Remote Desktop Services roles (2023)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This article describes the roles within a Remote Desktop Services environment.

Remote Desktop Session Host

The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with users. Users get to these desktops and apps through one of the Remote Desktop clients that run on Windows, macOS, iOS, and Android. Users can also connect through a supported browser by using the web client.

You can organize desktops and apps into one or more RD Session Host servers, called "collections." You can customize these collections for specific groups of users within each tenant. For example, you can create a collection where a specific user group can access specific apps, but anyone outside of the group you designated won't be able to access those apps.

For small deployments, you can install applications directly onto the RD Session Host servers. For larger deployments, we recommend building a base image and provisioning virtual machines from that image.

You can expand collections by adding RD Session Host server virtual machines to a collection farm, with each RDSH virtual machine within a collection assigned to the same availability set. This provides higher collection availability and increases scale to support more users or resource-heavy applications.

In most cases, multiple users share the same RD Session Host server, which most efficiently utilizes Azure resources for a desktop hosting solution. In this configuration, users must sign in to collections with non-administrative accounts. You can also give some users full administrative access to their remote desktop by creating personal session desktop collections.

You can customize desktops even more by creating and uploading a virtual hard disk with the Windows Server OS that you can use as a template for creating new RD Session Host virtual machines.

Remote Desktop Connection Broker

Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to RD Session Host server farms. RD Connection Broker handles connections to both collections of full desktops and collections of remote apps. RD Connection Broker can balance the load across the collection's servers when making new connections. If RD Connection Broker is enabled, using DNS round robin to RD Session Hosts for balancing servers is not supported. If a session disconnects, RD Connection Broker will reconnect the user to the correct RD Session Host server and their interrupted session, which still exists in the RD Session Host farm.

You'll need to install matching digital certificates on both the RD Connection Broker server and the client to support single sign-on and application publishing. When developing or testing a network, you can use a self-generated and self-signed certificate. However, released services require a digital certificate from a trusted certification authority. The name you give the certificate must be the same as the internal Fully Qualified Domain Name (FQDN) of the RD Connection Broker virtual machine.

You can install the Windows Server 2016 RD Connection Broker on the same virtual machine as AD DS to reduce cost. If you need to scale out to more users, you can also add additional RD Connection Broker virtual machines in the same availability set to create an RD Connection Broker cluster.

Before you can create an RD Connection Broker cluster, you must either deploy an Azure SQL Database in the tenant's environment or create an SQL Server AlwaysOn Availability Group.

For more information, see the following articles:

  • Add the RD Connection Broker server to the deployment and configure high availability
  • SQL database in Desktop hosting service.

Remote Desktop Gateway

Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure's cloud services.

The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between clients and the server. The RD Gateway virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 and inbound UDP connections to port 3391. This lets users connect through the internet using the HTTPS communications transport protocol and the UDP protocol, respectively.

The digital certificates installed on the server and client have to match for this to work. When you're developing or testing a network, you can use a self-generated and self-signed certificate. However, a released service requires a certificate from a trusted certification authority. The name of the certificate must match the FQDN used to access RD Gateway, whether the FQDN is the public IP address' externally facing DNS name or the CNAME DNS record pointing to the public IP address.

For tenants with fewer users, the RD Web Access and RD Gateway roles can be combined on a single virtual machine to reduce cost. You can also add more RD Gateway virtual machines to an RD Gateway farm to increase service availability and scale out to more users. Virtual machines in larger RD Gateway farms should be configured in a load-balanced set. IP affinity isn't required when you're using RD Gateway on a Windows Server 2016 virtual machine, but it is when you're running it on a Windows Server 2012 R2 virtual machine.

For more information, see the following articles:

  • Add high availability to the RD Web and Gateway web front
  • Remote Desktop Services - Access from anywhere
  • Remote Desktop Services - Multi-factor authentication
  • Set up the RD Gateway role

Remote Desktop Web Access

Remote Desktop Web Access (RD Web Access) lets users access desktops and applications through a web portal and launches them through the device's native Microsoft Remote Desktop client application. You can use the web portal to publish Windows desktops and applications to Windows and non-Windows client devices, and you can also selectively publish desktops or apps to specific users or groups.

RD Web Access needs Internet Information Services (IIS) to work properly. A Hypertext Transfer Protocol Secure (HTTPS) connection provides an encrypted communications channel between the clients and the RD Web server. The RD Web Access virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 to allow the tenant's users to connect from the internet using the HTTPS communications transport protocol.

Matching digital certificates must be installed on the server and clients. For development and testing purposes, this can be a self-generated and self-signed certificate. For a released service, the digital certificate must be obtained from a trusted certification authority. The name of the certificate must match the Fully Qualified Domain Name (FQDN) used to access RD Web Access. Possible FQDNs include the externally facing DNS name for the public IP address and the CNAME DNS record pointing to the public IP address.
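The certificate rules stated for RD Connection Broker, RD Gateway and RD Web Access (name equal to the FQDN clients use, and a trusted certification authority for released services) can be checked before a certificate is assigned to a role. The PowerShell below is an added example, not part of the original article or of the RDS tooling; the function name Test-RdsRoleCertificate and the contoso.example host names are hypothetical, and the sample certificate is constructed for the demonstration.

```powershell
# Added example: checks one certificate against the FQDN and trust rules described above.
function Test-RdsRoleCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # FQDN clients use to reach the role: the internal FQDN for RD Connection Broker,
        # the external DNS name or CNAME for RD Gateway and RD Web Access.
        [Parameter(Mandatory)]
        [string]$Fqdn
    )

    # DNS names PowerShell extracts from the certificate.
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })

    $nameMatches = $false
    foreach ($name in $names) {
        if ($name -eq $Fqdn) { $nameMatches = $true; break }   # -eq ignores case
        # A wildcard covers exactly one left-most label:
        # *.contoso.example matches rdgw.contoso.example, not a.b.contoso.example.
        if ($name.StartsWith('*.')) {
            $first, $rest = $Fqdn -split '\.', 2
            if ($first -and ($rest -eq $name.Substring(2))) { $nameMatches = $true; break }
        }
    }

    # Build the chain without revocation lookups so the check also runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainTrusted = $chain.Build($Certificate)

    [pscustomobject]@{
        Fqdn         = $Fqdn
        CertNames    = $names -join ', '
        NameMatches  = $nameMatches
        SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainTrusted = $chainTrusted
        # Suitable for a released service only if the name matches
        # and the chain ends in a root this machine trusts.
        OkForRelease = ($nameMatches -and $chainTrusted)
    }
}

# Constructed sample: a throwaway self-signed certificate for a hypothetical gateway name.
$sample = New-SelfSignedCertificate -DnsName 'rdgw.contoso.example' `
    -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    Test-RdsRoleCertificate -Certificate $sample -Fqdn 'rdgw.contoso.example'   # same name
    Test-RdsRoleCertificate -Certificate $sample -Fqdn 'rdweb.contoso.example'  # different name
}
finally {
    # Remove the sample certificate from the store again.
    Remove-Item -Path "Cert:\CurrentUser\My\$($sample.Thumbprint)"
}
```

Run the same function against the production certificate from Cert:\LocalMachine\My on each role server, and from a client machine as well, since trust is evaluated against the local root store.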

For tenants with fewer users, you can reduce costs by combining the RD Web Access and Remote Desktop Gateway workloads into a single virtual machine. You can also add additional RD Web virtual machines to an RD Web Access farm to increase service availability and scale out to more users. In an RD Web Access farm with multiple virtual machines, you'll have to configure the virtual machines in a load-balanced set.

For more information about how to configure RD Web Access, see the following articles:

  • Set up the Remote Desktop web client for your users
  • Create and deploy a Remote Desktop Services collection
  • Create a Remote Desktop Services collection for desktops and apps to run

Remote Desktop Licensing

Activated Remote Desktop Licensing (RD Licensing) servers let users connect to the RD Session Host servers hosting the tenant's desktops and apps. Tenant environments usually come with the RD Licensing server already installed, but for hosted environments you'll have to configure the server in per-user mode.

The service provider needs enough RDS Subscriber Access Licenses (SALs) to cover all authorized unique (not concurrent) users that sign in to the service each month. Service providers can purchase Microsoft Azure Infrastructure Services directly, and can purchase SALs through the Microsoft Service Provider Licensing Agreement (SPLA) program. Customers looking for a hosted desktop solution must purchase the complete hosted solution (Azure and RDS) from the service provider.

Small tenants can reduce costs by combining the file server and RD Licensing components onto a single virtual machine. To provide higher service availability, tenants can deploy two RD License server virtual machines in the same availability set. All RD servers in the tenant's environment are associated with both RD License servers to keep users able to connect to new sessions even if one of the servers goes down.

For more information, see the following articles:

  • License your RDS deployment with client access licenses (CALs)
  • Activate the Remote Desktop Services license server
  • Track your Remote Desktop Services client access licenses (RDS CALs)
  • Microsoft Volume Licensing: licensing options for service providers



What is the difference between role-based or Remote Desktop Services installation?

The 'Remote Desktop Services' step provides information about the use of Remote Desktop Services. You can immediately proceed to the next step 'Role Services'. The 'Role Services' step checks if there are features that are required for the installation in order for the 'Remote Desktop Connection Broker' to function.

What is Remote Desktop Services Manager?

The Remote Desktop Services Management Pack helps you manage computers that are running Remote Desktop Services on Windows Server 2016 and above by monitoring the health of all Remote Desktop Services role services, except MultiPoint Services.

Is Remote Desktop Services the same as RDP?

RDC or Remote Desktop is a technology that allows the user on the computer to connect to a remote computer or the terminal server in a different location. Remote desktop protocol (RDP) is a proprietary protocol that helps a user connect to another computer over a secure network communication when they work remotely.

What are the 6 components of Remote Desktop Services?

Several basic components are needed for Remote Desktop Services to function, including a VM host, a connection broker, a VM publishing service, a Web portal and a redirector.

What does a remote support specialist do?

A remote support specialist is responsible for assisting customers and end-users on their network and system issues through electronic communications.

What role enables users to access remote desktops?

The primary workload role, hosting Windows desktops and applications, is Remote Desktop Session Host (RDSH). RDSH contains session-based sharing capabilities that allow multiple users to access desktops and applications simultaneously on a single instance of Windows Server.

What is the difference between roles and permissions?

Roles provide a way for community administrators to group permissions and assign them to users or user groups. Permissions define the actions that a user can perform in a community. When they assign roles, community administrators consider the tasks of a user in the context of a particular community.

How many types of RDP are there?

There are two major categories of remote desktop software: operating-system-based and third-party solutions. The OS-based solution is provided by the same company that provides your business' OS, which means that it is baked right into the system.

What is Remote Desktop Services infrastructure agent?

Remote Desktop Services Infrastructure Agent aka Windows Virtual Desktop Agent. In the Windows Virtual Desktop Service framework, there are three main components: the Remote Desktop client, the service, and the virtual machines.

What does service control manager do?

Service Control Manager (SCM) is a special process under the Windows NT family of operating systems that starts and stops Windows processes, including device drivers and startup programs. Its main function is to start all the required services at system startup.

What is the difference between VPN and RDP?

While RDP and VPN serve similar functions for remote access, VPNs allow users to access secure networks whereas RDP grants remote access to a specific computer. While useful to provide access to employees and third parties, this access is open-ended and unsecure.

How do I access Remote Desktop Services?

On your local Windows PC: In the search box on the taskbar, type Remote Desktop Connection, and then select Remote Desktop Connection. In Remote Desktop Connection, type the name of the PC you want to connect to (from Step 1), and then select Connect.

What is the difference between remote desktop and SSH?

The main difference between RDP and SSH is that SSH typically uses public and private key pairs instead of standard credentials for authentication. Unlike RDP, SSH lacks a graphical user interface (GUI) and instead uses text-based command-line interfacing.

What are the most important features of RDP?

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols. This topic is for software developers.

What are the four basic elements of a remote access policy?

Physical and virtual device security. Network connectivity, e.g., VPN access. Access and authentication mechanisms, including password rules. Acceptable use.

What are two characteristics of RDP?

Features of RDP

RDP is a secure, interoperable protocol that creates secure connections between clients, servers and virtual machines. RDP works across different Windows OSes and devices and provides strong physical security through remote data storage.

What are remote support services?

Remote Support (RS) enables a person to be more independent and less reliant on staff to be physically present to receive support. The remote caregiver can interact, coordinate supports, monitor, and/or respond to the person's needs through equipment capable of live two-way communication.

What are three skills needed in support services?

Three common soft skills for a support services coordinator are compassion, time-management skills and communication skills.

What is the job description of support services?

Their responsibilities typically revolve around responding to calls and correspondence, troubleshooting, analyzing customer needs, identifying the root of issues, and providing the necessary corrective measures, all to ensure efficiency and client satisfaction.

Do administrators have remote desktop access?

Administrators have access via RDP enabled by default. However you may need to restrict remote access for a specific administrator: if you want to be sure that every task (backups for example), services or other operations that may launch using his credentials won't stop working.

How do I give admin rights to remote desktop?

Add a User to the Administrator Group:
  1. Open the Start menu from your desktop, and select Control Panel.
  2. Choose User Accounts and pick User Accounts.
  3. Select Manage User Accounts.
  4. From the User Accounts window, choose the account to be altered and choose Properties.

What is a remote management user?

The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group allows remotely running Windows PowerShell commands.

What are the 3 types of roles?

A role is a set of behavioral expectations, or a set of activities that a person is expected to perform. Managers' roles fall into three basic categories: informational roles, interpersonal roles, and decisional roles.

What are the 7 roles?

These roles are: (1) chief of state, (2) chief executive, (3) chief administrator, (4) chief diplomat, (5) commander in chief, (6) chief legislator, (7) party chief, and (8) chief citizen. Chief of state refers to the President as the head of the government. He is the symbol of all the people.

What are the 4 roles?

There are four different roles activists and social movements need to play in order to successfully create social change: the citizen, rebel, change agent, and reformer. Each role has different purposes, styles, skills, and needs and can be played effectively or ineffectively.

What is the best remote desktop manager?

Dameware Mini Remote Control is our top pick for a remote desktop connection manager because it is an integrated solution that provides unattended remote access and screen sharing options.

What is the difference between RDP and Citrix?

RDP is tried and true, is cost-efficient and offers overall stable performance. However, Citrix is clearly more adaptive and flexible, offering superior performance, scalability, usability, reliability and security.

What is another name for RDP?

Microsoft currently refers to their official RDP client software as Remote Desktop Connection, formerly "Terminal Services Client". The protocol is an extension of the ITU-T T.128 application sharing protocol. Microsoft makes some specifications public on their website.

Why do you need DaaS?

The benefits of Desktop as a Service (DaaS) include simplified management, increased flexibility, and lower cost of ownership compared to traditional models. Businesses that aim to offer remote work options and personal device flexibility can use DaaS to quickly and easily create a digital workspace.

Should I disable Remote Desktop Services?

Unfortunately, hackers can exploit Remote Desktop to gain control of remote systems and install malware or steal personal information. It's a good idea to keep the remote access feature turned off unless you actively need it. By default, the feature is disabled.

What is Remote Desktop Services in Azure?

Azure Remote Desktop Services (RDS) is a VDI solution on Azure, which provides secure access to virtualized applications and desktops. RDS lets end users access their applications and desktops remotely on the cloud, via mobile and desktop devices.



Author: Jeremiah Abshire

Last Updated: 02/05/2023
