Channel: Forum Remote Desktop Services (Terminal Services)

Multiple password policy in Active Directory Domain



We have a single forest, single domain AD environment. A password policy has been set through 'Default Domain Policy'. 

We would like to implement a second password policy with different complexity requirements. As per the official Microsoft document, this can be achieved through a Fine-Grained Password Policy.

Please confirm that there are no such system limitations and that another password policy can be configured for application administrators.

Kindly respond at your earliest.


RDS Server 2016 & SSL's


Hi everyone

We have recently renewed our SSL wildcard (GoDaddy) certificate and have successfully installed it. However, we now have a problem where some users are unable to connect, and I suspect it's an issue with SSL and possibly something I've not done correctly. Below is a brief overview of the RDS deployment:

7 Servers - 1xGateway/web access, 1xConnection broker/licensing, 4xdesktop hosts and 1xapplication host.
SSL Wildcard purchased from GoDaddy and assigned to each server.  CN *.abcd.co.uk

Server FQDN (as seen from connection broker) is server.ad.domain.com (I think this has changed since adding the new SSL from server.abcd.co.uk but can't be certain).
Forward looking DNS A record abcd.co.uk set to private IP for gateway and connection broker servers.

We have a mixture of W7 & W10 Pro clients, a large number of HP thin clients and a few Apple Macs.

Connecting internally seems to work for Windows users and some thin clients, but the Apple users and some of the HP clients cannot get on. If we change the Gateway settings from defined to automatically detect on the connection broker, the Apple clients work but not some of the thin clients.

I am convinced the root cause is the way we have configured our Wildcard SSL, which has affected the gateway and other settings.

Unfortunately, I cannot find any literature which gives in-depth instructions on how to configure and assign SSL certificates from start to finish for an RDS deployment.

Prior to us renewing the certificates, everything was working fine.

If there is anyone who can advise, then I would be grateful.

Regards

Thackers

Remoteapp getting server popups


I am using a RemoteApp application from a Windows Server 2019 setup. During this RemoteApp session I am getting a popup concerning upgrading a Malwarebytes subscription on the server.

I do not want users using a remoteapp to be seeing popups from the server ... how do I get rid of them from showing?

Removing a single keypack RDS CALs from licensing server AND re-using them


Hey RDS techies,

I have a license server with 30 Per Device CALs installed on it. I've got another 45 Per User CALs now, but by mistake I have installed them as Per Device CALs on the same license server, which created another keypack ID in licensing manager for these 45 CALs. All these 30+45 CALs are issued now; however, I would like to remove this 45 Per Device CALs keypack now and install them as Per User CALs.

Is it possible? I'm not sure if the "Convert partial/full licenses" option that is shown in licensing manager works here!

Also, I have come across the below commands to uninstall particular keypacks from licensing manager:

Get-WmiObject Win32_TSLicenseKeyPack

wmic /namespace:\\root\CIMV2 PATH Win32_TSLicenseKeyPack CALL UninstallLicenseKeyPackWithId X

So, do these commands give our RDS CALs back once it uninstalls them from a particular keypack?

I was thinking that this only removes the entries from licensing manager but doesn't give our CALs back to re-use them!

Any help in clarifying these would be very helpful. Thanks in advance!

Virtual IP addresses in Remote Desktop Session Host


I am having trouble with 2016 Server configuring IP Virtualisation, running as a VM on a Hyper-V host.

If I use a DHCP Server I get the following error:

"Remote Desktop IP Virtualization could not acquire an IP address for session ID 2.  Error code: 0x800714CA"

(If I time it correctly on a Cisco 500 switch I can see the IP address being allocated before it aborted.)

If I try to use a static IP configured in the registry I get the following errors in the log:

Remote Desktop IP Virtualization could not load C:\WINDOWS\system32\TSVIPool.dll. Error code: 0x80070002

An error occurred when the computer tried to start Remote Desktop IP Virtualization: 0x80070002.

I followed the following guides (links removed):

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Using Static IP Addresses for Remote Desktop IP Virtualization


I have found this, which may describe my issue for the static IP.

https://support.microsoft.com/en-gb/help/2402260/possible-delays-while-assigning-virtual-ip-addresses-in-remote-desktop

However, what does it mean when it advises: Workaround: Configure RDS Session Initial Program (Startup program) to run with a startup script (logon script) and introduce a 1-3 second delay into the execution of any process?

What do I have to do to implement the workaround? Or are there any other suggestions?

 

RDS 2012 to 2016 upgrade - RDCB problem


Hi,

I am working in a test lab, testing scenarios for the upgrade of an RDS farm from 2012 to 2016.
I removed all RDCBs except one and did an in-place upgrade, which completed successfully.
Tested everything and all worked OK.

Then I did an in-place upgrade of the second RDCB, which completed OK.
After that I added the second upgraded RDCB to the deployment.

After that I'm having problems with accessing resources on RDWeb.
Clicking on an icon in the RDWeb window, I get an error that says:
"Your Computer can't connect to the remote Computer because of the Connection Broker couldn't validate the settings specified in your RDP file. Contact your network administrator for assistance".
The event log on the second RDCB gives an error in the TerminalServices-SessionBroker hive, Event 802:
"RD Connection Broker failed to process the connection request for user *****
Farm name specified in user's RDP file (hints) could not be found.
Error: The farm specified for the connection is not present."

I removed the one round-robin DNS record which was added second to the RDS farm, and I re-established that the RDS farm is working OK.
But I'm not able to find the root cause of the problem, which involves the second upgraded RDCB server.

Does someone have a clue what is wrong here?

RDS Security and Configuration


Hello All,

We have deployed a new RDS environment with Server 2019. We have also incorporated MFA with this new deployment. Since Windows 7 support is about to end, we have decided to only allow TLS 1.2. I have configured all of our servers in the environment with only this protocol enabled and I have enabled only GCM TLS 1.2 ciphers, as the CBC ciphers no longer provide forward security. Once I had everything configured I started testing. I could connect no problem from any of the following OS's: Windows 10, Android 9, and Mac IOS. The only OS I had a problem with was Windows 10. Go figure. When the user signed out of the desktop the screen would stay black. The user would have to open Task Manager on their machine and end the RDP task to resolve the issue. I checked the Gateway server while the screen was black to see if the connection was hanging open or something, and no, it was not. According to the connection manager and the logs, the user was logged out and the connection was closed successfully. After some testing I found the only way to resolve the black screen after log off issue was to enable the following cipher:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

or its 128 counterpart. This removes the forward security aspect from my server and can allow a person to compromise the site or credentials at a later time.  

I have not found a way to use better security and continue to use RDS reliably. I will continue testing; however, if someone has any information about this I would greatly appreciate it. If I find something I will post back.

Thanks,

Scott

Profile Disks Do Not Load for One of the Two RDS Session Hosts in an RDS Farm


ALL SERVERS ARE WINDOWS 2016 STANDARDs, the hosts and VMs alike.

I have two (2) Hyper-v Physical Hosts, HV1 & HV2 with plenty of horsepower and 128GB of RAM.  All my participating servers in the FARM are VMs.  HV1 hosts RDSH1 and HV2 hosts RDSH2, which, as the names indicate are Session Host Servers.  HV2 also hosts RDSB, which is the Connection Broker, Gateway, License Server, and Profile Disk Server.  The total number of users is around 55; very low number by any extent of imagination.  After working flawlessly for a couple of months, recently, every user that ends up on RDSH1 gets the TEMP profile.  

Each Session Host Server (RDSH1$ & RDSH2$) has the same Security rights to the Profile Disk Share.  All other configurations are 100% the same.  The only difference is that RDSH1 is on a different physical server, but RDSH2 is on the same physical server as the Profile Disk Server/Share.  Both Physical Hosts are connected physically to the same Cisco Enterprise switch, and the servers and the switch all are only 1 year old.  For now, I have taken RDSH1 out of the equation and all is fine, but I really want to add it back in for many compelling reasons, specifically for the sake of eliminating "single point of failure".

I have been in this field for 20 years, and still know very little, but, for the sake of all, please do not post "no-answer" answers if you do not know the answer, for the sake of accumulating points-- whatever they are worth.  I rarely post anything, because a whole lot of people post nonsense as answers or ask questions that are already in the "Introduction".

But for those who really understand Remote Desktop Server Services (2012 and up), as well as the Virtualization and Physical Layer's aspect of networking, I greatly appreciate the help. 

I have been researching this for weeks.  My gut feeling tells me this is a design flaw by MS.  But who is to say?  And, I have very little faith in MS to come out and admit it.



Azure VM - RDS deployment - "Unable to connect to the server by using Windows Powershell Remoting"


Hi Guys and Girls,

I'm quite stuck here, and hopefully you can come up with some nice ideas on this matter. I've got a VM deployed in MS Azure (Type: D2_V2) and I'd like to deploy Remote Desktop Services onto it.

All 3 components - Connection Broker, Session Host, Web access would be the very same server as it would be enough for us.

When I try to run the deployment from the server manager, it gives the well known "Unable to connect to the server by using Windows Powershell Remoting" after selecting the connection broker server.

To make things easier, let me sum up what I have done already:

-No proxy is in place

-The server is in a domain

-I am added as a member of the local Administrator group

-Enable-PSRemoting -Force

-Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

-Creating firewall rules in group policy to enable connection

-Listener is in place

-Allow remote server management through WinRM is enabled in group policy

-Turning off IPv6 did not help

-Even psremoting is working: I can enter a psremote session from another pc on the network aiming the server - but when I run "New-SessionDeployment -ConnectionBroker servername.domain ....." I receive the same "Unable to connect to the server by using Windows Powershell Remoting" error

I've restarted the server after each settings adjustment of course.

I really am a bit clueless here on what else can I try to do. Any idea is welcome.

Server 2012 R2 RDS sessions keep disconnecting


Hi there

Having issues with an RDS connection to a new 2012 R2 Server, fully updated, issue occurs to all Clients simultaneously. Sometimes brief disconnection (2 - 3 seconds) sometimes a lot longer.

Already performed the "keep alive=1" group policy hack but still happening.

Event ID 40 reason codes 0 and 5 mainly - yet my licensing all checks out OK? I have 50 RDS CALs but only 7 users - I've split them into 25 per device and 25 per user to see if it makes any difference (No).

However, the License Diagnoser states that ZERO licenses have been issued? Is this a problem? Too much of a Noob to know myself.

Many thanks

RD session connections windows server 2016 - two computers couldn't connect in the amount of time allotted


We have RDS installed in Windows 2016 Standard edition and use a session-based desktop deployment.

It was working fine for about one year. About two weeks ago, we started to have the following issue:

This computer can't connect to the remote computer.
The two computers couldn't connect in the amount of time allotted. Try connecting again. If the problem continues, contact your network administrator or technical support. 

When this issue happens, we find some users are disconnected in the RDS-Collections-QuickSessionCollection. But we cannot log/sign off those users; they are always showing there.

BTW, we can sign off those users in the Task Manager-Users.

We can solve this issue by restarting the server. How to fix it without restarting the server?

Thanks!

Remote Desktop Server and domain Controller on the same server


Which Windows Server versions allow installing the Remote Desktop Server and the Domain Controller role on the same server?

Windows Server 2008 R2 does; what about later versions?

Regards

Mario

Windows Server 2012 R2 Remote User


Hi 

Can anybody share their views if they have experienced a similar issue with a remote user? When one of the remote users tries to connect remotely to the server, her Start button and taskbar freeze. This issue clears when we restart the server, but after a couple of weeks it comes back again. It's quite frustrating. Can anyone share their ideas if they have experienced this kind of issue?

This issue happens only with one user among 10-12 users.

Regards

Resham

RDS Server (2016) design requirements for TLS 1.2 only.


Hi All,

The basics...

I want to build 3x "jump box" RDS Servers in 3x different departmental subnets with firewalls between each subnet in a single domain, single forest.

Currently only the required ADDS, DNS and DHCP network ports / flows are allowed between each departmental subnet. All other services for each department sit within their own subnets....RDP will be the only exception...I need to be able to assign security groups the ability to RDS into either DEV / UAT / OFFICE networks from the OFFICE network where our users log into and sit from a domain perspective.

I have got all 3 jump box RDS servers working but only if I leave TLS 1.0 / 1.1 / 1.2 enabled on the RDS servers...my company security policy requires us to use TLS 1.2 only and have the older two protocols disabled.

Where and how can this configuration be made and changed? In my EventVwr checks and online reading it seems I need to address 1 or 2 or both of the below to work.

1. WinRM

I'm currently unable to PSRemote from one subnet to another. Will addressing the required ports and directional flows for WinRM resolve this alone or...

2. TLS Requirements

Do I need to somehow address TLS 1.2 config - this confuses me as I thought TLS 1.2 was default for Server 2016?

As always, thanks in advance for your time...

durrie.


Windows Server 2019 and RemoteApps - "The number of local display monitors exceeds the limit allowed by the remote computer" error


Hello -

I am getting a strange error when I attempt to access an application via RemoteApps. The error is "The number of local display monitors exceeds the limit allowed by the remote computer."

I have 6 monitors. The RemoteApps server has the display limit set to the default of 16. I am running Server 2019 as my desktop and the RemoteApps server is also running Server 2019. For all my Googlefu, I've not been able to find much about this specific error.

First, I'm assuming that the RemoteApps display limit is for all concurrent connections? Is this accurate? If this is the case, it would make sense that my 6 monitors put us over the 16 screen limit, as my co-workers that use this RemoteApps server all have multiple screens.

Second, can the display limit for RemoteApps be increased from 16?

Any advice is appreciated. Thanks.



RDS gremlins: Error 23005, "RD Failed" until reboot of broker/gateway


Setup: Virtualization Host - Physical Dell PowerEdge R540 w 192gb RAM, 2x Xeon procs (can't remember the model, 16 cores total) running Win Server 2016 + Hyper-V Service RD Gateway, RD Broker, RD Web Access, RD Licencing - One VM running on the Virtualization Host. Windows Server 2016, 16gb RAM, 4CPU cores.

Right now I only have 10 Windows 10 VMs spun up.

Problem #1: At seemingly random intervals, users are unable to connect to their VM via their physical Wyse thin client terminal. After logging in, the client contacts the broker, attempts to sign into the machine and then says "RD Failed". After rebooting the broker server things go back to normal for a few hours, then the "RD Failed" messages return again.

The weird thing: everything works fine if they try to connect from RD Web Access.

Problem #2: Again, at seemingly random intervals, users are receiving messages when logging into their terminals saying: "The requested session access is denied."

The weird thing: this is only sometimes, and usually goes away if they either a) leave the error message on their screen or b) exit and try again.

I'm honestly not sure where to go from here. I thought it could be a policy or permission issue but it only does it sometimes?

Event Viewer messages collected when experiencing problem #1:

The user "DOMAIN\USER", on client computer "10.10.12.41", met connection authorization policy and resource authorization policy requirements, but could not connect to resource "COMPUTERNAME.DOMAIN.COM". Connection protocol used: "HTTP". The following error occurred: "23005".

The user "DOMAIN\USER", on client computer "192.168.4.231", met RD resource authorization policy (RD RAP) requirements but the network resource "10.25.20.197;10.25.20.197" did not meet the requirements, so the connection was not authorized. Try connection to another network resource or possibly lower RD Gateway security by modifying the RD RAP requirements for the connection to be authorized.

RD Connection Broker failed to process the connection request for user DOMAIN\USER. Error: Element not found.

RD Connection Broker failed to process the connection request for user DOMAIN\USER. Load Balancing failed OR Specified endpoint could not be found. Error: Element not found.

Again, after a reboot of the broker/gateway server, everything is back to normal for a few hours.

I'm so lost.

RD License manager report does not complete

I am trying to run a licensing report on my 2012 licensing server and it just sits there at creating report. I have tried using this command but it just sits there as well:
Invoke-WmiMethod -Class Win32_TSLicenseReport -Name GenerateReportEx

Any suggestions?

RDGateway in Parent/Child domain


Hello, I have a parent/child domain configuration. All of my RD Infrastructure machines (Gateway/Web cluster, Broker, Licensing) live in the Parent.domain. All of my Sessionhost servers, and users/groups are in the Child.parent.domain.

When I create my rule in the gateway, users in the child.parent.domain can only connect to their server if "Allow users to connect to any network resource" is selected in the RAP.

If I just leave the user group (located in the child.parent.dom) the connection goes all the way through to "Loading Virtual Machine" and acts as if it will connect, then at the last second fails out with the standard "User does not have access" error.

I think the solution is similar to the issue in this post: https://social.technet.microsoft.com/Forums/en-US/b9111b86-6679-46df-92c6-d03b7dd0a186/rd-gateway-cap-and-child-domain?forum=winserverTS but since my setup is slightly reversed I can't seem to get the group organization across the child and parent domains correct.

Does anyone have any thoughts on what I might be missing?
Thanks!

Ian

RDWeb connecting to wrong server


Hello all,

I have set up a "loadbalancer" (Server 2016 with the RD Connection Broker, RD Gateway, RD Licensing and RD Web Access roles).
We have 2 "workers" with the RD Session Host role installed.

When using mstsc.exe to connect to the collection, everything is working fine (using a gateway) but when trying to start the desktop or a published app via RDWeb, it's connecting to the loadbalancer instead of to the collection (one of the brokers).
The users then get an error that they don't have rights to connect to the loadbalancer (obviously).

Where could this error come from?

RemoteApps cannot access \\tsclient\ drives, File Type Associations won't launch RemoteApp


Hello!

I have a RemoteApp host established, and RemoteApps work well.  When I associate any of the RemoteApps with a file type, the RemoteApp starts to launch, but I receive this error:

When I try to access \\tsclient\ drives from a RemoteApp, I receive this error:

However, if I RDP directly to the host, I am able to access the \\tsclient\ drives from the applications.  The problems only occur when using applications as RemoteApps.

In the Applications and Service Logs \ Microsoft \ Windows \ RemoteApp and Desktop Connections \ Operational event log, I receive event 1041 - Remote Application (Excel) is launched on RemoteApp and Desktop Connection (RemoteApp Host Name) but no stored credentials are used for single sign on.  (Reason - RemoteApp and Desktop connection does not exist).

Using RemoteApps works fine for the 20-or-so test users.  They all have the same problems, on any machine, when using \\tsclient\ drives in RemoteApps, and receive the same error when trying to open files that have a file type associated with a RemoteApp.

I suspect the two problems (not being able to access \\tsclient drives in RemoteApps, and not being able to open files via file-type-associations in RemoteApps) are related to SSO.

I'd appreciate any thoughts about how to resolve these.

Thanks!

Scott
