These days I’m trying Windows Server 2019 in depth. Today I chose to pay attention to Remote Desktop Services. The goal of my lab is to deploy an RDS farm with all components and with the new HTML5 Remote Desktop client. Even though I’m running my lab on Windows Server 2019, you can also deploy the HTML5 client on Windows Server 2016. In this topic, I want to share with you the steps I followed to deploy the Windows Server 2019 RDS farm.
Requirements
To make this lab, I have deployed four virtual machines which are running Windows Server 2019:
- RDS-APP-01: RD Host Server that hosts the RemoteApp collection
- RDS-DKP-01: RD Host Server that hosts the Remote Desktop collection
- RDS-BRK-01: Hosts RD Broker and RD Licensing
- RDS-WEB-01: Hosts RD Web Access and RD Gateway
Then I have a public certificate for the RD Web Access and RD Gateway roles:
I also have a private certificate for RD Broker publishing and RD Broker connection. To create this certificate, I duplicated the Workstation Authentication ADCS template as described in this topic.
I have saved both certificates in PFX format (with the private key) and in CER format (just the public certificate).
Finally, I have two DNS zones:
- SeromIT.local: Active Directory forest zone
- SeromIT.com: split zone, hosted by the local domain controllers and by a public provider. I use this zone to connect from the Internet. In this zone I have created two records:
  - Apps.SeromIT.com: pointing to RDS-WEB-01 (CNAME)
  - RDS-GW.SeromIT.com: pointing to RDS-BRK-01 (CNAME) for the gateway
RDS farm deployment
To deploy the RDS farm, I use only PowerShell, so that I can reproduce the deployment for other customers. First of all, I run a Remote Desktop deployment to configure an RD Web Access, an RD Broker and an RD Host Server:
```powershell
New-RDSessionDeployment -ConnectionBroker RDS-BRK-01.SeromIT.local `
                        -SessionHost RDS-DKP-01.SeromIT.local `
                        -WebAccessServer RDS-WEB-01.SeromIT.local
```
Then I run PowerShell cmdlets to add another RD Host Server, an RD Licensing role and an RD Gateway role.
```powershell
Add-RDServer -Server RDS-APP-01.SeromIT.local `
             -Role RDS-RD-SERVER `
             -ConnectionBroker RDS-BRK-01.SeromIT.local

Add-RDServer -Server RDS-BRK-01.SeromIT.local `
             -Role RDS-Licensing `
             -ConnectionBroker RDS-BRK-01.SeromIT.local

Add-RDServer -Server RDS-WEB-01.SeromIT.local `
             -Role RDS-Gateway `
             -ConnectionBroker RDS-BRK-01.SeromIT.local `
             -GatewayExternalFqdn RDS-GW.SeromIT.com
```
Once these commands are run, the role deployment is finished:
Now we can configure the certificates.
Certificate configuration
To configure each certificate, I use PowerShell again. Remember, I have stored both certificates in PFX format in C:\temp\RDS on my broker server.
```powershell
# Prompt once for the PFX password; the same password is used for all imports
$Password = Read-Host -AsSecureString

# Public wildcard certificate for the roles exposed to clients
Set-RDCertificate -Role RDGateway `
                  -ImportPath C:\temp\RDS\wildcard_SeromIT_com.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDWebAccess `
                  -ImportPath C:\temp\RDS\wildcard_SeromIT_com.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

# Private broker certificate for publishing and connection redirection
Set-RDCertificate -Role RDPublishing `
                  -ImportPath C:\temp\RDS\Broker.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDRedirector `
                  -ImportPath C:\temp\RDS\Broker.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force
```
Once these commands are executed, the certificates are installed for each role:
Collection creation
Now I create a collection to add resources inside the RD Web Access portal:
```powershell
New-RDSessionCollection -CollectionName Desktop `
                        -CollectionDescription "Desktop Publication" `
                        -SessionHost RDS-DKP-01.SeromIT.local `
                        -ConnectionBroker RDS-BRK-01.SeromIT.local
```
Then, from Server Manager, you can configure the settings of this collection:
Enable HTML 5 Remote Desktop client
In this lab, I don’t want to use the legacy portal. I’d like to use the super cool new HTML5 RD client. To enable this client, I connect to the server hosting the RD Web Access role and I run the following cmdlet:
```powershell
Install-Module -Name PowerShellGet -Force -Confirm:$False
```
Then close and reopen the PowerShell window, and execute this command:
```powershell
Install-Module -Name RDWebClientManagement -Confirm:$False
```
Then copy the RD Broker certificate in CER format onto the RD Web Access server and run the following cmdlets:
```powershell
# Trust the broker certificate so the web client can validate the connection info it receives
Import-RDWebClientBrokerCert c:\temp\broker.cer

# Download the latest web client package and publish it on the production URL
Install-RDWebClientPackage -Latest
Publish-RDWebClientPackage -Type Production -Latest
```
Now you can connect to the RD Web client by using the following URL: https://
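As an added post-deployment check (example code, not from the original post), the following script verifies the security-relevant state of the farm after these steps: that the four role certificates are trusted and not near expiry, that the public gateway name resolves to the server that actually holds the RD Gateway role, and that the broker certificate imported into the HTML5 client is the RDPublishing certificate. The server and DNS names are the lab’s; that `Get-RDWebClientBrokerCert` output exposes a `Thumbprint` property is an assumption.

```powershell
# Added post-deployment check, not part of the original post. Run it on the broker
# with the RemoteDesktop module. Names below match the lab; change them for your farm.
$Broker       = 'RDS-BRK-01.SeromIT.local'
$GatewayFqdn  = 'RDS-GW.SeromIT.com'
$MinDaysValid = 30

# 1. Each role certificate must be configured, trusted by the broker, and not close to expiry.
foreach ($Role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    $Cert = Get-RDCertificate -Role $Role -ConnectionBroker $Broker
    if ($Cert.Level -ne 'Trusted') {
        Write-Warning "$Role : certificate level is '$($Cert.Level)', expected 'Trusted'"
        continue
    }
    $DaysLeft = [int]($Cert.ExpiresOn - (Get-Date)).TotalDays
    if ($DaysLeft -lt $MinDaysValid) {
        Write-Warning "$Role : certificate $($Cert.Thumbprint) expires in $DaysLeft days"
    } else {
        Write-Output "$Role : OK, thumbprint $($Cert.Thumbprint), $DaysLeft days left"
    }
}

# 2. The public gateway name must point at a server that actually holds the RD Gateway role.
#    Only the host label is compared, because the public zone (SeromIT.com) and the
#    AD zone (SeromIT.local) differ.
$GatewayHosts = Get-RDServer -ConnectionBroker $Broker |
    Where-Object { $_.Roles -contains 'RDS-GATEWAY' } |
    ForEach-Object { ($_.Server -split '\.')[0].ToLower() }
$Target = Resolve-DnsName -Name $GatewayFqdn -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' } |
    ForEach-Object { ($_.NameHost -split '\.')[0].ToLower() }
if ($Target -and ($GatewayHosts -contains $Target)) {
    Write-Output "$GatewayFqdn -> $Target, which holds the RD Gateway role: OK"
} else {
    Write-Warning "$GatewayFqdn resolves to '$Target' but the gateway role is on: $($GatewayHosts -join ', ')"
}

# 3. The broker certificate imported into the HTML5 client must be the one the broker
#    publishes with. Get-RDWebClientBrokerCert only exists where RDWebClientManagement
#    is installed (the RD Web Access server), so this step is skipped elsewhere.
if (Get-Command Get-RDWebClientBrokerCert -ErrorAction SilentlyContinue) {
    $Published = (Get-RDCertificate -Role RDPublishing -ConnectionBroker $Broker).Thumbprint
    $Imported  = (Get-RDWebClientBrokerCert).Thumbprint   # assumption: output exposes Thumbprint
    if ($Imported -eq $Published) { Write-Output "Web client broker certificate matches RDPublishing: OK" }
    else { Write-Warning "Web client has '$Imported', RDPublishing uses '$Published'" }
}
```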
Conclusion
I like the RD Web client for several reasons. First, you can connect to an RDS session from any HTML5-ready web browser. You no longer need a compatible RD client, and you can connect from several devices such as a Mac, a Linux device, or maybe a tablet or smartphone. Secondly, the HTML5 client doesn’t require the SSO settings we needed with the legacy portal, so the deployment is easier than before. And finally, I find this client more user friendly than the legacy portal. The only thing missing is the ability to enable the HTML5 client with a single click or a single PowerShell cmdlet, or to have it enabled by default.
Hi great post, does USB redirection work?
I didn’t try sorry 🙂
Merci Romain,
Great post x2 🙂 Does it work for testing purposes with autosigned certificates?
Thanks
Yes, it should work with an autosigned certificate. 🙂
Thanks for your post. What if I have certificate problems, even though I’ve done it the same way as you?
Is it possible to contact you directly?
Hey,
You can contact me at serre [dot] rom [at] outlook [dot] fr.
You have 4 servers to begin with, but then in the later section you have a brand-new RDS-DKP-01.SeromIT.local, seemingly a 5th server… can you please explain what’s going on? I appreciate your walk-through, brother!
Hey, it’s a mistake. I have only 4 servers; it’s a typo. I’ll correct that.
You the man, Romain!
Hi, thanks for the article. To save the next reader a bunch of time troubleshooting: you reference the CNAME for the Gateway pointing to the RDS-BRK-01 server, when it should be the RDS-WEB-01 server, where you install the gateway role.
Hi, thank you very much for your guide, I really appreciate your work here.
I have 1 Question regarding Clustering.
I read that with 2019 you can cluster the Licensing using a SQL database. How would that change the deployment if we want every server clustered?
Hello, I never read this statement in the documentation so I don’t know sorry.
Hi, what type of Licensing do you use? User or Device? Freek Berson wrote in his blog that you need to use Per User Licensing for the HTML5 client… Did you try it per Device too?
Hello,
When using RD Web Client, you have to use “Per User” license model.
I’m wondering which of these servers can be installed as Server Core, and which need to be the full desktop experience?
Hello,
The following services must be located on a Windows Server with the full GUI experience: RD Gateway, RD Host.
Romain.
Hello!
Thanks for a great post!
Does this mean that I only log in once and can then use any published app without needing to re-enter my credentials when using non-domain-joined devices?
Thank you once again!
Regards,
Adi
Yes, indeed 🙂 I use it to connect to my lab from a non-domain-joined device, and I specify my password only once.
Hi,
Is it possible to create HA this way, so that a user’s Remote Desktop is automatically moved to other terminal servers when the one they originally connected to goes down?
I have been looking for something like that for a while, and I was thinking about using the HTML5 client instead, and it might work.
It should work like Hyper-V Live Migration / Failover.
Hello,
When you create an RD farm, the broker is in charge of distributing the workload among the RD Servers. If an RD Server is down, the broker is able to detect it and stops distributing traffic to this RD Server.
It looks like HTML5 doesn’t have MFA support? So I won’t use it in production I think.
You have to setup MFA via NPS, not in the HTML5 client. Azure MFA is fully supported for RDS connections through a gateway, so you must force even internal connections to go via the gateway.
Hello, great article,
RDS-GW.SeromIT.com: leading to RDS-BRK-01 (CNAME) for the gateway — is that the correct cname to the connection broker ?
Thanks
Hi,
Like many before me, I really want to thank you, Romain.
That’s a great article and it’s very well explained!
I wanted to know if there’s a way to set the default on the customized RD Web client HTML so that it downloads the RDP file for everyone who enters?
Thanks!!
For the certificates, why did you use two, one for the broker and one being a wildcard? I understand what the wildcard is for, but can you go into a bit more detail or point to some documentation for the broker cert?
Hello, thanks for the write-up! Can this method be used to create a Windows 10 session in an HTML5 browser window?
Worked for me, in Chrome and Explorer, though I have to say that it takes around 5 minutes for the session to begin (at least in my case), so I’d just rather use the RDP files.
Hi !
How can I configure “Desktop” in app publishing?
In my work resources I added the “calculator” and it works fine. But I want my domain users to open a “virtual Windows” in their browsers.
Could you help me pls?