Remote Access In Windows Server 2016



Good morning. Time for another installment. Today I wanted to talk about 2 of my favorite Microsoft technologies in one article; RDS (Remote Desktop Services) and the Essentials experience.

I tired to setup Anywhere Access and decided to use the Microsoft 'hosted' domain server. So my URL is After forwarding port's 80 and 443 on the Watchguard firewall to the internal server usinf Static NAT I am presented with the IIS Splash page. I did previously setup during a few occasions, VPN access on Windows Server 2012 R2, but haven’t tested that on the newly released Windows Server 2016. Remote access role is a VPN which protects the network connection or your remote connection from one side to another and protecting both sides from attacks or data sniffing as VPN protocol uses a tunnel inside of a standard data connection. You can use Remote Access to route network traffic between subnets on your Local Area Network. Routing provides support for Network Address Translation (NAT) routers, LAN routers running BGP, Routing Information Protocol (RIP), and multicast-capable routers using Internet Group Management Protocol (IGMP). As a full-featured router, you can deploy RAS on either a server computer or as a virtual machine (VM.

Recently I have seen a rise in the deployment of RDS, specifically Session Host, on Windows Server 2016 Essentials. While this seems like the perfect money saving combination, Essentials is about $200-300 cheaper than the Standard SKU, it is not. While not well documented, this configuration is not supported by Microsoft*. This may not deter some admins. However, it also will not work properly. While I have seen this issue on several occasions in customer environments, I figured I would reproduce this. Below is the documentation of that process.

Enable Remote Desktop Services 2016

I started by installing Windows Server 2016 Essentials into a generation 2 VM (Virtual Machine). I ran the initial configuration wizard to complete setup. I verified that only 2 simultaneous interactive logon sessions would work. See the screen capture below.

Enable Remote Desktop Server 2016

ServerRemote Access In Windows Server 2016

I then shutdown the server and took a checkpoint. After booting the VM back up, I installed RDS via the installation wizard. The roles installed properly, but I received an error when creating the session collection. After a reboot the session collection did show up. This seemed odd to me, but upon checking Server Manager all seemed to be normal. I then tested the number of simultaneous connections again. I ran into the same 2 user limit.

Maybe this is due to RDS licensing not being installed or configured? I then installed and activated a license server on the same machine. I added a 50 pack of user CALs. Finally, I added the license server and the network service account to the Terminal Server License Servers group in AD. After a restart, RD Licensing manager is reporting all green checks. However RD Licensing Diagnoser is reporting it is not configured with a license server. See the screenshots below. This led me to check the deployment properties and I found it was configured for Per User mode with the correct server.

Remote Access To Windows Server

At this point it is pretty clear this is not going to work properly, but I wanted to dig a little deeper and find out why. Time to break out the PowerShell. I ran the following commands to manually configure Session Host via PowerShell:
$obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting$obj.ChangeMode(4)

Upon running the last command I receive an error indicating the method is not specified, meaning the parameter doesn’t exist. This led me to output all parameters from the Win32_TerminalServiceSetting object. This is how I discovered the root cause for the limitation. It appears that even though I have install Session Host, the server is still in Remote Desktop for Administration mode. In this mode it is not possible to specify a license server or licensing mode. Also there is the limitation of two simultaneous interactive logon sessions.

Remote

Remote Access Windows Server 2016 Essentials

So is it possible to get around this or correct it? The good news is that the process is fairly easy. The bad news is that an upgrade to standard edition is required. A walk-through of the upgrade process can be found here. I went through this process in my test environment. After reactivating my license server and updating the licensing mode in the deployment properties, my RD Licensing Diagnoser reported no issues. Also for curiosity sake, below is a screenshot of the same PowerShell output after upgrading to Standard.

So the moral of the story is if you need RDS in Windows Server 2016 you will need Standard edition or higher. I hope this has been informative for you. If you have any comments or suggestions, please leave them below.

*There is only one reference, that I could find, to the supportability of RDS on the Essentials SKU. It is in the Windows Server 2012 R2 Licensing Datasheet. On page 5, look for footnote 8.