While it initially appears to be a minor configuration change, integrating Microsoft Remote Desktop Services (RDS) licensing via AWS License Manager with Windows Server in an Amazon EC2 environment with AWS Managed AD requires a quite complex Windows Server and AWS setup.
It demands precise configuration across both AWS services and Windows Server environments. A pre-requisite for attempting this is a deep understanding of the points at which these services from different vendors intersect. Proper configuration of AWS License Manager and adjustments in EC2 at the instance level and within AWS Managed Active Directory are critical to success. The end result is a robust and properly licensed Remote Desktop Services deployment on your Windows Servers, which supports Microsoft Remote Desktop access and is conveniently billed through AWS billing.
TL;DR – This is, I would say, moderately to very difficult. You'll need all the credentials for Windows and AWS. And patience. It took me quite a while, several days, to make it work, and to document and test it for a client. Note: All the screenshots here are from my own AWS environment and the values are dummy values.
Contents
- Solution constraints
- Solution recommendation
- Pros and Cons of this solution approach
- Pros
- Cons
- Implementation
- Pre-requisite - Security Groups
- Step 1 Subscribe Win Remote Desktop Services SAL in AWS Marketplace
- Step 2 – Register your Active Directory in AWS License Manager
- Step 3 – Configure Microsoft Remote Desktop Services (RDS) license server
- Important: Values for the secret
- Troubleshooting Microsoft Remote Desktop Services (RDS) license server configuration with AWS
- Step 4 – Install the Remote Desktop Services role on required Windows Servers
- Step 5 – Set group policy
Solution constraints
- Windows Server, in EC2 in AWS for a variety of legacy workloads.
- AWS Directory Service (Managed AD).
- AWS System Manager, Session Manager for secure remote access to Windows using Remote Desktop Protocol (RDP).
- Needs to comply with Microsoft Remote Desktop Services Licensing (RDS).
Solution recommendation
- AWS License Manager, with per user per month pricing for Microsoft remote desktop service subscriptions.
- Integrated with AWS Directory Service (Managed AD).
- Security Groups modified to allow AWS License Manager to communicate with Windows Servers.
- Implement Remote Desktop role on required Windows Servers in EC2.
- End user access through AWS Systems Manager Session Manager.
Pros and Cons of this solution approach
Pros
- Compliance with the byzantine license requirements of Microsoft Windows Server
- Manage everything from within AWS management console.
- Secure end user access to Windows Server via AWS Systems Manager Session Manager
- AWS provided, fully supported by AWS and by AWS Directory service (Managed AD)
- Predictable cost model $10 per user per month (May 2025)
Cons
- Complex setup of settings which need to be managed in AWS and in Windows Server and in Active Directory.
- Requires a special set of skills across both worlds of administration: one which is web based and modern, and one which is application based and has many, many layers to it going back decades.
- Microsoft Remote Desktop is a proprietary solution and not a high performance solution for graphics intensive workloads.
Implementation
Pre-requisite - Security Groups
You will need to set up Security Groups to allow inbound TCP port 1688 (Microsoft Key Management Services) to the AWS Directory Service (Managed AD) and to any Windows Server instances in your VPC with which you wish to use Microsoft Remote Desktop Services (RDS). You'll need TCP port 3389 for server to server RDP access using the Microsoft Remote Desktop app, for example to test from another server within your VPC. Use AWS Systems Manager Session Manager to access the Windows graphical user interface securely and avoid opening TCP port 3389 to the Internet as it exposes an unnecessary attack surface to your server.
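The two rules above can be checked offline against the output of `aws ec2 describe-security-groups` for the groups attached to the directory and the RDS hosts. This is an added example, not part of the original walkthrough; the sample data, the group IDs, the VPC range and the function names are constructed, and treating any source outside the VPC range as a finding is an assumption that is stricter than "not open to the Internet".

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1688, "ToPort": 1688,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

def covers(perm, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def sources(perm):
    """All IPv4 and IPv6 source CIDRs on a rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])

def outside(cidr, vpc):
    """True if `cidr` is not fully contained in the VPC range."""
    net = ipaddress.ip_network(cidr)
    return net.version != vpc.version or not net.subnet_of(vpc)

def audit(groups, vpc_cidr):
    """Return (group_id, finding) pairs for the 3389 and 1688 rules."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    for sg in groups["SecurityGroups"]:
        perms = sg.get("IpPermissions", [])
        for perm in (p for p in perms if covers(p, 3389)):
            for cidr in (c for c in sources(perm) if outside(c, vpc)):
                findings.append((sg["GroupId"], f"3389 open to {cidr}"))
        if not any(covers(p, 1688) for p in perms):
            findings.append((sg["GroupId"], "no inbound rule for TCP 1688"))
    return findings

if __name__ == "__main__":
    for group_id, finding in audit(SAMPLE, "10.0.0.0/16"):
        print(group_id, finding)
```

Note that the second sample group never names port 3389; the wide 3000-4000 range exposes it anyway, which is the case a by-eye review of the console tends to miss.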
Step 1 Subscribe Win Remote Desktop Services SAL in AWS Marketplace
Microsoft products require an active subscription before you can associate AD users to an instance that includes those products. See 'Subscribe to a product' in Get started with user-based subscriptions in License Manager on the AWS documentation site.
In the AWS console, use the search to find 'AWS License Manager', then go to User-based subscriptions, Products. Note that Microsoft Remote Desktop Services (RDS) is Inactive.

Select Remote Desktop Services (RDS) and click 'Subscribe in AWS Marketplace'. You'll be taken to the Amazon Web Services provided Remote Desktop Services SAL purchase page for the Win Remote Desktop Services SAL.

Once completed you'll see the confirmation that your subscription is in place.

Now you can go ahead and continue to set up your account. You'll note that the status of Microsoft Remote Desktop Services (RDS) is now active in AWS License Manager, User-based subscriptions, Products. Select it and click 'View details' to register an Active Directory, Configure Microsoft RDS License Services for Active Directory and Subscribe users.

Step 2 – Register your Active Directory in AWS License Manager
- Select the Active Directory you wish to register.
- Click Register, you'll see an alert like this:
Register Active Directory d-e1f07b8f for Microsoft Remote Desktop Services (RDS) in progress
This process could take a couple of minutes. You can configure RDS License Server after Active Directory is registered.
- Wait for the process to complete.
- Wait for the success alert which looks like this:
Successfully registered Active Directory d-e1f07b8f for Microsoft Remote Desktop Services (RDS).

- Once completed you should be able to see the status as completed in User-based subscriptions: Products, Microsoft Remote Desktop Services in AWS License Manager.
- Now you can continue to Step 3.
- Click on 'Configure RDS License Server'
Step 3 – Configure Microsoft Remote Desktop Services (RDS) license server
The way that AWS License Manager works is that it requires Active Directory users to be associated with user-based subscriptions managed in AWS License Manager. The Active Directory can be AWS Directory Service (Managed AD) or your own self-managed Active Directory. Once configured, the Microsoft Remote Desktop Services (RDS) License Server issues Subscriber Access Licenses (SALs) to Active Directory users.
- Create a secret.
- Choose 'Other type of secret'.
- The secret key name must begin with the prefix license-manager-user-, for example license-manager-user-admin-for-rds.
- You can give it a description like AWS License Manager Administrative Credentials secret and then assign key names and values for your Active Directory administrative user.
- Set a key called username with a value of Admin.
- Set a key called password with the actual password of the AD Admin.
- Once completed you should see a success alert like this:
- Now you will be able to see the secret in the console.
Important: Values for the secret
Secret Key name | license-manager-user-whatever-you-want-it-to-be |
Secret Key Description | AWS License Manager Administrative Credentials secret |
Key | Value |
username | Admin |
password | Use the actual password for the account. |
- Now you can use the secret in 'Configure RDS License Server'.
- In the Secret section select the 'Choose a Secret' dropdown and your secret should be selectable.
- Click 'Configure' and you'll see an alert like this:
This process could take a couple of minutes.
- Once completed you should be able to see the status as completed in Microsoft Remote Desktop Services, in User based subscriptions: Products, in AWS License Manager

- And in AWS License Manager, Settings: User-based subscriptions you should see the License Server endpoint status set to Provisioned.
- Now you are finally ready to subscribe your AD users to Microsoft Remote Desktop Services. Add the AD users you wish to subscribe by user name and click ‘Next’.
- Click ‘Subscribe’ to finally subscribe your users, once you've completed Step 4 - Windows Server configuration for Remote Desktop Services and Step 5 - Set Group Policy.
Troubleshooting Microsoft Remote Desktop Services (RDS) license server configuration with AWS
This part of the setup is the trickiest part. You might encounter some errors. AWS License Manager depends on a secret with very exact naming in order to communicate with your chosen Active Directory. The username value is incorrect in the AWS documentation for AWS Directory Service (Managed AD) and the Secret Key and Password must be correct in order to succeed in configuring Microsoft Remote Desktop Services (RDS) license server. With AWS Directory Service (Managed AD) this ONLY works with Admin, not Administrator. No Domain names, no UNC name, no ‘\’.
Common Error message:
Possible causes:
- Incorrect Username or Password in Secret.
- Fix: Go to Secrets Manager, open the secret used for the RDS license configuration, and confirm the credentials are correct. Test the credentials manually if needed (e.g., with a domain login).
- Account Doesn’t Have Domain Join or RDS Licensing Permissions
- Fix: Ensure the account has the necessary Group Policy or Active Directory permissions for RDS licensing setup.
- Secret is in the wrong format.
- Fix: Double check your secret is in the correct format. Triple check the key names and key values.
"username": "Admin", "password": "your-password"
- Time Sync Issues
- Ensure the time is synchronized between domain and instances
- Connectivity issues due to a VPC misconfiguration
- Fix: Confirm that the subnet, route tables, and security groups allow traffic to the domain controller.
- User not in proper AD group.
- AWS Directory Service (Managed AD) provides only a handful of pre-created delegated groups (e.g., Domain Join, Group Policy Editors), but not ones for RDS-specific tasks. That is why you must use the Admin user account.
- Incorrect secret ARN or region mismatch.
- If the RDS licensing setup uses a secret from a different region or the ARN is wrong, it will fail. Double-check the ARN and region used in the setup script/console.
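Several of the causes above (name prefix, key names, username form, region mismatch) can be ruled out before clicking 'Configure' by checking the secret's ARN and value locally. The following is an added example, not AWS's or the author's code; `check_secret` and the sample ARN, account ID and regions are constructed, and the Admin-only rule is the one this article reports for AWS Directory Service (Managed AD).

```python
import json
import re

PREFIX = "license-manager-user-"  # required name prefix, as stated in the article
# arn:<partition>:secretsmanager:<region>:<account>:secret:<name>-<6-char suffix>
ARN_RE = re.compile(r"arn:aws[\w-]*:secretsmanager:([\w-]+):\d{12}:secret:(.+)-\w{6}")

def check_secret(arn, secret_string, directory_region):
    """Return a list of problems; an empty list means the secret looks usable.

    Assumes AWS Directory Service (Managed AD), where the article found that
    only the bare user name Admin works. The password is never echoed.
    """
    match = ARN_RE.fullmatch(arn)
    if not match:
        return ["not a Secrets Manager secret ARN"]
    region, name = match.groups()
    problems = []
    if region != directory_region:
        problems.append(f"secret is in {region}, directory is in {directory_region}")
    if not name.startswith(PREFIX):
        problems.append(f"secret name must begin with {PREFIX}")
    try:
        data = json.loads(secret_string)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return problems + ["secret value is not a JSON object of key/value pairs"]
    for key in ("username", "password"):
        if not data.get(key):
            problems.append(f"missing or empty key: {key}")
    user = str(data.get("username") or "")
    if user and user != "Admin":
        qualified = re.search(r"[\\/@]", user) is not None
        hint = "domain-qualified name" if qualified else "wrong account name"
        problems.append(f"username must be exactly Admin ({hint})")
    return problems

if __name__ == "__main__":
    # Constructed values: placeholder account id, regions and secret name.
    bad_arn = "arn:aws:secretsmanager:us-east-1:111122223333:secret:rds-admin-AbCdEf"
    bad_value = json.dumps({"username": "corp\\Administrator", "password": ""})
    for problem in check_secret(bad_arn, bad_value, "eu-west-1"):
        print(problem)
```

Key names are matched case-sensitively, so a secret saved with `Username` instead of `username` is reported as a missing key.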
Step 4 – Install the Remote Desktop Services role on required Windows Servers
- Open Server Manager, Add Roles and Features wizard

- Specify RD infrastructure servers, according to your Windows Server infrastructure in your environment (which could for example all be the same member server) and Click Next, then wait for the server to complete its configuration and reboot.
- In Server Manager, select Remote Desktop Services > Overview > Edit Deployment Properties > RD Licensing.

- Select the Remote Desktop licensing mode - Per User
- Specify a License Server using the AWS License Server Endpoint which will be something like 558de409-2f23-406e-adce-6bca0e9e7973.lm-user-subscriptions-license-server.amazon.com. Click 'Add', 'Apply' and 'OK'.
Step 5 – Set group policy
- Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
- In the policy list, right-click Use the specified Remote Desktop license servers, and then select ‘Edit’.
- Select Enabled, and then enter the name of the license server under License servers to use, again this will be something like 558de409-2f23-406e-adce-6bca0e9e7973.lm-user-subscriptions-license-server.amazon.com.
- Click 'OK'.
- Back in the policy list, right-click Set the Remote Desktop licensing mode, and then select ‘Edit’.
- Select Enabled, and under 'Specify the licensing mode for the Remote Desktop Session Host server', select Per User.
- Click 'OK'.