This guide assumes you have used the "Server - Install New Server" SOP to physically install the new server and add it to the domain. Do not make the terminal server a domain controller or transfer FSMO roles to it, as it is not secure to do so.
Before installing the RDS role, you can install any software using the normal route. After you install the RDS role, the server must be put into install mode before installing if the software needs to work with RDS.
Open Server Manager and click "Add Roles and Features". Click Next, select Remote Desktop Services Installation, click Next. Select Standard Deployment, click Next. Select Session-based desktop deployment, click Next. Click Next, click the right arrow to move the TS server over to the right to select it as an RD Connection Broker server, click Next. Do the same for the RD Web Access server, click Next. Do the same for the RD Session Host server, click Next. Check the box for "Restart the destination server automatically if required" and click Deploy. The server will reboot once complete. Once rebooted, log in and click Close on the Add Roles and Features wizard.
In Server Manager, click on Remote Desktop Services. Under Deployment Review, click the green plus symbol above RD Licensing. Click the right arrow to select the license server and click Next and click Add. Click Close when complete. Click the down arrow by TASKS, and click "Edit Deployment Properties". Click "RD Licensing" and choose Per User. Click OK.
Open Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager. Right click the server name and click Activate Server. Click Next, click Next, fill in the 4 fields and click Next, click Next. Uncheck "Start Install Licenses Wizard now", click Finish.
If you purchased licenses and need to downgrade them, you have to call the Microsoft Clearinghouse. To do that, you right click the server name in the RD Licensing Manager and click "Properties". Change the connection method to "Telephone" and click OK. Then right click the server name and click "Install Licenses", click Next. It will give you a number to call and a license server ID. It starts off as an automated system. You have to say "other licenses" and then "remote desktop licenses" to get to the right person. They will ask for the product keys of the licenses you need to downgrade as well as the license server ID showing on your screen. Once you enter that and click next, the licenses will show up on the list.
If you do not need to downgrade the licenses, simply right click the server name and click "Install Licenses", click Next, choose the license type, type in the info, click Next, and then click Finish.
Record the license type, quantity, and product keys in notes in Connectwise and give to the client to keep in a safe place.
Navigate to Administrative Tools > Windows Firewall with Advanced Security. Right click on Inbound Rules, click New Rule, select Predefined, and choose "Remote Desktop". Click Next. Select all of the rules and click Next. Click Finish. If the Windows Firewall is off, we will need to turn it on. Before doing so, make sure all necessary ports are open for all other software, and make the change during off hours when we can test all software from a workstation.
NOTE: If you do not see some of the Group Policy options when setting up the lockdown policy, you may need to update the ADMX files for Group Policy.
This seems to dramatically slow down users logging out.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
DeleteUserAppContainersOnLogoff (DWORD)
Value: 1
If the server is already in place, go to firewall rules > Inbound rules, scroll over to the right until you see the “Local User Owner” column and sort by that. Scroll down and you’ll see the thousands of firewall rules. You can bulk delete them from there. I didn’t do them all at once; I did a hundred or so at a time until they were all gone. Then do the same for Outbound rules. Then you can add the registry entry and test.
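The cleanup described above, scripted in PowerShell as an added example (not part of the original SOP). It assumes the rules the GUI shows with a "Local User Owner" are the ones whose Owner property is set; the function name and the backup path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original SOP.
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$BackupFile = 'C:\Temp\firewall-before-cleanup.wfw'   # hypothetical path; folder must exist

function Remove-PerUserFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [ValidateRange(1, 1000)][int]$BatchSize = 100   # "a hundred or so at a time"
    )
    # Assumption: a rule with a non-empty Owner (a user SID) is one the GUI
    # lists with a value in the "Local User Owner" column.
    $rules = @(Get-NetFirewallRule -Direction $Direction | Where-Object { $_.Owner })
    for ($i = 0; $i -lt $rules.Count; $i += $BatchSize) {
        $end = [Math]::Min($i + $BatchSize, $rules.Count) - 1
        # -WhatIf is passed through explicitly so a preview never deletes anything.
        $rules[$i..$end] | Remove-NetFirewallRule -WhatIf:$WhatIfPreference
        Write-Host ('{0}: processed {1}-{2} of {3}' -f $Direction, ($i + 1), ($end + 1), $rules.Count)
    }
    return $rules.Count
}

# Keep a copy of the current policy so the rule set can be restored if needed.
netsh advfirewall export $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Firewall export to $BackupFile failed; nothing was changed." }

# Preview first; remove -WhatIf once the counts look right.
$inbound  = Remove-PerUserFirewallRule -Direction Inbound  -WhatIf
$outbound = Remove-PerUserFirewallRule -Direction Outbound -WhatIf
Write-Host "Per-user rules found: $inbound inbound, $outbound outbound"

# Then add the registry entry from this section and read it back to confirm.
New-ItemProperty -Path $PolicyKey -Name 'DeleteUserAppContainersOnLogoff' `
    -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $PolicyKey -Name 'DeleteUserAppContainersOnLogoff'
```

Run it during off hours and compare the reported counts against what the firewall console shows before removing -WhatIf.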
Run Command Prompt as administrator. Type "Change User /Install" and press enter. When you are done installing applications, do the same but type "Change User /Execute".
Review necessary software by looking at existing workstations to determine what is needed. For example, they may need Adobe Reader, Google Chrome, Java, scanning software, etc. Remember to install AV and backup software and set up AV exclusions.
You cannot download ProPlus and just install it. Follow this guide to install Office on a terminal server. https://kb.intermedia.net/Article/21967
Install Google Chrome Enterprise and add ADMX files to Group Policy.