The Microsoft Remote Desktop Services (RDS) architecture is widely used to publish centralized Desktop and Windows Applications to users from remote sites. With RDS, only the software user interfaces are transferred to the client system. All input from the client system is transmitted to the server, where software execution takes place.
RDS was first released as “Terminal Server” in “Windows NT Server 4.0 Terminal Server Edition”. Starting with Windows 2000, it was an optional role.
Early releases only allowed connections through a single TCP port: 3389/TCP.
Windows Server 2008 introduced the Remote Desktop Gateway service component, also known as RD Gateway, which tunnels the RDP session inside an HTTPS channel; this is the most suitable option for publishing the service on the Internet.
Early RDS versions could only share the whole Windows Desktop with a remote client. Beginning with Windows Server 2008 R2 and Windows XP, RDS can share individual Applications.
Windows Server 2012 introduced session data streaming over a UDP flow, typically on port 3389/UDP. This stateless data flow gives better performance over connections with limited packet loss.
Windows Server 2016 introduced User Profile Disks to host users’ roaming profiles.
Modern RDS architecture can become very complex, with Roles hosted on several servers:
The preferred way to access RDS services is through Web Access, either directly from the internal LAN or remotely through the RD Gateway component, which acts as a reverse proxy.
The default web interface shows the published Desktops and the Remote Applications.
Unfortunately, the user interface cannot easily be customized. Still, some useful basic results can be achieved with just a few configuration changes, such as:
Hiding the “Connect to a remote PC” tab.
This tab allows users to connect to a remote PC of their choice (almost useless, and always dangerous).
On the RD Web Access server, open Internet Information Services Manager (IIS Manager).
Expand the tree on the left and click Pages, then double-click Application Settings and select ShowDesktops. Its value is “true” by default, so click Edit and change it to “false”. The change takes effect immediately, with no need to restart IIS.
The same IIS panel contains some other interesting values which can be customized:
PasswordChangeEnabled. Its value is “false” by default, so click Edit and change it to “true”. This allows users to change their password when it has expired.
PrivateModeSessionTimeoutInMinutes or PublicModeSessionTimeoutInMinutes.
Click Edit to change the default value to something you prefer, or to something that your organization enforces.
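The same three Application Settings can be changed from an elevated PowerShell session on the RD Web Access server instead of clicking through IIS Manager. The script below is an added example, not code from the original post; it assumes the default install location of RD Web Access under "Default Web Site/RDWeb/Pages" in IIS, and the timeout values it writes are placeholders to be replaced with whatever your organization enforces. It reads each setting first, so an unexpected current value is visible before it is overwritten, and re-reads everything at the end to confirm the result.

```powershell
# Added example (not from the original post): apply the RD Web Access
# Application Settings discussed above with the WebAdministration module.
# Assumption: RD Web Access is installed at the default IIS path below.
# Run elevated on the RD Web Access server.
Import-Module WebAdministration

$pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'

# Desired values. Defaults on a fresh install are ShowDesktops=true and
# PasswordChangeEnabled=false; the two timeouts (in minutes) are
# placeholder values chosen for this example, not a recommendation.
$desired = [ordered]@{
    ShowDesktops                       = 'false'  # hides the "Connect to a remote PC" tab
    PasswordChangeEnabled              = 'true'   # lets users change an expired password
    PrivateModeSessionTimeoutInMinutes = '240'    # placeholder
    PublicModeSessionTimeoutInMinutes  = '20'     # placeholder
}

foreach ($key in $desired.Keys) {
    $filter = "appSettings/add[@key='$key']"
    # Get-WebConfiguration returns the <add key="..." value="..."/> element, or $null.
    $entry = Get-WebConfiguration -PSPath $pagesPath -Filter $filter
    if ($null -eq $entry) {
        Write-Warning "Setting '$key' not found under '$pagesPath'; skipping."
        continue
    }
    if ($entry.value -ne $desired[$key]) {
        Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter `
            -Name 'value' -Value $desired[$key]
        Write-Host ("{0}: '{1}' -> '{2}'" -f $key, $entry.value, $desired[$key])
    } else {
        Write-Host ("{0}: already '{1}'" -f $key, $entry.value)
    }
}

# Re-read the settings to confirm what is now in web.config. As the post notes,
# the change is picked up by RD Web Access without restarting IIS.
Get-WebConfiguration -PSPath $pagesPath -Filter 'appSettings/add' |
    Where-Object { $desired.Contains($_.key) } |
    Select-Object key, value |
    Format-Table -AutoSize
```

Because the script only touches the four keys listed in `$desired` and skips any key it cannot find, it is safe to re-run after a Windows update or a reinstall of the role to check that the customizations survived.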
Unfortunately, some other useful customizations, such as setting a default Domain in the login panel, can only be done by editing some .aspx files.
The default login panel in fact expects the NT user account format, e.g. Domain\username.
In a complex distributed RDS environment it is difficult to measure RDS performance: the end user experiences site responsiveness in a way that reading individual Windows Performance Counters does not capture.
The correct way to measure RDS performance is to simulate users’ operations; the Alyvix product is designed for exactly this task. It repeats these tasks continuously, building metrics from common user RDS tasks.
This way you can detect not only abnormal situations, but also bad long-term trends.
For example, in the graph above you can see that RDS Desktop Ready time has increased by about 10 seconds over 8 days.