Contact UsGet started

Deploying Microsoft Remote Desktop Services

Written by
Updated at March 7, 2025

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

In this tutorial, we will deploy a Yandex Cloud Microsoft Windows Server Datacenter consisting of a single server with pre-installed Active Directory and Remote Desktop Services. You can select one of the images with preset quotas for 5, 10, 25, 50, and 100 users. In our example, we will select a 5-user quota.

Warning

To increase the quota, you will need to re-create the VM.

To deploy the Remote Desktop Services infrastructure:

  1. Get your cloud ready.
  2. Create a cloud network and subnets.
  3. Create an administrator account management script.
  4. Create a Remote Desktop Services VM.
  5. Install and configure Active Directory.
  6. Set up firewall rules.
  7. Set up a domain license server.
  8. Set up the Remote Desktop Session Host role.
  9. Create users.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

The cost of Microsoft Windows Server with Remote Desktop Services infrastructure includes:

Create a cloud network and subnets

Create a cloud network named my-network with subnets in all availability zones that will host your VMs.

  1. Create a cloud network:

    To create a cloud network:

    1. Open the Virtual Private Cloud section of the folder where you want to create a cloud network.
    2. Click Create network.
    3. Specify the network name: my-network.
    4. Click Create network.

    If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

    To create a cloud network, run this command:

    yc vpc network create --name my-network

    Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. Create a subnet in my-network:

    To create a subnet:

    1. Open the Virtual Private Cloud section in the folder where you want to create a subnet.
    2. Click the cloud network name.
    3. Click Add subnet.
    4. Fill out the form: enter my-subnet-d as the subnet name and select the ru-central1-d availability zone from the drop-down list.
    5. Enter the subnet CIDR: IP address and subnet mask 10.1.0.0/16. For more information about subnet IP address ranges, see Cloud networks and subnets.
    6. Click Create subnet.

    To create a subnet, run this command:

    yc vpc subnet create \
  --name my-subnet-d \
  --zone ru-central1-d \
  --network-name my-network \
  --range 10.1.0.0/16

    Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create an administrator account management script

If you are going to create your VM via the CLI, create the setpass file with a script that will set the administrator password:

#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your_password>" -AsPlainText -Force)

The password must meet the complexity requirements.

You can read more about the best practices regarding Active Directory safety on the MS official website.

Create a Windows Server Remote Desktop Services VM

Create an internet-facing VM with pre-installed Windows Server and Remote Desktop Services.

  1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image, type RDS in the Product search field and select the appropriate RDS image:

  3. Under Location, select the ru-central1-d availability zone.

  4. Under Disks and file storages, enter 50 GB as your boot disk size.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 4
    • Guaranteed vCPU performance: 100%
    • RAM: 8 GB

  6. Under Network settings, specify:

    • Subnet: Network named my-network and subnet named my-subnet-d.
    • Public IP address: Auto.

  7. Under General information, specify the VM name: my-rds-vm.

  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.
 yc compute instance create \
   --name my-rds-vm \
   --hostname my-rds-vm \
   --memory 8 \
   --cores 4 \
   --zone ru-central1-d \
   --network-interface subnet-name=my-subnet-d,ipv4-address=10.1.0.3,nat-ip-version=ipv4 \
   --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk-rds-5 \
   --metadata-from-file user-data=setpass

Note

The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

To change such behavior, i.e. to provide a variable name to the VM metadata in $<variable_name> format rather than take the variable value from the CLI command runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

For more information, see Specifics of providing environment variables in metadata via the CLI.

Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

Install and configure Active Directory

  1. Restart my-rds-vm:

    1. On the folder dashboard in the management console, select Compute Cloud.
    2. Select the my-rds-vm VM.
    3. Click and select Restart.
    yc compute instance restart my-rds-vm

    Use the restart REST API method for the Instance resource or the InstanceService/Restart gRPC API call.

  2. Connect to my-rds-vm through RDP. Use Administrator as the username and your password.

  3. Assign Active Directory roles:

    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Restart-Computer -Force

  4. Create an Active Directory forest:

    Install-ADDSForest -DomainName 'yantoso.net' -Force:$true

    Windows will restart automatically. Reconnect to my-rds-vm. Use yantoso\Administrator as the username and your password. Relaunch PowerShell.

Set up firewall rules

  1. Add firewall rules protecting Active Directory from external network requests:

    Set-NetFirewallRule `
  -DisplayName 'Active Directory Domain Controller - LDAP (UDP-In)' `
  -RemoteAddress:Intranet

Set-NetFirewallRule `
  -DisplayName 'Active Directory Domain Controller - LDAP (TCP-In)' `
  -RemoteAddress:Intranet

Set-NetFirewallRule `
  -DisplayName 'Active Directory Domain Controller - Secure LDAP (TCP-In)' `
  -RemoteAddress:Intranet

Set up a domain license server

  1. Add the Network Service user to the Terminal Server License Servers Active Directory group:

    net localgroup "Terminal Server License Servers" /Add 'Network Service'

  2. Set the licensing type.

    Note

    You can only use User CAL licenses.

    New-ItemProperty `
-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
-Name 'LicensingMode' `
-Value 4 `
-PropertyType 'DWord'

  3. Specify the RDS licensing service:

    New-ItemProperty `
-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
-Name 'LicenseServers' `
-Value 'localhost' `
-PropertyType 'String'

  4. Optionally, limit the number of concurrent server sessions:

    New-ItemProperty `
-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
-Name 'MaxInstanceCount' `
-Value 5 `
-PropertyType 'DWord'

Set up the Remote Desktop Session Host role

Install the Remote Desktop Session Host role on the server:

Install-WindowsFeature RDS-RD-Server -IncludeManagementTools
Restart-Computer -Force

Add your license server to the Active Directory security group and register it as SCP

Add your license server to the Terminal Server License Servers group Active Directory group and register it as the license service connection point (SCP):

  1. Click Start.
  2. In the search field, type Remote Desktop Licensing Manager and press Enter to open the manager.
  3. Right-click your license server in the list and select Review Configuration....
  4. You will see the warning that your license server is not a member of the Terminal Server License Servers group and is not registered as a service connection point (SCP). Click Add to Group and then click Continue.
  5. Click Register as SCP.
  6. Click OK.
  7. Restart the VM.

Create users

  1. Create test users:

    New-ADUser `
  -Name ru1 `
  -PasswordNeverExpires $true `
  -Enabled $true `
  -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
New-ADUser `
  -Name ru2 `
  -PasswordNeverExpires $true `
  -Enabled $true `
  -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
New-ADUser `
  -Name ru3 `
  -PasswordNeverExpires $true `
  -Enabled $true `
  -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
New-ADUser `
  -Name ru4 `
  -PasswordNeverExpires $true `
  -Enabled $true `
  -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
New-ADUser `
  -Name ru5 `
  -PasswordNeverExpires $true `
  -Enabled $true `
  -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )

  2. Grant Remote Desktop Users permissions to the new users:

    Add-ADGroupMember -Members 'ru1' -Identity 'Remote Desktop Users'
Add-ADGroupMember -Members 'ru2' -Identity 'Remote Desktop Users'
Add-ADGroupMember -Members 'ru3' -Identity 'Remote Desktop Users'
Add-ADGroupMember -Members 'ru4' -Identity 'Remote Desktop Users'
Add-ADGroupMember -Members 'ru5' -Identity 'Remote Desktop Users'

  3. Set up RDP access permissions for the Remote Desktop Users group:

    & secedit /export /cfg sec_conf_export.ini  /areas user_rights
$secConfig = Get-Content sec_conf_export.ini
$SID = 'S-1-5-32-555'
$secConfig = $secConfig -replace '^SeRemoteInteractiveLogonRight .+', "`$0,*$SID"
$secConfig | Set-Content sec_conf_import.ini
& secedit /configure /db secedit.sdb /cfg sec_conf_import.ini /areas user_rights
Remove-Item sec_conf_import.ini
Remove-Item sec_conf_export.ini

How to delete the resources you created

If you no longer need the resources you created, i.e., VMs and networks, delete them.

Previous
Deploying Microsoft Exchange
Next
Deploying an Always On availability group with an internal network load balancer