Remote Desktop Services (RDS) is the Windows Server platform for delivering remote desktops and applications to users over a network. It goes well beyond simply enabling Remote Desktop on a server — a full RDS deployment includes multiple role services working together to provide scalable, load-balanced, and brokered remote sessions. This guide covers both basic RDP configuration and a production RDS deployment.
Simple RDP vs Remote Desktop Services
Every Windows Server supports up to two simultaneous administrative Remote Desktop connections for management purposes — this does not require the RDS role and does not need RDS CALs. Enable it under System Properties > Remote tab, or:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
The Remote Desktop Services role is required when you need more than two simultaneous connections, want to publish RemoteApps (individual applications rather than full desktops), or need Web Access for browser-based connections.
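The two commands above change one registry value and one firewall rule group. The following read-only check is an added example, not part of the original guide. It reports the resulting exposure. The Network Level Authentication check (the `UserAuthentication` value) covers a setting the guide does not mention and is included as an assumption about what a reviewer would want to see.

```powershell
# Added example: read-only review of what enabling RDP exposed on this server.
$tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

$deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

# Enabled inbound rules in the group that Enable-NetFirewallRule switched on,
# with the remote addresses each rule accepts.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = "$($_.Profile)"
            RemoteAddress = $addr.RemoteAddress -join ','
        }
    }

$findings = @()
if ($deny -eq 0 -and $nla -ne 1) {
    $findings += 'RDP is enabled but Network Level Authentication is not required'
}
foreach ($r in $rules) {
    # A rule on the Public (or Any) profile with no address restriction
    # accepts RDP from every network the server is attached to.
    if ($r.Profile -match 'Any|Public' -and $r.RemoteAddress -eq 'Any') {
        $findings += "Firewall rule '$($r.Rule)' accepts any remote address on profile $($r.Profile)"
    }
}

[pscustomobject]@{
    RdpEnabled    = ($deny -eq 0)
    NlaRequired   = ($nla -eq 1)
    ListenPort    = $port
    EnabledRules  = @($rules).Count
    Findings      = $findings
} | Format-List
```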
RDS Role Services
A complete RDS deployment uses several role services. For smaller deployments, these can all run on one server; for larger ones, each runs on dedicated machines:
- RD Session Host: The server where users actually run their sessions. This is where CPU, RAM, and disk performance matter most.
- RD Connection Broker: Manages session routing, load balancing across multiple Session Hosts, and reconnecting users to their existing sessions.
- RD Web Access: Provides a website where users launch RemoteApps or full desktops from a browser.
- RD Gateway: Tunnels RDP traffic inside HTTPS, allowing remote users to connect without a VPN. Listens on port 443.
- RD Licensing: Manages RDS Client Access Licenses (CALs). Every user or device connecting to RDS (beyond admin connections) requires an RDS CAL.
Quick Deployment for Small Environments
Server Manager includes a guided RDS deployment wizard. In Server Manager, click Manage > Add Roles and Features, then on the installation type page select Remote Desktop Services installation rather than role-based installation. Choose Quick Start for a single-server deployment — this installs Session Host, Connection Broker, and Web Access on one machine automatically.
RD Licensing
After the first 120-day grace period, RDS connections will fail without valid CALs installed on an RD Licensing server. Install the RD Licensing role and activate it:
Install-WindowsFeature -Name RDS-Licensing -IncludeManagementTools
Open RD Licensing Manager, right-click your server, and choose Activate Server. Use the web browser activation method if your server has internet access. After activation, right-click again and choose Install Licenses to enter your CAL packs.
Point your Session Host at the licensing server via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > RD Session Host > Licensing. Configure both the licensing server address and the license type (Per User or Per Device).
Publishing RemoteApps
RemoteApps publish individual applications to users — the application appears to run on the local machine but executes on the Session Host. In Server Manager > Remote Desktop Services > RemoteApp Programs, click Publish RemoteApp Programs and select the applications to publish (e.g., Microsoft Word, a line-of-business application).
Users access published RemoteApps through the RD Web Access portal (https://rdweb.corp.local/RDWeb) or via an RDP file you distribute through Group Policy or email.
User Profile Disks
In a multi-session-host environment, users may connect to different servers on different days. User Profile Disks (UPDs) store user profiles on a central network share as VHD files, mounted at logon. This gives users a consistent profile regardless of which Session Host they land on.
Configure UPDs in Server Manager > Remote Desktop Services > Collections > right-click your collection > Properties > User Profile Disks. Specify a UNC path on a high-performance file server.
RD Gateway Configuration
RD Gateway lets external users connect over HTTPS without a VPN. After installing the RD Gateway role, bind an SSL certificate (from a public CA, matching your external DNS name) and create Connection Authorization Policies (CAP) and Resource Authorization Policies (RAP):
- CAP defines who can connect through the gateway (e.g., members of Domain Users)
- RAP defines what they can connect to (e.g., specific servers or the entire domain)
External users configure their RDP client to use rdgateway.corp.com as the gateway server, and the connection is tunnelled through port 443, which is typically open on any corporate firewall.
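Because the CAP and RAP together decide who can reach what from the internet, it is worth reviewing how broadly they are scoped. This added example (not from the original guide) uses the RDS: drive of the RemoteDesktopServices module on the gateway server to list every policy and flag wide scope. The list of "broad" group names is a constructed assumption to adjust locally.

```powershell
# Added example: read-only review of RD Gateway CAP and RAP scope.
Import-Module RemoteDesktopServices   # provides the RDS: drive on the gateway server

# Constructed list of group names treated as too broad; adjust to local policy.
$broadUserGroups     = 'Domain Users', 'Authenticated Users', 'Everyone'
$broadComputerGroups = 'Domain Computers'

$report = foreach ($kind in 'CAP', 'RAP') {
    foreach ($policy in Get-ChildItem -Path "RDS:\GatewayServer\$kind") {
        $path  = "RDS:\GatewayServer\$kind\$($policy.Name)"
        $notes = @()

        # User groups are stored as name@domain; compare on the name part only.
        $groups = @((Get-ChildItem -Path "$path\UserGroups").Name)
        if ($groups | Where-Object { ($_ -split '@')[0] -in $broadUserGroups }) {
            $notes += 'broad user group'
        }

        $target = ''
        if ($kind -eq 'RAP') {
            # ComputerGroupType: 0 = gateway-managed group, 1 = AD security group,
            # 2 = any network resource.
            $type   = (Get-Item -Path "$path\ComputerGroupType").CurrentValue
            $target = (Get-Item -Path "$path\ComputerGroup").CurrentValue
            if ($type -eq 2) {
                $notes += 'allows any network resource'
            }
            elseif (($target -split '@')[0] -in $broadComputerGroups) {
                $notes += 'allows every domain computer'
            }
        }

        [pscustomobject]@{
            Kind       = $kind
            Policy     = $policy.Name
            UserGroups = $groups -join '; '
            Target     = $target
            Notes      = $notes -join '; '
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```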
Performance Tuning for Session Hosts
Plan approximately 1 vCPU and 1.5-2 GB RAM per concurrent RDS user for typical office workloads (Office, browser, email). Use SSDs for the OS volume and user profile disk storage. Limit the number of concurrent sessions per Session Host and scale out with additional Session Hosts behind the Connection Broker rather than stacking more users on one machine.