In most larger environments you usually want a complete installation with a connection broker, web interface and gateway service. But what about a small environment? Or you just need a stand-alone server from which to manage the rest of the network. Using a connection broker a web interface is overkill, and why install these roles without needing them.

When following all the howto’s on the internet, you’ll always end up with at least four roles installed on one or more servers (RDSH, RDWI, CB and RD licensing). With a session host collection configuration. The part I liked about the way 2008(R2) worked, one could use only RDSH and the licensing role to create a really simple configuration. This option appears to have been removed in 2012 and later. In some cases, such a simple setup can be quite useful, in this blog I’ll explain a way  to do this.

The default path most take leads to opening the server manager, choosing add role to install and choosing Remote Desktop Role:
01_Choose_RD_roleNext next to role list
02_RD_rolesSelectUh oh, no next possible without assigning a connection broker.
03_NoSetupWithoutCBBut it is possible to just install the RDSH role without doing from a connection broker, or using a connection broker. The trick is, don’t select remote desktop services during the adding of the role, but the regular role-based of feature-based installation:
04_NoRDServiceSelectionNext, and one can select Remote Desktop services:
05_selectRDPServiceNext until:
06_Select_rolesAnd here we can select the desired roles, in this case RDSH and licensing. It also offers to install the management features:
07_Add_managementFeaturesBut these are mostly for analyzing licensing and configurering the license server itself. It’s also possible to do this using powershell:

Install-WindowsFeature –Name RDS-Licensing
Install-WindowsFeature –Name RDS-RD-Server -Restart

Great, now lets configure the service using Server manager:
08_NoManaging_hereOk, no go here, which makes sense since the way 2012 and up works completely different than 2008(R2).
Or does it? The truth is, it isn’t. Under the hood, much of the settings are the same as in 2008R2. They’ve removed the management consoles we know from 2008, and added a more centralized server management. More on this in another blog.
Ok, so how to configure this bare bone config? Powershell?
09_NoPowershellWon’t work, they have rewritten the cmdlets to only use the new way. In 2008R2 you could manage the settings of a RDSH farm through the use of group policies, and this is still possible in 2012R2:
10_GPOThe license mode is easily configured:
11_LIcenceModeAlmost everything can be configured here, the RDP certificate is one of those things you cannot do using Group policy. I guess in that in most of these small deployments, having a self generated certificate is acceptable. But not all, so we’ll configure this too. You could of course do it using templates from you’re own CA, but I wanna use another certificate. And besides, having a CA doesn’t really count as a small deployment 😉 .
The powershell cmdlets all need a Connection broker, but as always, there is another way.
The certificate (with private key) has to be imported into the personal store of the local machine.
Now we need the Thumbprint of the certificate:
12_thumbprintAnd after removing all spaces, we can use it in the following powershell script:

$path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=’RDP-tcp'”).__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash=”ThumbprintWithoutSpaces”}

Which binds the desired certificate to the RDP protocol:
13_succesCertificateDone, a simple setup. While I know this isn’t a configuration which will be useful in most cases. It’s  just that it can be in some. And I like it to be able to keep it simple 🙂


  1. Karma

    How do you manage user sessions? (disconnect, shadow, …) if you don’t have TSAdmin like we used to on 2008, and if you don’t have the tools available in server manager (as shown in your screenshot) ?

    1. Karma

      (and can’t use the powershell cmdlets, like you already know).
      I think we just need to accept that this kind of configuration is no longer a viable option, and that we need to install the connection broker (even on a single server deployment) and create the session collection.

  2. Eric Verdurmen

    It was meant to be a small environment, but managing is still possible using several old tools, like quser.exe. In 2012R2 you can use mstsc with new /shadow: switch to shadow.
    And it’s possible to use WMI to do more with RDS in powershell.

  3. Martin BErard

    running this on a 2012R2, I get an error trying to execute
    path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=’RDP-tcp’”).__path

    Get-WmiObject : Invalid query “select * from Win32_TSGeneralSetting where

    1. Eric Verdurmen

      If you copied the command, try replacing all spaces. If you copy from a webpage, sometimes the space get’s replaced with a &npsb character. These don’t work well in a script.

  4. Kevin R

    Nice write-up Eric. Would you by any chance have instructions for cleanly “uninstalling” the RD Connection Broker role from a server that it was installed on previously but which we’d rather setup using these steps to just run RD SH? I removed the role, but the server still appears to be looking for the RD Connection Broker whenever I try to RDP into it, based on a few odd symptoms and event log messages.

    1. Eric Verdurmen

      Hi, before you uninstall the connection broker, make sure no farm is configured in the connection broker. Otherwise, the RDSH server will try to connect to the connection broker.

  5. Royce

    We don’t have a farm, just a single RDS server. Is it plausible to remove connection broker? I really want to get rid of Windows Internal Database and RD Connection Broker requires it. We don’t need Web Access either, but for some reason it’s installed.

    If we just had RD Licensing and Session Host roles, would it work?

    1. Eric Verdurmen

      It can be done, if you follow the instructions in this blog, you’ll have such a configuration.

  6. Ed Gandolfi

    Eric, I am looking to do this with some new 2012 servers as our current 2008 R2 RDS config does not use a connection broker. We do not publish apps. We have servers that have specific apps installed and we give users the ability to log in via the RD client and run the app off the server directly. Is there a way to set up multiple session hosts and just have those session hosts point to a specific license server? Deploying one in the manner above seems simple, but I need to add multiple session hosts that can get the license from a separate server running the licensing role.

    1. Eric Verdurmen

      This can be done, almost all settings can be done through the use of group policy and the registry. You won’t have load balancing though, if you want that, it’s also possible to use Kemps as load balancers.

  7. Bryan

    Hi Eric, Cool post, thank you, the “Cut down” version is working well so far.

    Question, is there a way to control which programs can fire on a 2012 RD Session host without the collection in manager? I have found this to enable but I cant find where to list the apps that may run
    “You can control which programs on an RD Session Host server can be started remotely by using the RemoteApp Manager on Windows Server 2008 R2 and Windows Server 2008. If you are using Windows Server 2012 R2, you can configure this in the Collection properties sheet by using Server Manager.”

    Many thanks

  8. Chris

    I am also running WIN 2012 R2 and set the same invalid query error when running the script in PS. I made sure there were no extra spaces in the command. The exact error I get is…

    Get-WmiObject : Invalid query “select * from Win32_TSGeneralSetting where TerminalName=’RDP-tcp'”
    At line:1 char:10
    + $path = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\ter …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

    1. Chris

      SOLVED: looking closely at the script I noticed the formatting of the quotes were different, turned out that’s what the problem was, hope this helps someone out there!

  9. Mark

    Great post this saved me a ton of time. My main experience has been with 2003, 2008 and 2008R2. I don’t want to stand up an entire infrastructure just for one application that needs terminal access.

Leave a Reply

Your email address will not be published. Required fields are marked *