Hi,

 Where can I find Security Settings in the Session Host Properties? I need to set SSL and Encryption level for Single Sign On. As of now when the user get connects to the Virtual Machine resides on this server, they have to enter their domain credential again which DO NOT want. Please advise.

Tuan

Window 2012 R2, How do I configure Remote Desktop Services for Access RemoteApp and Desktops?

Thanks

Pat

I was hoping someone would clarify the change user /install command for us if deployed via SCCM.

Currently we have an in house application that has quite a few updates from our programmers. In the past we usually manually install these to our remote desktop session hosts with the change user /install command.  We used to have 2 RDSH so this made things easy with the manual process.  We now have 9 of these servers.

We would like to create packages and deploy this via SCCM 2012.  There is not much information out there on SCCM deployment to RDSH servers.  Our question is can these deployed via SCCM without the Change user /Install command?  If this is an MSI installer does it automatically put the server in install mode?  Or does the MSI installer need to have the switch incorporated into it as well from our programmers?

If anyone has more information on this topic in a link somewhere we would greatly appreciate it.

I am sure this topic has been discussed many times from the Internet.  Some people suggested CRTL-ALT-END from the client, some suggested to turn off Presistent Bitmap Caching from the Experience tab under RDP, uninstall Powershell 2.0 etc...  None of this work for me.  Does anyone have a better recommendation?

Thanks,

Brian

Hi,

 Please help me with the SSO for RDWeb. Here is my environement:

1. Cluster with 2 nodes (SRV1 and SRV2)-Hyper-V Server 2012 R2

2.  We have 3 Collections under RD Virtualization Host (Acc-Persistent VMs; IT-Perisistent VMs; Incd-Non-Persistent VMs)

3. Users are from all over the location but all computers are thin PC Windows 7 Embedded, all Virtual Machines are on the same Domain.

4. PGO is set to use Credential Delegation to TERMSRRV/*.inf.com

5. When User go to RDWeb and clicked on one of these 2 icons

6. Everything went smooth, no credential prompts until it gets to the Persistent Virtual Machine (Windows 7 Enterprise), then it asks for Authentication. The lock icon states" The identity of the remote computer was verified by using Kerberos."

Tuan

Hi there,

I have set up an RDS 2012R2 RemoteApp/ RDS proof of concept for a client. The environment is as follows:

Domain and Forest functional Levels: Windows 2003

2DCs: Server 2008R2.

1 RD Managment and Licensing Server (2012 R2)

1 RD Gateway (2012 R2)

1 RD Broker (2012 R2)

1 RD Web Access (2012 R2)

4 Session hosts split up as follows:

RDS1 and 2: For RemoteApps. Collection is called RemoteApp

RDS 3: For Full Desktops. Collection is called Full Desktops

UAT: For User Acceptance Testing. Collection is called UAT1 and is configured for remote apps.

All 3 collections are enabled to allow users from the RDS_UAT group to access them. The RDS_UAT group consists of myself and 4 other testers. Within the collections (for testing):

RemoteApp collection: all apps are configured to be visible to users in the apps_sg security group (myself only). There are several folders which house the apps.

UAT Collection: All apps are configured to be visible to the RDS_UAT group. These all reside in the UAT Apps folder.

I have 2 issues: 

1) A user who is not a member of either security group can log in and see all three collections. To test, I created a new user (user A) who is a member of only domain users. The user could see all the folders and collections. When the user tries to run the application, he is denied permission. Simillarly, the other members RDS_UAT group can see the apps they should not be seeing in the RemoteApp collection.

2) The remoteapp web feed (when added to Windows 7 and windows 2008R2 machines) shows all the applications, even applications the user does not have access to. For example, for user A, I can see all the applications but not access any of them. Furthermore, the folder structure in RD Web Access is lost and all apps are listed alphabetically from top to bottom across all three collections.

Can anyone please advise as I can't seem to figure out why this is happening? I can't see anything in the event logs that would indicate any issues. There was one error on the broker (Remote Desktop Connection Broker server could not enumerate the targets for the provider named NULL from the database) which I resolved by adding the broker to "Windows Authorization Access Group" as per https://social.technet.microsoft.com/Forums/windowsserver/en-US/aef50c99-0f0e-4da2-bc4c-d5435692cb8b/server-2012-rds-remote-desktop-connection-broker-client-failed-to-redirect-the-user?forum=winserver8gen

Thanks,

HA

Hello,

I have an RDS deployment where I have the following machines:

Domain Controller 1

Domain Controller 2 

RD Connection Broker / RD Licensing Server

RD Gateway Server 1 / RD Web Access 1

RD Gateway Server 2 / RD Web Access 2

RD Session Host 1

RD Session Host 2

File Server (SMB share for User Profile Disks)

The problem is every time the a user remotes in and it gets into Session Host 1 the user cannot delete any files on that user's profile, but if the user logoff and login again an it's assigned into Session Host 2 then the user can delete files. I have check the permission on the SMB share and they look the same that it was before this issue appear.

Have anyone has this issue before?

Thanks in advance for any help.

redirectclipboard:i:1
 redirectposdevices:i:0
 redirectprinters:i:1
 redirectcomports:i:1
 redirectsmartcards:i:1
 devicestoredirect:s:*
 drivestoredirect:s:*
 redirectdrives:i:1
 disableremoteappcapscheck:i:1
 session bpp:i:32
 prompt for credentials on client:i:1
 span monitors:i:1
 use multimon:i:1
 remoteapplicationmode:i:1
 server port:i:3389
 allow font smoothing:i:1
 promptcredentialonce:i:0
 authentication level:i:2
 full address:s:192.168.56.103
 remoteapplicationname:s:||notepad
 remoteapplicationcmdline:s:
 remoteapplicationprogram:s:notepad
 alternate full address:s:192.168.56.103
 alternate shell:s:rdpinit.exe
 screen mode id:i:2
 winposstr:s:0,3,0,0,800,600
 compression:i:1
 keyboardhook:i:2
 audiocapturemode:i:0
 videoplaybackmode:i:1
 connection type:i:2
 disable wallpaper:i:1
 allow desktop com:1
 disable full window drag:i:1
 disable menu anims:i:1
 disable themes:i:0
 disable cursor setting:i:0
 bitmapcachepersistenable:i:1
 audiomode:i:0
 redirectdirectx:i:1
 autoreconnection enabled:i:1
 prompt for credentials:i:0
 negotiate security layer:i:1
 remoteapplicationicon:s:
 shell working directory:s:
 gatewayhostname:s:
 gatewayusagemethod:i:4
 gatewaycredentialssource:i:4
 gatewayprofileusagemethod:i:0
 use redirection server name:i:0
 displayconnectionbar:i:1
 redirectclipboard:i:1

Hi guys,

A client of ours has a medical practice and all their consultation rooms have thin client computers and network printers. It's currently set up so that the doctors can move between rooms and not lose any open applications (specifically Genie) and to be able to print to any printer in the building.

What the client would like is for a particular networked printer to be the default printer when a doctor uses a specific computer.

For example, there are 3 consultation rooms, all of which have their own network printers. At the moment when a user logs into a TS session, their default printer is whatever was set last, and it stays the same no matter what thin client they are using. When they log into a session on the thin client in room three, they want room three network printer to become the default printer, and when they log into a session in room one, the room one network printer becomes the default machine.

Is this possible ? 

Hi,

First of all, please note this: 

• Network level authentication IS supported on all machines as per theAbout Remote Desktop Connection. So please don't ask me to check this on the about remote desktop connection window.
• All clients are set per GPO to use the Remote Setting of the "more secure" option:
• The problem is on random machines, all windows 7. We only have a few windows 10 machines but no issues found on those so far. 
• It doesn't matter if the RDP connection is initiated from a windows 7, windows 10 or Windows Server 2012 R2. The problem remains and is exactly the same.
• The problem exists when attempting to connect RDP from personal home PCs (not managed by company GPOs and MS update schedules) over VPN

So the problem is this, first comes the first message and then the second.

It seems to have started after we deployed some Microsoft server updates, but its very inconsistent, some sites seems worse off then others, but its not all machines at any site. We haven't even done client updates yet.

Again, please don't give me a link to an old post or blog saying that I need to enable network level authentication, as shown by the top screenshot, it is already enabled/supported.

I already spent hours googling this. Please, I want responses from people who have actually had the exact same symptoms and issues or someone who has an idea that I haven't already clearly stated that I've checked above already.

Thank you.

Hello,

Our Environment is as follows:

2 RDS hosts, 2012R2
1 host running Gateway, Web Access, Connection broker, 2012R2

Client: Windows 7

The client has two .rdp files on the desktop. I saved one from RD Web so that I got all the config rows in there (workspace ID et cetera) and then made a copy, changing only the user name in the second copy.

Here's the issue:
1. The user connects one session and logs in to the full desktop
2. The user minimizes the session and connects using the second .rdp-file, which has another user name specified
3. A new MSTSC windows connects to an RDS host, but instead of the saved username, the user is reconnected to the first session which was minimized in step 2.
4. Looking at the first MSTSC window, there's an information box letting the user know that he was disconnected from the server

So, in short: Connecting a second RDP session to the same collection/workspace ignores the saved username in the rdp file and instead reconnects to the first, live session.

Question; is this the expected behavior in 2012R2 RDS?
What we are trying to do is connect two concurrent sessions with different user accounts. Is there a setting we can modify to meet that goal?

If we connect the first session, then right click and modify the rdp-file, change the username, and then connect, we get two concurrent sessions with different accounts (the goal scenario). Can't figure out why this exact procedure changes the result.

Hi all,

I'm running into a problem with idle timeout not being displayed correctly in the Connections-overview.

As soon as the connection is disconnected, the idle-counter starts running.

When I reconnect, however, the idle-counter keeps running, instead of being reset to 0.

Reconnect is done from the same machine, same Client IP-address.

Connection is made through an RD Gateway-server.

Hi Folks,

sorry if i will be asking stupid questions. I am pretty new to windows server operating systems, so far i have only used linux for servers, and windows 7 for the occasional game.

I have a program, that i need (want) to run on a terminal server, and have 6 clients accessing the program (via RemoteApp if possible). As far as i have understood, i will need the following Licenses for that: 1 Windows Server license (e.g. 2012 R2), 6 CALs for accessing the server, 6 RDS-CALs (really? i need an extra license to use the RDS?) and of course the os licenses for the clients (they have windows 7 & windows 8 installed, this should suffice right?).

My questions are:

1. Is this correct or do i need more/less/different licenses? Is it ok if i buy OEM-CALs? I find cheaper offers for them on the internet. Is there any drawback when using them?

2. I haven't gotten that far with my research yet, but it seems that i need some kind of an extra server (or virtual instance) as a Domain Controller. Do i really need that? Will i need an extra license for that?

3. Is there any way to test this whole setup before buying all those licenses? Or do i need all the CALs and so on from the beginning on? I have access to Server licenses (for the server os) from my university, but of course i would not be allowed to use them for use in a non-educational environment. I could use them to test the setup first though, but i can not find CALs in my university's microsoft store.

Thank you very much for taking the time to answer my (beginner) questions!

Lasse

I have set up a standard 3 node 2012 R2 RDS for testing. All virtualized on VMware ESXi 5.0. I have a connection Broker, session host, and web access server. I have published several applications and I can access them without a problem. Here is my issue:

When I try to log on to my session host server either locally or thru RDP, I am always logged in with a Temporary profile. It does not mater what user account I use. Even logging on locally as the administrator I get a temporary profile.

All windows updates are installed and current.

I have removed the server from the domain, deleted the account, and rejoined it to the domain.

I have deleted all .bak registry entries from here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is a hotfix here for a similar issue on 2012 but it does not apply to 2012 R2

The only event viewer errors are:

1515 (Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.)

1511 (Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.)

Any suggestions to resolve would be greatly appreciated.

Russ

Hi

I know this has reared it's ugly head in the past, but we are now getting this issue. 

We are using Terminal Services to supply the applications, they then map the local printer using Remote Desktop Easy Print.  We have found that the Lexmark CX510 when using the scaling options to Fit to one page the preview shows fine but when you print there are hundreds of pages with a single cell on each sheet.  When you go back into the Print preview it then shows one cell per page.  I have tried various different Lexmark drivers (CX510 PCL, PS, Universal driver 2 PCL5e, PCL XL, PS) and all do the same thing.  Have tried an older model drive (CX310) and get the same thing.  Have tried changing the resizing options in the driver to the correct paper size and still no difference (which was mentioned in a previous post from somebody with the same issue).

The clients are mostly Windows 7 and the Terminal Servers are Windows 2008 R2.  On Windows 8.1, I managed to find an install that works (INF file DriverVer=04/21/2009,6.3.9600.17415), but haven't been able to find one that works with Windows 7.  I have tried Lexmark and they basically said it's a Microsoft issue.

We did find a hotfix KB979163 (https://support.microsoft.com/en-us/kb/979163) but when we tried to install it, got the message saying not applicable to our systems.

Any help much appreciated.

Kind regards

Dave

Dear All,

Problem statement:

I have a customer that wants a reinstallation of their gateway server. The company had a virus on this server and the IT Manager wants to be sure that everything is gone.

Additional information:

When I logged on to the “gateway” server I could see that everything is configured via hostname instead of using aliases which for me complicates the “reinstallation” since I cannot reuse the same name for the new configuration and every configuration setting points to this particular server “RDSGW01”.

The user profiles are stored on \\RDSGW01\RDSprofiles and in Active Directory under Remote Desktop Services Profile \ Profile path is also configured to use \\RDSGW01\RDSprofiles\user1

The users of this company open Remote Desktop and connect to RDSFARM.DOMAIN.EXT in DNS there are two records created (RDSFARM – 10.0.0.15 and RDSFARM – 10.0.0.16 / round robin)

Server infrastructure (Windows Server 2008 R2):

RDSGW01 this server has following roles installed on it:

-         File services (users are stored on \\RDSGW01\RDSprofiles, this should be on a DFS normally)

-         Network Policy and Access Services (default configuration)

-         Remote Desktop Services

• Remote Desktop Connection Manager
• RD Gateway Manager
• RD Session Host configuration

-         Webserver IIS

RDSSH01:

-         Remote Desktop Services

• RemoteApp Manager
• RD Session Host
• Licensing via RDSGW01.DOMAIN.EXT
• RD Connection Broker: RDSGW01

RDSSH02:

-         Remote Desktop Services

• RemoteApp Manager
• RD Session Host
• Licensing via RDSGW01.DOMAIN.EXT
• RD Connection Broker: RDSGW01

Is there a solution that I can do this during the day without affecting the users (probably no) and how can I approach this the best way?

Thanks in advance.

Kind regards,

Jeroen Lambrichts

Hi

I want to know if it s possible to make a RDS server into Microsoft Azure network and join this server to a On premise domain ?

I have work Apps in my on premise domain and i need to build a remote desktop for my nomad user.

Someone can explain how can i do that , do i need Gateway for secure access ? do i need to build DMZ

Thanks

Hi all

Currently running in Per User licensing mode.  The RDS platform is within the license grace period, however via RDS Manager added license server and activated by clearing house.  No valid licenses added as yet, so running in temp license allocation mode. Confirmed RDSH is configured to use RDSL by using RD Licensing Diagnoser.

With reference to: https://technet.microsoft.com/en-gb/library/cc725933.aspx and considering Per User mode.

My understanding is that the RDSH MUST be able to contact an RDSL, but only when the RDSH deems applicable - so perhaps this transaction is instigated upon a new client not seen on the RDSH before?  However during testing new clients don't appear to trigger the RDSH to RDSL connection and can still run published apps .

• RDSL service running and RDS Manager configured for Per User mode.  Using RD Licensing Manager I can see 2012 R2 licenses issued for each new user - all ok so far.
  
  
• I disable RSDL licensing service - previously connected users can still connect and I assume RSDH validates license and doesn't need to contact RDSL at this point - not sure when in the future it will though?
  
  Are there reg keys defining this cached information, can they be deleted forcing the RDSH to contact the RDSL again as if it's a new user not seen before?
  
  Here's the weird part - new users never seen on the RDSH before can still open applications!  No licenses appear on the License Manager (obviously as the service is stopped).  
  
  But why can new users connect successfully?
  
  I'm wondering if its due to the Grace period?
  
  

You must configure RD Licensing correctly in order for your RD Session Host server to accept connections from clients. To allow ample time for you to deploy a license server, Remote Desktop Services provides a licensing grace period for the RD Session Host server during which no license server is required. During this grace period, an RD Session Host server can accept connections from unlicensed clients without contacting a license server. The grace period begins the first time the RD Session Host server accepts a client connection. The grace period ends after whichever of the following occurs first:

• A permanent RDS CAL is issued by a license server to a client connecting to the RD Session Host server.
• The number of days in the grace period is exceeded

Re the bullets above, I'm wondering that as I'm currently using temp licenses that the RDSH reverts to the grace period functionality when it cannot communicate with the RDSL, hence my users are still able to connect when teh RDSL service is stopped?

• If I delete c:\windows\laserver\*.* on the RDSL to clear the previously issued license list, I note the RDSH servers do not request licenses for users previously connected.  
  
  How can I delete the RDSH license cache?
  
  
• I note several articles pointing to issues when the grace period expires even though a RDSL is configured, this CONCERNS me significantly as we shall be rolling out the LIVE platform soon.  The previous PoC remained in grace period throughout its testing life so I'm unsure how this will pan out.
  
  In order to resolve articles point to simply deleting the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod, however doesn't this simply reset the grace period?
  
  The RDSH connects to the RDSL and obtains a new temp license upon every new user, but when the RDSL service is disabled why do I see new users still connecting?
  
  HELP! 

And thanks

Lea