Greetings and thanks for reading (apologies for the length).
I'm a new Sys Admin and I have a (potentially silly) question for the more seasoned veterans. I'm migrating our primary Domain Controller from Server 2003 (SrvA) to Server 2008 R2 (SrvB) and I'm making an effort to deduce which roles & features to include on SrvB.
SrvA has the Terminal Services role. In Windows Server 2008 & beyond that role is called "Remote Desktop Services" and this particular nomenclature has me assuming it's a requirement in being able to successfully MSTSC (RDP) into machines in our environment. My assumption could be wrong, but obviously that's an important feature since I need to be able to RDP (locally and over VPN) to manage servers centrally.
My question, I guess, is do I really need the RDS role installed (somewhere on the domain) to be able to do this? I ask because I've tested and my ability to RDP does not seem to hinge on SrvA being online (that being the DC that holds the terminal services role). This is the case for existing sessions as well as creating new sessions (I have not tested over VPN, however).
As a side note (and something that has muddled my initial thoughts), I've read it is not a good practice to have the RDS role on a DC for a number of security reasons, not the least because you don't want people "remoting" into your DC to run centrally located applications. This particular best practice (in combination with my test results above) has me scratching my chin.
Maybe RDS is less of a role that essentially "makes the remote desktop protocol possible on a domain". Maybe it's more of a role that "allows a widely varying number of concurrent users access to an 'application' server to launch centrally-located software." The latter being useful, but less critical than the former for my use case.
This bolsters my findings that RDS seems to require specific CAL(s) for concurrent users (not necessarily admin logins).
TL;DR: I think my overarching question is "do I need RDS somewhere on my domain to allow RDP sessions", and if not, then "why would I need/want RDS installed at all"?