Channel: Remote Desktop Services (Terminal Services) Forum

Per User RDS licensing on Windows Server 2016 in Workgroup environment


Hello to All!

We have a problem with the RDS feature on a 2016 Server.

The server was deployed with no CALs installed and worked for some time in trial mode. Then the owners of this server bought 30 Per User licenses through the SPLA program, and I was asked to activate and install the licenses on it.

Before I connected to the server, I saw that the owners were in the process of deleting the grace period registry entry (because the grace period had ended and they were in a big hurry to make it work again).

After all this and my own manipulations (the standard activation and license installation process), the server still does not see the legal licenses and continues working in trial mode (the grace period is still ticking). The last manipulation was to delete the grace registry entry again and reboot the server (I found a similar situation at https://www.360ict.nl/blog/no-remote-desktop-licence-server-availible-on-rd-session-host-server-2012/), but it did not help, and now the grace period has started ticking from the beginning (120 days).

I found information that a 2016 server can still issue Per User CALs to local users in a Workgroup environment, and I made all the changes to local group policies (https://digitalbamboo.wordpress.com/2017/04/05/deploy-remote-desktop-services-in-a-workgroup-easily/) and other settings, and now the diagnostics show no warnings and everything is green.

Maybe someone has faced a similar problem or has any suggestions; I would be very grateful. I'm desperate already.


Specify a Program to Start Automatically When a User Logs On Does Not Work in 2016 Server


By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless a program has been specified to start when the user logs on to the remote session. If an initial starting program has been specified, it will be the only program that the user can use in the Remote Desktop Services session. The Start menu and the Windows Desktop are not displayed when the user logs on to the remote session, and when the user exits the program the session is automatically logged off. This feature does not work in 2016 server; it ignores whatever we specify and always starts a Desktop Session. We are running a workgroup, so group policy is not an option as a workaround. In the 2012 server and 2008 Server it works. Kindly please advise how to get this basic feature to run in Server 2016.

Specify a Program to Start Automatically When a User Logs On Does Not Work in Server 2016

Windows 2016 RDS event 1306 Connection Broker Client failed to redirect the user... Error: NULL


I'm attempting to setup a Windows 2016 RDS Standard Deployment for Session Hosting.  The layout is as follows:
RDS01 - RDS Connection Broker and Web Access
TS02 - RDS Session Host
TS03 - RDS Session Host

The domain these servers are part of has (1) Windows 2008 Server and (2) Windows 2016 Servers acting as DCs.  The domain is running at Windows 2003 Functional Level.

All servers are on a single routed network with no firewall between them.  All DNS A and PTR records for all servers exist and resolve on all hosts.  All servers can be pinged by each other. In other words, there are no network connectivity issues.

I've setup the RDS deployment several times w/ the same results.

The Issue
I can login via the RDWeb interface on RDS01 from a Win10 desktop and connect to the published RDP desktop without issue (i.e. no error messages to the user) and no errors in the logs.  When I try to directly RDP to RDS01, I successfully authenticate as a user (per the event log) but get an error stating that the user doesn't have access to the system.  In the event log I get event id 1306 with the message of "Remote Desktop Connection Broker Client failed to redirect the user <domain>\<test user>.  Error: NULL".  

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-SessionBroker-Client" Guid="{2184B5C9-1C83-4304-9C58-A9E76F718993}" />
    <EventID>1306</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>104</Task>
    <Opcode>13</Opcode>
    <Keywords>0x2000000000000000</Keywords>
    <TimeCreated SystemTime="2016-12-29T16:47:27.634726700Z" />
    <EventRecordID>47</EventRecordID>
    <Correlation ActivityID="{F4209120-29ED-44E4-845A-25A2570F0000}" />
    <Execution ProcessID="828" ThreadID="3668" />
    <Channel>Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational</Channel>
    <Computer>rds01.[redacted.domain]</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <param1>[redacted.domain]</param1>
      <param2>[redacted.user]</param2>
      <param3>NULL</param3>
    </EventXML>
  </UserData>
</Event>


If I RDP to RDS01 as an administrator, I get the same error message but the RDP session opens and presents the desktop on RDS01.

I can RDP directly to TS02 or TS03 and login as a user and open the RDP session.  Redirection to some degree appears to be working in that I can disconnect a user session from TS02 and RDP to TS03 and the session is redirected back to TS02.  The event logs on RDS01 record this happening as well.

What I've tried already
1. In searching this event 1306 issue, I found several posts with this exact same behavior in WS 2012/R2.  Most "solutions" suggested point to the fact that the RDS Session Broker doesn't have sufficient authority to look up the user's AD group membership via the tokenGroupsGlobalAndUniversal attribute or the AuthzInitializeContextFromSid API function, which leverages the tokenGroupsGlobalAndUniversal attribute.  (Example: https://social.technet.microsoft.com/Forums/windowsserver/en-US/29733a87-dbda-47bc-8b37-6eeac5ab5a0a/2012-rds-nonadministrators-can-not-access-vdi-pool?forum=winserverTS#97d883f1-7a64-4d02-9492-309638f92e79 )

The service is running as "Network Service" which does have network access via the Computer Object's authority in AD.  So following Microsoft's instructions (https://support.microsoft.com/en-us/kb/331951), I've added RDS01 to both the Windows Authorization Access Group and Pre-Windows 2000 Compatibility Access groups and rebooted RDS01 with the same results.  

2. I've verified the Windows Authorization Access Group has rights to read the tokenGroupsGlobalAndUniversal property/attribute on my test users and the computer objects of the servers.

3. I've set up an AD Service account following Microsoft's instructions (https://support.microsoft.com/en-us/kb/842423) with a similarly described access issue.  The service account user was added to the Windows Authorization Access Group.  This was unsuccessful as well w/ the same event 1306 error.

4. I ran the following PowerShell commands to verify access of the Connection Broker to the OU (https://technet.microsoft.com/en-us/library/jj215512.aspx#)

Test-RDOUAccess -Domain [redacted.domain] -OU "Computers" -ConnectionBroker rds01.[redacted.domain] -verbose


This failed so I ran the following to grant access

Grant-RDOUAccess -Domain watsons.local -OU "Computers" -ConnectionBroker rds01.watsons.local -verbose 


The Test-RDOUAccess then succeeded.

I repeated this for the OUs that contained the users and the server computer objects.

I've disabled all GPOs to ensure there's no conflicts but have seen no change in the behavior or error messages.

With all that, I've exhausted every option that I can find to resolve this error to gain the expected functionality.  As a workaround for the moment, I've set up a round-robin DNS A record that points to TS02 and TS03 w/ a very short TTL.  This gives the test users the ability to log in and at least test the desktop functionality.

Sorry for being so long winded with this but I thought it better to put all the cards on the table.

I'm open to any and all suggestions.

Thx!

Adding another icon/ rdp shortcut to the RDWEB Page


Hi,

I have set up a Windows Server 2016 RDS environment which is as follows:

1 RD Gateway Server (RDGW1)

1 RD Web Server (RDWeb1)

5 RD Session Hosts (RDS1 to 5)

1 RD Broker (RDBroker1) - also does licensing.

gateway url is: gateway.domain.com which points internally and externally to the RDGW1 server.

The RD gateway and RD Web servers are in the DMZ.

We now want to implement Azure MFA using the NPS Extension as described here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg  

To minimize impact, I set up another Gateway server in the DMZ called RDGW2, along with an NPS server in the LAN (NPS1). Following the documentation linked to above, I was able to successfully set this up.

To test, I have downloaded the RDP icon from the RDWeb page and edited it to direct via RDGW2 rather than RDGW1. I also created an External DNS entry for gateway2.domain.com pointing to the WAN IP for RDGW2.  This works fine from outside of the network and I get MFA prompts and can see connections going through RDGW2.

I now need to publish 2 RDP shortcuts. One would be using the old non MFA gateway (RDGW1)  - this is already there. The second would be the edited RDP Shortcut that uses the new MFA configured Gateway (RDGW2).

Is there any way I can publish the second RDP icon? Perhaps by editing the relevant web page or locating where the original icon is located? Publishing via RemoteApp is not an option. The reason for having both is to provide a transition environment and possible future DR environment (in case there are issues with Azure).

Thanks,

2016 RDS issue - Single user | Windows cannot find local profile.


Hello, 

I'm receiving a few errors with my RDS 2016 build. Randomly a user, upon logging in, will be given a temporary profile. I do the normal remediation steps by deleting the temp profile in the registry and Advanced User options, the server is rebooted and they can log in fine. But after a while the error comes back again. All other users can remote in fine with no issues; it only affects one user at a time. A few errors I see....

1. Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

2. The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user (xxxxxxxxxxxxxxxxxx) SID (S-1-5-21-3444666529-4500789-23435591xx-xxxxx) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

The RDS server shows this error

3. Remote Desktop Services could not apply a user desktop for a user account with a SID of S-1-5-21-3444666529-4500789-23435591xx-xxxxx. A temporary profile was enforced for the user. Verify that the user profile disk settings are correct. The error code is 0x15.135

4. Remote Desktop Services could not attach a user profile disk for a user account with a SID of S-1-5-21-3444666529-4500789-23435591xx-xxxxx. The error code is 0x15.135

Thanks.

Please assist, 

Seneb

Can't launch remote app


Hello, I have everything on a single server:

rdweb

rd gateway

session host

I am forwarding 443 through my firewall to my server.

When I go to launch a remote app I get the following:

Remote Desktop web client exception with disconnect code GatewayProtocolError 52 , extended code=, reason = Gateway tunnel authorization failed with error code = 2147965403


Scope of this is that out of dozens of accounts that work fine for rdwc sessions, there are two that do not.  The connection starts but within a few seconds fails with, user facing side, 'we couldn't connect to gateway because of an error.'  When running a capture, the key error appears to be:

"The connection generated an internal exception with disconnect code=GatewayProtocolError(52), extended code=<null>, reason=Gateway tunnel authorization failed with error code=2147965403"


This is what’s in the nps log from the RD server:

"orgRD","RAS",04/05/2019,15:22:31,1,"DOMAIN\SAMACCOUNTNAME",,"UserAuthType:PW",,,,,,,,,,,,5,,,12,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TS GATEWAY AUTHORIZATION POLICY",2,"TS GATEWAY SERVER GROUP","xxx.xx.xxx.xx",,
"orgRD","RAS",04/05/2019,15:22:31,11,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"TS GATEWAY AUTHORIZATION POLICY",2,"TS GATEWAY SERVER GROUP","xxx.xx.xxx.xx"",,

And this is from the NPS server:

"FILES","IAS",04/05/2019,15:22:31,1,"DOMAIN\USERNAME","domain.org/Users/FirstnameLastname","UserAuthType:PW",,,,,,,0,"xxx.xx.xxx.xx","orgrd",,,5,,,12,7,"RDpolicy",0,"311 1 xxx.xx.xxx.xx 03/19/2019 04:54:59 292",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"RDGWauth",1,,,,
"FILES","IAS",04/05/2019,15:22:31,11,,"domain.org/Users/FirstnameLastname",,,,,,,,0,"xxx.xx.xxx.xx","orgrd",,,,,,,7,"RDpolicy",0,"311 1 xxx.xx.xxx.xx 03/19/2019 04:54:59 292",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"RDGWauth",1,,,,

Any pointers in the right direction, or if anyone else has seen these errors, would be much appreciated!

Need to Move 2016 RDS Roles from one Server to Another


Have a functional Server 2016 RDS Deployment consisting of RD Web Access (not using), RD Gateway, RD Connection Broker, RD Session Host on TS-01, RD Licensing on DC-01, and a 2nd Session Host on TS-02.  There is one existing Collection serving up one RemoteApp program to both Session Hosts.

The TS-01 server needs to be redeployed from scratch due to an OS issue so I need to move the RD Web, RD Gateway, RD CB roles to the DC-01 server first, leaving the Session Host role in place on TS-01 for now.

I've seen articles about migration which I don't think apply here.  I do not want to enable HA on this since I know you can't go back to non-HA.  Can each role be deployed on the other server and then removed from the TS-01 server?  Or is this a deploy from scratch scenario?


2019 RDSH - not able to reconnect to Disconnected session, every time new session (with fSingleSessionPerUser=0)


Hello colleagues

When we use this configuration (enable multiple sessions per user):

Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections

Restrict Remote Desktop Services users to a single Remote Desktop Services session     Disabled

we are not able to reconnect to any disconnected session that was running previously.

It seems that it was mentioned here for an Insider build, but we have the same...

https://techcommunity.microsoft.com/t5/Windows-Server-Insiders/Bug-no-reconnect-to-disconnected-session-with/m-p/282056/highlight/false#M829

Any solutions for this problem?

Regards,

Sergii V

Using Remote Desktop Services instead of TeamViewer


Hello,

I would like to access the server without TeamViewer. I've been told that we need to set up terminal services and that I need a licence. Is there any tutorial on this?

Many Thanks,

VPN to access Remote Desktop Services


Hello,

Which VPN software are you using to access Remote Desktop?

Many Thanks,

Stuck at Establishing Connection Quality in 2016 and error message on broker -"RD Connection Broker failed to process the connection request for user Error: Cannot create another system semaphore."

I have users that use remote desktop to connect to a DNS farm name that has all the session host IP addresses. In Server 2016 RDS, I have the Collections set up with all the Session hosts in it. I have an HA broker environment set up. I have one Licensing server.
If I use the DNS farm name to connect to a Remote Desktop Session Host, randomly the Session host will stop the user at Establishing Connection Quality. It mostly happens when a lot of users are logging in during shift change. I have around 10 Session hosts. If I only have two session host IP addresses listed in the DNS farm name, only those Session hosts will stick at Establishing Connection Quality. The other session hosts are not affected. I do not see error messages in the event viewer for the session hosts. I do see error messages on the broker server:
"RD Connection Broker failed to process the connection request for user Error: Cannot create another system semaphore. "
I delete the Collection that is set up in RDS and recreate the collection. The problem goes away for about a day and comes right back.
I created another collection that does not use DNS farm name connections. It only uses RDWeb apps. The session hosts in this collection never lock at Establishing Connection Quality.
When stuck at Establishing Connection Quality, I have to restart the server to allow users to connect again. I had this problem in 2012 R2, but in 2012 R2 I would have a blank user in Task Manager when the Session host locked at Establishing Connection Quality. I would have to connect to the user in Task Manager and see that the user was stuck at Signing out. Once I disconnected from the session, 2012 R2 would then remove the blank user from Task Manager. A blank user does not appear in 2016 under Task Manager, but it still gets stuck at Establishing Connection Quality. I would have to do an ipconfig /flushdns to make the user point to a different host listed in DNS in order to log in.
Why does using the DNS farm name with Session Host IP addresses cause only those Session hosts to stick at Establishing Connection Quality?

Windows Server 2016 RDSH Intermittent BSOD (DRIVER_POWER_STATE_FAILURE)


Hi,

Not sure if this should be asked here or not. If I have submitted in error, please let me know and I will redirect my query elsewhere.

We have an RDS platform (single GW/CB/Lic server - Windows Server 2016, 3 RDSH servers - also Windows Server 2016). The platform is accessed using HP Thin Clients via the Gateway's RDWeb feed. The clients connect fine and all applications and hardware devices appear to work correctly.

However, intermittently (doesn't seem to be any rhyme or reason that I can ascertain) one of the servers (it can be any of the three) will BSOD with a bugcheck of 0x0000009f (DRIVER_POWER_STATE_FAILURE). The server automatically reboots after a period of time and then works normally. Sometimes the BSOD happens only once, but then other times it will BSOD three or four times in a row shortly after coming up from the previous BSOD reboot.

From what I can gather, Windows is attempting (and failing) to instruct some device attached to the system (presumably via one of the remote sessions) to enter into a power saving mode and BSODs as a result. I have disabled USB power saving on the server but this does not resolve the issue. I have tested one of the RDSH servers by removing it from the connection pool and left it running without clients for a number of months and it has so far not given me any problems.

I took the MEMORY.DMP file (which is available for anyone to peruse upon request) and tried my best to analyse it using the tools available, and it seems to point to hidusb.sys, though I am unsure as to how to trace the problem any further.

All RDSH servers are patched with the latest critical/security patches as of a week ago.

Any possible thoughts as to avenues I could explore to diagnose/resolve this issue?

Thank you in advance for any advice you might be able to offer.

Users CAL Pool for RDS

Hello,
I have a SPLA contract with RDS licenses per user. I have to declare 1 license each time a user logs on to the service.
I would like to know if I can do the following: declare a license pool for a specific AD group. For example: 10 users in an AD group with the right to 4 simultaneous licenses. I can create my 10 users, but declare a maximum of 4 licenses actually used per month.

Is it possible to do this via the RDS license manager and AD groups?

Thank you

DDA and group policy with a GPU


I have set up a Windows RDS box on Server 2016 that runs in a VM. I've got DDA (PCIe device passthrough) set up on an Nvidia P2000 GPU.

To make the RDS server use the GPU instead of the CPU for video, which group policies should I modify?

Thank you


RDS Licensing Questions


OS in question Server 2016 and Server 2019

If we have a 2019 Remote Desktop Server and it has 20 RDS User Client Access Licenses. All 20 users have logged in at some point and consumed a License. Then a 21st person logs in.   What Happens?  

Do the old users eventually still drop off if they have not connected?

Is there a Manual way to Assign/deassign a License to a user?

Forcing UDP for RDS session


I've got an RDS environment that is using Windows Server 2016. The thin clients we use are Wyse 3040. I want to use UDP instead of TCP for the connection. I've not been able to figure out how to use UDP. I can see on my Wyse client that a few packets use UDP but 99% use TCP.

We connect using a VPN so we don't have a gateway setup. Is there a group policy I can add or what is the best way to do that?

Thank you

Windows Server 2008 R2 - How can I fix the warning message (120 days) that appears when using a remote desktop session


Hello 

I am using Windows Server 2008 R2 with multiple users (5 user accounts). I am facing a problem where a pop-up warning message appears saying *you have 120 days left ......* every time I or other users log in to this server. I tried to check through the Remote Desktop licensing server and added the license server's name and its credentials (Remote Desktop Services > Remote Desktop Session Host Configuration) in the configuration. Then there is no error and a green tick appears in the License diagnosis tab under 'Remote Desktop Session Host Configuration', so everything seems fine. However, when I log off and log in again, I need to supply the credentials again and again, every time and for every user who logs in. Also, the days are decreasing, meaning I am left with 118 more days for remote desktop sessions.

Q: Why, every time a user logs in to the server, are we still getting this warning pop-up, although a valid license server name and its credentials were supplied?

Q: How can I fix this problem? I need a complete solution for multiple users.

I hope you understand the problem.

Thanks 

Faisal




Multiple RDS License Server with Split licenses


Hello

We have 2 RDS License servers in the domain with 40 Per User CALs on each server, running Windows Server 2016 Datacenter, and we have a GPO in place as well that points to the RDS license servers. But only one RDS License server is allocating the licenses. The second server is not allocating.

Both servers are activated for RDS license.

Need help with this.

Thanks & Regards,

Sapan Shah

RWW via a Mac or iOS


Hello support,

I have a Windows 2012 R2 Standard server with RDS clients on it. It runs an application called ACT!, and 7 users log in to it to access the Act! program and their individual Outlook email. There are three users that have Apple devices that use the RDP client for Mac to access the server. I want to close port 3389 and use Remote Web Access (via an SSL certificate) and the essential experience to access the server instead of RDP. But when I go to the browser (Safari) and put in the remote link, https://remote.domain.com/remote, I am able to log in and the remote client is downloaded, and when I click on it, it wants to open it with an app that it cannot find and goes to the App Store, but all the programs there are greyed out or not available.

It is the same process for iPad and iPhone. How can I safely access the server?  I appreciate your help.

Jamshid  
