We have had a certificate for our TS Gateway from GoDaddy working just fine but, Its about to expire.

Ive renewed and installed and have both certificates available.

How do I verify the new one is going to work before the old one expires?

Im connecting through the gateway now but, cant tell which certificate its using. i dont want to remove the old one till im sure.

Thanks for the help.

Steve

Steve Peterson steve@mcmillaninc.com

I have disabled IE enhanced security for users on the RDS farm. They still have to add certain sites to the "Trusted Sites" list to get features to work right, and that's exactly what I want.

The problem is certain sites, even after adding them to the trusted sites list, don't function quite right. For example, links that use java are still disabled even though the page loads. Take maps.yahoo.com. The page displays an error about java script needing to be enabled. Once you add the site to the trusted sites, that goes away but the page still does not load completely. 

We are a law firm and all of the local court sites are giving me this problem. Can anyone point me in the right direction with GPO or local IE setting to fix this? 

-jbrittain

When using the native Remote Desktop clinet (mstsc.exe) from my workstation, it loads my preferences from the default.rdp file located in My Documents.  I have modified this to include "smart sizing:i:1" so that I can scale the remote desktop window to whatever size I like while being able to see the entire contents of the remote session.

I have set up a number of Remote Desktop Gateway servers and often times find myself using the Remote Desktop tab to connect to machines behind the gateway, however, just like the Remote Desktop client, I cannot enable smart sizing from the web UI.  I know that I can create an RDP file that uses the Gateway server and then modify it to include smart sizing, but I want to include this setting directly from the web site.

How can I modify the default settings of the rdweb remote desktop connection tab to include smart sizing or other customizations?

Ok, re-trying this question, with more accurate information.

I have a client with a RemoteApp and RDGateway services facing the public internet.  The conditions are these:

1)  Able to log in successfully to the initial RD Web Access web page from any external location.  No issues are being reported internally.

2)  Able to launch published apps successfully only from some external locations.

3)  Using same user credentials, launching published apps from other locations results in "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable" error.

4)  From the same locations where launching a published app fails, I am able to make a direct RDP connection to the server running Gateway and RemoteApp services using the native RDP client in Windows.

5)  There is no common ISP in the mix.

6)  As far as I can tell, there is no CAP or RAP in effect that would cause only selective clients to connect

7)  The client is using a DigiCert ssl certificate, not a self-signed cert.

8)  The RD Broker service is installed and running.

Can anyone hazard a guess as to why this would be working from some external locations, yet produce the above-noted error at other sites?  I will be happy to provide any additional information that mau be needed ... but I just don't know where to start looking.

Regards and thank you in advance.

Chris

I am unable to run Remote Apps on my Surface (Windows 8 RT) using the Remote Apps application.  I can configure the App and log in with my account.  I am then presented with the list of applications available.  When I attempt to run one of the applications I am redirected to the desktop and asked to log on to Remote Desktop Services Default Connection.  I enter my domain credentials and I get bounced with the Log-on Attempt Failed.

NOTE:  
- I am able to run Remote Apps from Windows 8 Pro connected to the domain and Windows 7 without any problem.

- I am attempting connections internally and DNS is all OK - I can ping local and remote DNS names for the RD Server.

- The Windows 2008 R2 server is running All roles (Session Host, Web and Gateway).

- I have purchased and installed 3rd party SSL cert.

Any assistance with this would be greatly appreciated.

Hi,

I have a Windows 2008 R2 server running Remote Desktop services and configured with Mandatory Profiles. Its all working well except when our users attempt to logon to the server for the first time each day. They get an error:

"The Group Policy Client service failed the logon.
Access is denied."

If they immediately try to log in again, they are granted access, the mandatory profile loads, no problems.

But two 512 KB files appear and remain in their home directory that look like this:

NTUSER.MAN{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
NTUSER.MAN{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms

So their profiles increase in size at a rate of at least 1 MB / day. 

Their failed logon attempts create the following event ids in the Application log:

6004 - The winlogon notification subscriber <GPClient> failed a critical notification event.

1542 - Windows cannot load classes registry file.
   DETAIL - The system cannot find the file specified.

6001 - The winlogon notification subscriber <Sens> failed a notification event.

In the Security event log I can see 6 Success events for logon, followed by a brief pause (for the user to click ok) and then 6 success events for logoff.

In the System event log, Winlogon reports:

7001 - User Logon Notification for Customer Experience Improvement Program

7001 - User Logoff Notification for Customer Experience Improvement Program

CEIP is disabled, btw.

If I delete the users profile through Advanced System Settings. They can log in again just fine, but the next day, they'll fail their first login and their profile will grow. 

Any suggestions on how to trouble shoot?

Cheers

~ne

Hi All,

My client need the USB key to sign-off with application on the VDP. I find Microsoft VDI solution does not support USB key very well. I would like to know if there is any 3rd USB redirection tool we can leverage in this senario.

Thanks.

A brief explanation of our setup:

RDS Farm with 6 RDS servers (RDS1 - 6) load-balanced via round robin in DNS

2 RD Gateway Servers (RDG1 - 2) load-balanced via round robin in DNS; both of which have the RD Connection Broker service installed and running

Clients connect to rdsfarm.domain.com via rdg.domain.com

I am new to the company as a system administrator and trying to improve the availability of our RDS Farm for our remote users; the vast majority of the company's employees use RDS to gain access to the resources internal to the network.  One of the things I am noticing is that in the RD Session Host Configuration for each of the RDS Farm member servers is that while they are properly setup to join a Farm via the FQDN of rdsfarm.domain.com, they are all pointed to a single RD Connection Broker server (rdg1.domain.com).  I would think that the RD Connection Broker server specification would be similar to the Farm server specification in which you use the FQDN of the Connection Broker farm vice a single connection broker.

I could experiment by changing this setting on a couple of RDS servers, however, being the new guy, I don't want to change something and end up breaking it when this is a critical business resource for the company; I would like to keep my job.  So looking to see if anyone else has experience with a setup similar to ours (load-balanced Gateway/Connection Brokers PLUS load-balanced RDS Server Farm) and what the correct configuration should be for the Connection Broker server in the Session Host Configuration for each of the RDS servers.

I have searched the net high and low and have found plenty of information from Microsoft and other forums on how to setup and configure a load-balanced farm but I have yet to find anything that describes a load-balanced Gateway/Connection Broker setup.

Your help and responses is much appreciated in advance.  Thank you.

Sincerely,

Carey

Windows 2008 Server

Mixture of Windows XPSP3 Pro and 32- and 64-bit Windows 7 Pro clients.

We run an accounting package (Sage MAS90) on this new terminal server. When we click a link on the menu to spawn a new process, the first application called correctly pops up and asks for the accounting date, and then the resulting applicaiton window correctly becomes the active window. However, all subsequent calls from with the main dashboard/menu to spawn applications result in the main dashboard/menu continuing to have the focus and the newly-spawned application window opening behind the window from which it was called.

This is particularly a problem in that we are setting the environment in the users' AD profiles to force-run the main MAS90 application, there is no taskbar on the server, so when a window opens behind like this, the user cannot tell without first minimizing or restoring MAS90.

I understand this coudl be an application-specific problem, so I will post this qiestopm to a MAS90 forum if this is not a general terminal server issue.

Hi,

Any Powershell cmdlets let me create the vm from collection(like the Add Virtual Desktop in tasks of GUI), I find Add-RDVirtualDesktopToCollection just can add the exsiting vm, but cannot create the vm. Because once i can use the Powershell, i can put it into System Center Orchestrator.

Asuka from ITECN

Hi

I am running a game using Direct3D using RemoteFX. When I disconnect my client the application crashes. I want the game to continue to play even if I am logged off. That way I can change locations, have my character be ingame 24/7 etc.

How can I prevent a fullscreen Direct3D application to crash after I close my connection to the server?

Environment:

Terminal Server 2003 R2 w/ SP2 (Windows updates last run on October 6th, 2012)

Windows XP and 7 clients running either RDP client 5.2 or 6.1. 

Below issue started happening shortly after the terminal server rebooted mid-morning (software app update).  Also, some folders were cleaned up due to low space on the server.  Some of the folders removed were printer driver installer folders.  Unfortunately, I am unable to bring back the data at this point (no backup of the affected folders).

Issue:

I have an issue where it takes users 10+ minutes for their session to log off only when printers are redirected to the session. If I disable printer redirection on the client (uncheck the printers in the options of the RDP client), users log out within seconds.  This happens on RDP clients 5.2 and 6.1.  I have installed UPHClean already, but the problem persists.  I do get event ID 1401 from UPHClean occasionally but not consistantly (when long logoffs occur, this event is not always generated).  The message is related to winlogon.exe, and registry key HKCU\Printers\DevModePerUser.  This behavior occurs with new and old users alike.  It happens regardless of roaming profile settings (on or off), and the user has been placed in an OU in Active Directory that would prevent policy inheritance.  I have also attempted to turn on debug on winlogon.  I gathered a log of user logoff both with and without the printer redirection set.  Both logs appear similar. 

I would appreciate some assistance with this issue.  Thanks in advance!

Hi guys,

I'm having a strange problem here; first time I've posted in these forums so please let me know if I can clarify anything or post elsewhere...

Here's my setup:

* Windows Server 2008 R2 - let's call the server "SERVER1"

* remote desktop services installed and licensed

* Under File Server I've added the "windows search" service to allow for folder indexing.

What happens is, I have users connect to this server via remote desktop session (They are presented with a full desktop, to use documents / microsoft office etc).

Using AGPM I've configured their Documents path to redirect to a UNC path. The path is: \\SERVER1\user_docs$\%username%

I've also used group policy to prevent the users from seeing the C: and D: drives on the server.

the "user_docs$" share is located on the D: drive of the server.

Now, the redirect works fine - and they have complete access to the directory if I browse to it via start > run > "docs path"... they can get to it fine, and read/write data there. So they can NOT see the D: drive as I intend, but they can see the UNC share which is on that drive, and read/write data to it.

What seems to happen is, The path "\\server1\user_dcos$\%username% is added to their "Documents" library but if I go to the "locations" options for the "documents" library it automatically changes the UNC to the local D:\user_docs\%username% path instead.... it only seems to do this because I'm RDPing onto the server that the share is also on - so windows seems to say "Hey! That UNC share is on the local machine, why not just use the local path?" and changes it from UNC to direct local path - the problem is, the group policy prevents the users from seeing the D: drive, and this means they have NO access to their documents!!
I have tried using the IP address in the redirect setting of group policy, instead of the DNS name (e.g. \\10.0.0.1\user_docs$\%username%) and this RESOLVES the issue!! It doesn't any longer change the library path to D:\blah blah....

My question is: I do NOT want to use the IP address in the group policy, as I may want to change the IP of the server in the future, and this will just be another thing to remember to keep track of...

Has anyone ever seen this issue / know what is causing the server to resolve the UNC path to the local path instead? and how to prevent it? 

Thanks for any help! :)

Within my RAP policy on my Remote Desktop Gateway, I specified an active directory group containing the computer accounts of all VMs that comprise my VDI pooled collection, my connection broker and my RDVH computer.

When I try and connect, it fails and in the event log I see it is being rejected based on the target IP address:

The user "DOMAIN\user", on client computer "sourceIP", did not meet resource authorization policy requirements and was therefore not authorized to resource "VDI IP". The following error occurred: "23002".

If I configure the RAP to allow access to any resource it works.

Then I tried configuring the RAP using a local RD Gateway managed group instead, I added the FQDN of my VDI VM and Netbios name. No luck I get the same rejection.

If I add the IP address of the VM also, it works.

Therefore using a RD gateway to connect to a pooled VDI do I need to specify both the machine names and IP addresses, or am I missing some configuration setting?

The machine names of the VMs in the VDI pool have both forward and reverse DNS entries and can be resolved by the Gateway successfully.

So to summarise :

RAP Policy with AD group - rejects access based on IP
RAP Policy with Local RD Gateway managed group with Machine name - doesn't work
RAP Policy with Local RD Gateway managed group with Machine name & IP address - works

This wouldn't be a problem but my VDI pool is sitting on a /23 DHCP range shared with fixed desktops. I don't want to enter every single IP address in, I would like to restrict the gateway to just my pilot VDI collection for now.

Anyone have any ideas?

Thanks,
Paul.

Couple of quick questions:

1. If the TS role holding system goes down, will users still be able to remote into the system at least for a short period of time while we rebuild it? Even new users?

2. If we install the role and CALs on one system and later want to move that role and CAL set to another system is that possible (2008 R2 for now).

3. What CAL pack sizes are available for 2008 R2? I can't find this easily online as each reseller seems to have different sets?

4. If you build a 2012 server with the RDS role and CALs, can 2008 R2 systems point to it as their license server?

5. If I buy 10 CALs for a certain new system (A) and users and another system (B) comes online that has 5 users that need access to it, can I assign max CAL assignments so that there's always 10 available for the users of the first system (A) and 5 for the second (B)? Say for example the first 8 people log into system A. Then 5 log into system B. Then 2 more into system B but those are not the last 2 that need access to system A. Now when the last two users who need access to system B try to log into it, all 15 CALs would have been used up. Obviously we'll need 12 total anyway, but we want to make sure the 10 original users have one for when they access system A. Hope that made sense! :)

We have a windows server 2008 R2 machine. How many "free" licenses are we allowed before we are required to purchase the RD CALs? I was informed that it was 2 but would like to get some confirmation. The connecting machines are running windows 7 and pretty soon we will be outside the grace period.

The licensing mode for the Remote Desktop Session Host server is currently not configured.

Hi,

I have 1 2003 terminal server in my 2008 AD domain. I create users with roaming profiles: when users logon onto win2008 terminal servers all is gone well, but when I try to logon onto the 2003 TS I reach this message.

"Windows did not load your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Windows did not load your profile because a server copy of the profile folder already exists that does not have the correct security. Either the current user or the Administrator's group must be the owner of the folder. Contact your network administrator."

What I can do?

thanks in advance