I do not believe the exact configuration you are looking for is possible in the way you are looking to implement it.
I would possibly look at creating multiple collections based on the different types of users you have and then using RDWeb to deploy the RDP icons. You can control what icons are displayed by using groups in RDWeb.
This way you could deploy a single icon (Shortcut to http://rdweb.mycompany.com) across your enterprise and still control everything by groups.
It turns out that much of the configuration data for RDSH is stored in the Win32_TSGeneralSetting class in WMI in the root\cimv2\TerminalServices namespace. The configured certificate for a given connection is referenced by the Thumbprint value of that certificate on a property called SSLCertificateSHA1Hash.
UPDATE: Here's a generalized Powershell solution that grabs and sets the thumbprint of the first SSL cert in the computer's personal store. If your system has multiple certs, you should add a -Filter option to the gci command to make sure you reference the correct cert. I've left my original answer intact below this for reference.
# get a reference to the config instance
$tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
# grab the thumbprint of the first SSL cert in the computer store
$thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint
# set the new thumbprint value
swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}
In order to get the thumbprint value
- Open the properties dialog for your certificate and select the Details tab
- Scroll down to the Thumbprint field and copy the space delimited hex string into something like Notepad
- Remove all the spaces from the string. You'll also want to watch out for and remove a non-ascii character that sometimes gets copied just before the first character in the string. It's not visible in Notepad.
- This is the value you need to set in WMI. It should look something like this: 1ea1fd5b25b8c327be2c4e4852263efdb4d16af4.
Now that you have the thumbprint value, here's a one-liner you can use to set the value using wmic:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="THUMBPRINT"
Or if PowerShell is your thing, you can use this instead:
$path = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__path
Set-WmiInstance -Path $path -argument @{SSLCertificateSHA1Hash="THUMBPRINT"}
Note: the certificate must be in the 'Personal' Certificate Store for the Computer account.
Best Answer
Well honestly you shouldn't install any of them on a DC. A DC should be a DC and nothing else. But I know, I'm a purist. So if you must install RDS on a DC, then all you need is the RD Session Host, and RD Licensing. You can install them both together. The session host is what you need to allow 10 simultaneous connections. The RD Licensing role service will store your CALs.
Oh no, I think I misread your question at first. No, none of them need to be installed on a DC. If you don't care about redundancy/broker service, etc., just install both RDS role services on the same member server.