Features.

   The Add Roles and Features Wizard opens.

2. On the Before You Begin screen, click Next.
3. On the Select Installation Type screen, select Remote Desktop Services Installation, as shown in Figure 3-1, and click Next.
4. On the Select Deployment Type screen, select Quick Start and click Next.
5. On the Select Deployment Scenario screen, choose Session-Based Desktop Deployment and click Next.
6. On the Select a Server screen, the server you are on is already selected, so just click Next.

7. On the Confirm Selections screen, check the Restart the Destination Server Automatically If Required check box, and then click Deploy.

   You see a progress screen as the role installs (see Figure 3-2). When the role is installed, the server reboots.

8. After the server reboots, click Close.

Configuring user-specific settings

After you have RDS installed, you may be tempted to let people start connecting and enjoying the service, but you should hold off because you may want to make some changes first. If you use roaming profiles, you may want to set the RDS server to use roaming profiles. You may also want RDS to map the user’s home drive. The goal is generally going to be giving your end users the best experience possible, with things like being able to access mapped drives and applications just as they would on a regular, physical desktop. You can do all of these things in RDS just as you do with regular user sessions.

1. Log on to a system that has the RSAT tools installed for Active Directory.
2. Click Server Manager and then choose Tools⇒  Active Directory Users and Computers.
3. Expand your domain name and select the Users container.

4. Double-click a user account.

   In this example, I’m using my Karen Smith account.

   The Properties dialog box for the user you selected appears.

5. Click the Remote Desktop Services Profile tab (see Figure 3-3).

   

6. Fill in the information as needed.

   Here are your options:

   • Profile Path: Fill this in if you’re using roaming profiles.
   • Remote Desktop Services Home Folder: This sets the home drive for the user when they log into a session on RDS.
   • Deny This User Permissions to Log on to Remote Desktop Session Host Server: Checking this box blocks the user from connecting through RDS, regardless of whether they’re part of a security group that allows it.

Configuring apps

One of the really useful things about RDS is the ability to publish apps. You may be publishing them to a user’s desktop, or you may want to make them available through RD Web Access. There are common reasons to share applications through RDS. Applications that rely on old versions of Java or Flash or Internet Explorer, for example, are great candidates for this service. By using RDS to support this legacy application, you only have the old version of the software installed on one system, rather than all the systems where users need to use the legacy application. This reduces the amount of vulnerable software on your network. Windows Server 2022 has three apps already shared by default (assuming you deployed with the Quick Start method — see “Installing Remote Desktop Services,” earlier in this chapter): Calculator, Paint, and WordPad. Let’s say the business doesn’t want users to work with WordPad through RDS; instead, it wants users to work with Notepad++. You can install Notepad++ on the server and configure it to be used over RDS. In that case, you would follow these steps:

1. Download the Notepad++ executable and install it on the Windows server you installed RDS on earlier.
2. From Server Manager, click the side menu where it says Remote Desktop Services.
3. Click QuickSessionCollection located under Collections.
4. In the RemoteApp Programs window, click Tasks and then click Publish RemoteApp Programs.
5. Click Add, locate the executable for Notepad++, make sure it’s selected (see Figure 3-4), and then click Next.
6. On the Confirmation screen, click Publish.
7. On the Completion screen, click Close.
8. Right-click the newly added app, and choose Edit Properties.

   

9. Click User Assignment.

   By default, everyone has access to the new app. However, you can change that by selecting Only Specified Users and Groups.

10. Make your changes if desired, and click OK.

That’s all there is to configuring an application and making it available to your users with RDS.

Using RD Web Access

RDS has a great feature known as RD Web Access, which allows you to connect to applications or Remote Desktop sessions via a standard web browser. By default, when you install RDS in Quick Start mode this is enabled, and the address follows this format: https://serveraddress/RDWeb.

You can control which applications are visible in RD Web Access from the same screen where you publish new apps. By default, they're published in RD Web Access when you publish them on the RDS Server. If you don’t want an app to be in RD Web Access, you can edit the properties of the app. The General tab has an area titled Show the RemoteApp Program in RD Web Access. Simply change the button to No and click OK to remove it.

Before you can access the RD Web Access page, you need to configure a Secure Sockets Layer (SSL) certificate. In previous versions of Windows Server, a self-signed certificate was automatically created and you could just bypass certificate warnings. A self-signed certificate is no longer created by default, however, so let’s create one and attach it to the RDWeb service. Follow these steps:

1. Open Server Manager and select Remote Desktop Services from the menu on the left.
2. On the Overview screen, click the Tasks drop-down next to Deployment Overview.
3. Select Edit Deployment Properties.
4. Select Certificates to expand it.
5. Click RD Web Access

6. Click Create New Certificate

   You can alternatively click Select Existing Certificate if you have a certificate issued from your enterprise Public Key Infrastructure (PKI) system.

7. For certificate name, you need to enter a fully qualified domain name (FQDN).

   For my example, I’ve entered server2022-svr2.sometestorg.com.

8. Enter a password.
9. Select the Store This Certificate check box and choose a location to save the certificate.
10. Check the Allow the Certificate to Be Added to the Trusted Root Authorities Certificate Store on the Destination Computers check box.

11. Click OK.

    State will say Ready.

12. Click Apply.

    After you’ve clicked Apply, State will say Successful.

Keep in mind that you only need to perform steps 6 through 11 if you don’t have a certificate already issued by a trusted certificate authority. If you’d like to know more about deploying your own certificate authority in Windows Server, check out Book 5, Chapter 6.

I assume if you’re reading and you’ve done this setup that you want to play with RD Web Access. Open your web browser (on a system that is not the RD web server) and enter the address for your RD web server. In my case, the address is https://server2022-svr2.sometestorg.com/RDWeb.

You may get an error due to an untrusted certificate. This is expected because the certificate is self-signed if you chose to create a certificate in the previous instructions. You can safely disregard this message for now. After you’ve entered the address, you should see a screen similar to Figure 3-5.

When you log in to RD Web Access, you see all your published apps that you have permissions to. If you were following along in the previous section and installed the Notepad++ application, you see the icon for Notepad++ in the list. Click that icon to launch Notepad++.

You may get a message saying that a website is trying to run a RemoteApp program. It’s complaining because Microsoft doesn’t recognize the publisher. Because you know that Notepad++ is safe, go ahead and click Connect. You see a dialog box that says Starting Your App (see Figure 3-6). After the remote connection to the server is established, the application will open just as if it were installed on your system.

Configuring and using RDS licensing

Licensing for RDS is done with client access licenses (CALs). A CAL is essentially a commercial license that allows you to consume a service on a server. The RDS CAL specifically is used to license either a user or device that is connecting to the RDS server.

There are two types of Remote Desktop Services (RDS) licensing:

• Device-based licensing: Device-based licensing has the following characteristics:
  • It’s physically assigned to a device.
  • It can be tracked regardless of whether a device is in Active Directory or not.
  • Temporary CALs are good for up to 89 days.
  • CALs can’t be over-assigned.
• User-based licensing:
  • CALs are assigned to users in Active Directory.
  • CALs can’t be tracked via workgroup; they can only be tracked via Active Directory.
  • Temporary CALs aren’t available.
  • CALs can be over-assigned (which allows you to go over what you’re allowed in your licensing agreement).

You need to have an active licensing server to be able to assign licenses. I find it strange that this piece doesn’t get installed with the other components for RDS. Here’s how to install the licensing role onto your RDS server:

1. From Server Manager, click the left side of the screen where it says Remote Desktop Services.
2. In the Deployment Overview window, click the green plus sign labeled RD Licensing to start adding the RD licensing role.
3. Select your server and click the arrow to move your server into the selected box.
4. Click Next and then click Add.

5. Click Close.

   Now that RD Licensing is installed, the plus sign has been replaced by a ribbon icon, as shown in Figure 3-7.

6. Click the Tasks button right above RD Licensing and choose Edit Deployment Properties.

7. Click RD Licensing and select which licensing mode you want to use.

   I’m going to select Per User.

8. Click OK.

Now that the licensing server is installed, let’s look at how to add a license to the RDS server:

1. From Server Manager, choose Tools⇒  Remote Desktop Services⇒  RD Licensing Manager.
2. Right-click the server name and choose Activate Server.
3. In the Welcome to the Activate Server Wizard, click Next.
4. Under Connection Method, leave it on Automatic Connection and click Next.
5. Enter your company’s information, and click Next.

6. Skip the next screen because it’s asking for additional optional information — just click Next.

   You see a message that says “Activating the License Server.”

   If activation was successful, you see the Completing the Activate Server Wizard screen.

7. Click Finish.

Now that your RDS server is activated, you can install your CALs.

1. Right-click the server and choose Install Licenses.
2. On the Welcome screen, click Next.
3. Select the program that you purchased your licenses through, and click Next.
4. Enter the information for your license program (a license code, agreement/authorization code, or something along those lines), and click Next.

5. Select your product version, your license type, and the number of licenses you want to install, and click Next.

   You server will reach out to Microsoft to retrieve the licenses.

6. After the licenses are retrieved, click Finish.

Your RDS server is now installed and licensed. Your users are able to connect to remote desktop sessions and do their work as if they were sitting in front of a desktop in the office. Or maybe they can access a legacy application that has historically had difficulty running on their regular desktops. Setting up RDS is not a small or simple task, but it’s a very useful service to support your business’s needs.

Network Policy Server

Network Policy Server is a component of NPAS that allows you to centrally manage authentication, authorization, and accounting for various devices on the network. It’s very commonly used to support authentication on network switches and firewalls. After you’ve installed NPAS, you can access NPS from Server Manager by choosing Tools⇒  Network Policy Server.

Setting up a RADIUS client

For this scenario, let’s say you have a Cisco switch. You’ve been logging into the switch locally, but you want to configure a central source of authentication so that you don’t have to remember a username and password for every switch in your environment. The configuration of the switch to point to the RADIUS server is out of scope for this book, but the configuration of the client is not. Here’s how to set up the RADIUS client for a Cisco switch:

1. From Server Manager, choose Tools⇒  Network Policy Server.
2. Expand RADIUS Clients and Servers and select RADIUS Clients.

3. Right-click RADIUS Clients and choose New.

   The New RADIUS Client dialog box appears.

4. Fill in the friendly name, the IP address, and the shared secret.

   The dialog box should look similar to Figure 3-8.

5. Click the Advanced tab.
6. From the Vendor Name drop-down list, select Cisco.
7. Click OK.

Setting up a network policy

Network policies control what is allowed to authenticate through your RADIUS server. Here’s how to configure a basic network policy:

1. From Server Manager, choose Tools⇒  Network Policy Server.
2. Expand Policies.
3. Right-click Network Policies and select New.

4. Give the policy a name and specify the type of network access server.

   In this case, I’ve named the policy Domain Admins to Network Switches and I’ve left the type of network access server on Unspecified.

5. Click Next.

6. On the Specify Conditions screen, specify what conditions must be met for the policy to apply.

   I followed these steps:

   1. Select the condition User Groups.
   2. Click Add.
   3. Click Add Groups.
   4. Type Domain Admins and then click OK.
   5. Click OK one more time.
   6. Click Add.
   7. Select the condition Client Vendor.
   8. Click Add.
   9. Choose Cisco
   10. Click OK.
7. Back on the Specify Conditions screen, you can add another condition or click Next.
8. On the Specify Access Permission screen, select Access Granted, and click Next.
9. On the Configure Authentication Methods screen, click Next.
10. On the Configure Constraints screen, click Next.
11. On the Configure Settings screen, click Next.
12. On the Completing New Network Policy screen, click Finish.

You can see in Figure 3-9, my new Allow policy on top of the deny policies. If an incoming connection doesn’t match my policy, it will automatically be denied.