Remote Desktop Services: RDS Sizing Calculations

KB ID 0001753

Problem

This is a horrible subject to find any decent information on. Microsoft are typically ‘vague’ and most people are stuck with using trial and error, or massively overestimating hardware to be on the safe side. I get asked this occasionally and, just like Microsoft, it’s a question I don’t like to answer!

People are reticent to tell you that you need ‘x’ amount of CPU and ‘y’ amount of RAM. Simply because ‘it depends’ e.g. a dozen users just doing some file and print, and working on office documents, will be much less of a requirement, than a dozen users making MS Teams calls and doing 3D Auto CAD modelling.

I’m going to Assume: That we are deploying RDS in a virtual environment, so I’ll be talking about vCPU requirements. BE AWARE: Running a VM with a LOT of vCPUs can be counter productive for performance (Google CPU Ready).

RDS Sizing Requirements

RDS Dependancies

Most of these will be common sense, 

  • Domain Authentication: Usually via Active Directory or Azure AD credentials.
  • DNS Resolution: Not just for the RDS server roles deployed, for resolving the names on Certificates, and for third party hosted applications.
  • Third Party (Line of Business) Applications: Not all apps support RDS deployment, and many that do, require different licensing (Check!)
  • File and Print: Thankfully these days most file storage is moving into the cloud, but users still need user profiles? How are you going to present them?FXLogix, Redirected folders, Shared folders etc.
  • Access: These days having RDP open to the outside world is a thing of the past, it you want to connect to RDS you either come in via an RDS Web Gateway, or even better, by connecting to a VPN, then accessing the RDS deployment.
  • Licensing: Obviously the RDS servers themselves require licensing, but so does RDS. Depending on what licence model you buy, (user CALs, or device CALs). Typically most people buy user CALs (Device CALs are good for things like call centres e.g. where 3 shift workers use the same PC in a 24 hour period so you can buy 1 device CAL rather than 3 user CALs).*

*Note: Whats a SAL then? A Subscriber Access Licence is used if you have your servers SPLA licenced from a service provider. These are usually on a monthly rental basis.

RDS Sizing: Roles

You can,  (and I think it’s still the default) put all the RDS roles on one server, obviously this is not ideal for anything other than a tiny deployment (5-10 users doing very low impact roles for example). But the individual roles required are;

RD Session Host: This is what does all the heavy lifting, it hosts the remote user sessions. Typically these will be the server(s) in your deployment that suffer with recourse constraints if you get something wrong. As I’ve mentioned above if you’re running 3rd Party Line of Business applications on here MAKE sure they are designed and optimised for RDS. Finally based on what your users are doing is it worth having better/faster/local storage on these servers.

RD Connection Broker: This role had two primary jobs, 1) Connect remote users to the least utilised session hosts, and 2) Reconnect users to the correct session host if they’ve dropped a connection, or have an existing open RDS session. 

RD Web Server: This provides a web logon portal for RDS so that RDS desktops and applications can be accessed over HTTPS. Remember just because traffic is on HTTPS (TCP port 443) do not assume it’s trusted and non malicious. Nearly every exploit and attack these days used HTTPS or SSH to get traffic in and out of your network. Unless you are inspecting https it’s not more secure than http! Typically the RD Web server is deployed in a DMZ. In some small deployments it can also be on the RD Connection broker.

RD Licence Server: Typically this gets put on ‘Another‘ server in the environment, the draw back of this is people forget where it is, and don’t check before decommissioning a server then find out a few days later their licence server disappeared. You install this role, then register it with Microsoft, then finally add your licences to it.

RDS Sizing Calculations

For all RDS roles apart from the RD Session Host(s) Then the footprint is relatively small.

RD Session Host(s) CPU: This depends on the amount of users, typically no more more than 4 users per vCPU , and up to a maximum of 8 vCPUs per host, (this should tell you you need an RDS Session Host for every 24 (approx) users). Remember to factor in additional hosts in case you suffer a loss of server/hypervisor. For that reason it’s also good practice to deploy your session hosts with anti-affix city rules so that they are not all on the same hypervisor host!

RD Session Host(s) RAM: Again depends on the user and what they will be doing, as a rule of thumb, allow between 2 and 8 GB per user, but do not allocate more than 128 GB per RDS Session Host.

RD Connection Broker: (2x vCPU, 8GB RAM, 70GB HDD) Note: Can scale up to 8 vCPU, 16 GB RAM, 70 GB HDD) for larger deployments.

RD Web Server: (2x vCPU, 4GB RAM, 70GB HDD) Note: Can scale up to 8 vCPU, 16GB RAM, 70 GB HDD) for larger deployments. Once you get larger than this you need to look as load balancing multiple RD Web servers.

RD Licensing: (1 x vCPU, 4GB RAM, 70GB HDD) Assuming there’s no additional compute requirements on the same host.

I welcome any feedback and recommendations below.

Related Articles, References, Credits, or External Links

Deploying Remote Desktop Services

Windows Server 2012 R2 – Deploying Remote Desktop Services

KB ID 0001136 

Problem

I’ve had to do a rollout of Remote Desktop Services on Server 2012 R2, and publish it with Active Directory Federation Services and Web Application Proxy. I’m a little rusty on RDS and needed to deploy a few roles, so for my proof of concept I deployed RDS on TWO servers. Below is a run though and my notes on deploying RDS ONLY (I’ll put the links to other articles at the bottom of this post as I write them).

Solution

To save yourself some hassle, visit every server that will be in the Remote Desktop Server deployment, and add all the others into each others ‘server manager’ console.

Manage > Add Roles and Features > Next > Remote Desktop Services Installation > Next.

Standard Deployment. Note: If you choose Quick Start it puts all the roles on one server  > Next.

Session-based desktop deployment > Next.

Next.

Select the server that will host the Connection Broker Rule and add it  > Next.

Add the server that will host the Remote Desktop Web Access role > Next.

Add the server that will host the Remote Desktop Session Host role > Next.

Tick the ‘restart the destination server automatically if required’ > Deploy.

Finish. (Note: There will be a licensing error, we will address that in a minute).

In Server Manager > Remote Desktop Services > Overview > Note: There are two options yet to be configured, (shown in green). Select ‘RD Gateway’.

Add in the server that will host the RD Gateway role > Next.

Add in the public name of the RD Gateway server, this will generate a self signed certificate, (you can replace this with a proper one later).

Add.

Close

Now Add RD Licensing.

Add in the server that will host the licensing role > Next.

Add

Close

All the nodes should now be displayed..

In production you would now add your Remote Desktop Licences, If you don’t,  the whole thing will run for 120 days, (though it continues to nag you about adding licences). I’m content with the 120 day licence for my test deployment. But I will still ‘Activate’ my licensing server.

Follow the instructions

Now you need to create a ‘Collection‘, this is a group of host servers that host applications you can publish. Server Manager > Remote Desktop Services > Collection > Task > Create Session Collection.

Next.

Give the collection a name  > Next.

Add in the server(s) running the RD Host role that will be included in this collection > Next.

Select the user groups that you want to grant access to. Here Im simply using the domain users group  > Next.

If you want to deploy ‘profile disks’ enter a UNC path to the share > Next.

Create.

Close.

To actually publish applications, select the collection you just created > RemoteApp Programs > Tasks  >Publish RemoteApp Programs.

Select the applications, (or add them in if they are not displayed)  > Next.

Publish.

Note: You can change certificates from within Server Manger, but I prefer the manual approach, on the RD Gateway Server > Launch the IIS Manager > Select the server > Server Certificates.

Import > Import your publicly signed certificate, (you can use a self signed certificate but DON’T FORGET your remote client needs to be able to check your CRL, and trust your issuing CA if you do).

Sites > Default Web Site > Edit Bindings.

Select ‘https’ > Edit > Add in your certificate > OK > Close.

Bounce the services with an ‘iisreset‘ command.

Update 070316 You also will need to restart the Remote Desktop Services Service!

Connect to the server on the https://{FQDN}/RDWeb address, and you can check the correct certificate is used.

You should now be able to log into Remote Desktop Services Web Access.

Related Articles, References, Credits, or External Links

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Publishing Remote Desktop Services With Web Application Gateway