Channel: Remote Desktop Services (Terminal Services) forum
Viewing all 7220 articles

RDS with Azure Load Balancing


Hi Folks,

I was testing out the solution provided by MS in one of the articles to configure RD GW/Web Access servers behind an Azure LB, but was confused by step 3: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha

Scenario: RDS GW/Web Access in HA running behind a Standard Azure Public Load Balancer. The solution works well, but if I start restricting the traffic via NSG, the only way the RD Gateway/WI URL works publicly is if I put the source: Internet; destination: IPs of my RDS GW/Web Access servers; port: 443.

Ideally, shouldn't it work if I enable port 443 from the outside network to the IP of the public load balancer (behind which my RD GW/Web Access servers actually are), or am I doing something wrong?
If it works by allowing port 443 to the internal IP of the RD GW/Web Access server, isn't it a security risk?
Please let me know if somebody can help clear up the confusion.


ManeeshB


W10 1709 RemoteApp - Pop-ups hidden behind main window


Hi, I have this issue after migrating the RDS server from 2012 R2 to 2016 when the client has Windows 10 1709, but with Windows 10 1703 there is no issue.

Any suggestions?

Deleted MSLicensing key from registry, now can't log in.


Hello,

I have accidentally removed HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing from the registry. Now I have login errors - licensing issues. Can somebody help me recreate this MSLicensing key so I can log on to the RDS server? I have Server 2008 R2 logging on to Server 2003. On Server 2003 I have a terminal license server. Sorry for my bad English; I am not a native speaker.

Specify a Program to Start Automatically When a User Logs On Does Not Work in 2016 Server


By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless a program has been specified to start when the user logs on to the remote session. If an initial starting program has been specified, it will be the only program that the user can use in the Remote Desktop Services session. The Start menu and the Windows Desktop are not displayed when the user logs on to the remote session, and when the user exits the program the session is automatically logged off. This feature does not work in Server 2016; it ignores whatever we specify and always starts a Desktop Session. We are running a workgroup, so group policy is not an option as a workaround. In Server 2012 and Server 2008 it works. Kindly advise how to get this basic feature to run in Server 2016.

Specify a Program to Start Automatically When a User Logs On Does Not Work in Server 2016

Windows 2016 RDS event 1306 Connection Broker Client failed to redirect the user... Error: NULL


I'm attempting to set up a Windows 2016 RDS Standard Deployment for Session Hosting.  The layout is as follows:
RDS01 - RDS Connection Broker and Web Access
TS02 - RDS Session Host
TS03 - RDS Session Host

The domain these servers are part of has (1) Windows 2008 Server and (2) Windows 2016 Servers acting as DCs.  The domain is running at Windows 2003 Functional Level.

All servers are on a single routed network with no firewall between them.  All DNS A and PTR records for all servers exist and resolve on all hosts.  All servers can be pinged by each other. In other words, there are no network connectivity issues.

I've set up the RDS deployment several times w/ the same results.

The Issue
I can login via the RDWeb interface on RDS01 from a Win10 desktop and connect to the published RDP desktop without issue (i.e. no error messages to the user) and no errors in the logs.  When I try to directly RDP to RDS01, I successfully authenticate as a user (per the event log) but get an error stating that the user doesn't have access to the system.  In the event log I get event id 1306 with the message of "Remote Desktop Connection Broker Client failed to redirect the user <domain>\<test user>.  Error: NULL".  

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-SessionBroker-Client" Guid="{2184B5C9-1C83-4304-9C58-A9E76F718993}" />
    <EventID>1306</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>104</Task>
    <Opcode>13</Opcode>
    <Keywords>0x2000000000000000</Keywords>
    <TimeCreated SystemTime="2016-12-29T16:47:27.634726700Z" />
    <EventRecordID>47</EventRecordID>
    <Correlation ActivityID="{F4209120-29ED-44E4-845A-25A2570F0000}" />
    <Execution ProcessID="828" ThreadID="3668" />
    <Channel>Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational</Channel>
    <Computer>rds01.[redacted.domain]</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <param1>[redacted.domain]</param1>
      <param2>[redacted.user]</param2>
      <param3>NULL</param3>
    </EventXML>
  </UserData>
</Event>


If I RDP to RDS01 as an administrator, I get the same error message but the RDP session opens and presents the desktop on RDS01.

I can RDP directly to TS02 or TS03 and login as a user and open the RDP session.  Redirection to some degree appears to be working in that I can disconnect a user session from TS02 and RDP to TS03 and the session is redirected back to TS02.  The event logs on RDS01 record this happening as well.

What I've tried already
1. In searching this event 1306 issue, I found several posts with this exact same behavior in WS 2012/R2.  Most "solutions" suggested point to the fact that the RDS Session Broker doesn't have sufficient authority to look up the user's AD group membership via the tokenGroupsGlobalAndUniversal attribute or the AuthzInitializeContextFromSid API function, which leverages the tokenGroupsGlobalAndUniversal attribute.  (Example: https://social.technet.microsoft.com/Forums/windowsserver/en-US/29733a87-dbda-47bc-8b37-6eeac5ab5a0a/2012-rds-nonadministrators-can-not-access-vdi-pool?forum=winserverTS#97d883f1-7a64-4d02-9492-309638f92e79 )

The service is running as "Network Service" which does have network access via the Computer Object's authority in AD.  So following Microsoft's instructions (https://support.microsoft.com/en-us/kb/331951), I've added RDS01 to both the Windows Authorization Access Group and Pre-Windows 2000 Compatibility Access groups and rebooted RDS01 with the same results.  

2. I've verified the Windows Authorization Access Group has rights to read the tokenGroupsGlobalAndUniversal property/attribute on my test users and the computer objects of the servers.

3. I've set up an AD Service account following Microsoft's instructions (https://support.microsoft.com/en-us/kb/842423) with a similarly described access issue.  The service account user was added to the Windows Authorization Access Group.  This was unsuccessful as well w/ the same event 1306 error.

4. I ran the following PowerShell commands to verify access of the Connection Broker to the OU (https://technet.microsoft.com/en-us/library/jj215512.aspx#)

Test-RDOUAccess -Domain [redacted.domain] -OU "Computers" -ConnectionBroker rds01.[redacted.domain] -verbose


This failed so I ran the following to grant access

Grant-RDOUAccess -Domain watsons.local -OU "Computers" -ConnectionBroker rds01.watsons.local -verbose 


The Test-RDOUAccess then succeeded.

I repeated this for the OUs that contained the users and the server computer objects.

I've disabled all GPOs to ensure there are no conflicts but have seen no change in the behavior or error messages.

With all that, I've exhausted every option that I can find to resolve this error to gain the expected functionality.  As a workaround for the moment, I've set up a round-robin DNS A record that points to TS02 and TS03 w/ a very short TTL.  This gives the test users the ability to log in and at least test the desktop functionality.

Sorry for being so long winded with this but I thought it better to put all the cards on the table.

I'm open to any and all suggestions.

Thx!

Remote Apps do not display in RDWeb - Remote desktop server 2016


I have a single Remote Desktop Server on the domain.

I have added the server to the RDS Access Servers group on the local server and Active Directory.

All of the Remote Apps are set to be visible in RD Web Access.

I did set up the server and publish the apps prior to adding the Remote Desktop Web Access role.


Joshua Lance

Remote Desktop user getting locked into a TEMP profile each time she logs in.


Hi everybody.

I work for a company that's supporting a non-profit crisis line, and there is a new 2008 R2 server running Remote Desktop services that they log into on top of their older servers.

On the older devices this one user can log in fine, but on the newer one she is stuck in a TEMP profile that deletes itself immediately after she logs out.

Here is a copy of the event logs.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          3/7/2011 11:47:12 AM
Event ID:      1085
Task Category: None
Level:         Warning
Keywords:
User:          name\alison
Computer:      UtilityBoxPrime.name.local
Description:
Windows failed to apply the Folder Redirection settings. Folder Redirection settings might have its own log file. Please click on the "More information" link.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1085</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2011-03-07T16:47:12.578720200Z" />
    <EventRecordID>6513</EventRecordID>
    <Correlation ActivityID="{0968A3DF-41B4-42B6-B5CF-23AA2D6E991E}" />
    <Execution ProcessID="300" ThreadID="1188" />
    <Channel>System</Channel>
    <Computer>UtilityBoxPrime.name.local</Computer>
    <Security UserID="S-1-5-21-2936736527-876100542-1019300941-1199" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">3961</Data>
    <Data Name="ProcessingMode">1</Data>
    <Data Name="ProcessingTimeInMilliseconds">1813</Data>
    <Data Name="ErrorCode">1003</Data>
    <Data Name="ErrorDescription">Cannot complete this function. </Data>
    <Data Name="DCName">\\name-SBS.name.local</Data>
    <Data Name="ExtensionName">Folder Redirection</Data>
    <Data Name="ExtensionId">{25537BA6-77A8-11D2-9B6C-0000F8080861}</Data>
  </EventData>
</Event>

I appreciate any insight into this.

Thanks.

-Tim

RDP %CLIENTNAME% variable before disconnected session is torn down

When you launch an RDP session you get the %clientname% variable that is the name of the PC you are connecting from.  The smallest interval RDS allows before it will tear down the session is one minute.  My issue is that if a user logs out of their application and the session goes to a "disconnected" state on the RDSH host, and they log on from a different machine within that minute, their reconnected session is there, but it has the wrong %clientname%.  We have applications that rely on the %clientname% being accurate.  Think service industry, where quick logoff/logons can happen between multiple stations. Is there any way to either shorten the 1 minute limit or force a renewal of the variable on each and every logon?  Thanks.

Non-Admin Users Cannot R-Click or Access On WinSvr2016Datacenter


Good afternoon,

We had some contract work done by a MITS company to deprovision our old RDS VMs and build a new one. Once the new one was in place, we started letting users into it, but we found a couple of strange problems I haven't encountered before.


-Right-Clicking doesn't work. I've checked the local GP, and the File Explorer context menus are not disabled. Neither is it disabled in the registry.

-In File Explorer, users do not see the "This PC" section in the left navigation pane, where they would normally select local and mapped drives. They can still access these drives by typing the file path in the navigation bar.

We do not have these problems with domain admins, only non-admin users. It happens if we RDP into it or use any other remote software, such as vSphere's remote in or Jade's ScreenConnect. These problems are not occurring on all of our other VMs, which are all WinSvr2012R2.

The crew who deployed this VM were not instructed to implement any special security measures; our previous GPOs and ACLs were sufficient for access control.

Prevent users software install in RDS


Hello:

I have installed a couple of Windows 2008 R2 RDS servers in a Windows 2003 domain, and everything works fine for remote access. The only item that I cannot figure out is how to prevent users from installing any software on the RDS server other than what is offered.

I have looked at software restriction policy and there has to be a better way to prevent users from installing any unauthorized software. At the moment users can download anything and run the install, so I am not sure what I am missing.

Any help is appreciated.

Thanks.

Change port 443 RDP web Client Gateway


Dear Sirs,

We are configuring the RDP web client.

We want to redirect the port 443 from 4040, but when we change this port, the gateway does not open the port.

Is there any possibility to change this port?

The gateway server is a public DNS (in order not to use a VPN), but in this server, we can add the port.

Best Regards

Log for remote desktop services


Recently my server has been remotely accessed by unknown users. Do I get some log of remote access information from which I could know who has been tampering with my server?

Thank You so much

Multiple RDS License Server with Split licenses


Hello

We have 2 RDS license servers in the domain with 40 Per User CALs on each server, running Windows Server 2016 Datacenter, and we have a GPO in place as well that points to the RDS license servers. But only one RDS license server is allocating the licenses. The second server is not allocating.

Both servers are activated for RDS licensing.

Need help with this.

Thanks & Regards,

Sapan Shah

Users CAL Pool for RDS

Hello,
I have a SPLA contract with RDS licenses per user. I have to declare 1 license each time a user logs on to the service.
I would like to know if I can do the following: declare a license pool for a specific AD group. For example: 10 users in an AD group with the right to 4 simultaneous licenses. I can create my 10 users, but declare a maximum of 4 licenses actually used per month.

Is it possible to do this via the RDS license manager and AD groups?

Thank you

Issues with resource redirection and server management on 2008 R2, 2012 R2 and 2016


Hi All

We are encountering a rather strange issue on a few of our VMs. We are running a Hyper-V environment on 30 physical hosts. The hosts are made up of 4 different models, from 2 different manufacturers (Dell and Cisco). All our VMs are Server 2008 R2, 2012 R2 or 2016. They are either Enterprise or Datacentre edition and full desktop installs, nothing running core edition. We run Symantec Endpoint Protection on all physical and virtual servers.

The issues we are having seem to manifest themselves in 2 main ways, although both seem to be connected. The first thing we notice is issues with resource redirection. We run an RDS environment for clients. With some of the VMs, the clients are unable to see their locally connected printers. On some of these machines, restarting the spooler seems to sort this. On the rest, a full server reboot is required. Following the reboot, it seems to work fine for that day, then it drops off again requiring another reboot. No errors or warnings in the event logs. It just doesn’t seem to work. We tested the drive redirection, and this also seems to drop off when the printers fail to connect. However, if the printers failing to work is fixed by the restarting of the spooler alone, the drive redirection is not affected and always stays working. This seems to happen on all 3 releases of Windows Server. It happens on different physical hosts from different manufacturers and ranging from 4-year-old hosts to 2-month-old hosts.

The other issue we have noticed is in the Server Manager. When you select the All Servers tab, you get a box in the middle showing the list of the servers that are online or offline, and deeper details if it's online but cannot talk. Some servers seem to show up as “Online – Cannot get role and feature data”. These servers we cannot manage properly remotely or indeed locally for things such as RDS Broker that require the Server Manager. We are unable to change any of the roles or features, to remove or add new ones. We are unable to install or uninstall any applications or Windows Updates. We are also unable to access Disk Management, the VDS being unavailable. We reboot the affected server and that will bring it back online, but the issue will come back; it may be an hour, or it may be a few days.

I have taken copies of VMs that are struggling and removed the AV, and removed all updates installed in the last month. The issue persisted. What is interesting, I took another copy of the same VM and popped it into an isolated network (Private Network) and it didn’t seem to be affected by the issue. I am running this test again and will update this with the results to confirm, but that does seem to be hugely out of the pattern, purely by isolating it. Now this may be due to another VM causing issues, or a lack of WAN access but I am pretty much out of ideas. I have tried as many iterations of this as I can think of, removed and tried various versions of it. I cannot see what is causing this. It seemed to start badly 3-4 weeks ago. It is not affecting all servers, and it is affecting different clients with their environments ranging from Workgroups to Domains, each client having their own space on the hosts. However, the network is one large subnet, so it is possible that something is passing across the LAN. As I say, I have tried everything that I normally would and done lots of digging online and found nothing.

Many Thanks

James


RDS Broker Refuses a connection until an AD Account is unlocked


A user (AA) in the main site is allowed an RDP connection through an RDS Broker. When user AA goes to another site and initiates an RDP connection through the same RDS Broker, he gets "logon attempt failed" three times, then the account locks. On the fourth time (when the account is locked) the Broker opens a connection but shows the error "The referenced account is currently locked out and may not be logged on to". When the user clicks OK on this message and waits for his account to be unlocked in AD, he is able to log in to the RDS.

This is affecting all users in this site. They have accessed the RDS servers through the Broker in the past (till early April).

All other sites are able to access the RDS servers through the Broker with no issues. Can you help me narrow down this issue and find a resolution, please?


YRK

Need to Move 2016 RDS Roles from one Server to Another


Have a functional Server 2016 RDS Deployment consisting of RD Web Access (not using), RD Gateway, RD Connection Broker, RD Session Host on TS-01, RD Licensing on DC-01, and a 2nd Session Host on TS-02.  There is one existing Collection serving up one RemoteApp program to both Session Hosts.

The TS-01 server needs to be redeployed from scratch due to an OS issue so I need to move the RD Web, RD Gateway, RD CB roles to the DC-01 server first, leaving the Session Host role in place on TS-01 for now.

I've seen articles about migration which I don't think apply here.  I do not want to enable HA on this since I know you can't go back to non-HA.  Can each role be deployed on the other server and then removed from the TS-01 server?  Or is this a deploy from scratch scenario?

Terminal Services Licensing Errors Windows Server 2012 R2


Can you offer up some suggestions regarding the following System log events? We are seeing these errors frequently on the Windows Server 2012 R2 server which is hosting the Remote Desktop license server.

1. Are these warnings and errors concerning, and do they require action to correct? If so, what steps?

2. What end user experience symptoms (other than the posted messages to System log) would we expect to see?

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          4/29/2019 11:12:28 AM
Event ID:      4105
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MSRDSLIC.mydomain.com
Description:
The Remote Desktop license server cannot update the license attributes for user "useraccountname" in the Active Directory Domain "mydomain.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "mydomain.com".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
Win32 error code: 0x80070005

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          4/30/2019 5:51:17 AM
Event ID:      44
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      MSRDSLIC.mydomain.com
Description:
The following general database error has occurred: "ESE error -1003 JET_errInvalidParameter, Invalid API parameter."

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          5/1/2019 11:46:41 AM
Event ID:      4106
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      MSRDSLIC.mydomain.com
Description:
CAL reporting: Windows Server 2012 : RDS Per User CAL - Installed: 850, Issued: 881

In addition, I can confirm that, per instructions in event 4105, the license server is not a domain controller and the computer account is a member of the built-in "Terminal Server License Servers" group.

Similar questions (TechNetForumTopic, TechNetForumQuestion, SysAdminTipBlog, and MsITprosBlog) refer to a solution involving old accounts for long-term employees who are appearing in event 4105. I have validated that many of them are old enough that they likely existed back when this domain was at the 2003 functional level (it is now at the 2012 level). However, these users are not reporting any symptoms, so the event 4105 seems to not cause any downside other than logging the event. (Which goes back to my original questions, what symptom effect should we be seeing?)

Thanks in advance for your assistance.


RDS 2012R2 Issue


1. We have installed RDS (RDCB, RDSH, RDWeb) on one host. The RDS service is working well without any errors. But if we open Server Manager->RDS we're getting "A Remote Desktop Services deployment does not exist in the server pool.
To create a deployment, run the Add Roles and Features Wizard and select the Remote Desktop Services installation option."

2. We get the same error after Get-RDServer - "The RD Connection Broker server is not available"

3. If we add Roles-> RDS Installation, the next error - "could not retrieve the deployment information from the rd connection broker"

4. If we add this server to Server Manager on another host we receive - "Kerberos Security Issue". All hosts were added to Trusted.

All RDS services are running (including WID). ServerManager and Posh are run by Administrator.

How to resolve it?

RemoteApp connection window - Cancel button not visible


Hi, on some clients when connecting to a remoteapp the abort button is not displayed correctly. 

On one of the clients where this problem is occurring is Windows 10 Enterprise Version 1809 (Build 17763.437) installed. The OS of the RDS-Server is Windows Server 2016 Standard.

 

Any ideas how to solve the problem?

