How to enable the 2 concurrent (+1 console) sessions on Windows Server 2012

rdpremote desktop

I have a Windows Server 2012 VM running on Windows Azure.

I want to enable the ability for 2 simultaneous administrative sessions over Remote Desktop. This is permitted under the EULA for Windows Server 2012. This is not the same thing as the fully-blown Terminal Services (Remote Desktop Services) feature.

In Windows Server 2000 and 2003, multiple concurrent sessions (up to a limit of 2, plus the root /console session) were enabled by default (such that logging-in via RDP without logging-out first would create a new session rather than reconnecting to the old session). In Server 2008 and later it uses single-sessions by default, as this simplifies administration (as most people want to connect to old sessions).

In Windows Server 2008 R2, you can add the MMC snap-ins for Remote Desktop Host Configuration which allows you to re-enable concurrent sessions.

However, in Server 2012, after adding the Remote Administration snap-ins from Server Manager it seems the Remote Desktop Host Configuration snap-in has been removed.

How can I re-enable the multiple concurrent sessions for Remote Desktop for Administration in Windows Server 2012?

Best Answer

There is no more /console RDP switch since Windows Vista.

Yes, the Remote Desktop Services mmc snapins that you were used to in 2008 have been removed.

A Windows license grants you two "administrative" simultaneous remote desktop sessions before you need to install the Remote Desktop Services role with CALs. There is no "2 administrative connections +1 console (which would make 3 simultaneous interactive sessions)" though. It's just two. You can use the /admin switch with the Remote Desktop Client to avoid using up CALs when the RDS Session Host role is installed, but you can only have two admin connections at a time regardless.

From this Microsoft article which does a great job of explaining:

At any point in time, there can be two active remote administration sessions. To start a remote administration session, you must be a member of the Administrators group on the server to which you are connecting.

To RDP to a Windows Server 2012 VM hosted on Azure, you need to ensure that you have opened the endpoint in the Azure portal (think of it like a firewall ACL) in Azure, and also make sure RDP (port 3389-in) is allowed through the Windows Firewall as well. Then you need to make sure you're logging in with a user account who has 'Remote Desktop Users' privileges or better.

Next, disable the setting Restrict Remote Desktop Services users to a single Remote Desktop Services session by using the Group Policy Object Editor MMC-snapin to edit your Local Policy.

It's under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

Run gpupdate after you make changes to the policy to apply them immediately.

I have a Server 2012 VM hosted on Azure, and I just followed the above steps, and now I am logged in twice, interactively, as the same user.

Related Solutions

Windows Server 2003 – reconnecting to existing session

I suspect you have to reconnect from the same PC that you originally connected from. Not sure though. I've seen the same behavior. As regards the mstsc syntax Microsoft in their wisdom decided to change the switch from /console to /admin from Vista onwards for console sessions.

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.

UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.

# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint

# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

In order to get the thumbprint value

Open the properties dialog for your certificate and select the Details tab
Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.

Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"

Or if PowerShell is your thing, you can use this instead:

$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}

Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.

Best Answer

Related Solutions

Windows Server 2003 – reconnecting to existing session

Ssl – Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode

Related Topic