So far we’ve accomplished a lot and progressed tremendously. Now we face a challenge:
The computers in the HR and Finance departments are low-end and incapable of running the basic applications needed for work:
Finance: Quickbooks desktop edition.
HR: Clockify (Time Tracking).
NOTE: Nowadays there are cloud/web apps that can serve that purpose; my goal today is to show how RDS can help us with on-premises setups.
To tackle this, Microsoft offers us a solution: Remote Desktop Services (RDS). This set of Windows Server roles and components lets us install and run those apps on the server itself; users then connect from their workstations and run the apps as if they were local.
Now let’s get started:
What is Remote Desktop Services (RDS)?
Remote Desktop Services (RDS) is a Microsoft Windows Server technology that allows users to access Windows desktop environments and applications remotely over a network. It enables organizations to provide secure, centralized access to computer resources from various devices.
What are the components of Remote Desktop Services (RDS)?
RD Connection Broker: In a multiserver deployment, it redirects the user connection request to an available server (the one with the fewest users and the most resources available). In a single-server deployment, it just picks the same server.
RD Web Access: It provides a web interface where we can connect and download an RDP shortcut for the apps already deployed on the server. A certificate is needed.
RD Session Host: It runs all requests from all users trying to connect.
RD Gateway: Provides secure remote access through internet-facing servers, useful if we want to make this server available on the Internet.
RD Licensing: Manages client licenses.
Use cases/Benefits
At this point you may be thinking, why do we even need an RDS if we have the cloud and web apps?
That’s a great question. There are many cases where an RDS deployment can be beneficial:
Health care centers: In many countries, patient data and other sensitive information are NOT allowed to traverse the Internet, so RDS is the way to go for app deployment.
Country specific - Government regulations: Similar to the previous case, some countries don’t allow certain types of data to leave their territory, so the data stays on-prem. RDS is a great option in that case.
Call Centers / Customer / Tech Support: Standardized desktop environment for all support representatives, easy onboarding of new employees with pre-configured virtual desktops, ability to quickly scale up or down based on staffing needs.
Configuration
Let’s open the Add Roles and Features Wizard:
After hitting Next, we select Remote Desktop Services installation:
At this point, we have 2 options:
Standard Deployment.
Quick Start.
Let’s work with Standard deployment:
Here we see 2 options as well:
Virtual machine-based desktop deployment: It will create a virtual machine per session.
Session-based desktop deployment: This is the traditional way to share the RDP session and publish RemoteApp programs. We will use this one for today’s deployment.
Then we see an overview of Role Services and hit Next:
Select the RD Connection Broker, same server: BBM-RDS01:
Select the RD Web Access, same server: BBM-RDS01:
Select the RD Session Host, same server: BBM-RDS01:
Confirmation: it shows which servers will get each role installed:
Let’s check the box: Restart the destination server automatically if required.
The server will be restarted one or more times during this install process.
In Completion we can see the progress:
After a reboot, we can see it succeeded:
Now let’s open Server Manager > Remote Desktop Services:
In Deployment Overview:
We can see most of the roles in gray, which means they are already configured.
The missing ones (in green) are RD Gateway (we won’t use it for this deployment) and RD Licensing (we will configure it later).
As previously mentioned, we need an SSL certificate to use RD Web. The best-case scenario is to purchase that certificate from a trusted authority (GoDaddy, Namecheap, Network Solutions); for our case, we will create a self-signed certificate:
Open PowerShell as an Admin and run:
cd \
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName "rdp"
Now let’s set a password for the certificate. We store it in $certPassword rather than $pwd, because $PWD is PowerShell’s automatic variable for the current directory:
$certPassword = ConvertTo-SecureString -String "SetCertPasswordHere" -Force -AsPlainText
Copy the Thumbprint from the output of the first command and paste it into the following command:
Export-PfxCertificate -Cert Cert:\LocalMachine\My\D841035590D9BC4BFF5882A3E1000F7171031210 -FilePath C:\rdp.pfx -Password $certPassword
This will save the Certificate on the C drive and then we can move it to another location:
With that, we have our self-signed SSL Certificate:
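The same certificate steps as an added example (not part of the original walkthrough), with the DNS names set to what clients actually type (the server's short name and FQDN, resolved at run time) and the PFX password prompted for instead of written into the command. The C:\rdp.cer output path is an assumption of this example.

```powershell
# Added example. Assumes an elevated PowerShell session on BBM-RDS01.
$shortName = $env:COMPUTERNAME.ToLower()
$fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

# Put every name clients will type into the certificate, so the only warning
# left on workstations is about trust, not about a name mismatch.
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
    -DnsName $fqdn, $shortName `
    -NotAfter (Get-Date).AddYears(1)

# Prompt for the PFX password so it never lands in a script or in history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Use the certificate object returned above: no thumbprint copy/paste.
# The PFX holds the private key; delete C:\rdp.pfx once it has been
# imported into the RDS deployment.
Export-PfxCertificate -Cert $cert -FilePath C:\rdp.pfx -Password $pfxPassword | Out-Null

# Public certificate only (no private key). Importing this file into
# Trusted Root Certification Authorities on the workstations lets them
# validate the server instead of clicking through the browser warning.
Export-Certificate -Cert $cert -FilePath C:\rdp.cer | Out-Null

# Review what was issued.
$cert | Format-List Subject, DnsNameList, Thumbprint, NotAfter
```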
Now let’s configure the RD Licensing:
After the configuration was successful, let’s open Remote Desktop Licensing Manager:
As we can see the RD Licensing server - BBM-RDS01 is not activated yet, let’s activate it:
Let’s select Automatic connection (Recommended) and Next:
Enter the Company Information:
We can fill out more optional information and hit Next:
Let’s leave the Start Install Licenses Wizard option unchecked for now and hit Finish:
NOTE: We get 120 days of free trial with all features and options available. After that, we will need to install licenses per user.
Set permissions
The Remote Desktop Services (RDS) Server is finally set up!
Now, who will be able to connect? As stated before, this will help the HR and Finance departments, so let’s set them up with access:
Let’s first create a Security Group that will contain HR and Finance users:
For now, we will add both RW and RO groups for both departments:
Navigate to Settings > Advanced System Settings > Remote > Select Users…:
Let’s add the RDS Security Group previously created:
Testing
With the configuration and permissions in place, it’s time for testing!
Let’s log on to BBM-WS01 with Avery (a member of Finance-RW):
Open the Remote Desktop Connection client app and type in bbm-rds01 (we can also use its private IP):
It will prompt for credentials:
After entering the credentials we will be signed in:
Notice the blue toolbar on top; that’s characteristic of RDP connections.
And we are in:
Last configurations:
Let’s navigate to Server Manager > Remote Desktop Services > Tasks > Edit Deployment Properties
RD Licensing:
Let’s select Per User and hit Apply:
This applies a license to each connected user, and users will be able to use any device on the domain to connect.
RD Web Access:
Just select our server BBM-RDS01
Certificates:
Let’s set up the certificate that we previously created.
Hit Apply:
Let’s do the same for the rest and hit Apply and OK:
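The Deployment Properties steps above, scripted with the RemoteDesktop module as an added example that is not from the original article. It assumes an elevated session on BBM-RDS01, the C:\rdp.pfx file exported earlier, and that the RD Licensing role is already installed on this server.

```powershell
# Added example, run on BBM-RDS01 (single-server deployment from this article).
Import-Module RemoteDesktop

$broker      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # FQDN of this server
$pfxPath     = 'C:\rdp.pfx'
$pfxPassword = Read-Host -Prompt "Password for $pfxPath" -AsSecureString

# RD Licensing: Per User mode, with this server as the license server.
Set-RDLicenseConfiguration -LicenseServer $broker -Mode PerUser `
    -ConnectionBroker $broker -Force

# Certificates: bind the same PFX to every role present in this deployment.
#   RDRedirector = RD Connection Broker - Enable Single Sign On
#   RDPublishing = RD Connection Broker - Publishing
#   RDWebAccess  = RD Web Access
# RD Gateway is not deployed in this article, so it is skipped.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword `
        -ConnectionBroker $broker -Force
}

# Confirm what the deployment now reports for licensing and certificates.
Get-RDLicenseConfiguration -ConnectionBroker $broker
Get-RDCertificate -ConnectionBroker $broker | Format-List
```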
Now let’s set up the Apps on the BBM-RDS01:
As mentioned previously we will have:
Finance: Quickbooks desktop edition / Users can RDP into the BBM-RDS01 and work with the application.
HR: Clockify (Time Tracking) / Published as a RemoteApp.
NOTE: We won’t delve into how to install each app on the BBM-RDS01 server. The install process depends on the specific app, but it’s usually the same as for any Windows app; for any difficulties, reaching out to the vendor is advised.
Publish a RemoteApp (Clockify for HR)
We have the Clockify app already installed on our server:
Let’s navigate to Server Manager > Remote Desktop Services > Collections > Tasks > Create a Session Collection:
Hit Next:
Set Name as Apps:
Select the RD Session Host (BBM-RDS01):
For User Groups select the previously created Security Group RDS:
Profile disks: This will create a disk that will store the user’s data, let’s disable it for now:
Review and confirm:
We can verify by navigating to Server Manager > Remote Desktop Services > Collections > Apps
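The collection and RemoteApp steps above as an added example (not the article's own code), going one step further than the wizard by showing Clockify only to the HR group. The Clockify path is a placeholder because the article does not give the install location, and the domain name is taken from the logged-on admin account.

```powershell
# Added example. Assumes an elevated session on BBM-RDS01 as a domain admin.
Import-Module RemoteDesktop

$broker     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # FQDN of this server
$domain     = $env:USERDOMAIN                # NetBIOS domain of the logged-on admin
$collection = 'Apps'
$appPath    = 'C:\Path\To\Clockify.exe'      # PLACEHOLDER: set to the real install path

if (-not (Test-Path -LiteralPath $appPath)) {
    throw "Clockify executable not found at $appPath; set `$appPath first."
}

# Session collection on the single session host, as in the wizard.
New-RDSessionCollection -CollectionName $collection -SessionHost $broker `
    -CollectionDescription 'Published apps for HR and Finance' `
    -ConnectionBroker $broker

# Restrict the collection to the RDS security group created earlier.
Set-RDSessionCollectionConfiguration -CollectionName $collection `
    -UserGroup "$domain\RDS" -ConnectionBroker $broker

# Publish Clockify, visible only to HR-RW. Add further HR groups to
# -UserGroups as needed; Finance users in RDS will not see the app in RD Web.
New-RDRemoteApp -CollectionName $collection -DisplayName 'Clockify' `
    -Alias 'Clockify' -FilePath $appPath `
    -UserGroups "$domain\HR-RW" -ConnectionBroker $broker

# Verify who can use the collection and what is published to whom.
Get-RDSessionCollectionConfiguration -CollectionName $collection -UserGroup `
    -ConnectionBroker $broker
Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker |
    Format-Table DisplayName, FilePath, UserGroups, ShowInWebAccess
```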
Testing Remote App / Clockify
Let’s log on to BBM-WS01 with Teddy (a member of HR-RW):
Open a web browser and type in: bbm-rds01/rdweb. We will get an invalid certificate error because we are using a self-signed certificate; just go to Advanced and continue.
It will ask for domain credentials:
We see the Clockify application there:
It will download an RDP shortcut, we can rename it and move it to the Desktop: Clockify
Let’s run it:
From here the user will be able to log in and work normally as if the app were local:
To verify let’s go to the BBM-RDS01:
Testing Quickbooks through RDP
Let’s log on to BBM-WS01 with Avery (a member of Finance-RW):
Let’s create an RDP shortcut: BBM-RDS01 and set it on the desktop:
Then let’s connect:
We can open Quickbooks and work normally:
To verify let’s go to the BBM-RDS01:
NOTE: A common troubleshooting step for connection issues is to log in to the RDS server, find the user in Task Manager, see if they have any sessions (they may show as disconnected), then remove them all and have the user try again.
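The troubleshooting step from the note, as an added example that is not part of the original article: it lists a user's sessions through the Connection Broker and logs off only the disconnected ones. The account name avery is assumed from the test user above.

```powershell
# Added example. Assumes an elevated session on BBM-RDS01.
Import-Module RemoteDesktop

$broker = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # FQDN of this server
$user   = 'avery'   # assumed logon name of the affected user

# Every session the broker knows about for this user.
$sessions = @(Get-RDUserSession -ConnectionBroker $broker |
    Where-Object { $_.UserName -eq $user })

if ($sessions.Count -eq 0) {
    Write-Output "No sessions found for $user."
    return
}

$sessions | Format-Table UserName, HostServer, UnifiedSessionId, SessionState, IdleTime

# Log off only disconnected sessions. Unsaved work in those sessions is lost,
# so active sessions are left alone for the user to close normally.
$stale = @($sessions | Where-Object { $_.SessionState -eq 'STATE_DISCONNECTED' })
foreach ($s in $stale) {
    Invoke-RDUserLogoff -HostServer $s.HostServer `
        -UnifiedSessionID $s.UnifiedSessionId -Force
    Write-Output "Logged off session $($s.UnifiedSessionId) on $($s.HostServer)."
}
```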
Conclusion
Today we've explored Remote Desktop Services (RDS), examining its core components, diverse use cases, and significant benefits for modern organizations. Through our implementation, we've demonstrated the practical application of RDS by successfully configuring and publishing a RemoteApp for the HR Team: Clockify and enabling secure access to Quickbooks via RDP for the Finance Team. We've not only set up the infrastructure but also verified user connectivity and established troubleshooting protocols to ensure smooth remote access. This implementation showcases RDS's ability to enhance workplace flexibility, centralize application management, and provide secure remote work capabilities.
The next steps will be setting up the Domain, Emails, and much more!
Stay tuned for more content.
Thanks for reading!
Link to the series 👉 https://beyondbaremetal.hashnode.dev/series/beyond-bare-metal-setup