Quantcast
Channel: Remote Desktop Services (Terminal Services) forum
Viewing all 7220 articles
Browse latest View live

MSTSC /admin switch, non-admin users and "SD_CONSOLE"

June 17, 2009, 3:12 am
$
0
0
In my organisation "administrators" do not logon with administrator accounts but use ordinary user accounts. Any elevation is achieved through use of secondary logon ("run as administrator"). All good practice and no problem using RDP to administer servers.

But when it comes to the "Terminal Server" it is necessary to use mstsc's /admin switch to avoid consuming a CAL. Except that if you use an ordinary user (non-admin) with the /admin switch the session will be denied.

So how can I achieve best-practice and not use a TS CAL?

The nearest I've got to solving this comes from M. Tulloch's book "Introducing Windows 2008": "To obtain administrative sessions using /admin, the user must be part of the Remote Desktop Users group and should be listed in SD_CONSOLE". Apparently only the Administrators group is listed in the SD_CONSOLE ACL.

But on earth is the SD_CONSOLE?
Search

Can A Windows 7 Virtual Machine Be Used As An RD Session Host?

April 18, 2019, 2:03 pm
$
0
0

Hi all, our Windows 2012R2 RDS system was just handed over to me to support. With little knowledge I was tasked with setting up the following and am wondering if this even possible.

Task: Set up a Windows7 32bit session host so that some very old software can be loaded on it and it would be accessed by only one person. The user is working remotely and can only get to an internet accessible RDS gateway that would provide access to the Windows 7 Session Host inside our network.

The windows7 Hyper-V virtual machine was created and then I get on our Windows 2012R2 server where RDS is managed and I open up Server Manager and add the new Windows7 PC. The Server Manager shows a Manageability status of "Online - Cannot manage a client-based operating system'.

Can I still add this Windows 7 vm as a Session Host in RDS? Is Windows 7 even a supported operating system to function as an RDS Session Host? Can I create a session collection such that the win7 session host will be used for Remote Desktop sessions?

Any feedback will help me understand RDS better and would be much appreciated.

 

Disabled tls 1.0 in windows 2012 r2 prevents remote desktop service from starting.

July 4, 2018, 8:29 pm
$
0
0

I searched everywhere and i cant find an answer. I tried enabled fips, it worked but the remoteapps failed to launch and crashes.

I tried setting the rdp security layer and that didnt help, the rdm still failed to start.

The only thing that work is enabled tls 1.0 which we need to disabled.

Any ideas. Thank you

Disabling TLS 1.0 on Server 2012 R2 causes Remote Desktop Management Service to fail to start

August 15, 2016, 1:11 pm
$
0
0

Very basic RDS setup on Server 2012 R2.  Single VM running all roles.  Everything works fine until I disable TLS 1.0 on the Server.

Then Remote Desktop Management Service fails to start with Error code: 0x88250003.  

Service Control Manager error gives error code: %%2284126211

And I see tons of SChannel 36871 errors: A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Any ideas?

Patrick

Windows Server 2012R2 - svchost.exe 60-100% load!

April 10, 2014, 7:32 am
$
0
0

We are using RDS collection with two Windows Server 2012R2 session hosts. Both hosts are virtual servers (clean installation) and are used as session hosts (terminals) with 10 to 25 users each. RDS Connection Broker is also virtual machine with Windows Server 2012 R2. Our users are using Windows 7 Embedded thin clients with MSTSC RDP 8.0.

There is problem with high cpu load on these servers. Sometimes Svchost.exe starts to cause 60-100% load. Our virtual machines have 10 virtual processor cores. Load is caused by LSM (Local Session Manager) Service from DCOM Launcher group. Svchost creates many thread as you can see on picture attached. Sometimes this load disappears after 12-24 hours, sometimes it needs restarting whole server.

We still cannot find cause of this problem, although we managed to reproduce this issue one time by logging two admin accounts to server console and force disconnecting one of these accounts by third admin account connecting to server console by RDP mstsc.exe with -admin parameter.

Our users are very unsatisfied :-(

This is screenshot of Process Explorer - svchost.exe - Threads:

The Remote Desktop license server cannot update the license attributes

May 5, 2010, 6:58 pm
$
0
0

I have a domain that was successfully running with two Windows 2003 DCs.  I added a Windows 2008 R2 DC to the network successfully.  I demoted (removed) one of the 2003 DCs.  I added a Windows 2008 R2 Terminal Server to the network.  I added the TS Licensing Server as well.  I activated the Licensing Server and installed my User CALs.  All seemed to work well until I looked at the error log.  Whenever a non-administrator user logs in to the TS machine I get an error in the errror log telling me that

The Remote Desktop license server cannot update the license attributes for user "USER" in the Active Directory Domain "DOMAIN". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "DOMAIN".

I do not get this error when an administrator logs in via TS.

When I look at the Security Groups in the DC for the domain there is a Builtin Security Group called "Terminal Server License Servers" and it has the terminal services computer (which is the same as the license server) listed in the group.

How do I fix this?

 

"Terminal Services license server group" is not added to user accounts in Windows 2003 domain

February 11, 2009, 4:11 pm
$
0
0
We have a Windows 2003 domain and have just set up some terminal servers using a Windows 2008 terminal server licensing manager server in the domain (we are using per user licensing). This license server is not a DC.

Our problem is that mostusers will not be assigned licenses from the license server and the eventviewer says:

The Terminal Services license server cannot update the license attributes for user "XXX" in the Active Directory Domain "mydomain.intern". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "dirnat.intern".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Terminal Services Licensing service to track or report the usage of TS Per User CALs.

Well, sure enough the server in question was not member of the "Terminal Server License Servers" group at first but was added. Restarted (both ts and licensing servers) and the situation is still the same.

A little further investigation shows that this problem occours for apx 3 out of 4 users. Checking users permissions with powershell get-adpermission reveals that the group "Terminal Server License Servers" is present with some special permissions on the accounts who works, and is absent on the rest. At first it looked like it was a inheritance problem, but the users OU shows no trace of the "Terminal Server Licensing Servers"-group.  Interestingly enough all newly created users gets the correct permissions which makes me think that the permissions are added as a part of default settings from the AD-Schema. I can see that the "Terminal Server Licensing Servers"-group is present with permssions on the users objevt, but the AD Schema mmc-snapin doesnt seem to be able to list which particular permissions this is.

Anyway - at one point a job must have been triggered that tried to set these permissions for all user accounts (?) in my domain, but it must have stopped at one point. Is there a way I can trig this manually?  Or is there another way to get this done by the book?

I was thinking I could simply set the permissions manually through powershell and hope for the best, but I really don't like doing that in case this is a sign that something else is wrong with my AD. I suspect this because profile-folders seem to be inconsistent on some users (some are created as USERNAME.V2 while others are created as USERNAME.DOMAIN.V2 and some users gets both of them and the TS keeps alternating between them..) Strange thing, but perhaps this is all connected.

Anyone have a suggestion here?. Should I fix the accounts with a set-adpermission command or choose another approach?

There seems to be others with quite similar problems in this thread:




Event ID 4105 - Need to fix corrupted DACLs

January 27, 2012, 8:37 am
$
0
0

I'm receiving event id: 4105 on my RDS license server event logs.  I've determined that I have a corrupted DACLS because I have reviewed the following articles:

http://support.microsoft.com/kb/2030310

http://itinternals.blogspot.com/2012/01/resovling-event-id-4105-terminal.html

Basically if I follow these directions:

Make sure, the domain group "Terminal Server License Servers" has the following permissions to the active directories users:
- Open Active Directory Users And Computers
- Tick View -> Advanced
- Right click on the root of your domain and select properties.
- Select the Security tab.
- Check if "Terminal Server License Servers" is listed with special permissions. If not, click on "Advanced" and add the domain group "Terminal Server License Servers", select "Applies onto" "User objects", then tick the permissions "Read Terminal Server License Servers" and "Write Terminal Server License Servers".

I don't see "Read Terminal Server" or "Write Terminal Server"

The solution suggested in the MS article states the following resolution:

Windows Server 2003 level Schema

dsacls "CN=XXXX,OU=XXXX,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXX,DC=XXX" /G
"BUILTIN\Terminal Server License Servers:WPRP;terminalServer"

When you grant the permissions on a container, you should use the following command:
dsacls "OU=XXXX,DC=XXXX,DC=XXXX,DC=XXX" /I:S /G 
"BUILTIN\Terminal Server License Servers:WPRP;terminalServer;user"

 

My question is, am I really typing XXXX or do I need to determine what my CN, OU, DC are?  It's not clear what I should be typing to replace the X's if that I what I should be doing.  Can anyone help?

 


Search

Server 2019 GPU Partitioning

April 29, 2019, 6:50 am
$
0
0

Hi everyone,

we are planning to install a new RDSH server 2019 in our company.

One of the new technologies in 2019 is the GPU Partitioning feature.

However, I am not sure if this feature is only availbe when the RDSH is a virtual machine, running inside a Hyper-V or do we need a bare metal installation of the RDSH?

In addition, could someone recommend a graphic card for such scenario?

The new server will be a HP DL380 G10. About 25 clients will connect to the RDSH and just do the normal office stuff but might also need to watch videos on youtube, etc. and as far as I understood the new GPU Partitioning feature will help to show the videos smoothly.

Thank you very much in advance for your support

Greetings
Aktuator

Remote Desktop can't connect to VM

January 28, 2013, 11:47 am
$
0
0

We started using Hyper-V a few months ago. Until a few days ago, everything is working great. We have 2 physical hosts running Windows Server 2012. Each physical host has been running one VM (Windows Server 2008 R2) which is replicating to the other host.

We have added another virtual machine. It works great except Remote Desktop Connection cannot connect to it. When I try, I get the standard message:

Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

I've checked everything I can think of including:

  • VM is allowing remote access. To be sure, I even turned it off and back on.
  • There is no firewall blocking anything. To be sure, Windows firewall is turned off.
  • Remote Desktop CAN connect to the other VMs including the one running on the same physical host.
  • Everything else on the VM seems to be working. IIS is running there and web pages come up nicely. File access is good too.

There are 2 differences between this new VM and the other ones:

  • This OS is Windows Server 2008 (not R2). The other VMs are R2.
  • This VM was not created from scratch. I used Sysinternals Disk2vhd to generate a VHD from an existing physical machine and then configured a new VM to use that VHD.

I'd be very grateful for advice on how to get RDC working.

Cam

Load Balance 3391/UDP and 443 for Gateways

April 18, 2019, 1:27 pm
$
0
0

Looking for some help concerning the RDS Gateway Role and load balancing.

I have an pre-production RDS environment that contains 3x Gateway Servers. I have tested the environment by connecting through each one of the individual Gateways and everything works just fine.

I'm now at the point where I want to use my hardware load balancer (F5) to receive the connections and distribute them between the 3 Gateways. I would also like to use the UDP Transport on 3391 as well.

The part that I don't completely understand is that I'm assuming that each individual connection, which will be coming in on both TCP 443 and UDP 3391 would need to be routed to the same gateway?

It would make sense and be easy to set the LB up to balance both ports to the 3 Gateways, but without any specific load balancer magic, connection "A" might go to one gateway for 443 and a different gateway for 3391.

 

 

Jay Schwegler

WindowsServer 2016 RDS CertPropSvc error

March 5, 2019, 7:15 am
$
0
0

One of our customers has the following problem:

If a user using a smart card logs on to the terminal server, the CertPropSvc has an error.
Then the "User Profile Service" restarts.
After that, all other users are only logged in with temporary profiles.

The problem first appeared after the following Windows Server 2016 updates were installed:

  • KB4091664 (2018-09 Update for Windows Server 2016 for x64-based Systems)
  • KB4487038 (2019-02 Security Update for Adobe Flash Player for Windows Server 2016 for x64-based Systems)
  • KB4485447 (2019-02 Servicing Stack Update for Windows Server 2016 for x64-based Systems)
  • KB4487026 (2019-02 Cumulative Update for Windows Server 2016 for x64-based Systems)

After we noticed the error, the following update was installed:

  • KB4487006 (2019-02 Cumulative Update for Windows Server 2016 for x64-based Systems)

However, this did not improve the situation.

At first only one of the servers was affected by the error as it was the only one that got the updates installed.

But the other ones got the same problem after installing the updates.

We currently needed to disable smartcard redirection for the affected rds farm and would 

Event Viewer:

  • 07:28:40 -> User logs on with the smartcard connected via usb (and smartcard enabled on the rds-server)
  • 07:28:46 -> CertPropSvc error #1
  • 07:28:47 -> desktopshellext.dll / sihost.exe error
  • 07:27:47 -> user profile service restart
  • 07:28:57 -> twinui.dll / explorer.exe error
  • 07:29:33 -> user profile service logging in a user with a temporary profile

CertPropSvc Error:

Event 1000, Application Error

  • Faulting application name: svchost.exe_CertPropSvc, version: 10.0.14393.0, time stamp: 0x57899b1c
    Faulting module name: ntdll.dll, version: 10.0.14393.2608, time stamp: 0x5bd133d4
    Exception code: 0xc0000008
    Fault offset: 0x00000000000a975a
    Faulting process id: 0x47c
    Faulting application start time: 0x01d4d1f5f8b67d6b
    Faulting application path: C:\Windows\system32\svchost.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 35e736e3-1a95-4370-8182-06acccf78d28
    Faulting package full name: 
    Faulting package-relative application ID: 

Event 1001, Windows Error Reporting

  • Fault bucket , type 0
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: svchost.exe_CertPropSvc
    P2: 10.0.14393.0
    P3: 57899b1c
    P4: ntdll.dll
    P5: 10.0.14393.2608
    P6: 5bd133d4
    P7: c0000008
    P8: 00000000000a975a
    P9: 
    P10: 

    Attached files:

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_Cert_26a6b2b3886758ea49d9b56135f8ec6a67e4e8_4de58e77_7009cbd6

    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: 35e736e3-1a95-4370-8182-06acccf78d28
    Report Status: 4
    Hashed bucket: 

User Profile Service:

Event 1531, User Profile Service

  • The User Profile Service has started successfully.  

I could provide other logs if needed.

Remove RD Connection Broker

March 28, 2017, 10:08 pm
$
0
0

I have a new RDS deployment.

We have made the Broker HA.

Attempting to add the second Connection Broker, the role was installed but it reported that it failed, not much else of any use just failure.

As it turns out the Broker role was installed, but not as part of the HA configuration, and it now shows as part of RDS as a connection broker.

Attempting to remove the roles from the RDS deployment (Server Manager) fails responding that it is not part of the deployment.

Question is now how can I force the remove of the server from the deployment scenario sand start again?

I found this, https://support.microsoft.com/en-us/help/2925854/cannot-remove-an-rd-host-from-an-rds-deploymentwhich is of no help as MS want you to call them and I can't exactly do that..

so to sum up: I have an RDS deployment with two brokers, one is in HA mode talking to SQL, adding the second failed but still installed the role but not in HA mode. RDS will not allow me to remove the failed (2nd) server.

Remote Desktop Gateway Service

August 19, 2009, 3:04 am
$
0
0
Hi,

I'm having some trouble with Remote Desktop Gateway services in Windows 2008 R2 RTM Standard. TS Gateway worked perfectly in Win 2008 but it is not working in R2. I have the following logged. It seems like the Network Policy server cannot find the domain controllers. We are running windows 2003 AD and there are no connectivity issues. As I said, Windows 2008 TS Gateway worked perfectly. any help is appreciated!

Log Name:      System
Source:        NPS
Date:          18/08/2009 15:18:33
Event ID:      4402
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer.mydomain.internal
Description:
There is no domain controller available for domain mydomain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NPS" />
    <EventID Qualifiers="49152">4402</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-08-18T14:18:33.000000000Z" />
    <EventRecordID>936</EventRecordID>
    <Channel>System</Channel>
    <Computer>computer.mydomain.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data>mydomain</Data>
  </EventData>
</Event>

Can Server 2019 RDS use a 2016 RDS CAL

May 2, 2019, 12:27 pm
$
0
0

I have a Windows 2016 RDS license server with "Windows Server 2016 - Installed RDS Per User CAL" licenses installed on it.  I want to use this for Windows 2019 RDS connections.  Will 2019 use these CALs?  If not, what do I do?

1) Do I have to build a new server 2019 RDS license server and migrate my licenses?  Assuming the migrated licenses are backwards compatible with 2008R2, 2012R2, and 2016.

or

2) Can I use my existing 2016 RDS license server and "upgrade my existing" licenses?  Assuming the upgraded licenses are backwards compatible with 2008R2, 2012R2, and 2016.

or

3) Can I use my existing 2016 RDS license server and add NEW CALS that are specific for 2019.  Will that violate my license agreement because I now have double the licenses I own (x amount of the original and x amount added for 2019).

Thanks

NK


Search

Récupérer licence Licence Remote Desktop

May 2, 2019, 2:37 am
$
0
0

Bonjour , 

par erreur nous avons désinstallé la licence  sur le RD licencing Manager . nous avons essayé de réinstaller la licence   on a message que la licence est déjà activé . 

Est ce qu'il y a une solution pour récupérer la licence  ?

Version Windows sever : 2012 R STANDARD


RDS 2012 R2 and corrupt user profile disks (UPD)

February 24, 2015, 3:01 am
$
0
0

Hi!

I have a setup with two RDS 2012 R2 servers and one 2012 R2 server with a share for User Profile Disks.

It's normally running fine but sometimes some profiles gets corrupted and it's a mess to clean up. Also the old profile disk is useless which is strange.

I remove the profiles from the local RDS server (c:\users\username) and also from registry. But I have to also delete existing profile disk, it won't load again. That's a problem as I then have to spend time restoring data from the profile (I have to mount it and copy data).

Does anyone know of a fix ? It's a very time consuming and annoying problem......

Deployment overview is set to "Per User", but Licencing Diagnoser says the server is in "Per Device" mode.

May 5, 2019, 2:30 pm
$
0
0

I'm in the midst of setting up a Server 2016 RDS deployment and as far as I can tell I have everything right, but I'm having a licencing issue. 

For now, until I know everything is set up correctly I have just 5 "per user" CALs installed. They installed without any errors. 

In the Deployment Properties the RD Licensing was set to "Per User". The licensing server listed is the correct one, and the 'per user' cals are installed on the correct server. 

However, when I run the "Licencing Diagnoser", it says that the server is in "Per Device" mode. 

Reinstalling the licences has not helped. I'm not sure what to do, I'd hate to have to re-do the whole deployment. 

3389 not listening 2008r2

September 18, 2013, 11:50 am
$
0
0
i have rdp enabled on this 2008 r2 server but users cannot login via rdp. also 3389 is not listening. any ideas?

Intermittent Connection Issues to our Remote Desktop Server

June 26, 2015, 2:27 am
$
0
0

So we have a Hyper-V VM that is running Server 2008 R2. When using remote desktop to connect to this server we are randomly having issues connecting when trying to connect using both our external dns and ip address and also with the internal server name.

We receive the following error:

Remote Desktop can't connect to the remote computer for one of these reasons:

1) Remote access to the server is not enabled

2) The remote computer is turned off

3) The remote computer is not available on the network

All of the above are fine as we have used this server for a number of years. Its only been a recent thing that this has stopped working intermittently. I have 6 users connected today and now if i try and log in i get this message and i am trying several users who i know have connected recently.

Any ideas would help ?

Viewing all 7220 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>