Hello,

We run Windows server 2016 on our host machines, and we connect to our hosts through an remote desktop gateway, we have run into an issue where users who remote in through the gateway are getting disconnected for about 5-10 seconds and then their session is restored. This happens about once every 30-60 minutes.

Event viewer is throwing the following errors

Disconnect trace:CUMRDPConnection Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4726 err=[0xc], Error code:0xC

'Failed GetConnectionProperty' in CUMRDPConnection::QueryProperty at 3015 err=[0x80004001]

I get flooded with these events about 100 times a minute, (not each event, just a collection of related events in one minute).

I'm looking for a way to disable remotefx so the host will not allow the client computers to use remotefx anymore. I tried a few things such as 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
DWORD: fEnableRemoteFXAdvancedRemoteApp: 0x00000001 (0) - On remote gateway server

The DWORD above is not on any of my host machines, I was concidering adding it and setting the value to zero, but I'm not sure if this will do the job.

I also tried to disable this in group policy,by disabling everything remoteFX related other than the remotefx entry related to compression algorithms.

Has anyone delt with this before? I would greatly appreciate any guidance.

Here is a strange one:

Have a standard setup with the following:

• RD Broker and RD WA on one server
• 2 Session Hosts
• 2 RemoteApp hosts

Setup SSO perfectly and all working as expected.

Then I realised the guy who setup the virtual machines set them up as Gen1 so could not have more than 1 processor due the tech on the host. Tried converting them using the MS PS script but failed.

Alas I had to create 2 new session hosts. After I removed the old session hosts and added the new session hosts, when connecting to the broker server to get allocated a session host, I now get the following error:

"Your System Administrator does not allow the use of DEFAULT credentials to log on to the remote computer

******.*******.co.uk because its identity is not fully verified"

Things I have tried:

• Reapplying the cert to all roles
• Restarting all servers
• Allowing delegated creds using local group policy

Weirdly enough, if I connect via RDWeb or via Remote Resources feed it goes straight through.

It is very strange.

Any ideas?

Thanks in advance.

I have a large app for which we are waiting to configure DPI scaling. Currently, when we launch our app via RemoteApp (RDP to our Windows Server 2016 server) on a high DPI screen, the text and controls overlap. As a work around for our customers with high DPI displays, we found the best solution is to set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\IgnoreClientDesktopScaleFactor to 1.

This stops the RemoteApp from using DPI scaling and makes it look decent. 

The problem is that the size of the window itself starts off at 100% scaling (96 dpi) even though the computer is set to 200% scaling (192 dpi.) 

If you change the scaling factor on the local PC (to any scaling) and then change it back to 200, it will automatically size the window back up to the correct scaling (200% size.)

We would prefer to use this workaround instead of adding a mstsc manifest file to our customers' PC's, but we would need to know how to force the RemoteApp window to scale the same as the system's scaling when it's first launched.

old reliable 2008 R2 remote desktop server hosts RD Web Access and Remote Desktop Connection. lately RDC not so reliable. clients cannot connect to log in but the RD Web Access page is always easy to connect to.

if client is persistent they will connect with RDC and have a reliable session.

it is a random but common error and server logs not helpful.

Remote Desktop Connection error is the old message:

Remote Desktop Connection can't connect to the remote computer for one of these reasons

1) Remote access to the server is not enabled (IT IS)

2) the remote computer is turned off (GUESS WHAT? IT IS ON)

3)the remote computer is not available on the network (BUT THE RD WEB ACCESS WEBPAGE IS UP AND WORKS)

Make sure the remote computer is turned on and connected to the network and that remote access is enabled.

I can connect to the RD Web Access by domain or public IP so can I rule out DNS?

any suggestions appreciated. thanks in advance.

Hi guys, 

Is there an easy way to migrate local user profiles on an remote desktop server to user profile disks? I am replacing a Server 2008 R2 and want to start using UPD's instead on a Server 2012 R2. 

Best regards,

Hasan

If I put the IP address in of the Remote Session Host server (there is only one) it works. It connects through the gateway and then connects and authenticates successfully to the server. 

Also if I connect to another internal PC remotely on the network through the rd gateway using DNS name it also works fine.

Finally if I connect from outside the office network using hot spot it will resolve both the remote session host and remote PC by DNS name. If I switch it back to the LAN it reverts to orignal behavior.  I have seen this at multiple places.

There must be a different way it is connecting on one network than on the other network that causes this odd behavior.

Also  Remote apps through RD Web will not open after successfully authenticating through gateway ut will work outside of network.

Hi,

If a user using a terminal/thin client logs into a terminal server, then from that RDP Session, connects to different Win servers. would that eat up a user license on terminal server or network? For example:

Thin Client --> Terminal Server ------> File Server
                                                   |
                                                   |---> QuickBooks Server
                                                   |---> App Server

Would that situation above cause the user eat up four user licenses on the terminal server or not?

Thanks

Hello,

We were doing some experimenting with the latest RD Client for an iOS device and accessing a 2016 RDS Host.  What we noticed is that while we had the "Always prompt for password upon connection" enabled on the RDS host and if the correct password was cached in the RD Client on an iOS device, the server responded as expected with the "The server's authentication policy does not allow connection requests using saved credentials" 

What was odd was that if the RD Client had an incorrect password cached, we would not get that response.  We would receive a "User name or password did not work" and the badpwdcount on the user account in AD would increment. 

The point of this exercise was to see if we could prevent users from locking their accounts by having a bad password cached in the RD Client.  We thought enforcing the "Always prompt for password upon connection" would prevent this, but it does not.  It only prevents this if the correct password is cached. 

Is this the expected behavior or is this a bug?  It seems kinda of pointless if the bad password is cached and yet it allows the badpwdcount to increment.   Kinda a DoS attack vector.  

Appreciate any and all feedback. 

Hello,

I have this weird problem that when I am trying to connect to a terminal server with a specific user (let's say "Anna") I am getting this error :

The Group Policy Client service failed the sign-in "Access is denied"

and if I am trying to connect with a different user it's working fine.

anyone have an idea what can cause this error?  (tried already : checking if there is a temp profile .bak in the registry and C:\users\%username% not showing the user profile). 

We´ve got a problem regarding our users using the RemoteApps.

Our enviroment are two Terminalservers on a Windows server 2016 and one Connection Broker Server on a Windwos Server 2016 too.

A few users need to open the RemoteApps multiple times from different workstations so they connect multiple times to the Terminalservers.

the Problem now is that

the user X opens a remoteapp on workstation 1 the connection broker decides to give him a session on Terminal Server 1, now user X opens

a Remoteapp on Workstation 2, the connection broker gives him a session on Terminal server 2 for now everything works fine but if

user X opens now a remoteapp on workstation 3 you get a short message that says you are connected with RemoteApp- and Desktopconnectiion 

but the Remoteapp wont start and if you click on "Details" you can see only a black screen.

So if the same User connects 2 times on the same Terminalserver the RemoteApp dont start and shows just a black screen.

We already edit the Registry:

 - fSingleSessionPerUser     value: 0

 - fdenyTSConnections value: 0

 and edit the Group Policy:

 - Restrict Remote Desktop Services users to a single Remote Desktop Services session    value: Disabled

 - double-click on Limit number of connections and then set the RD Maximum Connections allowed to 999999

 Deleted Firefox, disabled everthing regarding sound.

 The Eventlog shows this warning:

 "The installation of the default connection has been cancelled. A default connection cannot be used on a system that is part of a Remote Desktop Services deployment."

 "Event ID: 1026"

 Does anyone have a Solution for this Problem?

 Thanks in advance.

Hi all,

I am rather unclear about how to set up RD Gateway and Read Only Domain Controller in perimeter network. I have read some of the popular blogs, among those: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/RD-Gateway-deployment-in-a-perimeter-network-Firewall-rules/ba-p/246873 . But I would need a step-by-step guide on how to practically implement this.

I have a two-firewall setup of" internet-outer firewall- perimeter network - inner firewall- corporate internal domain". I have full rights in the internal domain (10.10.1.0/24), but have limited rights in the perimeter network (172.1.0.0/0.0.255.255), which is another domain. I have setup a RODC, and have joined this to the internal domain, and promoted as RODC successfully. Have set up "allowed" and "denied" password replication policies. I have placed RODC in the perimeter network. I have setup a RD gateway server, and currently has not joined neither internal domain nor domain in the perimeter network. It is only set up as a member in perimeter network. I have full rights to configure firewall ports both on the outer firewall and inter firewall. The intended RD Gateway and RODC should be in the perimeter network subnet, but do not  joined the perimeter domain (obviously). there are no firewall between RD Gateway and RODC in the perimeter network.

What I want is to configure the RD Gateway in perimeter network to answer all RDP requests from internet, and authenticate users towards the RODC. If a user is authenticated, she will be allowed (by RAP) to connect to RDSH in the internal domain through say 3398 (I will reassign an uncommon port in the RAP and on the internal firewall NAT to session host).

I know I would need to open ports for RODC to replicate with RWDC. for testing purpose I can manually cache the users passwords. What I fail to understand, is how the RD Gateway in perimeter subnet(172.1.0.0) to contact a DC (in my case the RODC) on the same subnet for authentication. what would I do to let RD Gateway look for my RODC? should I put the RODC as the DNS server on the NIC of RD Gateway? I tried this, and it does not seems to work."There are currently no logon servers available to service the logon request".

Please help and I would be very grateful your assistance.

Hello,

I am working on a 2012 R2 Server and need help with Remote Desktop Services session time limits. I have a user who needs the screen to be on all the time to monitor critical areas and therefore cannot have their session disconnected. We have another user who already has this exception but I can't find where the exceptions are made. I've looked in GPEDIT.MSC and see that the time limits are enabled but that's all. Any help would be appreciated.

I hope someone can help with this issue as Microsoft support will not assist me with licensing questions and issues unless we pay for support, even though the CALS have been purchased which is madness.

We have two RDS 2016 Servers in a workgroup environment so had to use per device CALS.

Server1 (WORKGROUP)

RD Session Host

Licensing Server Installed and Activated (10 Device CALS installed)

Server 2 (WORKGROUP)

RD Session Host

Connects to Server1 licensing server

1. When an Administrator logs in to administer the server they're assigned a device CAL. I was under the assumption that two concurrent Administrators can logon to a server without using any CALS, so why are they being assigned?

2. The next issue is that two of the administrator users are being assigned 2 device CALS for a single computer, when I run the license server report they're appearing as the same computer name but with different hardware ID so now two administrator users who are administering the server have used up 4 licenses.

Hello All,

Thank you in advance, We have 10 servers which are on workgroup and we need to configure the per device license for 10 servers.

So is it possible that i can configure RDSH and install 10 device license on it and rest 9 servers to point that RDSH for license or do i need to install the per device license on each server. please suggest how should i configure this.

Dayanand Gavas

Has anyone been able to setup RD Connection Broker HA with SQL 2017 Standard?  I have been working on it for three days and can not get it to work.  I have assigned numerous excessive security permissions, manually created the database, can connect with ODBC connection, installed client tools, installed SQL Management Studio, can telnet to SQL from connection broker, disable firewall on both sides, followed over half a dozen guides and many other things.  I'm about to loose my sanity.  Is this even compatible??

Thanks!!

Hello, I currently have a Remote Desktop Server "Windows Server 2012 R2" running in a small but busy Accounting Office and it's working great but during last tax season it bogged down from time to time so we are considering implementing a 2nd Remote Desktop Server to help service the load..

Here's some details:

1 - Approx 30 Users running MSOffice and Accounting Apps connecting via RDWeb to run Apps..

2 - The current RDS is a Physical installation with no Gateway as there's no external access at this time to limit security issues.

Question: My plan is to install a New Host "Windows Server 2016" and implement the new RDS as a Virtual Server and I'm not sure if I should tie it back to the current Physical so it can manage the load balancing or if I should just set this up as a separate standalone and just instruct the users how to access each server.. 

My concern is if I tie it to the Physical RDS and there's a problem with the physical server then will it prevent users from accessing the new Virtual RDS.. 

Thanks for you help...Scott

Hi, I have implemented standard RDS 2016 farm deployment in single forest with single domain - 2 Web Access, 2 Connection Brokers and 2 Session Hosts) and collection with many published apps. I want to expand this somehow to other forests too which trust forest hosting RDS 2016 farm.

Is there any detailed guide how to implement this? There are some docs about multi-tenant RDS but I do not see anything useful for my case scenario. I guess I need new session hosts per forest but could I use existing WA/CB servers without adding new ones? 

Any help would be appreciated. Thanks in advance!!!

Hello,

We run Windows server 2016 on our host machines, and we connect to our hosts through an remote desktop gateway, we have run into an issue where users who remote in through the gateway are getting disconnected for about 5-10 seconds and then their session is restored. This happens about once every 30-60 minutes.

Event viewer is throwing the following errors

Disconnect trace:CUMRDPConnection Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4726 err=[0xc], Error code:0xC

'Failed GetConnectionProperty' in CUMRDPConnection::QueryProperty at 3015 err=[0x80004001]

I get flooded with these events about 100 times a minute, (not each event, just a collection of related events in one minute).

I'm looking for a way to disable remotefx so the host will not allow the client computers to use remotefx anymore. I tried a few things such as 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
DWORD: fEnableRemoteFXAdvancedRemoteApp: 0x00000001 (0) - On remote gateway server

The DWORD above is not on any of my host machines, I was concidering adding it and setting the value to zero, but I'm not sure if this will do the job.

I also tried to disable this in group policy,by disabling everything remoteFX related other than the remotefx entry related to compression algorithms.

Has anyone delt with this before? I would greatly appreciate any guidance.