We have a Windows 2008 R2 environment mostly. Our current DC's are Windows 2008 R2, yesterday we introduced 2 new Windows 2016 DC's and this morning we found that once some of our RDS servers started to query the new DC's users would get an "Access Denied" error trying to establish a connection. We found a reg setting to to have the RDS server ignore the error so users could log in, but then once a connection was established it was with a local profile, not a roaming profile.

In order to resolve the issue we powered off the 2016 DC's.

Anyone know what happened here and what we need to do to power on the 2016 Domain Controllers again.

Thanks.

Hello Team,

I have 30 session host servers and I am using non persistent servers where my users will simply login and use it for a day and log off. Whenever they log off the server will get back to its initial state and all the changes made to the servers will be lost.

I have purchased the Per user licenses and configured them. I have installed licensing role on the sever and applied the below group policies to my session host servers.

• Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing\Specify RD License Servers - I have specified my licensing server.
• Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing\Specify the Remote Desktop licensing mode - I have specified per user licensing mode.

But the licenses are not getting issued. These servers are still depending on 120 days grace period. In the event viewer it says "  The Remote Desktop Session Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Session Host server, use the Remote Desktop Session Host Configuration tool". 

I am wondering that I have already specified the group policies and still it displays the above error. 

I tried deleting the grace period registry key as I read in on the forums, since these are non-persistent VM's at the end of the day the registry key will regenerates and starts issuing the free licenses. I am afraid now, what happens after 120 days?

There are no error messages on licensing diagnose? Please advise is this a kind of bug or something else?

Any kind of help is much appreciated

Thanks,

SM

Hi All

I have a virtualised (VMWare) RDS 2012R2 environment with 20 Session hosts spread across 6 Dell ESXI Hosts - 2 Sets of different PowerEdge Models. Over the past 4-6 weeks we have started to get multiple event 7011's followed by a 7046.

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.

The following service has repeatedly stopped responding to service control requests: Remote Desktop Services UserMode Port Redirector

At this point some existing connected users cant sign out and applications start to crash including explorer.exe. Trying to shutdown via the GUI just hangs and the only way to get the server back is to reset the power using vSphere console. 

Applications on the Session Hosts are mainly MS Office 2016, Acrobat Reader, 7Zip and Webroot AV. Windows OS and applications are fully patched and up to date and Dell Firmware and drivers are fully up to date. 

Users connect in via RemoteApp and local drives and printers are redirected into their sessions. 

The weird thing is, like clockwork the crashes happen at the end of each day usually between 16:00 - 18:00 - To me its like a degradation symptom or perhaps its the actions of users disconnecting or logging off their session - Its affecting a couple of servers each day. 

On top of this, it appears 7011, 7046 results in a BSOD. I have grabbed the Memory.dmp file and opened it with WinDbg. 

Im now trying to figure out the dmp - uploaded to PasteBin here (happy to paste dmp here but didnt want to "dump" to much information in the post)

What stands out to me is rdbss.sys

Probably caused by : rdbss.sys ( rdbss!__RxAcquireFcb+1f3 )

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80179d3ba44, address which referenced memory

BUCKET_ID:  AV_rdbss!__RxAcquireFcb

PRIMARY_PROBLEM_CLASS:  AV_rdbss!__RxAcquireFcb

My rdbss.sys version - 6.3.9600.18895

Can anyone help to try and decipher the above and suggest next/best cause of action?

Many thanks :)

Everything was working fine until about 2 months ago.

I have a Windows 7 system that I access with Remote Desktop Connection from a Windows 10 system.  One day I found that my user account, which had been given administrator rights quite some time ago, couldn’t log on remotely.  The Windows 7 system was configured for remote access with the setting “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”. When I tried to log on, I got an error stating “The Local Security Authority cannot be contacted”. 

If I configured Windows 7 to “Allow connections from computers running any version of Remote Desktop (less secure)”, then I could log in but I didn’t want to use this less secure setting.

Doing some experimentation, I found that if I enabled the built-in Administrator account, then the Administrator could log in remotely using “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”.

If I created a new standard user called Test.  I found that Test could also could log in remotely using “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”.

If I promoted Test to an administrator, then Test couldn’t remotely log on.  He got the LSA error.  If I demoted my account to a standard user then I could log in remotely using “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)”.

When I promoted my account back to an administrator, the logon failed with the LSA error.

All users have valid passwords that are set to never expire and are members of the Remote Desktop Users group.  The only thing that is changing is whether or not the users have administrative privileges.

Is this a permissions issue, or a behavior change cause by an update to Windows 7?

Mark Wilson

Whenever I connect to more than one RDP session that is through a gateway, some of them will not allow me to log on.  I get the error "The logon attempt failed" and that is all.  If I disconnect from some of the other sessions and reboot my computer, I can then connect to the server that was given me said error.

I can also connect to the server giving me said error without closing down other sessions or rebooting by connecting through a Hyper-V virtual machine on my computer. 

None of this makes any sense.  Has anyone else seen this behavior?

James

Hello

Is there any "official" word about using different versions of Windows server in an RDS deployment?  Is it supported and if so to what extent ? Can't seem to find a definitive resource about this.

Any pointer most welcome !

Hi

I want to change the date format for RDP users for just one VM. I have created the policy and did the f5 trick as per this post 

https://theezitguy.wordpress.com/2014/08/07/group-policy-use-regional-settings-to-change-date-format/

but still the date format is correct when i RDP. 

Under scope - security filtering of the GPO i have entered my own username as well as the VM name in question, any idea why the settings isnt taking effect ? 

Hello and thanks for the help.

I'm trying to find a solution for allowing external users on a different domain to securely access TFS from their copy of Visual Studio to check-in/check-out code. 

I'm using a Privileged Access appliance that has a technology that allows folks to start applications remotely like this, but the rep told me they do not think I could use Visual Studio in this kind of manner because it is not on the "approved list" of RemoteApps.

I've been looking for a little while and can't find any sort of list of approved Microsoft RemoteApps.

It's difficult to search for this because it always brings back error-related threads.

Does an approved list of software for RemoteApps exist and if so, where can I find it?

++ 2008R2  Environment.

++ Installed Session host role, RDGW role and RD WEB access role on one server 

++ Customer is accessing third part application via RD Gateway.

++ Customer has public certificate XYZ.COM but the internal domain is different i.e. XYZ.local

++ RD Gateway is configured on the SSL certificate name.(XYZ.COM)

++ Customer created the Forward lookup zone within DNS with the name XYZ.COM and created the host records.

++ Customer has published third party applications to access them via RD Gateway instead from RDweb.

++ I checked from DC customer is able to ping the Gateway server and able to access the third party application.

++ But from client machine which are in same Network unable to ping RD Gateway and unable to access third party application along with mstsc.

Error Message:

Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Contact your network administrator for assistance.

Could any one please suggest on the above issue...

Hi, 

We want to use RDP for connecting to remote machine, execute Desktop Application Automation there. The challenge that we face is that on the customer end there are restrictions on idle timeout in RDP session. Once we start executing the automated desktop application and if execution takes longer that than the idle timeout to execute, the remote desktop session ends, and the Desktop Automation fails. Is there a way to handle this?

1. I have tried TSCON, but TSCON unlocks the console session, so it may not be acceptable to customers.

2. I have also tried Java's Robot classes to do some mouse action(https://stackoverflow.com/questions/52874/how-do-you-keep-the-machine-awake) This also works with limited scope. In case the RDP session loses focus, it does not work.

Is it possible to keep the RDP session from disconnecting on Idle Timeout?

Thanks in Advance.

Best,

Sumit

We have an RDS server (2016).  Since November or October, every cumulative update (well until Jan, haven't applied latest yet), breaks RDP. We can connect to the gateway fine, but accessing the RD desktop just fails with a warning about not being able to connect.  If I uninstall the Cumulative update, then all works again.

Event log shows hundreds of Schannel events (A fatal error occurred while creating a TLS client credential. The internal error state is 10013.)  The remote desktop management service fails to start and the server manager shows this issue:

the server pool does not match the rd connection broker that are in it. errors

Any ideas on how to fix?

Running Windows Server 2016 Remote Desktop Services (session-based desktops).

Multiple session host servers, one DC, all running as VMs under Citrix XenServer 7.1. The servers are fully updated to present time as of 7 March 2019.

Every few days a user reports that after logging in to an RDS session he does not see his desktop but sees a black screen. When this happens, I can see that some users on that same RDS server still have their session working normally, but every user logging in after this also gets this black screen.

There are numerous references to this problem on the internet. It is apparently occuring since Server 2012 and has never been fixed.

Some people recommend to restart the Windows Audio service. Does not help in my case, never does when it happens to me. Other recommendations were to remove Firefox browser from the RDS session host servers. I did that two months ago and it seemed to help for one week but then it came back. I have not found any other recommendation - there seems to be simply no solution, except restarting that RDS session host server, which is a major inconvenience, it throws out the other users which still work, it takes 10 minutes or more to restart that server, and it can only be done manually. Most often it has to be force-restarted on top of it, as the server is totally unresponsive, and then some users may loose their user profile. Then I have to delete that user and recreate his user profile. Major trouble.

In the last few months I have rebuilt all RDS session host servers from scratch - total new installation, all updates, totally clean. It STILL happens. I have that system running since 2 years, and it has been a problem all the time.

When I try to log in to the console of the offending RDSH I can sometimes not even log in . Sometimes it does let me log in but I also get a black screen as local admin user (both Server\Administrator and Domain\Administrator). In this case, I can bring  up TaskManager via Ctrl+Alt+End and run a command prompt. I can restart services this way and execute other commands, but anything relating to the UI does not show up. Screen stays black.

Managed once to get the black screen off by restarting ShellExperienceHost service but then this logged out all users somehow and corrupted some profiles.

The only applications installed on the RDSH servers are Chrome browser, Thunderbird email client, Libre-Office.

From what I can find on the internet this problem occurs since the release of Windows Server 2012. This is seven years ago. I do not know if this happens to everyone, but there seems to be no common denominator from what I can find, it seems to happens on all sorts of environments, pointing to a bug within Windows Server itself.

From what it seems it is related to the new UI system implemented with Windows 8 (and Server 2012) because I can find no reference to this occurring with Server 2008. I have not run RDS on Server 2008 myself so I have no first-hand experience.

Is there ANYTHING I can do about this? It does NOT seem related to my setup which is really rock-bottom basic. Many users are reporting this as a dreaded issue they hope one day will be fixed by Microsoft.

Can it be related to the virtualization software? Anything having experienced that issue on bare-bone installs of RDSH servers? Any difference with Hyper-V VMs?

WHEN IS THIS GOING TO GET FIXED? THIS IS A PROBLEM SINCE 2012 - 7 YEARS!

I feel forced to start researching for non-Microsoft solutions for RDS type solutions because I simply cannot tolerate non-functional software. To the users it looks like it is me as admin who is not doing his job!

Atradius

Hi all,

We're currently experiencing issues at a random interval with regards to freezing start menu's on Server 2016 RDS Hosts.
When the freeze happens we can see the following items in the eventlog: Event ID 5973

Seems to be related on a per user base, as multiple users can connect to the RDS server but only a few of them are experiencing issues.

We are using User Profile Disks and Start Menu redirection. Any thoughts?

Hi All

Quick Question:

Have a file server in Domain A and need users that have been migrated from Domain A to Domain B to RDP back to a file server in Domain A  (No Trust), what the simplest way of doing this ?

Effectively Domain A = Company 1  & Domain B = Company 2

Thanks

Hi,

First of all, please note this: 

• Network level authentication IS supported on all machines as per theAbout Remote Desktop Connection. So please don't ask me to check this on the about remote desktop connection window.
• All clients are set per GPO to use the Remote Setting of the "more secure" option:
• The problem is on random machines, all windows 7. We only have a few windows 10 machines but no issues found on those so far. 
• It doesn't matter if the RDP connection is initiated from a windows 7, windows 10 or Windows Server 2012 R2. The problem remains and is exactly the same.
• The problem exists when attempting to connect RDP from personal home PCs (not managed by company GPOs and MS update schedules) over VPN

So the problem is this, first comes the first message and then the second.

It seems to have started after we deployed some Microsoft server updates, but its very inconsistent, some sites seems worse off then others, but its not all machines at any site. We haven't even done client updates yet.

Again, please don't give me a link to an old post or blog saying that I need to enable network level authentication, as shown by the top screenshot, it is already enabled/supported.

I already spent hours googling this. Please, I want responses from people who have actually had the exact same symptoms and issues or someone who has an idea that I haven't already clearly stated that I've checked above already.

Thank you.

I am looking for a way to allow domain users click the .rdp file and it can auto automatically logon the remote desktop server and run remote app with their AD credential. I currently published the remote app and downloaded the remote app .rdp file to the workstation. But it still requires users to type username and password to logon, then the remote app run.

Thanks,

Hanson

Getting to where I HATE certs.

2 node 2016 RDS farm.  Generated a SAN cert from my MS CA.  It contains common name *.xxx.xxx.  The SAN names are the Farm FQDN and the FQDN of both servers.

Imported this into the Server Manager RDS Deployment Properties successfully.

It WORKED properly after I imported those 2 certs that afternoon, several times.

Then, the next day, the 2nd server (not the first) decided it would use the Self-Signed RDS cert it has rather than the SAN cert assigned the previous day.

So, I have 1 server (which is a Gateway and session host) use the SAN cert, but the 2nd (session host only) uses a self-signed.

WHY?  Any suggestions on how to fix?