Deploying a RDSH Server in a Workgroup – RDS 2012 R2


This Post will show you how to deploy a Remote desktop session server (RDSH) in a workgroup (non Domain).

This deployment is Session based and will allow the use of desktop sessions. The down side to having a none domain joined Session host is that you will need to create users on the host and configure local Group policy’s to restrict user access.

I have deployed a single server (non domain Joined) with Server 2012 R2.

Details

Configuring the FQDN

As this is a workgroup server (non Domain) you will need to configure the Fully Qualified Domain name.

This can be done under system Properites

FQDN1

FQDN2 FQDN3

FQDN4

Deployment

We are going to deploy the RDS 2012 Session Host Role and the RDS licencing role

Deployment1

Deployment3

Deployment4

Deployment 6

Deployment 7

This image shows the roles and features that have been installed, as you can see the session host and remote desktop roles are shown as installed.

Adding the RDSH Certificate

Firstly you will need to import your certificate to the Local Computer , Personal Folder as shown in the screen shot.

MMC

GPeditor

Add certificate

Before configuring RDSH Servers you will see a warning stating that the certificate is untrusted.

This is because the configuration data for RDSH is stored in the WMI, Win32_TSGeneralSetting class in WMI in the rootcimv2TerminalServices namespace. You will need to change the certificate from default using the following commands.

Firstly, You will need to find the certificate thumbprint.

RDSH Certifcate

You can also use PowerShell to find the Thumbprint:

Get-Childitem Cert:\LocalMachine\My

thumbpirnt

Run one of the following cmds to apply the new certificate to the  Win32_TSGeneralSetting:

Command Prompt:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"

PowerShell Cmd:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace rootcimv2terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Licencing

You will need to configure the licencing to allow multiple users to connect via sessions.

Deployment 8

Adding Users

Add the users under Computer Management, Local Users and groups

Deployment 9

Deployment 10

Add the users to the remote desktop group.

Deployment 11

you can also do this in the server manager under local Computer

Deployment 12

As you are connecting to the RDSH host locally, use  local\username

Applying Security

Deployment 13

Deployment 15

As you can see from the screen shots, users cannot install roles and features or modify Group Policy’s with out Administrator permissions, I would recommend configuring local group policy’s to lock down remote users, as you would in a Domain. You can access the local group policy editor via MMC and add the snapin for the Group policy editor.

GPeditor1

GPeditor2

Administering sessions

In the Group Policy editor, I have set the idle limit on the sessions so that if users are inactive for over a hour their session will be terminated.

Deployment 14.

You can also manage your users from the task menu

Deployment 18

Deployment 19

by right clicking on the user, you get a number of options including disconnecting the user, Sign them off, sending messages, and Connect which allows you to connect to a user session. You will need to be the user in question to do this.

When users are finished with their sessions they simply sign out, or they can disconnect. There is no option to shut down the server for remote session users.

Deployment 17

57 thoughts on “Deploying a RDSH Server in a Workgroup – RDS 2012 R2

  1. Hello Mr. Ray
    I have been trying to run 2012r2 in workgroup environment for quit some time of course i would like to use management tools like TSadmin and remoteapp
    I was able to get everything working except the management tools
    but I guess if we are able to make a pool maybe all the integrated management tools will work
    Advice SVP
    if not maybe a third party tool
    thx

  2. Hello,
    I also would like to use the management tools in workgroup configuration (non-domain).
    How can i get those?
    Thank u very much for deployment instructions above!

  3. Hello Mr Ray. i would like to ask about grace period on licensing server. I have problem with that. My RDS server has grace period 120 days and i cannot configure remote desktop session host. On remote desktop services it says that i’m not part of domain users. Thanks for your help.

  4. Thanks for this guide, but I am stuck on the same place as Martin Svec. You said to log in as a domain admin, but how do you log in as a domain admin when there is no domain?

      1. thanks for the response, i’m not very good with servers especially 2012. i’m trying to configure the licensing and had to look up other guides to figure out how to do this.

        i go to server manager, click on remote desktop services and go to overview. from the overview page you are supposed to be able to add the licensing servers, but instead on that page it says “You are currently logged on as local administrator on the computer. You must be logged on as a domain user to manage servers and collections”

        so i keep getting the message that the rds server has a grace period. i feel like i’m missing something easy, but i’m quite lost.

      2. You will see this message if you are trying to access the RDMS. If this is a workgroup build as in not joined to the domain. You will need to install the licencing role manually and then load the licencing MMC in the metro start menu. You can configure licencing using the local group policy’s on the Server and again this can be found in the MMC.

  5. Hi Ryan – I’m attempting to configure Remote Desktop Services on a hosted VPS that is in a Workgroup. Is it possible to use the RemoteApp functionality in this scenario? You help is greatly appreciated, thankyou

  6. Hi Ryan – I have read this article and it has resolved (I think) my licensing issue, but I am not able to connect to this workgroup server from a Windows 8,1 laptop. This failure tells me that:
    1. Remote access to the server is not enabled
    2. The remote computer is turned off.
    3. The remote computer is not available on the network.

    I suspect that option 1 is the most appropriate.

    When following your instructions, the one error I get is when using the PowerShell window and the first element of the setup fails as follows:

    PS C:\Users\Administrator> $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace rootcimv2terminalservices -Filter “TerminalName=’RDP-tcp'”).__path
    Get-WmiObject : Invalid namespace “rootcimv2terminalservices”
    At line:1 char:10
    + $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace rootcimv2termi …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    Is this what causes the failure?

  7. Following up on my last comment (currently unposted), I have fixed my issue. I spotted another information source which suggested the following:

    Open a CMD window and enter the command
    SystemPropertiesRemote

    In my case the option was set to ‘Dont allow remote connections to this computer’. Switching this to ‘Allow remote connections to this computer’ and Apply resolved my issue.

    It is worth you adding this step to your blog.

  8. Hi Ryan – I’m attempting to configure Remote Desktop Services on a hosted VPS that is in a Workgroup, but I can’t configure the RDSH server. Is it possible in this scenario? How ?
    You help is greatly appreciated, thankyou

  9. Hi! Thanks for the great description. I did everything as described (left out the gateway part) and now I’m heaving the problem, that – although I activated the license server and installed user-RDS-CALs – the server won’t issue licenses (and the grace period clock is ticking).

    Any idea what I can check? I also configured the server in gpedit.msc to use itself as the license server.

    Thanks.

  10. Hi Ryan,

    I installed RDS on a Windows 2012 R2 server in a workgroup (no AD) following the instructions from Microsoft kb2833839 article. Besides the fact that I have no RDMS, everything seems to work fine. The licensing mode has been set to Per User (mode 4).

    I can connect RDS clients with no message about the 120 days grace period. But I notice in RDS Licence server that the User CALs are not issued when RDS clients are connected to the server.

    Will I run into a problem when the 120 days grace perios will end? Thank’s in advance for your expertise,

    François

  11. Hi Ryan,

    Excellent tutorials!

    Is it possible to use User Profile Disks with a single RDS 2012 R2 workgroup deployment?

    If not how do you suggest storing Users on a separate drive?

    Thanks.

    Jonathan

  12. What is important for me would be similar to the Terminal Services Manager where I get to see whose logged in, disconnect, send message or log off a user. Is this what RDMS would do?

    1. Hello,

      Copy / paste this into notepad and save as batch file (.bat). Edit ‘servername’ into your servers name…

      @echo off
      qwinsta
      set /P id=Enter id: %=%
      mstsc /v:servername /shadow:%id% /control /noConsentPrompt

      Jelle

  13. This is all I get for role services

    TEST-SERVER Remote Desktop Services TermService Running Manual
    TEST-SERVER Remote Desktop Licensing TermServLicensing Running Automatic
    Any clues?

  14. Ryan, can you go over the license requirement again? I am unable to run the Power Shell command without an error.
    It looks incomplete from what you wrote above. Thanks, robb

  15. Hi Ryan

    Thanks for the instructions and yes I got a standalone / workgroup server running with remote desktop services. Yay!

    Next issue, if I now want to join that server to a domain, is it as simple as migrating user profiles and changing the server to join the domain or does RDS have the workgroup hard-wired to its settings ?

    thanks

    Tony

  16. Hello Ryan
    Trying to follow your instruction on inserting the certificate for RDSH and the modifications that you are doing. Can you explain in more step by step detail on were to obtain the certificate to be inserted.

  17. I had a question about a test server I setup with RDS setup on a workgroup server 2012 R2. my users are not getting assigned licenses by the server. I am still within the 120 days, but seeing it not hand out/assign the licenses makes me weary for a small production environment. Any tips?

      1. Ryan – I just want to be clear here, even though I have installed 5 user licenses your telling me the server will not work this way? I have to use device licenses? I’ll have to repurchase the the RDS licenses as device?

  18. Thank you for the article. It helped me to deploy RDS on a workgroup. I would like to have 5 users. Do I need to buy a license for 5 devices? Or just 1 since it is a device license? Can anyone please comment on how they solved the licensing problem. Your help is much appreciated!

  19. Hello Ryan, thank you so much for the tutorial. This is exactly what I need. I’m upgrading the network in a really small company, three accountants need to be able to connect remotely via RDP and launch an accounting program on the server, which will also have a MS SQL Express database.

    The question: can this be done on Windows Server 2012 R2 Foundation, with a single server? If so, apart from the Foundation licence, I will be needing three RDS CALs and nothing more, correct? Again, thanks so much.

  20. So I have this all working but I’m unsure of what to configure re licenses?? On 2008 you used the session manager and pointed at the license server but although the service is installed it doesn’t show up to configure.
    Or is the fact that I have device licenses installed all I need?
    Thanks

  21. Hi Ryan,
    Please help me. I have RDS setup on a workgroup server 2012 R2. My mission is deploy HMI via Intouch Access Anywhere ( Wonderware) to Internet, my customer want to access HMI from internet . The guidance of intouch, I must deploy remote desktop service, then add Intouch Access Anywhere through RemoteApp. But I don’t fine RemoteApp after install RDS

  22. Thank you so much Ryan. this is a really good guide, got it all working and issuing licences.

    I just wanted a simple standalone TS server here for testing and did not want to make the box a domain controller of a fictional domain and you have made it possible!

    For anyone else who makes this mistake: I jumped the gun and activated my (MSDN) licences early before following Ryan’s guide. This meant that the licences were associated with the non-FQDN server and certificate. I was able to right click in RD Licensing Manger and choose “Manage licences” then migrate them, after ticking in blood that the old server was non-functional (true of course). This gave a new line in RD Licensing Manger alongside the old one but the logins decrement this new block of licences correctly.

    Dominic

  23. Hi Ryan

    I want to generate report of all the RDS user from a workgroup machine in Windows 2008R2. As per microsoft it is not possible.Is there a way I can extract this report

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s