Tutorial on how to deploy Windows 2016 RDS with PowerShell on a Single Server
Updated based on Windows 2019 RDS Server
Lab Components
Server Name | IP Address | Functionality |
---|---|---|
DEV-AD01.AVENTIS.DEV | 10.10.10.30/24 | AD Domain Controller |
DEV-RDS01.AVENTIS.DEV | 10.10.10.31/24 | RD Licensing, Session Host & Connection Broker |
DEV-RDSGW.AVENTIS.DEV | 10.10.10.32/24 | RD Web & Gateway |
Enable RDS Roles
The New-RDSessionDeployment cmdlet installs the role services required to create a session-based Remote Desktop Services (RDS) deployment.
Enable all RDS Roles from DEV-AD01 Server
Import-Module RemoteDesktop
$RDS01 = "dev-rds01.aventis.dev"
$RDSGW = "dev-rdsgw.aventis.dev"
# Install RD Connection Broker & Session Host
New-RDSessionDeployment -ConnectionBroker $RDS01 -SessionHost $RDS01 -Verbose
# Add RD Web & Gateway to RD Session Deployment
Add-RDServer -Server $RDSGW -Role RDS-WEB-ACCESS -ConnectionBroker $RDS01
Add-RDServer -Server $RDSGW -Role RDS-GATEWAY -ConnectionBroker $RDS01 -GatewayExternalFqdn "rds.aventis.dev"
Do NOT run the PowerShell above on DEV-RDS01 or DEV-RDSGW; run it on DEV-AD01.
DEV-RDS01 & DEV-RDSGW will be rebooted automatically once all RDS Roles are installed successfully.
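Once both servers are back up, the role placement can be checked against the Lab Components table before continuing. The following is an added example, not part of the original tutorial; the `$Expected` map is built here from that table, and licensing is left out because it is only added in the next section.

```powershell
# Added example. Run on DEV-AD01 after DEV-RDS01 and DEV-RDSGW have rebooted.
Import-Module RemoteDesktop
$RDS01 = "dev-rds01.aventis.dev"
$RDSGW = "dev-rdsgw.aventis.dev"

# Expected placement, taken from the Lab Components table (assumption of this example).
$Expected = @{
    $RDS01 = @("RDS-CONNECTION-BROKER", "RDS-RD-SERVER")
    $RDSGW = @("RDS-WEB-ACCESS", "RDS-GATEWAY")
}

# Ask the Connection Broker which servers and roles it knows about.
$Deployed = Get-RDServer -ConnectionBroker $RDS01

# Report every planned role that the broker does not list.
foreach ($Server in $Expected.Keys) {
    $Entry = $Deployed | Where-Object { $_.Server -eq $Server }
    foreach ($Role in $Expected[$Server]) {
        if ($Entry -and $Entry.Roles -contains $Role) {
            Write-Output "OK        $Server  $Role"
        } else {
            Write-Warning "MISSING   $Server  $Role"
        }
    }
}

# Report roles that were installed but never planned for that server.
foreach ($Entry in $Deployed) {
    $Extra = $Entry.Roles | Where-Object { $Expected[$Entry.Server] -notcontains $_ }
    if ($Extra) {
        Write-Warning "UNPLANNED $($Entry.Server)  $($Extra -join ', ')"
    }
}
```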
RDS Licensing Server (Optional)
Log in to DEV-RDS01 to enable the RDS Licensing role
Add-WindowsFeature -Name RDS-Licensing, RDS-Licensing-UI
Change the RDS license mode to Per User, and point the local RDS server to the local licensing server
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $RDS01
Get-RDLicenseConfiguration
Mode LicenseServer
---- -------------
PerUser {DEV-RDS01.AVENTIS.DEV}
Add the Licensing Server into Deployment
Add-RDServer -Server $RDS01 -Role RDS-LICENSING -ConnectionBroker $RDS01
Activate RD Licensing Server
Set-Location RDS:
# Navigate to the RD License Server configuration
cd RDS:\LicenseServer\Configuration
# Config required info fields for the activation process
Set-Item -Path .\FirstName -Value AVENTIS
Set-Item -Path .\LastName -Value DEV
Set-Item -Path .\Company -Value AVENTIS
Set-Item -Path .\CountryRegion -Value "MALAYSIA"
# Optional info can be configured with the following lines
Set-Item -Path .\eMail -Value [email protected]
Set-Item -Path .\OrgUnit -Value AVENTIS
Set-Item -Path .\Address -Value AVENTIS
Set-Item -Path .\City -Value PUCHONG
Set-Item -Path .\State -Value SELANGOR
Set-Item -Path .\PostalCode -Value 47100
# Navigate back to the RD License Server root
cd RDS:\LicenseServer
# Activate the RD License Server
Set-Item -Path .\ActivationStatus -Value 1 -ConnectionMethod AUTO -Reason 5
Add DEV-RDS01 to Terminal Server License Servers Group in DEV-AD01
# Run in AD
Add-ADGroupMember "Terminal Server License Servers" -Members "dev-rds01$"
SSL Certificate for RDS Roles
Set all RDS Roles to use the Let’s Encrypt Wildcard SSL Certificate
$Path = "C:\Temp\Lets-AventisDev.pfx"
# Single quotes keep the "$" in the password literal
$Password = ConvertTo-SecureString -String 'P@ssw0rd!@#$' -AsPlainText -Force
Set-RDCertificate -Role RDGateway -ImportPath $Path -Password $Password -ConnectionBroker $RDS01 -Force
Set-RDCertificate -Role RDWebAccess -ImportPath $Path -Password $Password -ConnectionBroker $RDS01 -Force
Set-RDCertificate -Role RDPublishing -ImportPath $Path -Password $Password -ConnectionBroker $RDS01 -Force
Set-RDCertificate -Role RDRedirector -ImportPath $Path -Password $Password -ConnectionBroker $RDS01 -Force
Verify that the SSL certificates are configured properly
Get-RDCertificate
Role Level ExpiresOn IssuedTo
---- ----- --------- --------
RDRedirector Trusted 03/14/2021 13:44:41 CN=*.aventis.dev
RDPublishing Trusted 03/14/2021 13:44:41 CN=*.aventis.dev
RDWebAccess Trusted 03/14/2021 13:44:41 CN=*.aventis.dev
RDGateway Trusted 03/14/2021 13:44:41 CN=*.aventis.dev
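The steps above keep the PFX password in the script text and apply the file without inspecting it. The following added example (not from the original tutorial) prompts for the password, opens the PFX to check subject and expiry before touching any role, and then confirms what the deployment reports. The 30-day threshold and the variable names `$Subject`, `$Pfx`, `$Cert`, `$DaysLeft` and `$Bad` are assumptions of this example.

```powershell
# Added example. Run on DEV-AD01 in an interactive console.
Import-Module RemoteDesktop
$RDS01   = "dev-rds01.aventis.dev"
$Path    = "C:\Temp\Lets-AventisDev.pfx"
$Subject = "CN=*.aventis.dev"

# Prompt for the PFX password so it is not stored in a script file or console history.
$Password = Read-Host -Prompt "PFX password" -AsSecureString

# Open the PFX without importing it; a wrong password or damaged file stops here.
$Pfx  = Get-PfxData -FilePath $Path -Password $Password -ErrorAction Stop
$Cert = $Pfx.EndEntityCertificates |
    Where-Object Subject -eq $Subject |
    Select-Object -First 1
if (-not $Cert) {
    throw "No end-entity certificate with subject $Subject found in $Path"
}

# Refuse a certificate that is about to expire (30 days is an assumed threshold).
$DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
if ($DaysLeft -lt 30) {
    throw "Certificate $($Cert.Thumbprint) expires in $DaysLeft days; renew it first"
}
Write-Output "Applying $($Cert.Thumbprint), valid until $($Cert.NotAfter)"

# Apply the same certificate to the four roles used in this tutorial.
foreach ($Role in "RDGateway", "RDWebAccess", "RDPublishing", "RDRedirector") {
    Set-RDCertificate -Role $Role -ImportPath $Path -Password $Password `
        -ConnectionBroker $RDS01 -Force
}

# Flag any role that is not Trusted or is not issued to the expected subject.
$Bad = Get-RDCertificate -ConnectionBroker $RDS01 |
    Where-Object { $_.Level -ne 'Trusted' -or $_.IssuedTo -ne $Subject }
if ($Bad) {
    $Bad | Format-Table Role, Level, ExpiresOn, IssuedTo
    Write-Warning "One or more RDS roles are not using the expected certificate"
} else {
    Write-Output "All RDS roles report a Trusted certificate for $Subject"
}
```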
Session Collection
A Session Collection holds the apps and desktops you want to make available to users. Pooled desktop sessions or personal desktop sessions can be configured.
Create a Session Collection called UAT
$CollectionName = "UAT"
New-RDSessionCollection -CollectionName $CollectionName -SessionHost $RDS01 -ConnectionBroker $RDS01 -CollectionDescription "UAT for Session Host"
Allow the Domain Administrator to access the new Session Collection. Domain Users is included by default.
$UserGroup = @("AVENTIS\Domain Users", "AVENTIS\Administrator")
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup $UserGroup
Please refer to Microsoft Docs for the detailed configuration options available with PowerShell
Publish Application
Install Microsoft Edge on DEV-RDS01 and publish it
$Edge = Get-RDAvailableApp -CollectionName $CollectionName | ? DisplayName -like "Microsoft Edge"
Publish Microsoft Edge
New-RDRemoteApp -Alias $Edge.DisplayName -DisplayName $Edge.DisplayName -FilePath $Edge.FilePath `
-ShowInWebAccess 1 -CollectionName $CollectionName -ConnectionBroker $RDS01
Log in to https://rds.aventis.dev with AVENTIS\USERNAME to verify Microsoft Edge is published and can be launched successfully
RDS HTML5 Web Client
Update the PowerShellGet Module
Install-Module -Name PowerShellGet -Force
Close the existing PowerShell Console and reopen it, otherwise the module may not work
Install RD Web Client Management Module
Install-Module -Name RDWebClientManagement
Download the latest version of RD Web Client
Install-RDWebClientPackage
Link the SSL Certificate used for RD Connection Broker
# Single quotes keep the "$" in the password literal
$Password = ConvertTo-SecureString -String 'P@ssw0rd!@#$' -AsPlainText -Force
Import-RDWebClientBrokerCert -Path C:\Temp\Lets-AventisDev.pfx -Password $Password
Publish RD Web Client
Publish-RDWebClientPackage -Type Production -Latest
Ignore the warning that per-device CALs are not supported if Per-User CALs are used.
Log in with a valid domain user account via https://rds.aventis.dev/RDWeb/webclient/index.html
Launch the Published Application – Microsoft Edge
Refer to Microsoft – Set up the Remote Desktop web client for your users for more detail
Redirect URL
Configure HTTP Redirect for the Default Web Site to /RDWeb on the RDS server
Users can now log in to the RD Web Client via https://rds.aventis.dev
Troubleshooting
A Remote Desktop Services deployment does not exist in the server pool
Ensure that all RDS Servers are added to Server Manager
SSL Certificate Binding in IIS
Bind the Let’s Encrypt SSL Wildcard Certificate in IIS using PowerShell
Import-Module webadministration
Get-Website -Name 'Default Web Site'
Get-WebBinding -Name 'Default Web Site'
(Get-Website -Name 'Default Web Site').bindings.Collection
$cert = Get-ChildItem cert:\localmachine\my | ? Subject -EQ "CN=*.aventis.dev"
$bindingInfo = "IIS:\SSLBindings\*!443"
$cert | Set-Item -Path $bindingInfo