Task 02: Enable RDP
DOCUMENT CATEGORY: Runbook
SCOPE: Remote desktop enablement
PURPOSE: Enable RDP on all cluster nodes for graphical remote access from the management server and delivery engineer workstation
MASTER REFERENCE: Phase 03: OS Configuration
Status: Active
Overview
Enable Remote Desktop Protocol (RDP) on all Azure Local nodes. This provides graphical remote access for configuration and troubleshooting throughout the deployment engagement.
WinRM is already enabled from Task 01, so this task can be run either directly on each node via iDRAC Virtual Console or remotely from the management server.
Prerequisites
| Requirement | Description | Source |
|---|---|---|
| Task 01 Complete | WinRM enabled on all nodes | Task 01: Enable WinRM |
| iDRAC console access | Virtual Console accessible for each node (if using SConfig or Direct tab) | variables.yml: nodes.<name>.idrac_ip |
| Administrator credentials | Local admin password set during OS installation | Key Vault: node-<hostname>-local-admin |
Variables from variables.yml
| Path | Type | Description |
|---|---|---|
| nodes.<name>.management_ip | string | Node IP for RDP connection after enabling |
| cluster_nodes[].hostname | string | Node hostname for connection verification |
Execution
- SConfig Utility
- Orchestrated Script
- Standalone Script
SConfig Utility: Run on each node via iDRAC Virtual Console.
- Open https://<idrac-ip> → Virtual Console → Launch
- Log in as Administrator
- Type SConfig and press Enter
- Select option 7 — Remote Desktop
- Enter E to enable
- Select 1 — Allow connections from any version
- Verify status shows Enabled
- Repeat for every node
Orchestrated Script: Run from the management server. Reads node names from variables.yml.
```powershell
# ConvertFrom-Yaml is not built in; it is provided by a YAML module such as powershell-yaml.
$ConfigPath = ".\config\variables.yml"
$config = ConvertFrom-Yaml (Get-Content $ConfigPath -Raw)
$NodeNames = $config.cluster.nodes | ForEach-Object { $_.name }
$Credential = Get-Credential -Message "Enter local Administrator credentials"

foreach ($node in $NodeNames) {
    Write-Host "Enabling RDP on $node..." -ForegroundColor Cyan
    Invoke-Command -ComputerName $node -Credential $Credential -ScriptBlock {
        # fDenyTSConnections = 0 allows incoming Remote Desktop connections
        Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
            -Name "fDenyTSConnections" -Value 0
        # Enable the built-in firewall rules for the Remote Desktop group
        Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
        # Read the value back and report the result per node
        $rdp = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
            -Name "fDenyTSConnections"
        [PSCustomObject]@{
            Node       = $env:COMPUTERNAME
            RDPEnabled = ($rdp.fDenyTSConnections -eq 0)
        }
    } | ForEach-Object {
        $status = if ($_.RDPEnabled) { "Green" } else { "Red" }
        Write-Host " $($_.Node): $(if ($_.RDPEnabled) { 'Enabled' } else { 'Not enabled' })" -ForegroundColor $status
    }
}
```
Standalone Script: Self-contained script. Update $NodeNames and $Credential before running.
```powershell
#region CONFIGURATION
$NodeNames = @("node01", "node02", "node03", "node04")
$Credential = Get-Credential -Message "Enter local Administrator credentials"
#endregion CONFIGURATION

foreach ($node in $NodeNames) {
    Write-Host "Enabling RDP on $node..." -ForegroundColor Cyan
    Invoke-Command -ComputerName $node -Credential $Credential -ScriptBlock {
        # fDenyTSConnections = 0 allows incoming Remote Desktop connections
        Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
            -Name "fDenyTSConnections" -Value 0
        # Enable the built-in firewall rules for the Remote Desktop group
        Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
        # Read the value back and report the result per node
        $rdp = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
            -Name "fDenyTSConnections"
        [PSCustomObject]@{
            Node       = $env:COMPUTERNAME
            RDPEnabled = ($rdp.fDenyTSConnections -eq 0)
        }
    } | ForEach-Object {
        $status = if ($_.RDPEnabled) { "Green" } else { "Red" }
        Write-Host " $($_.Node): $(if ($_.RDPEnabled) { 'Enabled' } else { 'Not enabled' })" -ForegroundColor $status
    }
}
```
Validation Checklist
- RDP enabled on all nodes
- RDP port 3389 accessible from management server
- Can connect via Remote Desktop Client to each node
- Firewall rules enabled for Remote Desktop group
```powershell
# Test RDP port from management server
Test-NetConnection -ComputerName <node-ip> -Port 3389
# Expected: TcpTestSucceeded : True
```
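The checklist items can be verified on all nodes in one pass. The following is an added example, not a script from the azurelocal-toolkit repository; the node names are the placeholders from the standalone script. Beyond the checklist, it also reports whether Network Level Authentication is required and which remote addresses the enabled firewall rules accept, two settings the enable scripts do not change.

```powershell
# Added example (not from the toolkit). Node names are placeholders.
$NodeNames  = @("node01", "node02", "node03", "node04")
$Credential = Get-Credential -Message "Enter local Administrator credentials"

$results = Invoke-Command -ComputerName $NodeNames -Credential $Credential -ScriptBlock {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1: Network Level Authentication is required
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication `
                -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

    # Inbound rules of the "Remote Desktop" group; direction and state are filtered afterwards
    $rules   = @(Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
                 Where-Object { $_.Direction -eq 'Inbound' })
    $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
    # Remote addresses the enabled rules accept ("Any" means no source restriction)
    $scope   = @($enabled | Get-NetFirewallAddressFilter |
                 Select-Object -ExpandProperty RemoteAddress | Sort-Object -Unique)

    [PSCustomObject]@{
        Node          = $env:COMPUTERNAME
        RDPEnabled    = ($deny -eq 0)
        NLARequired   = ($nla -eq 1)
        Port          = $port
        RulesEnabled  = "$($enabled.Count)/$($rules.Count)"
        RemoteAddress = ($scope -join ', ')
    }
}

$results | Sort-Object Node |
    Format-Table Node, RDPEnabled, NLARequired, Port, RulesEnabled, RemoteAddress -AutoSize

# Call out nodes that need follow-up
foreach ($r in $results) {
    if (-not $r.RDPEnabled)  { Write-Warning "$($r.Node): RDP is not enabled" }
    if (-not $r.NLARequired) { Write-Warning "$($r.Node): NLA is not required" }
    if ($r.RemoteAddress -match '\bAny\b') {
        Write-Warning "$($r.Node): Remote Desktop rules accept any source address"
    }
}
```

If RemoteAddress reports Any, scoping the rules to the management server and delivery engineer workstation addresses with Set-NetFirewallRule -RemoteAddress matches the access stated in this task's purpose.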
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| Connection refused on port 3389 | RDP not enabled | Re-run enable script on the node |
| Port blocked | Firewall rule not enabled | Enable-NetFirewallRule -DisplayGroup "Remote Desktop" on the node |
| Authentication failure | Wrong credentials | Verify local Administrator password from Key Vault |
Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.
Alternatives
The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.
| Method | Description |
|---|---|
| Azure CLI | PowerShell-based Azure CLI scripts for Azure resource operations |
| Bash | Linux/macOS compatible shell scripts for pipeline environments |
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-31 | Azure Local Cloud | Initial document |
| 2.0 | 2026-03-04 | Azure Local Cloud | Full rewrite to standards — complete frontmatter, 4-tab structure, orchestrated reads variables.yml, standalone with config region, Navigation and Version Control |