Deploying Microsoft Remote Desktop Services
- Prepare your cloud
- Create a cloud network and subnets
- Create a script to manage a local administrator account
- Create a VM for Windows Server with Remote Desktop Services
- Install and configure Active Directory domain controllers
- Set up the firewall rules
- Set up the license server in the domain
- Set up the Remote Desktop Session Host role
- Add the server to the AD security group and register it as SCP
- Create users
- How to delete the resources you created
Warning
In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.
This scenario describes how to deploy Microsoft Windows Server Datacenter with pre-installed Remote Desktop Services in Yandex Cloud. The Microsoft Windows Server with Remote Desktop Services instance consists of a single server with Remote Desktop Services and Active Directory installed. Images are available with preset quotas for 5, 10, 25, 50, and 100 users. Select the version with the necessary quota. All examples are given for a server with a quota for five users.
Warning
To increase the quota, re-create the VM.
To deploy the Remote Desktop Services infrastructure:
- Prepare your cloud.
- Create a cloud network and subnets.
- Create a script to manage a local administrator account.
- Create a VM for Remote Desktop Services.
- Install and configure Active Directory domain controllers.
- Set up the firewall rules.
- Set up the license server in the domain.
- Set up the Remote Desktop Session Host role.
- Create users.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Note
Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.
Required paid resources
The cost of installing Microsoft Windows Server with Remote Desktop Services includes:
- Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
- Fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
- Fee for outbound traffic from Yandex Cloud to the internet (see Yandex Compute Cloud pricing).
Create a cloud network and subnets
Create a cloud network named my-network
with subnets in all availability zones where your VMs will be located.
-
Create a cloud network:
Management consoleCLIAPITo create a cloud network:
- Open the Virtual Private Cloud section of the folder where you want to create a cloud network.
- Click Create network.
- Enter the network name:
my-network
. - Click Create network.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter.To create a cloud network, run the command:
yc vpc network create --name my-network
Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.
-
Create a subnet in
my-network
:Management consoleCLIAPITo create a subnet:
- Open the Virtual Private Cloud section in the folder to create a subnet in.
- Click the name of the cloud network.
- Click Add subnet.
- Fill out the form: enter
my-subnet-d
as the subnet name and select theru-central1-d
availability zone from the drop-down list. - Enter the subnet CIDR: IP address and subnet mask:
10.1.0.0/16
. For more information about subnet IP address ranges, see Cloud networks and subnets. - Click Create subnet.
To create a subnet, run the following command:
yc vpc subnet create \ --name my-subnet-d \ --zone ru-central1-d \ --network-name my-network \ --range 10.1.0.0/16
Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.
Create a script to manage a local administrator account
Create a file named setpass
with a script that will set a password for the local administrator account when you create VMs via the CLI:
#ps1
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your_password>" -AsPlainText -Force)
The password must meet the complexity requirements
You can read more about the best practices for securing Active Directory on the MS official website
Create a VM for Windows Server with Remote Desktop Services
Create a virtual machine for Windows Server with Remote Desktop Services. This VM will have internet access.
-
On the folder page in the management console
, click Create resource and selectVirtual machine instance
. -
Under Boot disk image, in the Product search field, specify
RDS
and select the appropriate RDS image: -
Under Location, select the
ru-central1-d
availability zone. -
Under Disks and file storages, enter
50 GB
as your boot disk size. -
Under Computing resources, navigate to the
Custom
tab and specify the required platform, number of vCPUs, and amount of RAM:- Platform:
Intel Ice Lake
. - vCPU:
4
. - Guaranteed vCPU performance:
100%
. - RAM:
8 GB
.
- Platform:
-
Under Network settings, specify:
- Subnet: Network named
my-network
and subnet namedmy-subnet-d
. - Public IP:
Auto
.
- Subnet: Network named
-
Under General information, specify the VM name:
my-rds-vm
. -
Click Create VM.
Wait for the VM status to change to Running
and reset the password:
- Select the VM.
- Click Reset password.
- Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
- Click Generate password.
- Save the New password. It will become unavailable once you close the window.
yc compute instance create \
--name my-rds-vm \
--hostname my-rds-vm \
--memory 8 \
--cores 4 \
--zone ru-central1-d \
--network-interface subnet-name=my-subnet-d,ipv4-address=10.1.0.3,nat-ip-version=ipv4 \
--create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk-rds-5 \
--metadata-from-file user-data=setpass
Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.
Install and configure Active Directory domain controllers
-
Restart
my-rds-vm
:Management consoleCLIAPI- On the folder page in the management console
, select Compute Cloud. - Select the
my-rds-vm
VM. - Click
and select Restart.
yc compute instance restart my-rds-vm
Use the restart REST API method for the Instance resource or the InstanceService/Restart gRPC API call.
- On the folder page in the management console
-
Connect to
my-rds-vm
through RDP. UseAdministrator
for username, and your password. -
Assign Active Directory roles:
PowerShellInstall-WindowsFeature AD-Domain-Services -IncludeManagementTools Restart-Computer -Force
-
Create an Active Directory forest:
PowerShellInstall-ADDSForest -DomainName 'yantoso.net' -Force:$true
Windows will restart automatically. Reconnect to
my-rds-vm
. Useyantoso\Administrator
for username, and your password. Relaunch PowerShell.
Set up the firewall rules
-
Add firewall rules that protect Active Directory from external network requests:
PowerShellSet-NetFirewallRule ` -DisplayName 'Active Directory Domain Controller - LDAP (UDP-In)' ` -RemoteAddress:Intranet Set-NetFirewallRule ` -DisplayName 'Active Directory Domain Controller - LDAP (TCP-In)' ` -RemoteAddress:Intranet Set-NetFirewallRule ` -DisplayName 'Active Directory Domain Controller - Secure LDAP (TCP-In)' ` -RemoteAddress:Intranet
Set up the license server in the domain
-
Add the Network Service system user to the Terminal Server License Servers group in the Active Directory security group:
PowerShellnet localgroup "Terminal Server License Servers" /Add 'Network Service'
-
Set the licensing type.
Note
You can only use
User CAL
licenses.PowerShellNew-ItemProperty ` -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ` -Name 'LicensingMode' ` -Value 4 ` -PropertyType 'DWord'
-
Specify the RDS licensing service:
PowerShellNew-ItemProperty ` -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ` -Name 'LicenseServers' ` -Value 'localhost' ` -PropertyType 'String'
-
(Optional) Limit the number of permitted concurrent server sessions:
PowerShellNew-ItemProperty ` -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' ` -Name 'MaxInstanceCount' ` -Value 5 ` -PropertyType 'DWord'
Set up the Remote Desktop Session Host role
Install the Remote Desktop Session Host role on the server:
Install-WindowsFeature RDS-RD-Server -IncludeManagementTools
Restart-Computer -Force
Add the server to the AD security group and register it as SCP
Add the server to the Terminal Server License Servers group in the Active Directory security group and register it as the license service connection point (SCP) for users:
- Click Start.
- In the search field, enter
Remote Desktop Licensing Manager
. - Right-click the server in the list and select Review Configuration....
- Next to the first warning on the
Terminal Server License Servers
group, click Add to Group and then click Continue. - Next to the second warning, the one on the service connection point, click Register as SCP.
- Click OK.
- Restart the VM.
Create users
-
Create test users:
PowerShellNew-ADUser ` -Name ru1 ` -PasswordNeverExpires $true ` -Enabled $true ` -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force ) New-ADUser ` -Name ru2 ` -PasswordNeverExpires $true ` -Enabled $true ` -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force ) New-ADUser ` -Name ru3 ` -PasswordNeverExpires $true ` -Enabled $true ` -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force ) New-ADUser ` -Name ru4 ` -PasswordNeverExpires $true ` -Enabled $true ` -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force ) New-ADUser ` -Name ru5 ` -PasswordNeverExpires $true ` -Enabled $true ` -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
-
Issue the
Remote Desktop Users
permissions to users:PowerShellAdd-ADGroupMember -Members 'ru1' -Identity 'Remote Desktop Users' Add-ADGroupMember -Members 'ru2' -Identity 'Remote Desktop Users' Add-ADGroupMember -Members 'ru3' -Identity 'Remote Desktop Users' Add-ADGroupMember -Members 'ru4' -Identity 'Remote Desktop Users' Add-ADGroupMember -Members 'ru5' -Identity 'Remote Desktop Users'
-
Set up RDP access permissions for the
Remote Desktop Users
group:PowerShell& secedit /export /cfg sec_conf_export.ini /areas user_rights $secConfig = Get-Content sec_conf_export.ini $SID = 'S-1-5-32-555' $secConfig = $secConfig -replace '^SeRemoteInteractiveLogonRight .+', "`$0,*$SID" $secConfig | Set-Content sec_conf_import.ini & secedit /configure /db secedit.sdb /cfg sec_conf_import.ini /areas user_rights Remove-Item sec_conf_import.ini Remove-Item sec_conf_export.ini
How to delete the resources you created
If you no longer need the created resources, delete the VM instances and networks.