Channel: Remote Desktop Services (Terminal Services) forum

RD Virtualization Host Problem

Dear all,

  I've been working on this for 2 days.

  I have built an RDS platform: 1 broker, 1 gateway and 2 Virtualization hosts.

  I followed the steps in MSDN and created a collection of pooled VMs.

  But when I created them, an error occurred:

  Failed: RD Connection Broker could not create the computer account object in Active Directory Domain Services(AD DS). Ensure that RD connection Broker computer account has permissions to create computer accounts in the organizational unit (OU), the RD connection Broker can contact AD DS, and a duplicate computer account object does not exist in a different OU.

   I used delegate control and added the DC's computer name with computer objects create permissions and still have that problem.

   Somebody help me!


Very slow access to local disks with RDP

Hello,

Users from a distant office are connected to the central server using RDP.

In order to centralise their files and folders, the C: drive of their PC is available in the remote session.
However, accessing this disk inside RDP is very very slow, even if the RDP connection itself (and all applications under RDP) is fast.

Do you have any idea how to solve this issue?

Thanks in advance.

RDP Login Screen changing cursor focus after selecting the password field

With our 2012 servers we are seeing unexpected behavior on the login screen that we did not previously see with other versions. On the login screen we are presented with fields for username and password, and the default cursor focus is username. The username is usually already populated, so we click on the password field. Sometimes, after the cursor has appeared in the password field, it will, without interaction or prompting, immediately return to the username field.

Any ideas what might be causing this? I can't seem to find anything when searching, but maybe I am not searching the right places.

Target returned by the plugin does not have an IP address

I am configuring a simple RDS implementation with one server running all roles, and this then allows users to connect to various remote desktop servers.  I have configured my collections all correctly and can see them all when connecting to the web front end.  When I try to launch one of the session desktops I am getting the error "Target returned by the plugin does not have an IP address" in the TerminalServices-SessionBroker log file.  I can RDP to the server in question with no issues, however one thing that worries me is that we are using a 169.254.252.0/24 subnet for these servers which I believe will cause problems due to it being in the APIPA range.  Are there any ideas as to how I can get this working, or do I need to request a different subnet before I can even begin to troubleshoot this issue?

RDS Gateway not connecting to broker

Hi - We've just built an RDS deployment with an RDS gateway and we're having an issue when external users are logging in.  It connects to the gateway fine and allows the user to log in but it creates a desktop session on the gateway itself and doesn't put the user on any of the host session servers.  The active session also doesn't show up in active connections on the gateway manager so I know we've done something wrong but we just can't find out what it is. 

We've completely re-run the setup, we've got a signed certificate, we've set up the 2 policies and allowed domain users to connect to any network resources in an attempt to fix this but each time we try remotely we end up on the gateway server.  It works fine internally because it's bypassing the gateway server for local addresses.

It looks as if the gateway server doesn't know it's a gateway server but within the RDS configuration manager that's what it's showing as and that's what we've configured it as.

Any assistance would be really appreciated.

Geoff

SHA256 support and TLS 1.2 compatibility in Windows 2012R2 RDS

Hi fellow Remote Desktop Services admins,

I'm becoming increasingly confused on how well, and exactly under what requirements Windows Server 2012 R2 running the RDS role, supports the use of TLS 1.2 with clients ranging from Win. XP SP3 to Win. 8.1.

So what I understand is:

That TLS 1.2 is supported and enabled by default on Windows Server 2012R2. So I could buy a certificate that uses the SHA256 hash algorithm.

- But am I right that clients ranging from Windows XP SP3 up to Windows 8.1 support this scenario?

- Would it be necessary to manually enable TLS 1.2 on these clients, in order for them to be able to negotiate the use of TLS 1.2?

- If TLS 1.2 isn't manually enabled on, let's say a Windows 7 client, would the RDS server and the client be able to negotiate the use of TLS 1.0 instead - now that the certificate is SHA256? Because as I understand it, SHA256 is not supported by TLS 1.0. Therefore the same certificate would have to support SHA1, as the communication with a TLS 1.0 client would require SHA1. Correct?

What I have done

Crawled through forums, Wikipedia, blogs and search-machine results. In order to understand possible scenarios and what RDS in Win. 2012R2 supports. But I find it quite hard to get a solid understanding on how things exactly are.

For example: https://technet.microsoft.com/en-us/library/dd320345(v=ws.10).aspx - applies to Win. 2012. But does it also apply to 2012R2? Out of TLS 1.0 and TLS 1.2 - TLS 1.0 is the only one mentioned.

At the same time though, this blog: http://blogs.msdn.com/b/openspecification/archive/2012/07/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-2.aspx - seems to indicate that RDP on at least Win. 2012 server, pointing to the post's date, supports TLS 1.2.

However it is really hard to find a clear-cut specification from Microsoft on this. I would really appreciate someone that could clarify this for me. Especially because SHA1 certificates are being phased out (start 2017 if I'm not mistaken) and I would therefore strongly prefer to invest in a SHA256 type certificate.

Looking forward to hearing from you.

Thank you very much.


Red Baron

Changing URL for RDWEB

Hello,

I tried to change my URL for the RDWeb (2012 R2), but I seem to have problems accessing the RDP application within RDWeb.

After getting a new CNAME (same SSL cert), I changed the deployment settings to the new URL.

The RDP applications gave me an "incorrect gateway" error after applying.

After setting back the old URL, it worked without problems. What setting am I missing?


Remote assist in RDS 2012 R2 UAC prompts through connection broker

Can someone point me in the right direction?

We are using remote assist on our normal machines but in our RDS environment it prompts for the UAC if the user connected through the connection broker. Here are some screenshots of what I mean. This is when trying to assist the same machine, one connected through the connection broker and one connected directly to the machine.


RD Licensing Diagnoser error after final setup

I am having an issue where we set everything up for our RDS Session Based deployment and licenses are being handed out to users based on the Licensing Manager and the Diagnoser shows our licensing server and its installed licenses; however, the Diagnoser still says:

The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server does not have any installed licenses with the following attributes:
Product version: Windows Server 2012
Licensing mode: Per User
License type: RDS CALs

This is a 10 user environment and all roles are set up on one virtual 2012 R2 server. The Session Host Server role is set up and using the Per User Mode and Licensing Server Role (same server) is set up and installed/activated with 10 "Windows Server 2012 - Installed RDS Per user CALs" and are actively being handed out to users when they connect (based on the RD Licensing Manager). A review of the configurations on the RD Licensing Manager shows green checks across the board on AD groups and as a registered SCP point.

I do not understand why the diagnoser still gives the error above and I am afraid my server will refuse connections in about 60 more days (although I am not getting a popup saying such as I did before installing the licensing server role and adding licenses). I believe I've read about every article on TechNet (and others) about setting up the licensing and RDS session host deployment out there and all steps have been followed.

I have read quite a few forums listing various ideas (deleting grace period key and rebuilding licensing database); however, I do not want to start making changes without further affirmation on the problem and have not done any of these  . . . yet. So, no rebuild has been done of the licensing server so far.

Remote Gateway Message prompting twice & slow

Hello,

I'm having an issue similar to the question below that seems to be unanswered.

https://social.technet.microsoft.com/forums/windowsserver/en-US/2d611dad-163a-42ae-8238-60442d5dcae2/rd-gateway-message-appearing-twice-for-users

I have everything set up for SSO, and it works great internally with no prompts. Externally I get a username/password prompt that I fill out and then accept the login message. It then sits there for a minute, then the login message comes back up. I accept again and then it connects within 5-10 seconds.

I am using RemoteApp with 2012 R2. Two Brokers, Two RDGs, TWO RDSH. I have followed the guides and tried different certs without any luck. I have tried disabling one RDG at a time with the NLB manager and still have the same issue. I've checked the event logs without much luck.

The machine I am testing with is domain joined and Windows 7.

Any help is appreciated.

Mike

Users logging in with temporary user profiles

Hi,

I just started to have 30-40 users logging in with temporary user profiles. Every time they log into the Windows Server 2008 R2 Terminal Server, they get this message: "You have been logged on with a temporary profile" or they get

"The User Profile Service service failed the logon. User profile cannot be loaded"

Things I have done

1) Went to C:\Users\Username and deleted the username.

2) Went to C:\Users\TEMP and deleted all TEMP profiles.

3) Went to hkey_local_machine\software\Microsoft\windows nt\currentversion\profilelist\s-1-5-21.bak and deleted all these keys.

4) Went to C:\Users\Default and went to Advanced and selected "Replace all child object permissions with inheritable permissions from this object."

Issue remains that new users are now logging in with temporary user profiles. Any ideas of what else I can try?

Thanks

Can't add user groups to Session Collection

I have recently set up a Windows Server 2012 R2 VM with Remote Desktop Services with the goal of allowing certain colleagues to access remote apps from home.  I've followed install and configuration instructions via Technet and everything seems to be running as expected with one major exception.  When I go to Server Manager > Remote Desktop Services > Collections > Collection > Properties > User Groups and try to add a group from the same domain that the server is joined to, I get this error.

"The security identifier could not be resolved.  Ensure that a two-way trust exists for the domain of the selected users.

Exception: The network path could not be found."

This is puzzling to me since the User Group I'm trying to add and the server that Remote Desktop Services is installed on are both in the same domain.

Any help with this would be greatly appreciated as people are waiting on this to be able to access specific programs from home or when mobile.

NLA or Smartcards, but not both for non-domain joined clients

We have an environment where we use smartcards to log in to remote resources. It works just fine when we try to remote desktop from a machine that is domain joined, but does not work at our homes or on personal machines brought to work.

Things start working from home when we disable NLA though... but we would like to use NLA for an extra layer of security. OR if we leave NLA on, but only use a username and password it works (but again, we want to use smartcards for the extra layer of security with multifactor blah blah blah).

Stuff I have tried that has not worked:

Installing the internal Domain CA's certs to the off-domain machine and user cert store.

Issuing a "real" certificate from a major 3rd party CA and configuring RDS to use this certificate.

Tweaked some certificate properties, tested CRL paths off-location, anything I could find on BI-NGLE that was related... (shot-in-the-dark methods).

Any ideas out there that I have missed?

Connection broker not reconnecting users to existing session

Hi,

We have an RDS 2012 R2 deployment with two RD Session Hosts where one (rds01) is running the Connection Broker. We also have a load balancer in front of the RD environment, with a LB IP (10.33.12.26).

The problem we have is that users are not reconnected to their existing session if their new connection attempt is not done against the same RD SH.

I have checked the Connection Broker event log, and can see that it finds the existing connection, but the new connection is still done to the wrong server.

Log from the first connect, without existing connection:

RD Connection Broker received connection request for user DOMAIN\user.
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.RDS
Initial Application = NULL
Call came from Redirector Server = rds02.domain.local
Redirector is configured as Farm member

RD Connection Broker successfully processed the connection request for user DOMAIN\user. Redirection info:
Target Name = RDS02
Target IP Address = 10.33.12.26, 10.33.12.32
Target Netbios = RDS02
Target FQDN = rds02.domain.local
Disconnected Session Found = 0x0

Session for user DOMAIN\local successfully added to RD Connection Broker's database.
Target Name = rds02.domain.local
Session ID = 18
Farm Name = RDS

This connection request has resulted in a successful session logon (User successfully logged on to the end point). Remote Desktop Connection Broker will stop monitoring this connection request.

I then disconnected the session, and made a new connection with the same user, which ended up on the other machine.

RD Connection Broker received connection request for user DOMAIN\user.
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.RDS
Initial Application = NULL
Call came from Redirector Server = rds01.domain.local
Redirector is configured as Virtual machine redirector

RD Connection Broker successfully processed the connection request for user DOMAIN\user. Redirection info:
Target Name = RDS02
Target IP Address = 10.33.12.26, 10.33.12.32
Target Netbios = RDS02
Target FQDN = rds02.domain.local
Disconnected Session Found = 0x1

Session for user DOMAIN\user successfully added to RD Connection Broker's database.
Target Name = rds01.domain.local
Session ID = 18
Farm Name = RDS

I might have missed something obvious, but I haven't found the cause. Is the problem that the LB IP is listed in the Target IP Address, so the client might be instructed to connect to that IP? In that case, can I control which IP addresses should be included in the Target IP Address list?

Enable SSL/TLS Without NLA - Cannot Change Expired Password With NLA Enabled

So the crux of the issue is this:  NLA does not allow users with expired passwords or whose account has been configured to require a password change on next logon to log into a Remote Desktop Server.

Requirement:  Enable SSL/TLS for RDP connections to provide RDS host identity validation and use "current" encryption standards

Background:  We have a fairly large number of remote users in a BYOD situation where the user does not EVER have direct access to the corporate network from a corporate device on the network.  When setting up a new user we require that they change their password upon initial login.  When using the RDP security layer, this is fairly straightforward as they can provide their credentials and are immediately prompted to change their password.  However, if SSL/TLS or negotiate is selected, the connection fails indicating the password is expired without any prompt to change it.

Documentation on this is a bit unclear, however it all seems to indicate that this should ONLY be an issue if NLA is REQUIRED. However, in my experience NLA is used if it is supported and there is no mechanism in place for the connection to "fall back" to the RDP security layer and the connection just fails.  One oddity to note is that Windows Server 2003 allows either the RDP Security layer or SSL/TLS to be used but does not support NLA. To me this would seem to indicate NLA is separate from SSL/TLS and that there should be the ability to utilize SSL/TLS WITHOUT NLA.  I am aware that there are "patches" available for this issue but I am also aware that they 1) only change the error message displayed on the client side and 2) only enable the password change functionality via RDweb.  We are not interested in using RDweb and are looking for a solution to the problem above.  

In summary, looking for a way to enable SSL/TLS but to disable NLA.  Alternatively, if there is a solution to allow the connection to fallback to the RDP Security layer if NLA fails, I would happily accept that as well.  Thank you all in advance for any assistance you can provide.


Shadowing of Windows 2012 Server R2 Remote desktop - Not working.

Hi

We have recently installed new Windows 2012 Server R2 Session servers in our deployment.

However the ability of being able to shadow the sessions is not available.

The central server where the following roles

Remote desktop connection broker

Remote desktop gateway

Remote desktop licensing

Remote desktop session host

Remote desktop web access

Is still on Windows 2012 Server (Non R2)

Am I right in thinking in order for the shadow sessions to work the central server needs to be changed to Windows 2012 Server R2?

Also from what I have read it is possible to do an in-place upgrade from Windows Server 2012 to Windows 2012 R2?

cheers

Mandatory Profiles - Slow Logons and Setting Up Personalized Settings

Hi all,

This will no doubt open up a can of worms as I'm talking about using Mandatory Profiles in Windows Server 2008 R2 RDS (gulp), and no I don't want the headache of sysprepping or having to re-install the OS.  We have a 20 server farm running very well so we don't want this to turn into a nightmare.

Currently Users don't have anything configured in their AD account under the Profile setting, nor is there a GPO which sets an RDS profile.  This is something we wish to implement.



Users logging in to a PC will remain the same, yet those same users who access the RDS platform will get a mandatory profile.  We have a mandatory profile ready, created using this guide:

http://markswinkels.nl/2009/12/how-to-create-a-mandatory-profile-in-windows-server-2008-r2/

There is a new test GPO assigned to a group of users which sets the mandatory profile path for an RDS session.

My question is based around the Windows personalized settings popup as this adds to logon times.  Surely we want simple, fast logons.  Why on earth Windows is setting up anything when the profile is read only is beyond me.  I had assumed Windows would be clever enough that if it found the file ntuser.man it would know it's read only so skip setting anything up.

Anyway, I've read many conflicting articles about this.  Some say to delete the stubkeys in the registry on each RDS server, whilst others say remove keys in the profile hive?

I'd like to hear the experts' take on this please

Info

====

http://blog.appsense.com/2009/08/some-mandatory-profile-best-practices-updated-april-16th-2010/

  1. deleting the key “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”, because it contains values with the path to the generating user’s locally cached profile folder, will cause problems at logon whereas deleting all of the values in the key, but not the key itself, does not cause issues.
  2. Delete all policy registry keys such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies” and “HKCU\Software\Policies” (unless of course you want to apply GPO like lockdown this way but it can cause confusion).
  3. Strip out anything that you do not want – the best mandatory profiles are generally the simplest. There is, unfortunately, no easy way of deciding what should be stripped out. I tend to focus on Most Recently Used (MRU) lists such as those for opened documents, searches, runs and so on. The benefit of starting with the default user profile rather than a “contaminated” user profile is that this step, generally, is not required.
  4. Check all autorun locations, such as “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and “RunOnce”. It is usually best to have nothing in these keys and have things run at logon via other means.
  5. Set application defaults, such as disabling splash screens, either by running the application and configuring it or by directly editing the registry if you know what keys/values need setting.



User getting popup message "The Recycle Bin on \\server\another user\start menu" is corrupted.

Hi all,

This is becoming a pain

We have a 2008 R2 RDS environment with user folder redirection.  Every now and again, users are getting this message....

\\server\share$\user45\start menu


I myself have just logged into RDS, and I have this message.  How on earth is this user45 having an effect on my account?

Just for info, user45 is a domain admin and works in IT.  They regularly login to that server either directly, or using the /admin switch

Furthermore, when launching shortcuts from the taskbar I sometimes get unable to find \\server\share$\anotheruser\start menu.  This other user is another IT admin.

Thanks






Unable to install RemoteApp and Desktop on Windows 7 Embedded Standard x64 machine.

Hi,
Sorry for asking that question again. I have searched through the forum the whole night but I was unable to find an answer to my problem.
I have managed to install all services on a single machine running Windows Server 2012 Foundation, even though I understand it is not the best practice to do it all on one physical machine.

Now I have two machines that I have been testing RemoteApp connections from via internet.

Windows 8.1 Pro x64:
https://s01.domain.webaddress.com/RDWeb shows untrusted connection at log on to RDWeb but the applications still start up fine.
Installation of RemoteApp and Desktop work resources is successful and it works great.

Windows Embedded Standard x64:
when connected via Internet Explorer to https://s01.domain.webaddress.com/RDWeb it works great and the calculator app I have published in my app collection starts fine.
However when I try to set up the „RemoteApp and desktop” connection from control panel I get a strange error which isn't very helpful. Below are screen shots showing sequence of windows I get:
https://drive.google.com/file/d/0B7SIMeqk9gtWMEl1VWRtRWhxcms/view?usp=sharing
https://drive.google.com/file/d/0B7SIMeqk9gtWQ0VBWlR3Yk1nU0k/view?usp=sharing
https://drive.google.com/file/d/0B7SIMeqk9gtWVFlFUmtVZmVBb1k/view?usp=sharing

At the prompt for credentials, when I enter those incorrectly I get a Wrong username or password error. However when I enter the correct credentials, instead of the Congratulations! screen I get this error which means „Error. For help contact administrator of the work place.”
https://drive.google.com/file/d/0B7SIMeqk9gtWMUE4TFA2TjcwVjQ/view?usp=sharing
I have tried to solve the issue by installing RDS updates on client:

KB2574819
KB2830477
KB2847650
KB2913751
KB2923545

But it has not resolved the issue either. 

Any suggestions?

EDIT 29.05.2015:

As per my reply to Amy Wang_ I have also tested the RemoteApp service on another Windows 7 Pro machine and it worked seamlessly. 

Also cut out some of the initial description of Windows Server deployments as I am sure now that the problem is on Windows Embedded Standard side.


RDP Session with a RDP Gateway disconnects when copying larger files from \\tsclient to server.

Hello everyone,

We host a remote desktop environment for customers consisting of a Windows 2012 R2 Session Broker connecting to Terminal Servers 2012 R2. Clients run mostly Windows 7 and some Windows 8 machines (up-to-date) with Remote Desktop Connection 6.3.9600.

The following situation occurs:
When clients connect through the Remote Desktop Gateway (our Session Broker) and try copying a file from \\tsclient to the terminal server, the RDP connection disconnects and reconnects. The file transfer has been aborted with error message "Error 0x800703E3: The I/O operation has been aborted because of the closing of a thread or because of a command from an application" (Freely translated into English). Choosing Retry from the dialogue option results in a different error message: "Insufficient memory is available to complete this operation." (Again, this is a translated message.)

This problem only occurs when copying files larger than 2,5MB (estimation). Smaller files will be copied correctly. 
This problem does not occur when connecting directly (no RD Gateway) to the terminal server.
Using drag-and-drop to copy the files has no different effect.

Can anyone assist me in resolving this issue? If there is need for more information, please let me know.

Auke, Netformatie
