Monday, May 19, 2014

Configure Server 2012 and 2012 R2 with RDP Session Host without the whole RDP-RDMS shebang!

Configure Server 2012 and 2012 R2 with RDP Session Host without the whole RDP-RDMS shebang! - Part 1
Configure Server 2012 R2 with RDP Session Host without the whole RDP-RDMS shebang! - Part 2


Updated: 2016-05-25

Threw this into PowerShell to make this a little quicker for me, and now for you.

Current version at https://github.com/cajeeper/PowerShell/blob/master/Setup-Standalone-RDS-Host.ps1

 #Install Roles
 Get-WindowsFeature | ? { $_.Name -match "RDS-Licensing|RDS-RD-Server" } | Install-WindowsFeature

 #Allow RDP Access to the server
 Set-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0

 #Per Device  
 #$licenseMode = 2

 #Per User  
 $licenseMode = 4

 #Licensing Server  
 $licenseServer = "$env:computername.$env:userdnsdomain"

 Set-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core\" -Name "LicensingMode" -Value $licenseMode  
 Get-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core\" -Name "LicensingMode"  
 New-Item "hklm:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers"
 New-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers" -Name SpecifiedLicenseServers -Value $licenseServer -PropertyType "MultiString"  
 Get-ItemProperty "hklm:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers" -Name SpecifiedLicenseServers   

 #Allow Shadowing Users
 # Values: 0 (No Remote Control), 1 (Full Control with user's permission), 2 (Full Control without user's permission), 3 (View Session with user's permission), 4 (View Session without user's permission)
 New-ItemProperty "hklm:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name Shadow -Value 2 -PropertyType "DWORD"

 #Update GPO for Shadowing Users
 gpupdate /force

 #Open the firewall for RDP
 netsh firewall set service remotedesktop

 #reboot may be needed from Windows Feature Installation
Formatted for web with http://codeformatter.blogspot.com/ 





I went to setup a basic RDP Session Host, as I usually have done with our old 2008 R2 servers, and I was met with some slight grief. Apparently, in Windows Server 2012, Remote Desktop Configuration Manager is no longer available and you're advised to use the Remote Desktop Management Server (RDMS) in order to "... create and manage [your] Windows Server 2012 Remote Desktop environment." http://blogs.technet.com/b/askperf/archive/2012/10/30/windows-8-windows-server-2012-remote-desktop-management-server.aspx

I just want a stand-alone Session Host running a private RDS License Server on a workgroup - not a full scale deployment on an AD domain. I had tried installing just the two features, but had no way to directly configure the roles and continued to the 120 day notice for not having a configured my RDP Session Host. After tinkering around - here a Google, there a Google, everywhere a google Google - and I think I stumbled upon a simple way to configure just what I wanted with nothing more than just replacing my prior tasks in Remote Desktop Configuration Manager with creating a registry key, creating a registry Multi value string, and editing one registry key.

If you're like me and want to just keep it simple, go ahead and install just the two services - Remote Desktop Licensing and Remote Desktop Session Host, configure your licensing services, and then edit the registry to complete your configuration. <!-insert obligatory-hands-slapped-clean->

Install the two services:


Configure the Remote Desktop Licensing:



Update the licensing mode (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core\LicensingMode) registry key:
Enter 2 for per device mode or 4 for per user mode (By default it is 5 and is invalid)


Add the following LicenseServers key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers) and create the Multi_SZ String Value SpecifiedLicenseServers (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers\SpecifiedLicenseServers) :



Reboot and, BAMMM!... Bob's your uncle!

35 comments:

Anonymous said...

realy nice! thanks!
/Micke

Unknown said...

..thank you uncle!! you help me :)

Anonymous said...

You're The man...!! :-)
I mean, The uncle!!

Anonymous said...

How do you know my uncle?

Excellent post! Helped me a ton!

Anonymous said...

Thank you sir!

And once again, the fix is actually easy. Finding the fix ... not so much.

Wilmar said...

Great!!!!!!
I have tried and It's working since two months ago

Thanks!

Maris said...

Oh yeah! Spent some time to fix that until saw your post.
Weird that to do this you have to temper with registry. In 2008 R2 it was pretty straight-forward.

computer doctor said...

The Computer Doctor of Richmond says!
Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you

Anonymous said...

Thanks a lot!

MarkNL said...

Thank you for this article.
I wonder did you actually test this with multiple users?
I found some references that only per device would work in a workstation setup?

Justin Bennett said...

That's mainly how my session hosts are configured - per user licensing. Thanks!

computer doctor said...

Computer Doctor:

After finding this article, it solved my problems for a new 2012 STD setup in a small workgroup environment. The customer had no desire or need for a domain. They just needed this new server to host quickbooks and have several employees remote in at one time.

I bought a 5 user CAL for RDS. I struggled a lot with getting it setup until I found this blog. It was exactly what I needed.

Anonymous said...

I Love YOU!

PraxisServatur said...

very nice and helpful instructions!

Few comments though:
1.) your new script assumes that userdnsdomain is not empty. For me this is empty though, in my test trials I assigned just a simple Name for the server. As a result the variable $licenseServer then holds the name with an attached dot, in my case would be "WinServer2012R2."

2.) there is an official MS KB2833839 article, which more or less is exactly equivalent to the steps you show. Your's more elegant and clear, their's a bit more confusing as it mixes AD domain and workgroup configurations and needed some additional clarification to understand step 3 is not req'd in work group. But both are doing the same steps.

3.)you and many others such as computer doctor confirm the combination RDSH in workgroup mode with RDS user CALs working fine. This is exactly what we will need as well. However, I'm still a bit concerned especially on long term flawless operation since I (same as MarkNL) also read about that in workgroup only device CALs will work. E.g. MS KB2473823 clearly states device only. I'm currently trying to get more information here about possible issues with user and what can trigger these. You'll find that I posted a link to your blog there :-)

Justin Bennett said...

PraxisServatur, 1) I have $env:computername.$env:userdnsdomain entered, but you can easily delete this and enter in any FQDN of license server you so desire. 2) I had not found any documentation on this process when I wrote these steps - so thank you for pointing out KB2833839. I also wasn't looking to explain the process completely for setting up a licensing server. My posts are merely getting back on track, not how to get there. 3) I have stated the Per User CAL has worked, but you need to ensure you are following Microsoft Licensing on your own. As you mentioned, KB 2473823 outlines Microsoft's RDMS Licensing guidelines in a very grey means and my feeling is they will not license User CALs in this model. You need to ensure your licensing agreement supports what you're doing - that's not up to me to decide for anyone.

Brian Bartlett said...

Succinct, even elegant, awesome hack (the good kind). Thank you. I've been trying to work for an internet age.

Anonymous said...

You are absolutely "The Uncle!" Such a quick simple fix, never mind the hours I spent trying to get server functioning before I came across this post. Thanks!

Anonymous said...

Thank you so much! I've been trying to find a solution to this problem all day. This is a terrific antidote when creating an Active Directory DC isn't necessary.

Anonymous said...

Hi justin
Thank you for sharing. It seem to work for me but I have 2 questions.
1. I have 5 per user RD license installed, but I can keep connecting RD user (had 8 RD desktops online) any idea whay? (its look right and it don't run in grace period it look like your picture 5 of 5 just with 5 licens)
2. when going into RD licensing manager I don't see any issued licens just say 0 like you picture 2of5 and the same if I run a report it don't show. Do you have any idea?
Thank you in advanced
Morten from Denmark

Justin Bennett said...

"Per-User Client Access Licenses (CALs) tracking and reporting is not available in a workgroup. It only works in an AD domain. If your license server is activated and you're not seeing any error messages about the RDSH server being in a grace period, I'd say you're fine." per http://serverfault.com/questions/638132/user-rds-cals-are-not-issued-when-rds-role-is-istalled-on-server-2012-r2-in-a-wo

Have you tried running the RD Licensing Diagnoser to see what it reports?

Also, I found good Q&A over at http://blogs.technet.com/b/volume-licensing/archive/2014/03/10/licensing-how-to-when-do-i-need-a-client-access-license-cal.aspx for reference.

Unknown said...

Hi Justin,
Thanks!! Took me a while trying to get it to work until I found your blog.....don't know whey they make it more difficult on 2012 (compare to 2008).

I have Per-User RDS CALs and this solution works fine. Only thing different was that I found other article about deleting the grace period key in registry and did that first and when I logged onto the server it showed that I had 120 day grace period (again)??

Anyway, after following your steps that 120 day grace period warning message disappeared and I could see the session host is issuing out licenses when users are logging in.

Regards,

Steve

Nathan weiss said...

all went smoothly and i double checked everything. but i am still getting the popup that says no remote desktop license server is available. any ideas?

Nathan weiss said...

my email is nathanw at Cheservices.com to reach me

Anonymous said...

this helped a lot!

thank you

Anonymous said...

I don't know you...but I Owe you a drink....thanks, worked perfectly....brilliant.

Anonymous said...

If I ever meet you in a bar, I'm buying you a drink. You just saved me a stupid amount of work!

Unknown said...

Still works even now - tho I did have trouble in a GCE Instance for 2012 when I had renamed the computer/workgroup. So, I created a new instance, did this first, then rename the computer and workgroup. I had to edit the server name manually, in the registry, and it was good right away using TS License Diags. THANKS!

Justin Bennett said...

Good to hear, best of luck!

Unknown said...

Thanks for the post. This worked for our standalone server but now I'm trying to replace the self-signed certificate with an SSL from a CA. For some reason the system is still recognizing the self-signed cert instead of the SSL. Any idea if this registry change is preventing the system from using the SSL cert instead of the self-signed one?

Justin Bennett said...

Once you've placed the SSL Certificate into the Local Machine's Personal Certificate Store, you need to tell Remote Desktop Session Host (Terminal Services) the SSL's Thumbprint, so it knows to use. (Here's a quick Import/Export walk-thru https://www.geocerts.com/support/migrate_iis)

I'll use Google's SSL Certificate for www.google.com as an example.

It has a Thumbprint of 90 86 a4 3b f5 cf 1b 2e 4e f7 97 96 f9 de ba b9 66 35 86 3f
Here's a screenshot: https://drive.google.com/file/d/0B7WeybicmhdLV2RqRk13MnB6WjA/view?usp=sharing

Then, to tell Remote Desktop Session Host Service of the SSL Certificate by it's Thumbprint:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="9086a43bf5cf1b2e4ef79796f9debab96635863f"

Afterwards, you should just need to reboot the host and you should be good to go. If you mess up, you likely won't be able to RDP into the host, so be sure to have backup physical console access of some sort.

Just be sure to remove the spaces in the thumbprint for the SSLCertificateSHA1Hash setting, as show above.

Best of luck!

Unknown said...

That worked - Thanks!

JJLee said...

Similar to Nathan weiss, my users are using the Remote Desktop for few months and out of sudden it's not working.

I am getting the popup that says no remote desktop license server is available

Mean while, server is showing Event ID 1069 with error msg below
"The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Session Host server has not been configured. Licensing mode must be configured for continuous operation."

all first 4 out of 5 pic are the same except pic 5 the RD Licensing Diagnoser showing "License server idcr-oracle_svr is not available. This could be caused by network connectivity problems, the Remote Desktop Licensing service is stopped on the license server, or RD Licensing is no longer installed on the computer."

K Lee said...

Thank you ! God Bless you .

Anonymous said...

Worked very well but the license server doesn't issue a license when a user connects to the server.

What I did:
1.) Ran Powershell script
2.) Windows+R --> licmgr.exe --> install per user CALs

Server sais it is registered but the following cmd command tells me that there are 119 days left and thats why "out of a sudden" after a view months the server will stop working:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TerminalServiceSetting WHERE (__CLASS !="") CALL GetGracePeriodDays


any fix available? I dont get it why the server doesn't issue a license

Binh said...

Hi Justin,
Thanks for this. I have a client who just wanted a simple 5 User Server 2012 R2 RDS to run an old accounting software on. They are not on a domain (use Office 365) so I configured the Server 2012 R2 in a Workgroup and installed USER CALS. I noticed the comment from Anonymous (date: May 5, 2017) that their server is still in Grace period. I ran the same command and get the same message:
"DaysLeft = 119"

Can you confirm that what you've done works using USER CALS and that the server doesn't stop working after the 120 Grace days?

Thanks