We have this issue on many 2012 RDS session hosts. The issue has been seen at different clients with different set ups, some have a simple 1 session host RDS server, some have 4 or 5 session hosts in a load balanced farm with RD gateway, connection brokers, RDWeb, ect. The problem in simplest explanation:

A user will call the help desk saying they cannot access the server. They will get an error when RDP is trying to connect. 

We check the session hosts, and will find many errors:

"Event ID 4005 - The Windows logon process has unexpectedly terminated"

At that point in time, users who are currently logged in may be able to still work, or their session may lock up (it is not consistent). 

Regardless of the current users logged; after the logon process crashes, it continues to crash upon every user attempt to log on. It will happen indefinitely until the server is rebooted. We can not log in, not even via console until the server is rebooted.

Then, everything works fine for some amount of time (not consistent) it may be a couple of days, or it may be weeks, or a month even. 

We have had the case open with Microsoft for about two months and they cannot determine what is wrong. 

I believe I may have found a possible cause; Webroot Secure Anywhere antivirus. Since we have tried everything from moving from roaming profiles to local profiles, removing all printers, blocking inheritance of GP, fresh server builds with minimal software, ect - it has to be something that is consistent across the board on all servers. 

The only thing I can find consistent across the board is the Antivirus; Webroot. 

I am curious if anyone else is having this issue? I would like to pin point this to something but it is so intermittent and we cannot force replicate the problem. 

Hello experts. We have this same problem across many different clients with 2012 R2 RDS server farms. 

Users report that their desktop flashes continuously through out the day. We witness this many times as well. Users are working on a 2012 R2 RDS session host. They are utilizing folder redirection, so their desktop icons reside on a file share. I can simulate the same effect if I hit F5 to refresh the desktop. All icons flash. This is happening on many rds server at many different clients. 

I found this post here with an identical issue:

http://discussions.citrix.com/topic/305854-desktop-icons-flickering/

The recommendation is to "creating on the registry the REG_DWORD key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteChangeNotify with value 1. "

I know others have this problem as well, I'm curious as to how to resolve the issue, and if the change mentioned above will have any negative affects for users. Thanks in advance. 

Hi, I have a  issue that I find very frustrating, and Google has not offered me a solution yet.

RDP works fine in the office (over multiple subnets), but not over VPN.

Client is Windows 10, server is Windows 2012R2,   2008 AD, checkpoint VPN

When i take my laptop home, start vpn, I am able to ping server by name, FQDN or IP, but when i try to connect with RDP, I get delays of many minutes before it prompts me for password.

I have tried : different laptops, different os(8,8.1,10), different servers, different accounts, clearing RDP cache on client.
 connecting via  does IP seems to work (but who remembers all the server IP when doing admin work late at night)

*Sorry i can't seem to past the dialog box.  it says:

title: windows security
"Enter your credentials
These credentials will be used to connect to XXXXXX
  Just a moment
< scrolling bar>"

<okay> <cancel> buttons  neither of which help, speed things up, infact if i hit cancel, i end up having to kill it task manager

Hi,

I have an RDS 2012 R2 farm that has all the roles on 1 server (gateway, web access, connection broker, licensing) and 3 x session host servers. I have a .local domain so I've used a public cert and followed the work around found herehttp://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 that changes the client access name on the connection broker to one that matches the public FQDN found on the cert.

If I connect through a web browser then I have no problems so I know the fundamental properties around permissions to RDP into the farm are correct.

However, if I try to connect using a standard RDP client I get the error "The connection was denied because the user account is not authorized for remote login". I think the problem is around the fact that it is trying to connect to the broker server itself rather than the farm. If I put my test user in the Remote Desktop Users group on the connection broker then it connects but to the connection broker itself rather than one of the session hosts. 

I've used chrome to download the RDP file that works that I get through the web GUI to have a look at the settings and I've mimicked all the settings (including the "Connect from anywhere" settings relating to the RD Gateway" yet I still get the problem. If I use the actual RDP file (downloaded via chrome) then it works no problem.

I know I can just publish the RDP file to my users and problem solved but I have a load of thin clients that are unmanaged (and not on domain) so I want avoid a visit to each one if possible.

Does anyone know why it is trying to connect to the server with all the roles directly rather than being passed on to a session host?

If anyone can help I'd be most grateful.

Cheers,

Tristan

Hello,

I am setting up office 365 on an RDS server. my domain used non-routable domain (company.local) so i had to create an alternate UPN that matched the routable registered domain for the company (company.com). the problem that i am having now is that when i have logged onto the RDS and start an office application, i am still prompted with the activation prompt, asking for an email. if i enter the testuser's email and then password on next screen, i am able to register the user and get a token license.

This is not my desired solution as i wouldnt want my users to have to do this every x days. The technet on this topic is very fluffy, a lot of 'Probably, might, some and should' as opposed to definitive answers. https://technet.microsoft.com/en-us/library/dn782860.aspx (under section 'How shared computer activation works for Office 365 Plus').

My domain is already DirSynced with password sync too.

any help would be appreciated on how to automate this process so the user never sees this prompt. ideally, Office should pickup the email and password without the user entering anything.

regards,

InfoAdmin

Our company just set up a new Windows 2008R2 RDS environment (Gateway/Broker/Host all 2k8R2) and we ran into "cannot change expired or first login passwords" issue.

We have 400+ users who run our app over remoteapp and our "old" environment was a straightforward remoteapp to a single server and changing expired passwords was allowed. Now, with the RDS Gateway in between the client and the host server, changing passwords is disabled.

Is there an option, group policy setting or something that can be adjusted to allow password changing??

I know about the RDWeb hot fix and i'm aware of the 3rd party solutions but i would like to know is there anything that can be done without those workarounds?

Thank you very much.

Hi All

Today I've noted the following when a Collection is renamed through RDS Server Manager:

• The icon folder store on all Collection Broker servers (HA) C:\Windows\RemotePackages\CPubFarms\<CollectionName> doesn't change from the original name.
  
• The Collection name registry keys living [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<CollectionName> also remain with the original Collection name.
• Reboots do not force a synchronisation.
• If either the registry key or folders mentioned above are renamed manually, within approx 10 minutes RDS renames them back (or creates fresh copies) using the Collection name originally used upon Collection creation - not using the new name!

1.  Is there a way to synchronise these?

2.  Can PowerShell be used to rename a session Collection? 

I spotted this cmdlet: Set-RDSessionCollectionConfiguration however there appears no way of entering both old and new Collection names should you wish to rename a Collection, so it implies only the properties can be modified, not its name.

3. Can a Collection and all attributes and applications be copied to another new Collection?

Custom Icons

I'm unsure how the IconPath variable is used within the cmd: Set-RDRemoteApp -CollectionName "<MyCollectionName>" -Alias "MyAppAlias" -IconPath""

-IconPath<String>

The reason I'm confused is that if I point -IconPath to an icon which doesn't have the same name as the App Alias, PowerShell will copy this icon to C:\Windows\RemotePackages\CPubFarms\<CollectionName> and rename it such it does.  However Get-RDRemoteApp -alias "<MyAppAlias>" | fl shows IconPath reflecting the original icon file, not the one which RDS has created using the same name as the App's alias.

RD Web displays the icon correctly and I can confirm that the icon RDS creates using the same name as the App Alias  is the one being used (not the one pointed to by IconPath) by simply renaming it and watching it disappear from RDWeb.

1.  If IconPath doesn't actually match the icon RDS is now using to display, what (if any) are the consequences?

2.  What's the actual purpose of IconPath?

3.  To align IconPath with the actual .ico RDS is using to display (which to me sounds logical), should I simply create multiple icons from the original source named using each app alias, store here: C:\Windows\RemotePackages\CPubFarms\<CollectionName>\MyAppAlias.ico and register IconPath with C:\Windows\RemotePackages\CPubFarms\<CollectionName>\MyAppAlias.ico

4.  Is IconPath used just once when the PowerShell script is run - therefore maybe has no relevance after?

Questions question I know!

Thanks for any pointers...

Lea

We are migrating our applications from server 2003 to 2012 and 2008,  We are facing some issues with our legacy applications that use Com, com+ and dcom architecture.

DCOM settings

a) Identity - Interactive User

b) Remote Access - Allowed to all users

When we connect to server using remote desktop services,  DCOM components can be successfully invoked.  However, if we close the remote desktop session, and the server is in disconnected mode the client applications can't invoke the DCOM.

Can someone tell me what setting I should change so the component can be initiated while it is in disconnected mode?

Thanks very much!

Al

Hello,

I managed to lockdown a RDS server (Windows Server 2012r2), but the policy is also applying to users desktops. Loopback Policy has been set in the policy. Also removing the policy does not help.

I linked the GPO to an RDS-Server OU, removed authenticated users and added the RDS server and RDS-USERS security group. So I can see nothing wrong.

Any ideas?

Best Regards,

Robin

Hi,

Sorry for my english.

We have a licence server with 4 per device 2008 Cals packs.

We have 3 problems on these packs:

1- We have unknown devices which take more than one permanent cals per each and many temporary cals too. Is there a way to find these devices or to know on which server the connection have been maid?

2- We have 2 windows 2003 server with citrix (4.5 rollup5 & 4.6) who take many permanent licence on 2008 pack? Why did they don't keep 2003 per device cals?

3- Is there a way to identify devices which have take licence on citrix. For the moment I think citrix server is masking client device on licence server.

Please help me...

Hello

Our environment consists of a two node Hyper-V Cluster and a single Server as Connection Broker and RD Web Access Server. All Servers are Windows Server 2012 R2. In general, everything works fine in this Environment.

The Hyper-Guests  (Windows 8.1) in the pooled collection  are configured with two NIC's. The first NIC get's the IP address from a DHCP Server and the second get configured by a powershell script. This script is attached to a Group Policy as a startup script and runs every time the Client ist started. So far, so good.

The pooled collection runs with the Option "roll back virtual Desktop" enabled. This roll back works fine, but after the rollback the Startupscript from a GPO won't get run.

My question is, how can I force the script to get run the same way as when I reboot the Client?

thanks for your Inputs,

Juerg

I'm trying to set up an RD Connection Broker for RemoteApp, but I'm getting an error when I try to create a self signed cert for the RD Gateway:

The self-signed certificate has been successfully created, but RD Gateway cannot store the certificate in the directory C:\Users\myuserid\Documents. Please specify a different directory, and try again."

I tried other directories, all of which I have full rights to, but still no dice. I can't find anything with this error. Any idea how I can get past it?

FWIW, I have no problem logging into this server through RDP.

Thanks.

Hello

i've had some users report of extreme slowness when viewing various pdfs on our remote desktop servers. these pdfs are below 1Mb and users have no issues with larger pdfs. i myself have opened a reported pdf on the remote desktop servers without any problems. it seems this affects some users.

we have adobe reader x 10.1.4.

i have already implemented Adobes suggestion to implement reg values - https://helpx.adobe.com/acrobat/kb/slow-display-performance-terminal-server.html

this hasnt helped certain users.

is there something inside a users windows profile which could impact performance?

thanks

Elroy

Anyone know what I can do to prevent my RemoteApps sessions from freezing on me? I'm using windows 8.1 Ent. to host a Hyper-v instance of Windows 10 Ent.  I have an rdp file with the remote app parameters set to launch a specific application such as Outlook.  However, after about 5 minutes all the remoteapps will freeze. However, the menu bars in them will still work.  Any suggestions of any settings or a hint of what to try next would be great! This worked completely fine in windows 8.1 and all I did was update my VM to v10.

I have a server that showed these counts in the RD Licensing Manager list (ignoring windows 2000 entry):

Windows Server 2012 - Installed RDS per User CAL Program: Open Total Licenses: 5 Available: 0 Issued: 0 keypack id: 7

Windows Server 2012 - Installed RDS per User CAL Program: Open Total Licenses: 5 Available: 0 Issued: 0 keypack id: 4

Windows Server 2012 - Installed RDS per User CAL Program: Built-in Overused Total Licenses: 0 Available: 0 Issued 13

The firm that set this server up (long gone) probably bought ten licenses, is that how I interpret?

Does built in overused count 13 mean that the normal licenses are not being used, and up to 13 sort of temporary licenses have been issued? The license server and the rd host are both o windows 2012.

The site has at most 10-12 users active at any time. The other day a person could not log on;  I think there were ten listed users at the time; and after I logged off a disconnected user he was able to log on. I might guess that we need to buy some additional licenses...but, does server 2012 rd license server stop issuing licenses after it exceeds 10 in our case? I just want to make sure that is the reason he was able to log on after I dumped an inactive user.

I don't understand about the overused licenses and why the two sets of 5 don't seem to be used?

Hello,

I have a RD Gateway server setup running RemoteApp to serve an application. However, it has been requested that 2FA using soft tokens be setup to secure the system. This would need to be done on the Remote Desktop connection itself rather than through RDWeb as users could just reuse the same file. From looking at it there doesn't seem to be a solid solution built into the current version of RD Gateway; PAA seems like a possibility, and from the sounds of it something can be done by putting it behind ADFS and a WAP, but I haven't been able to get it working.

With that said, is there any way to secure a RemoteApp using a certificate presented by the client?

Thanks!

I'm currently setting up a Remote Desktop server (VM I spun up with Windows Server 2012 R2), and I'm looking to make it a terminal server for employees out in the field (we're a construction company).

Can anyone link a good guide on how to accomplish this? I think I've got most of it down, but I'm wanting them to be able to type a domain name under mstsc.exe (remote desktop connection) to connect over the internet. I'm assuming this involves some records on the domain and a NAT policy configuration?? Port forwarding? Anyhow, any help would be great.

Hello experts. 

We have hundreds of users on 2012 R2 RDS session host servers and have a non-stop problem with the Windows Search .edb file growing extremely large and filling up all disk space. 

This looks to be a major problem for IT departments everywhere, based on a few seconds of searching around. 

The main items we have in place to try and combat this problem:

1.) We have enabled the "DisableSearchBackoff" and added the Corecount registry key found in this post:

http://www.cyberdrain.com/?p=116

2.) We have a batch file that runs the commands found below on a nightly basis, which defragments the search index database. 

https://support.microsoft.com/en-us/kb/2838018

3.) We have moved the index from C volume to dedicated drives. 

The problem is, no matter how much space we add, the files just keep growing. Is the only resolution to add a massive volume to each session host for this file to grow as large as it wants? I have seen many threads on various forums where people have reached out to Microsoft support on multiple occasions for this issue and the work around is to rebuild or defrag the database. I know there are lots of these threads out there but I'm curious if anyone has found a solution yet. Thanks in advance. 

Users are accessing through MSTSC and they have saved the .RDP file with credentials but is still asking for credentials when they clicking on connect button on MSTSC window and after that it is again asking for the credentials at the login screen  of TS server. 

RDP client version 6.0.6001

TS server 2003.

we have tried below things.

1) "Always prompt client for password upon connection" this policy is already disabled as it should be.

2) followed below article .

Thanks, Sajjan T