© 2022 Yandex.Cloud LLC

Deploying Microsoft Remote Desktop Services

Written by
Yandex Cloud

This scenario describes how to deploy Microsoft Windows Server 2019 Datacenter with pre-installed Remote Desktop Services on Yandex Cloud. The Microsoft Windows Server with Remote Desktop Services instance consists of a single server where Remote Desktop Services and Active Directory will be installed. Images are available with quotas for 5/10/25/50/100/250/500 users. Select the version with the necessary quota. All examples are given for a server with a quota for 5 users.

Warning

To increase the quota, re-create the VM.

To deploy the Remote Desktop Services infrastructure:

  1. Before you start.
  2. Required paid resources.
  3. Create a cloud network and subnets.
  4. Create a script to manage a local administrator account.
  5. Create a VM for Remote Desktop Services.
  6. Install and configure Active Directory domain controllers.
  7. Set up the firewall rules.
  8. Configure the license server in the domain.
  9. Set up the Remote Desktop Session Host role.
  10. Create users.

Before you start

Before deploying servers, you need to sign up for Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure that you have linked a billing account and that it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

Required paid resources

The cost of installing Microsoft Windows Server with Remote Desktop Services includes:

  • A fee for continuously running VMs (see Yandex Compute Cloud pricing).
  • A fee for using dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
  • The cost of outgoing traffic from Yandex Cloud to the internet (see Yandex Compute Cloud pricing).

Create a cloud network and subnets

Create a cloud network named my-network with subnets in all the availability zones where your VMs will be located.

  1. Create a cloud network:

    Management console

    To create a cloud network:

    1. Open the Virtual Private Cloud section in the folder where you want to create the cloud network.
    2. Click Create network.
    3. Enter a network name: my-network.
    4. Click Create network.

    CLI

    To create a cloud network, run the command:

    yc vpc network create --name my-network
    
  2. Create three my-network subnets:

    Management console

    To create a subnet:

    1. Open the Virtual Private Cloud section in the folder where you want to create the subnet.
    2. Click on the name of the cloud network.
    3. Click Add subnet.
    4. Fill out the form: enter my-subnet-a as the subnet name and select the ru-central1-a availability zone from the drop-down list.
    5. Enter the subnet CIDR, which is its IP address and mask: 10.1.0.0/16. For more information about subnet IP ranges, see Cloud networks and subnets.
    6. Click Create subnet.

    Repeat these steps for two more subnets, my-subnet-b and my-subnet-c, in the ru-central1-b and ru-central1-c availability zones with the 10.2.0.0/16 and 10.3.0.0/16 CIDR, respectively.

    CLI

    To create subnets, run the following commands:

    yc vpc subnet create \
      --name my-subnet-a \
      --zone ru-central1-a \
      --network-name my-network \
      --range 10.1.0.0/16
    
    yc vpc subnet create \
      --name my-subnet-b \
      --zone ru-central1-b \
      --network-name my-network \
      --range 10.2.0.0/16
    
    yc vpc subnet create \
      --name my-subnet-c \
      --zone ru-central1-c \
      --network-name my-network \
      --range 10.3.0.0/16
    

Create a script to manage a local administrator account

Create a file named setpass with a script that sets a password for the local administrator account when creating VMs via the CLI:

PowerShell
#ps1
# Set the password of the built-in local Administrator account (its SID ends in -500).
Get-LocalUser | Where-Object SID -like *-500 | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)

The password must meet the complexity requirements.

Read more about the best practices for securing Active Directory on the official website.

Create a VM for Windows Server with Remote Desktop Services

Create a virtual machine for Windows Server with Remote Desktop Services. This VM will have internet access.

Management console

  1. On the folder page in the management console, click Create resource and select Virtual machine.

  2. In the Name field, enter a name for the VM: my-rds-vm.

  3. Select the availability zone ru-central1-a.

  4. Under Images from Cloud Marketplace, click Select. In the window that opens, select the Windows RDS image.

  5. Under Disks, enter 50 GB for the size of the boot disk.

  6. Under Computing resources:

    • Choose a platform: Intel Cascade Lake.
    • Specify the number of vCPUs and amount of RAM:
      • vCPU: 4.
      • Guaranteed vCPU share: 100%.
      • RAM: 8 GB.
  7. Under Network settings, click Add network and select my-network. Select my-subnet-a. Under Public address, select No address.

  8. Under Access, specify the data required to access the VM:

    • In the Password field, enter your password.
  9. Click Create VM.

CLI

yc compute instance create \
    --name my-rds-vm \
    --hostname my-rds-vm \
    --memory 8 \
    --cores 4 \
    --zone ru-central1-a \
    --network-interface subnet-name=my-subnet-a,ipv4-address=10.1.0.3,nat-ip-version=ipv4 \
    --create-boot-disk image-folder-id=standard-images,image-family=windows-2019-dc-gvlk-rds-5 \
    --metadata-from-file user-data=setpass

Install and configure Active Directory domain controllers

  1. Connect to my-rds-vm using RDP. Enter Administrator as the username and then your password.

  2. Assign Active Directory roles:

    PowerShell
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Restart-Computer -Force
    
  3. Create an Active Directory forest:

    PowerShell
    Install-ADDSForest -DomainName 'yantoso.net' -Force:$true
    

    Windows restarts automatically. Reconnect to my-rds-vm. Enter yantoso\Administrator as the username and then your password. Relaunch PowerShell.

Set up the firewall rules

  1. Restrict the Active Directory LDAP firewall rules to intranet addresses to protect Active Directory from external network requests:

    PowerShell
    Set-NetFirewallRule `
      -DisplayName 'Active Directory Domain Controller - LDAP (UDP-In)' `
      -RemoteAddress:Intranet
    
    Set-NetFirewallRule `
      -DisplayName 'Active Directory Domain Controller - LDAP (TCP-In)' `
      -RemoteAddress:Intranet
    
    Set-NetFirewallRule `
      -DisplayName 'Active Directory Domain Controller - Secure LDAP (TCP-In)' `
      -RemoteAddress:Intranet
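
To confirm the change took effect, the following check lists every enabled inbound allow rule whose name starts with "Active Directory Domain Controller" together with its remote-address scope, and warns if any of the three LDAP rules above still accepts any address. It is an added example, not part of the original tutorial; the variable and column names are illustrative, and it assumes the rule display names shown above.

```powershell
# Added example (not from the original tutorial): audit the remote-address
# scope of the domain controller's inbound firewall rules.

# The three rules the tutorial restricts to Intranet.
$scopedRules = @(
    'Active Directory Domain Controller - LDAP (UDP-In)',
    'Active Directory Domain Controller - LDAP (TCP-In)',
    'Active Directory Domain Controller - Secure LDAP (TCP-In)'
)

$report = Get-NetFirewallRule -DisplayName 'Active Directory Domain Controller*' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $address = $_ | Get-NetFirewallAddressFilter
        $port    = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName   = $_.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            RemoteAddress = $address.RemoteAddress -join ','
            OpenToAny     = $address.RemoteAddress -contains 'Any'
            InTutorial    = $scopedRules -contains $_.DisplayName
        }
    }

# Full picture first: rules that still accept any remote address sort to the bottom.
$report | Sort-Object OpenToAny, DisplayName | Format-Table -AutoSize

# Then the specific check: none of the three rules may still be open to Any.
$stillOpen = $report | Where-Object { $_.InTutorial -and $_.OpenToAny }
if ($stillOpen) {
    Write-Warning ('Still open to any address: ' + ($stillOpen.DisplayName -join '; '))
}

# A rule that was renamed or removed would be skipped silently by the filter above.
$missing = $scopedRules | Where-Object { $report.DisplayName -notcontains $_ }
if ($missing) {
    Write-Warning ('Rule not found or not enabled: ' + ($missing -join '; '))
}
```

Rows with OpenToAny set to True that are not among the three rules were left unchanged by this step and can be reviewed the same way.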
    

Set up the license server in the domain

  1. Authorize the license server in the domain.

    The role is on the domain controller, so add Network Service to the BUILTIN group:

    PowerShell
    net localgroup "Terminal Server License Servers" /Add 'Network Service'
    
  2. Set the licensing type.

    Note

    You can only use User CAL licenses.

    PowerShell
    New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'LicensingMode' `
    -Value 4 `
    -PropertyType 'DWord'
    
  3. Specify the RDS licensing service:

    PowerShell
    New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'LicenseServers' `
    -Value 'localhost' `
    -PropertyType 'String'
    
  4. (Optional) Limit the number of permissible concurrent server sessions.

    PowerShell
    New-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -Name 'MaxInstanceCount' `
    -Value 5 `
    -PropertyType 'DWord'
    

Set up the Remote Desktop Session Host role

Install the Remote Desktop Session Host role on the server:

PowerShell
Install-WindowsFeature RDS-RD-Server -IncludeManagementTools
Restart-Computer -Force

Create users

  1. Create test users:

    PowerShell
    New-ADUser `
      -Name ru1 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru2 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru3 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru4 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    New-ADUser `
      -Name ru5 `
      -PasswordNeverExpires $true `
      -Enabled $true `
      -AccountPassword ("P@ssw0rd!1" | ConvertTo-SecureString -AsPlainText -Force )
    
  2. Grant Remote Desktop Users rights to the users:

    PowerShell
    Add-ADGroupMember -Members 'ru1' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru2' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru3' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru4' -Identity 'Remote Desktop Users'
    Add-ADGroupMember -Members 'ru5' -Identity 'Remote Desktop Users'
    
  3. Set up RDP access rights for the Remote Desktop Users group:

    PowerShell
    & secedit /export /cfg sec_conf_export.ini /areas user_rights
    $secConfig = Get-Content sec_conf_export.ini
    $SID = 'S-1-5-32-555'
    $secConfig = $secConfig -replace '^SeRemoteInteractiveLogonRight .+', "`$0,*$SID"
    $secConfig | Set-Content sec_conf_import.ini
    & secedit /configure /db secedit.sdb /cfg sec_conf_import.ini /areas user_rights
    Remove-Item sec_conf_import.ini
    Remove-Item sec_conf_export.ini
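
Steps 1 and 2 above give all five test users the same literal password and exempt them from expiry. As an added example (not part of the original tutorial), the variant below creates the same users with a unique random password each, leaves expiry to the domain password policy, and adds them to Remote Desktop Users in one pass. New-RandomPassword and $issued are hypothetical names introduced here.

```powershell
# Added example (not from the original tutorial): create the test users with
# a unique random password each instead of one shared literal.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 18 random bytes encode to 24 Base64 characters. Retry until upper-case,
    # lower-case and digit characters are all present, so the result meets
    # the Windows complexity rule (three of four character classes).
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] 18
            $rng.GetBytes($bytes)
            $candidate = [Convert]::ToBase64String($bytes)
        } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
        return $candidate
    }
    finally {
        $rng.Dispose()
    }
}

$issued = foreach ($name in 'ru1', 'ru2', 'ru3', 'ru4', 'ru5') {
    $plain = New-RandomPassword

    # No -PasswordNeverExpires: the domain password policy governs expiry.
    New-ADUser `
      -Name $name `
      -Enabled $true `
      -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force)

    Add-ADGroupMember -Members $name -Identity 'Remote Desktop Users'

    [pscustomobject]@{ User = $name; InitialPassword = $plain }
}

# Display the initial passwords once so they can be handed over out of band.
$issued | Format-Table -AutoSize
```

Step 3 is still required afterwards, because it grants the Remote Desktop Users group the right to log on through Remote Desktop Services.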
    
