RDS 2012 R2 with 1 GW (and web access), 1 CB and 3 SH's. Right now, all those RD servers are inside the LAN. I would like to take the web access and move it to the perimeter of the network (like a DMZ). Is this possible and if so, what is the process of moving an existing web access server to the perimeter network? The RD gateway server is a hyper-v VM.

So we have a single firewall network with 1 port to DMZ, 1 port to "trusted" and 1 port to the internet. The DMZ does NOT have AD DS on it but AD DS is on the LAN.

https://blogs.technet.microsoft.com/enterprisemobility/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules/

I have the following setup:

4 RDSH servers

1 RDBroker

1 RDWEB/Gateway

All are Server 2012 R2

I can publish up to approx 50 apps and the RDMS UI will still load.

When I publish all our apps 114 to be exact.  The UI will not load.  When I open Server Manager and click on the RDS section it tries to load the data and eventually times out with "Could Not refresh the list of servers" "Check the status of the following services on RD Connection Broker Server: Remote Connection Broker. Windows Remote Management and Windows Internal Database.

If I remove some of the apps the UI will open.....  I also have tried to migrate this to an HA Broker setup with the Database stored on a remote SQL Server, all worked until I published above about 60 apps then it still breaks.  Naturally there are no errors other than that one listed above.  I know we are not the only people using this to publish this many apps.  Any help out there?

Johnathan Hughes Fire & Life Safety America Inc. Systems Admin

We attempted a stress load on our server and found users unable to join. The RDS would blackscreen and drop. It happened after 8 users had joined. The performance also was dropping as each connection stacked and after we saw the Event Viewer had 450+ Critical Error 1000 with dwm.exe dwmcore.dll crashing.

HP Dl380 Gen9

2x Xeon E5-2697 v3

192GB Ram

Nvidia Quadro M6000 24GB (Current Driver) RemoteFX enabled

Windows Server 2016

Bare-Metal RD Terminal Sessions

We currently have a similar environment with 2012R2 without a problem,

We are trying to get a published application to work on Window Server 2012 R2 that requires the %CLIENTNAME% environment variable. When logged in locally on that Remote Desktop Server the variable is available and works as expected. When we publish our application and try to reference %CLIENTNAME% we then receive an error that nothing is set for %CLIENTNAME%. I have checked the HKCU\Volatile Enviroment\ and I can see the session with the CLIENTNAME there.

If we change the application to use %USERNAME% or %COMPUTERNAME% than it will input the corresponding values, so I know it is reading some environment variables. 

Our clients are Windows 10.

After upgrading two of my machines to Windows 10 (Education N clean install and Pro N upgrade from Win8.1), I was not able to set up Remote Desktop as I was used to since Windows 7 (maybe this was possible before, too).

I am used to configure Windows to allow RDP connections as a user without password (home usage only). Apparently this is not working anymore after upgrading to Windows 10. (I have enabled this by modifying secpol.msc 's security policies. Further informations provided if needed).

With the "no password" setup i get immediatly disconnected by the local machine which seems to auto login by itself after connecting via RDP. The only solution I managed to find so far was to set up a password. 

Is this a bug or a feature?

Cheers

Hello,

So, I have a company that hosts a quickbooks program for us. They recently dumped Citrix (which I dont agree with, but oh well) and are using an RDS Gateway.  I can connect to the gateway , but I cannot make an RDP connection to the internal PC behind the gateway.  If I pull my PC or another PC outside my firewall and onto a basic cable modem setup, I can connect fine to both.  I am going crazy looking through Palo Alto logs because I am sure it is blocking or decrpyting something.  But, this is apparently not the case.  Anyone else have a similar situation , i.e. Palo ALto Firewalls ?

Thanks,

jeff Z

Hello,

I have researched this issue for hours now and didn't find a resolution.

So I have a physical Dell server which runs Windows Server 2012 R2. Its a single server setup which means all RDS related roles are running on one physical server. Users access published apps on that server and also establish RDP sessions from there. About every 3 weeks all users see the black screen issue when they are trying to open apps from the server and I also see the black screen after login when I directly RDP into the server.

The server is fully patched and has all the recommended hotfixes installed related to this issue. Idle active user sessions are being disconnected after 2h and disconnected sessions are being disconnected after 15min. So the max users I have on this server at a time are between 10 and 15. The server has plenty of resources CPU, Memory and disk space.

When the issue occurs even ctrl+alt+end does not even work. I will have to reboot the server via shutdown -i from another machine. 

I believe the server actually still runs and all services are up because SCOM does not trigger an alert.

I am really clueless why this issue keeps coming back after running for a couple of weeks. We have several other Windows Server 2012 R2 machines and I don't see that issue on them. I have to admit they do not run RDS.

I am tempted to setup a weekly reboot of the server but honestly that would be my last gateway of resort. 

Can someone please help me and give me some additional ideas what the issue could be.

Thank you

Hello everyone,

I have a remote desktop services server under Windows Server 2012 that only publishes one application. All of the roles are on this server. The AD domain that this server is currently a member of is in the process of being decommissioned. I need to remove this server from its current domain and add it to the main domain and get RDS to function again. All of the AD users/groups have already been recreated on the main domain.

Since the production RDS server is a VM, I cloned it and performed all of the necessary changes and added it to the main domain so that I could test reconfiguring the RDS setup. The problem that I can't seem to get by is how to add the new server name/domain to the server pool. Under Server Manager > Remote Desktop servers > Overview I see the following message: "The following servers in this deployment are not part of the server pool: 1.old-server-name.olddomain.local The servers must be added to the server pool"

Any help would be greatly appreciated.

Vossa

Vossa

So Here's my oddball issue.

We have 3 RDS session host servers: RDSHost1, RDSHost2, and RDSHost3.  We followed the wizards to set everything up, but now, we cannot get teh Group policy for "Allow log on through Terminal Services" to work on the servers.  We've provided access to a new Global Security group named "Remote Desktop Site", and enforced/link enabled the policy.  When I do the Group Policy results, the machine shows as getting the policy and having the proper values, but upon logging into the server, the members list is blank.  I've been banging my head against a wall for 3 days on this.  am I missing something?  Does RDS break RDP?

I have 3 terminal servers that have been placed into a farm with load balancing. The session broker is a Server 2008 and the two members are both Server 2008 R2 virtual machines. What we have been noticing is that random users will loose their shortcuts for the application we need them to run. The application only works correctly when the application server has been mapped to the terminal server and the shortcut properties modified to have it look for the map drive and not the server address. It seems like every couple of days users will not be able to run the application because the shortcut is either gone or has reverted back to the old path. We do not have profiles turned on as we have a wide variety of OS and servers in the building. One thing that I have noticed as this seems to happen more to our employees that have to connect through a VPN. We use Cisco AnyConnect as our VPN. Has anyone else had this problem and is there a way to correct it?

One more thing to add is that we had a restart script for all of our terminal servers but we do not think that it is causing the problem.

Hi,

we have an intermittent issue whenever some users connect to our RDS environment. our RDS is setup is we have 2 RDS servers (2012R2) with round robin DNS configured. Users will need to connect via rdp to hostname.domain.com (DNS) but for some users, they wil get the error "The connection has been terminated because an unexpected server authentication certificate was received fro the remote computer".

Now, i didn't get this error before until i installed the win 10 build 1607. 

i found this technet forum were a workaround is able to fix this. You need to replace the current mstsc.exe and mstscax.dll from a system still running win 10 build 151.

https://social.technet.microsoft.com/Forums/Windows/en-US/5871a96e-b80e-4c67-9b0c-1ff8f64565b4/windows-10-1607-update-not-working-with-remote-desktop-gateway-server?forum=win10itprogeneral

is there a permanent fix already for this issue? thank you very much.

cris-up

Hi all - I'm setting up a secure RD Gateway and Session Host for testing and development.  The RD Gateway, Domain Controller, and RD Session Host servers are all up and running.  Now, I successfully exported the SSL certificate from the GATEWAY and imported it into the client.  Now, I'm receiving messages that the RD Session Host server is not trusted. " The identity of the remote computer cannot be verified.  Do you want to connect anyway".

It is my understanding that all traffic is through the gateway - even though it looks like you have to specify the actual RD server you are connecting to in the Remote Desktop Client connection.

Do I have to have a certificate for the RD Server in addition to the gateway?

Thanks!

Hello all,

  I'm working on a project now which has five RDS servers, four of which are Session Hosts, and one functions as both RDS Gateway and RD Connection Broker.  I've got my Four session hosts setup as a RDS Farm using DNS Round-Robining combined with Connection Broker and internally I can access the RDS Farm with only a few issues, namely an error that



 If I click Yes, to Connect Despite these certificate errors, I then get the same message again for another RDS Farm host.

Here is what I think is happening.  When I connect to rds.company.org, DNS has four entries listed, one for each host, so my connection goes to one of them, which prompts this message the first time.  This then uses connection broker to route to the most available host, prompting the message to display a second time.

  My company ordered the SSL certificates for me, so now we have five of them:

Name
----
certificate.crt
Intermediary_Certificate_1.crt
Intermediary_Certificate_2.crt
Privatekey.key
Root_Certificate.crt

  My questions are this :

1. What do I do with these certificates to get rid of the messages we're seeing?
2. How do I then allow remote users to connect to this RDS farm without also getting these errors?  We have public DNS entries now pointing to the RDS farm, but externally, I can't seem to connect to my farms address if I put the name "remote.company.org" in my Remote Desktop Connection Client.  

  Thanks guys for any help you can give.  I feel like RDS is one of those lingering undocumented technologies.  I've checked all the usual sources before coming here.

Hello,

I have just finished installing a RDS Gateway in a DMZ and a Session Host in a LAN (both with 2008 R2)

I am reading some documentation but I am not sure whether I must install the same certificate in both machines.

I installed a certificate (from my internal CA) for the gateway, and then exported it into the Session host machine. 

Could that be correct? . Thanks in advance.

Luis Olías.

Hi, I've found a problem about "License Gateway Server Error". If anyone have experience about this, please suggest to me. My Problem details is as follow.

In our network, I used windows server 2012 as active directory server. We have another server (Lets' say Server2)that needs to remote login. So, technician set up our AD Server as "License Gateway Server" and our users can remotely access to Server2. After three months later, our users can't access to Server2 and IT administrators can't access to AD Servers. When it's try a remote session, it show like this

"The remote session was disconnected because there are no Remote Desktop License Server available to provide a license.Please contact to the Server Administrator."

In this situation, technician make "License Gateway Server " at Server2. Our Users can access Server2 Remotely. But for AD Server, nobody can access with remote Desktop.

So, I would like to know, " If I removed License Gateway Service on AD Server, is there any impacts to network". Or how should I do to make normal remote desktop service to my Active Directory Server. Is there any technical man, please suggest to me. Thanks you.

We have had an ongoing problem affecting all of our terminal servers in a TS farm at random times and not all at once.  It doesn't seem to be a problem with the individual servers but a roaming issue that causes the entire farm to stop serving sessions. There are a couple event ID's that show up in the RDS on the server:

Error 36: Microsoft-Windows-TerminalServices-LocalSessionManager: An error occurred when transitioning from DisconnectedLoggedOn in response to EvConnected. (ErrorCode 0x80070102)

Error 1152: Microsoft-Windows-TerminalServices-RemoteConnectionManager: Failed to create KVP sessions string. Error Code 0x8007007A

The only way to allow the TS farm to start allowing connections is to reboot the problem server at that time.

Hi there,

we've got Win2012R2 Server with RDP services running and some RemoteApps published for end users who use Windows 7 Pro & Windows 10.

If users log in to RDP server using mstsc.exe tool they can use clipboard redirection w/o any issues.

If the same users use a RemoteApp which works on the same server of course then clipboard redirection doesn't work for them.

If I open one of these published rdp files in a text editor I can clearly see that it has all required features enabled such as:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:0
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1

I played with group policies/local group policies on both ends without any luck.

Would be great to get any help.

Thanks!

I have the following scenario:

Firewall 

WebAccess (Internet/intranet) - WA.internal.net

Internal 

Gateway - GW.internal.net

Connection Broker - CB.internal.net

Session Host - SH.internal.net

All the internal.net 2012 servers are on the AD Domain internal.net and have a *.internal.net certificate installed.

We would like all the users to go to WebAccess (WA) to logon to access resources on the SH.

We have configured Split-Brain DNS so outside users and inside users can access the URL held on the WA which is www.external.com

We purchased a certificate for www.external.com

I have applied this certificate to the server WA and GW. Via the: Deployment Properties - Certificates.

On logon I get two errors:

Internal logon: Your computer can't connect to the remote computer because the remote desktop gateway server address requested and the certificate subject name do not match.

Web logon:

A website is trying to run a RemoteApp Program... Publisher *.internal.net

Remote computer: CB.internal.net

Gateway Server: GW.internal.net

Click connect:

Your computer can't connect to the remote computer because the remote desktop gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

I guess this is a problem with the www.external.com certificate?

Having read a little more it should be a wild card?

How could a *.external.com work on a domain internal.net?

What do I need to do to get this to work using single Sign on?

Hello everyone!

I'm searching for help or advice in my situation. We have multiple RDS servers based on Windows Server 2012R2 with smart-card authentication. Sometimes users start experiencing problems with logon on this servers with following conditions - While using smart-card authentication, logon process hangs on welcome screen, there are multiple unnamed sessions in task manager with four basic processes and service "Certificate Propagation" don't start with warning which says that "service will not start because there aren't any processes that use this service" or something like that. In the same time, I can logon to this RDS server using standard login/password authentication with no problem. Users which is already login to the server with smart-cards continue their tasks on the server with no any problem too. I can not close this unnamed sessions using all known by me tools and problem is solved only by reboot.

Please, can anyone help to find out where is problem and how to solve it?

Best Regards, Bair.