Deploying Microsoft Remote Desktop Services

Written by
Yandex Cloud
Updated at May 7, 2025

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

In this tutorial, we will deploy a Microsoft Windows Server Datacenter infrastructure in Yandex Cloud consisting of a single server with pre-installed Active Directory and Remote Desktop Services. You can select one of the images with preset quotas for 5, 10, 25, 50, and 100 users. In our example, we will select a 5-user quota.

Warning

To increase the quota, you will need to re-create the VM.

To deploy the Remote Desktop Services infrastructure:

  1. Get your cloud ready.
  2. Create a cloud network and subnets.
  3. Create an administrator account management script.
  4. Create a Remote Desktop Services VM.
  5. Install and configure Active Directory.
  6. Set up firewall rules.
  7. Set up a domain license server.
  8. Set up the Remote Desktop Session Host role.
  9. Create users.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

Required paid resources

The cost of Microsoft Windows Server with Remote Desktop Services infrastructure includes:

  • Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
  • Fee for dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
  • Fee for outbound traffic from Yandex Cloud to the internet (see Yandex Compute Cloud pricing).

Create a cloud network and subnets

Create a cloud network named my-network with subnets in all availability zones that will host your VMs.

  1. Create a cloud network:

    Management console

    To create a cloud network:

    1. Open the Virtual Private Cloud section of the folder where you want to create a cloud network.
    2. Click Create network.
    3. Specify the network name: my-network.
    4. Click Create network.

    CLI

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

    To create a cloud network, run this command:

    yc vpc network create --name my-network

    API

    Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. Create a subnet in my-network:

    Management console

    To create a subnet:

    1. Open the Virtual Private Cloud section in the folder where you want to create a subnet.
    2. Click the cloud network name.
    3. Click Add subnet.
    4. Fill out the form: enter my-subnet-d as the subnet name and select the ru-central1-d availability zone from the drop-down list.
    5. Enter the subnet CIDR: IP address and subnet mask 10.1.0.0/16. For more information about subnet IP address ranges, see Cloud networks and subnets.
    6. Click Create subnet.

    CLI

    To create a subnet, run this command:

    yc vpc subnet create \
      --name my-subnet-d \
      --zone ru-central1-d \
      --network-name my-network \
      --range 10.1.0.0/16

    API

    Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create an administrator account management script

If you are going to create your VM via the CLI, create the setpass file with a script that will set the administrator password:

PowerShell
#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your_password>" -AsPlainText -Force)

The password must meet the complexity requirements.

For Active Directory security best practices, see the official Microsoft website.

Create a Windows Server Remote Desktop Services VM

Create an internet-facing VM with pre-installed Windows Server and Remote Desktop Services.

Management console

  1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image, type RDS in the Product search field and select the appropriate RDS image:

  3. Under Location, select the ru-central1-d availability zone.

  4. Under Disks and file storages, enter 50 GB as your boot disk size.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 4
    • Guaranteed vCPU performance: 100%
    • RAM: 8 GB
  6. Under Network settings, specify:

    • Subnet: Network named my-network and subnet named my-subnet-d.
    • Public IP address: Auto.
  7. Under General information, specify the VM name: my-rds-vm.

  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.

CLI

 yc compute instance create \
   --name my-rds-vm \
   --hostname my-rds-vm \
   --memory 8 \
   --cores 4 \
   --zone ru-central1-d \
   --network-interface subnet-name=my-subnet-d,ipv4-address=10.1.0.3,nat-ip-version=ipv4 \
   --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk-rds-5 \
   --metadata-from-file user-data=setpass

Note

The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

To change such behavior, i.e. to provide a variable name to the VM metadata in $<variable_name> format rather than take the variable value from the CLI command runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

For more information, see Specifics of providing environment variables in metadata via the CLI.

API

Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

Install and configure Active Directory

  1. Restart my-rds-vm:

    Management console

    1. On the folder dashboard in the management console, select Compute Cloud.
    2. Select the my-rds-vm VM.
    3. Click and select Restart.

    CLI

    yc compute instance restart my-rds-vm

    API

    Use the restart REST API method for the Instance resource or the InstanceService/Restart gRPC API call.

  2. Connect to my-rds-vm through RDP. Use Administrator as the username and your password.

  3. Install the Active Directory Domain Services role:

    PowerShell
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Restart-Computer -Force
    
  4. Create an Active Directory forest:

    PowerShell
    Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
    

    Windows will restart automatically. Reconnect to my-rds-vm. Use yantoso\Administrator as the username and your password. Relaunch PowerShell.

Set up firewall rules

  1. Restrict the built-in LDAP firewall rules to intranet sources to protect Active Directory from external network requests:

    PowerShell
    Set-NetFirewallRule `
      -DisplayName 'Active Directory Domain Controller - LDAP (UDP-In)' `
      -RemoteAddress:Intranet
    
    Set-NetFirewallRule `
      -DisplayName 'Active Directory Domain Controller - LDAP (TCP-In)' `
      -RemoteAddress:Intranet
    
    Set-NetFirewallRule `
      -DisplayName 'Active Directory Domain Controller - Secure LDAP (TCP-In)' `
      -RemoteAddress:Intranet
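
To confirm the three rules were actually narrowed, and to see which other inbound domain controller rules still accept any source on this internet-facing VM, you can run an audit like the one below. This is an added example, not part of the original tutorial; it assumes the built-in rules share the "Active Directory Domain Controller" display-name prefix used above and that it runs in an elevated session on my-rds-vm. The function name Get-AdRuleExposure is hypothetical.

```powershell
# Added example: audit sketch, not part of the original tutorial.
# The three rules the tutorial restricts to Intranet.
$restricted = @(
    'Active Directory Domain Controller - LDAP (UDP-In)',
    'Active Directory Domain Controller - LDAP (TCP-In)',
    'Active Directory Domain Controller - Secure LDAP (TCP-In)'
)

function Get-AdRuleExposure {
    # Assumption: the built-in domain controller rules share this
    # display-name prefix, as the three names in the tutorial do.
    Get-NetFirewallRule -Direction Inbound |
        Where-Object { $_.DisplayName -like 'Active Directory Domain Controller*' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            $port   = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $remote -join ','
                # 'Any' means the rule still accepts traffic from any source.
                OpenToAny     = ($remote -contains 'Any')
                InTutorial    = ($restricted -contains $_.DisplayName)
            }
        }
}

$report = Get-AdRuleExposure
$report | Sort-Object InTutorial, Rule | Format-Table -AutoSize

# A tutorial rule that is absent was never restricted at all.
$missing = $restricted | Where-Object { $report.Rule -notcontains $_ }
if ($missing) { Write-Warning ("Rule not found: " + ($missing -join '; ')) }

# Warn if one of the three tutorial rules is enabled and still open to Any.
$stillOpen = $report | Where-Object { $_.InTutorial -and $_.OpenToAny -and $_.Enabled -eq 'True' }
if ($stillOpen) { Write-Warning ("Still open to Any: " + ($stillOpen.Rule -join '; ')) }
```

Rows with InTutorial set to False and OpenToAny set to True are rules the tutorial does not touch; review them against what the VM needs to expose.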
    

Set up a domain license server

  1. Add the Network Service user to the Terminal Server License Servers Active Directory group:

    PowerShell
    net localgroup "Terminal Server License Servers" /Add 'Network Service'
    
  2. Set the licensing type.

    Note

    You can only use User CAL licenses.

    PowerShell
    New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'LicensingMode' `
    -Value 4 `
    -PropertyType 'DWord'
    
  3. Specify the RDS licensing service:

    PowerShell
    New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'LicenseServers' `
    -Value 'localhost' `
    -PropertyType 'String'
    
  4. Optionally, limit the number of concurrent server sessions:

    PowerShell
    New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'MaxInstanceCount' `
    -Value 5 `
    -PropertyType 'DWord'
    

Set up the Remote Desktop Session Host role

Install the Remote Desktop Session Host role on the server:

PowerShell
Install-WindowsFeature RDS-RD-Server -IncludeManagementTools
Restart-Computer -Force

Add your license server to the Active Directory security group and register it as SCP

Add your license server to the Terminal Server License Servers Active Directory group and register it as the license service connection point (SCP):

Windows Server
  1. Click Start.
  2. In the search field, type Remote Desktop Licensing Manager and press Enter to open the manager.
  3. Right-click your license server in the list and select Review Configuration....
  4. You will see a warning that your license server is not a member of the Terminal Server License Servers group and is not registered as a service connection point (SCP). Click Add to Group and then click Continue.
  5. Click Register as SCP.
  6. Click OK.
  7. Restart the VM.

Create users

  1. Create test users:

    PowerShell
    New-ADUser `
      -Name ru1 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru2 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru3 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru4 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru5 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    
  2. Grant Remote Desktop Users permissions to the new users:

    PowerShell
    Add-ADGroupMember -Members 'ru1' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru2' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru3' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru4' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru5' -Identity 'Remote Desktop Users'
    
  3. Set up RDP access permissions for the Remote Desktop Users group:

    PowerShell
    & secedit /export /cfg sec_conf_export.ini  /areas user_rights
    $secConfig = Get-Content sec_conf_export.ini
    $SID = 'S-1-5-32-555'
    $secConfig = $secConfig -replace '^SeRemoteInteractiveLogonRight .+', "`$0,*$SID"
    $secConfig | Set-Content sec_conf_import.ini
    & secedit /configure /db secedit.sdb /cfg sec_conf_import.ini /areas user_rights
    Remove-Item sec_conf_import.ini
    Remove-Item sec_conf_export.ini
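
The test accounts above all share one literal password that never expires. For accounts that real people will use over RDP, a variant of steps 1 and 2 can give each user a unique random password and leave expiry to the domain password policy. This is an added example, not the tutorial's own code; the helper New-RandomPassword, its character sets, and the 20-character length are assumptions chosen for illustration.

```powershell
# Added example, not the tutorial's own code. Run on my-rds-vm as a domain admin.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # One set per character class, so every password meets AD complexity rules.
    $sets = 'abcdefghijkmnpqrstuvwxyz', 'ABCDEFGHJKLMNPQRSTUVWXYZ', '23456789', '!#%+-_=?'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    # Pick one character from $set using the cryptographic RNG.
    $pick = {
        param([string]$set)
        $rng.GetBytes($buf)
        $set[[int]([BitConverter]::ToUInt32($buf, 0) % $set.Length)]
    }
    $all   = -join $sets
    $chars = @($sets | ForEach-Object { & $pick $_ })   # one character per class
    while ($chars.Count -lt $Length) { $chars += & $pick $all }
    # Shuffle so the guaranteed characters are not always at the front.
    -join ($chars | Sort-Object { $rng.GetBytes($buf); [BitConverter]::ToUInt32($buf, 0) })
}

$group  = 'Remote Desktop Users'
$issued = foreach ($name in 'ru1', 'ru2', 'ru3', 'ru4', 'ru5') {
    $plain = New-RandomPassword
    # -PasswordNeverExpires is omitted, so the domain password policy applies.
    New-ADUser -Name $name -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Add-ADGroupMember -Identity $group -Members $name
    [pscustomobject]@{ User = $name; InitialPassword = $plain }
}

# Shown once: hand each password to its user over a separate channel.
$issued | Format-Table -AutoSize
Remove-Variable issued, plain
```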
    

How to delete the resources you created

If you no longer need the resources you created, i.e., VMs and networks, delete them.
