For Geeks @nd the not so Geeky

Remote Desktop Services

Remote Desktop Services (RDS) Basics

Remote Desktop Services (RDS) in Windows Server 2008 and Windows Server 2008 R2 replaces Terminal Services used in previous versions of Windows.

The major name changes include a change from Terminal Server to RD Session Host as well as the renaming of TS Session Broker to Remote Desktop Services Connection Broker. You can also try the service for 120 days without requiring any Client Access Licenses (CALs).

Both Remote Desktop (included in every Windows version since XP) and Remote Desktop Services rely on the Remote Desktop Protocol (RDP), which uses TCP port 3389 to establish connections.

However, on a system running Windows Server 2008 R2 without the RDS role installed, only 2 users can be connected concurrently.

Remember that being logged on locally at the console also counts as a session, which leaves you with one possible remote connection.

Remote Desktop Services Features not available in Remote Desktop

  • Scalability through multiuser support
  • RemoteApp provides the ability to deploy an application remotely and add it to the user’s start menu giving it the look and feel of a locally installed app. This is a handy feature for legacy apps or a way to avoid licensing needs.
  • RD Web Access is another way of making remote apps available through a web browser.
  • The RD Connection Broker manages the connections between the client and a server farm enabling the reconnection to disconnected sessions.
  • The RD Virtualization Host enables RDP client connections to virtual machines hosted in Hyper-V on the RDS server or farm.
  • RD Gateway lets authorized users on the Internet connect to the RDS server on the private corporate network using the HTTPS protocol for data encryption, thereby eliminating the need for a VPN tunnel.
  • RemoteFX is a new feature included in Windows Server 2008 SP1 which can enhance the graphical capabilities of RDP.

Network Level Authentication (NLA)

RDP 6.0 and later give you the option to require NLA when enabling Remote Desktop. Windows Vista and later support NLA natively, whereas Windows XP SP3 requires a registry change before NLA can be used.

Network Level Authentication in Remote Desktop Services lets a user authenticate before the remote desktop session is established, unlike earlier versions of RDP where credentials could only be entered at the Log On to Windows screen, after the session had already been set up.

Remote Desktop Services – Enabling Remote Desktop in Server Core


You can use Cscript.exe to run Scregedit.wsf from the command line with the /ar switch and a value of 0 to enable Remote Desktop on Server Core.

Cscript.exe C:\Windows\System32\Scregedit.wsf /ar 0

This command configures the server to accept RDP connections and to require NLA. To allow clients earlier than Windows Vista (which do not support NLA) to connect, run the following command as well.

Cscript.exe C:\Windows\System32\Scregedit.wsf /cs 0


Another way to enable Remote Desktop on a Server Core installation is to run Sconfig from the command line. Sconfig also prompts you for the NLA setting.
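The two Scregedit.wsf switches above change registry values under the Terminal Server key, so the same result can be achieved and, more usefully, verified from PowerShell. The script below is an added example, not code from the original post: it sets the values that /ar 0 and /cs map to, opens the built-in Remote Desktop firewall rule group with netsh (Server Core 2008 R2 has no firewall cmdlets), and reads the settings back. It assumes the PowerShell feature is enabled on the Server Core host and that the script runs from an elevated prompt; the function names are this example's own.

```powershell
# Added example (not from the original post). Assumes PowerShell is enabled on
# the Server Core host and the session is elevated.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Enable-RemoteDesktopCore {
    param(
        # $true keeps NLA required; $false is the "Scregedit.wsf /cs 0" equivalent
        # that lets pre-Vista clients connect without NLA (weaker: no pre-session auth).
        [bool]$RequireNla = $true
    )

    # "Scregedit.wsf /ar 0" clears fDenyTSConnections so the host accepts RDP.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

    # "Scregedit.wsf /cs <0|1>" maps to UserAuthentication on the RDP-Tcp listener.
    $nla = if ($RequireNla) { 1 } else { 0 }
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value $nla -Type DWord

    # Open TCP 3389 through the predefined "Remote Desktop" firewall rule group.
    netsh advfirewall firewall set rule group="remote desktop" new enable=Yes | Out-Null
}

function Get-RemoteDesktopState {
    # Read the effective settings back so the change can be verified or logged.
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    New-Object PSObject -Property @{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($rdp.UserAuthentication -eq 1)
        Listener    = 'RDP-Tcp'
        Port        = $rdp.PortNumber
    }
}

Enable-RemoteDesktopCore -RequireNla $true
Get-RemoteDesktopState | Format-List
```

Get-RemoteDesktopState is the part worth keeping around: run on its own it tells you, without touching anything, whether a host accepts RDP and whether NLA is enforced, which is the check to make after someone has run /cs 0 for a legacy client and forgotten to revert it.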


Client Access Licenses in Remote Desktop Services

Per Device CAL – The client device is issued a temporary license on first connection, which is permanently activated on the second connection provided enough licenses are available. Recommended when multiple users share the same device, for example shift workers.

Per User CAL – Allows a user to access RDS from any number of devices in a domain-based scenario. Recommended for roaming users with multiple devices or when your organization has more devices than users.

Connection Configuration through RDP-Tcp

RDP-Tcp is the default connection for all local RDP connections and is bound to all local network adapters. You can create exceptions by creating new connections that apply to specific network adapters. Be aware that third-party software such as Citrix uses its own proprietary protocol.

RDP-Tcp Properties Security Layer

Default – The native encryption built into RDP, compatible with clients running versions earlier than 6.0. Clients cannot verify the identity of the RD Session Host.

SSL (TLS 1.0) – Stronger encryption than the above, and provides server authentication for clients that use an RDP version lower than 6.0. This is achieved through SSL, which requires a computer certificate to be present on the server. SSL nevertheless reduces performance because of the overhead of its stronger encryption.

Negotiate – The default setting, which uses SSL (TLS 1.0) only when the client supports it and otherwise falls back to native RDP encryption.
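The three security layer options, the encryption level and the NLA switch all live on the RDP-Tcp listener, and the combination matters more than any one setting: with the native layer a client has no way to tell a genuine RD Session Host from something else answering on 3389. The audit function below is an added example, not code from the original post; it reads the listener's registry values, translates them to the names shown in the RDP-Tcp Properties dialog, and lists the weak combinations, and a companion function applies a Negotiate/High/NLA baseline. It assumes an elevated PowerShell session on the RD Session Host; the function names and the finding texts are this example's own.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on the RD Session Host.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# SecurityLayer as shown under RDP-Tcp Properties > General.
$securityLayerNames = @{ 0 = 'RDP Security Layer (native)'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
# MinEncryptionLevel as shown in the same dialog.
$encryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListenerSecurity {
    param([string]$Path = $rdpKey)
    $p = Get-ItemProperty -Path $Path
    $findings = @()

    if ($p.SecurityLayer -eq 0) {
        $findings += 'Native RDP security layer: clients cannot verify the identity of the RD Session Host.'
    }
    if ($p.UserAuthentication -ne 1) {
        $findings += 'NLA not required: credentials are entered only after the session has been built.'
    }
    if ($p.MinEncryptionLevel -lt 3) {
        $findings += 'Encryption level below High: legacy clients can negotiate weaker encryption.'
    }

    New-Object PSObject -Property @{
        SecurityLayer      = $securityLayerNames[[int]$p.SecurityLayer]
        MinEncryptionLevel = $encryptionLevelNames[[int]$p.MinEncryptionLevel]
        NlaRequired        = ($p.UserAuthentication -eq 1)
        Findings           = $findings
    }
}

function Set-RdpListenerBaseline {
    # Negotiate (1) keeps pre-6.0 clients working while using TLS whenever the
    # client supports it; High (3) and NLA on are the defender's baseline.
    # SSL-only (2) would also need a computer certificate on the server.
    param([string]$Path = $rdpKey)
    Set-ItemProperty -Path $Path -Name SecurityLayer      -Value 1 -Type DWord
    Set-ItemProperty -Path $Path -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $Path -Name UserAuthentication -Value 1 -Type DWord
}

Get-RdpListenerSecurity | Format-List
```

Running Get-RdpListenerSecurity against each farm member is a quick way to catch a host that was dropped back to the native layer or had NLA switched off for a legacy client; Set-RdpListenerBaseline applies the Negotiate setting described above rather than SSL-only, precisely because SSL-only fails for clients that cannot do TLS and for hosts without a certificate.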

Remote Desktop Session Broker

The RD Connection Broker is used for load balancing in a server farm. It tracks the load on each farm member and reconnects users to their disconnected sessions on the correct farm member server.

The server on which you install the RD Session Broker role must be a domain member, as this is a prerequisite for adding other servers in the domain to the farm.

Remember to disable IP address redirection if you are using a hardware load balancer that supports routing tokens.
