Deploy Remote Desktop Services in Workgroup Mode

This post will show you how to deploy a Remote Desktop Session Host (RDSH) server in a workgroup (non-domain).

This deployment is session-based and will allow the use of desktop sessions. The downside to having a non-domain-joined Session Host is that you will need to create users on the host and configure local Group Policies to restrict user access.

I have deployed a single server (non-domain-joined) with Server 2012 R2.

Details

Configuring the FQDN

As this is a workgroup server (non-domain), you will need to configure the fully qualified domain name (FQDN).

This can be done under System Properties.

Deployment

We are going to deploy the RDS 2012 Session Host role and the RDS licencing role.

This image shows the roles and features that have been installed. As you can see, the session host and remote desktop roles are shown as installed.

Adding the RDSH Certificate

First, you will need to import your certificate into the Local Computer, Personal folder, as shown in the screenshot.

Before configuring RDSH Servers you will see a warning stating that the certificate is untrusted.

This is because the configuration data for RDSH is stored in WMI, in the Win32_TSGeneralSetting class in the root\cimv2\TerminalServices namespace. You will need to change the certificate from the default using the following commands.

First, you will need to find the certificate thumbprint.

You can also use PowerShell to find the Thumbprint:

Get-Childitem Cert:\LocalMachine\My

Run one of the following commands to apply the new certificate to Win32_TSGeneralSetting:

Command Prompt:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"

PowerShell Cmd:

# Locate the RDP-tcp listener, then set its certificate thumbprint
$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}
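
The following is an added example, not part of the original post. It picks the thumbprint by checking that the certificate is actually usable for the listener (private key, validity window, Server Authentication EKU, name covering the FQDN), applies it, and reads the setting back. The FQDN value is an assumed placeholder.

```powershell
# Added example, not from the original post.
# Assumption: $Fqdn is the FQDN configured for this workgroup server.
$Fqdn = 'rdsh01.example.local'          # placeholder value
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU
$now = Get-Date

# Keep only certificates the RDP listener can present to clients:
# private key present, inside the validity window, Server Authentication EKU,
# and a DNS name that covers the FQDN. -like lets a wildcard name such as
# *.example.local match; it is looser than TLS single-label wildcard rules.
# Certificates with no EKU extension are skipped by this filter.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and
    $c.NotBefore -le $now -and $c.NotAfter -gt $now -and
    ($c.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($c.DnsNameList.Unicode | Where-Object { $Fqdn -like $_ })
}

# Prefer the certificate that expires last.
$selected = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $selected) {
    throw "No usable certificate for $Fqdn found in Cert:\LocalMachine\My"
}

$ns = 'root\cimv2\terminalservices'
$filter = "TerminalName='RDP-tcp'"
$listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter $filter
Set-WmiInstance -Path $listener.__PATH -Arguments @{
    SSLCertificateSHA1Hash = $selected.Thumbprint
} | Out-Null

# Read the setting back so a failed update does not go unnoticed.
$bound = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter $filter).SSLCertificateSHA1Hash
if ($bound -ne $selected.Thumbprint) {
    throw "Listener is bound to $bound, expected $($selected.Thumbprint)"
}
"RDP-tcp now presents '$($selected.Subject)' (expires $($selected.NotAfter.ToString('yyyy-MM-dd')))"
```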

Licencing

You will need to configure the licencing to allow multiple users to connect via sessions.

Adding Users

Add the users under Computer Management, Local Users and Groups.

Add the users to the remote desktop group.

You can also do this in the Server Manager under Local Computer.

As you are connecting to the RDSH host locally, use local\username.

Applying Security

As you can see from the screenshots, users cannot install roles and features or modify Group Policies without Administrator permissions. I would recommend configuring local group policies to lock down remote users, as you would in a domain. You can access the local Group Policy editor via MMC by adding the Group Policy editor snap-in.

Administering sessions

In the Group Policy editor, I have set the idle limit on the sessions so that if users are inactive for over an hour, their session will be terminated.

You can also manage your users from the task menu.

By right-clicking on the user, you get a number of options, including disconnecting the user, signing them off, sending messages, and Connect, which allows you to connect to a user session. You will need to be the user in question to do this.

When users are finished with their sessions they simply sign out, or they can disconnect. There is no option to shut down the server for remote session users.

If you are receiving one of the below error messages, follow the configuration steps listed to resolve your issue.

“Remote Desktop licensing Mode is not configured”

“The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license”

1) Open Command Prompt (as admin).

2) Type in the following command:

a. gpedit.msc

3) Navigate to:

a. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing

4) Select the policy: “Set the Remote Desktop licensing mode”. Click Edit.

5) Select “Enabled”, and change the dropdown to “Per User” (or device if you purchased device CALs). Click Apply.

6) Select the policy “Use the specified Remote Desktop license servers”

7) Select “Enabled”, then input the name or IP of the server you installed the licenses on (it could be the current server, or another server; in most cases you can just enter the name of the server you are on). Click Apply.

Note: When in doubt, use the local server IP. This can be found in Server Manager.

8) Navigate to:

a. Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

9) Edit the policy “Limit number of connections”.

10) Select “Enabled” and change the number to “999999”. This will allow unlimited remote connections. Click Apply.

11) In order to apply changes, the group policy must be updated. To initiate this, open Command Prompt (as admin) and enter the following command:

gpupdate.exe /force

Note: This step is required for any changes to take effect.

After following the above steps, users will be able to remote into the specified server.
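
The check below is an added example, not part of the original post. It confirms that the policy values from the steps above, plus the one-hour idle limit from the "Administering sessions" section, were actually written to the registry after gpupdate. The expected license server name is an assumed placeholder.

```powershell
# Added example, not from the original post.
# Local policy settings for Remote Desktop Services are stored under this key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Assumption: the license server entered in step 7 is this server's own name.
# Replace with the name or IP you actually entered.
$ExpectedLicenseServer = $env:COMPUTERNAME

# Expected values taken from the steps on this page.
$expected = [ordered]@{
    LicensingMode    = 4                       # 4 = Per User, 2 = Per Device
    LicenseServers   = $ExpectedLicenseServer  # "Use the specified Remote Desktop license servers"
    MaxInstanceCount = 999999                  # "Limit number of connections"
    MaxIdleTime      = 3600000                 # idle session limit in milliseconds (1 hour)
}

function Test-RdshPolicy {
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Expected
    )
    # A missing key means no policy in this category has been applied yet.
    $actual = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $value) { '<not set>' } else { $value }
            Match    = ($null -ne $value) -and ("$value" -eq "$($Expected[$name])")
        }
    }
}

$results = Test-RdshPolicy -Path $key -Expected $expected
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Match }) {
    Write-Warning 'One or more RDSH policy values differ from the configuration described on this page.'
}
```

Run it from an elevated PowerShell prompt on the session host. If you chose Per Device licensing or a different idle limit, adjust the expected values before comparing.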

Still having issues?

In some cases a trial of Remote Desktop Services will leave a registry key that requires removal. See the steps below to check if this key is set, and how to remove it.

1) Open “regedit”:

2) Navigate to the following folder:

a. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

3) Inside of the RCM folder you may see a folder titled GracePeriod with a REG_BINARY key. If the GracePeriod folder exists, the REG_BINARY key must be removed.

Note: Moving forward, ensure that you are signed in as an administrator. The following steps will not work unless your current account has admin privileges.

4) Right-click the GracePeriod folder and select “Permissions”.

5) Select the “Security” tab and click “Advanced”.

6) Change the owner to “Administrator”

a. Click “Change”.

b. Type “Administrator” in the large box and click Check names.

c. Click “Ok”

7) Apply Settings.

8) In the “Security” tab, select Administrator(s) and ensure “Full Control” is selected. Then click “Apply”.

9) Now that we have ownership of the folder, we can delete the REG_BINARY key. Right-click the “L$RTMTIMEBOMB_…” key and select “Delete”. If the permissions were set correctly, the key will delete. If you see a notice regarding permissions, please check steps 4-8 again.

10) After the key is removed we can reboot the server and resume normal function. Complete a server reboot at your convenience to finalize the registry key removal.
