Channel: Forum Remote Desktop Services (Terminal Services)

Windows Remote Desktop Protocol Weak Encryption Method Allowed - Vulnerability Scan


Hello,

We ran a vulnerability scan on one of our servers recently from a third party. It showed up a few vulnerabilities. I am able to fix most of them, but I got stopped at the vulnerability "Windows Remote Desktop Protocol Weak Encryption Method Allowed".

Ours is Windows server 2012 R2, I have found fixes for Windows Server 2008 but not for Server 2012 R2.

The solution provided by our vendor is: RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider. To configure RDP encryption methods, the 'Terminal Services Configuration' snap-in can be launched in mmc.exe. In the 'Terminal Services Configuration' properties dialog box, General tab, for the Encryption Level 'High' should be selected.

Does anybody have any idea how to fix this in Windows Server 2012 R2?


Mallikarjuna YH, Windows / Exchange
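An added example, not part of the post above or of the vendor's write-up: on Windows Server 2012 R2 the Terminal Services Configuration snap-in no longer exists, but the settings it used to write still live under the RDP-Tcp listener key in the registry. The PowerShell below (function names are my own) reads that key, reports which of the three values would trip a "weak encryption method" finding, and sets them. Run it from an elevated prompt, with -WhatIf first.

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits and hardens the RDP-Tcp listener on Windows Server 2012 R2.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Value meanings as the old tsconfig.msc snap-in presented them.
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Get-RdpListenerSecurity {
    # Read the three values a scanner's "weak encryption method" finding depends on.
    $p = Get-ItemProperty -Path $RdpKey
    [pscustomobject]@{
        MinEncryptionLevel = [int]$p.MinEncryptionLevel
        EncryptionName     = $EncryptionLevels[[int]$p.MinEncryptionLevel]
        SecurityLayer      = [int]$p.SecurityLayer
        SecurityLayerName  = $SecurityLayers[[int]$p.SecurityLayer]
        NlaRequired        = ([int]$p.UserAuthentication -eq 1)
    }
}

function Test-RdpListenerSecurity {
    # Returns one string per finding; an empty result means the listener passes.
    param($Setting = (Get-RdpListenerSecurity))
    $findings = @()
    if ($Setting.SecurityLayer -ne 2) {
        $findings += "SecurityLayer=$($Setting.SecurityLayer) ($($Setting.SecurityLayerName)): native RDP security can still be negotiated; set 2 so the session is protected by TLS"
    }
    if ($Setting.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($Setting.MinEncryptionLevel) ($($Setting.EncryptionName)): weak (56-bit) RDP encryption can be negotiated; set 3 (High) or 4 (FIPS)"
    }
    if (-not $Setting.NlaRequired) {
        $findings += 'UserAuthentication=0: Network Level Authentication is not required'
    }
    return $findings
}

function Set-RdpListenerSecurity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(1, 4)][int]$MinEncryptionLevel = 3,   # High
        [ValidateRange(0, 2)][int]$SecurityLayer      = 2,   # SSL/TLS
        [switch]$RequireNla
    )
    if ($PSCmdlet.ShouldProcess($RdpKey, "MinEncryptionLevel=$MinEncryptionLevel SecurityLayer=$SecurityLayer")) {
        Set-ItemProperty -Path $RdpKey -Name MinEncryptionLevel -Value $MinEncryptionLevel -Type DWord
        Set-ItemProperty -Path $RdpKey -Name SecurityLayer      -Value $SecurityLayer      -Type DWord
        if ($RequireNla) {
            Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
        }
    }
}

# Usage (elevated): show findings, apply the fix, re-check. Drop -WhatIf to apply.
Test-RdpListenerSecurity
Set-RdpListenerSecurity -MinEncryptionLevel 3 -SecurityLayer 2 -RequireNla -WhatIf
Test-RdpListenerSecurity
```

Two checks before trusting the result. If Group Policy sets "Set client connection encryption level", "Require use of specific security layer for remote (RDP) connections" or "Require user authentication for remote connections by using Network Level Authentication" (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security), the policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services win and a registry edit here is reverted at the next policy refresh, so set them there instead. And moving to SecurityLayer 2 only makes the channel TLS; which TLS versions and cipher suites the listener accepts is governed by the SCHANNEL settings, which a scanner may report separately. Changes apply to new connections only.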


RDS / RODC


My apologies for this in advance. We are exclusively using 2012 R2. I have a DMZ network with a firewall between the internal and DMZ resources. I have set up the subnets for each in AD Sites and Services.

I have an RODC sitting in the DMZ with the appropriate ports open per https://technet.microsoft.com/en-us/library/Dd728028%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

The RODC has been set up as a GC server in AD S&S, and the RODC has registersitespecficdnsrecordsonly set to false per https://support.microsoft.com/en-us/kb/977510 and I have confirmed that the new DNS records exist for the RODC (I did allow writes to the DNS system for the RODC). The RODC is also acting as the central NPS server

There is a member server sitting out in the DMZ that is acting as an RDG and a RD Web server. This server has been allowed communication on 3389 (to all internal resources) and 5504 (to the RDS CB). We also have a temporary rule in place that allows ALL network connection through the firewall for that member server (for AD join and configuration). I will call this the "temp rule" later on. All internal to DMZ traffic and DMZ to DMZ traffic is unblocked.

Here are my 2 issues:

1) When I disable the temp rule, I watch the firewall and find that there are still a lot of attempts to reach the RWDCs via 135 and the WMI port, as well as several other strange ports, even though there is an RODC server available. This also appears to intermittently cause problems with users not being able to connect to internal resources.

2) When I disable the temp rule, I go to the RDG and look at the CAPs and RAPs and all of the AD groups are missing. The rules exist but they no longer have an AD group attached. I try to re-add the AD groups to the RAPs and CAPs and this is where it gets weird. I can search for the groups and see the results of the search correctly. All AD groups are found just fine, but when I hit OK to actually apply the groups, the CAP/RAP does not apply the group (the fields stay blank). I have to re-enable the temp rule and reboot twice to be able to reapply the groups to the CAPs/RAPs.

I'm going out of my mind here. I have been searching for 5+ days on how to get this up and running. Am I missing something obvious? Did something go wrong with the deployment and should I just redeploy the web/rdg server? ANY help would be greatly appreciated.

RDP using Smartcard fails with NLA for non-domain members


We have to administer Windows 2008 R2 servers which are in domains we are not members of - typically domains that support a particular application. We have DoD smartcards (CAC) and we admin from our Windows 7 desktops. If we disable NLA, we can CAC-authenticate over RDP just fine. With NLA enabled, though, we get "The remote computer you are trying to connect to requires NLA but your Windows domain controller cannot be contacted to perform NLA".

My assumption would be that the Win7 desktops would never know where the particular ADCs are, since we're not domain members, but that they actually need to verify the DoD root cert that signed our CAC. Said root cert has been installed on our desktops and on the servers in the domains.

What is necessary to get NLA with smart cards working for non-domain members?

Edit: With NLA enabled I *can* connect over RDP from one of the domain members to another, so this really seems specific to the non-member desktop settings and how it performs NLA


Only redirect local drives not network drives


We have a new RDS 2012 R2 implementation and would like to know if there is a way to only redirect clients' local drives and not their network drives. We have logon scripts to take care of the network drives, and the redundancy causes confusion and performance issues. On the performance issue: if they choose the redirected network drive it takes 5 minutes or longer to view the contents of a directory, versus instantaneously if they use the drive from the logon script. On our W2K3/Citrix implementation that seemed to be the default behavior, and we would like that in RDS 2012 R2.

Thanks.

Server 2012 R2 RD Web IIS configuration

I can't seem to get my redirect to work correctly. I simply wanted to redirect users on the internet who use this address: remote.landisoffice.com to https://remote.landisoffice.com/rdweb. The way I understand it, it's pretty simple: you open IIS, browse to Sites/Default Web Site and select HTTP Redirect. I have seen two different explanations of doing this, either redirecting to /rdweb/pages/default.aspx or using the entire URL https://remote.landisoffice.com/rdweb/pages/default.aspx. Neither way is doing what I am trying to accomplish.

Is there a document that describes what the defaults would be in IIS for Default Web Site, RDWeb, and Pages? Specifically for each one: SSL, authentication and HTTP redirect. As far as I can tell, everything else is set correctly. External DNS is set for remote.landisoffice.com, and so is the SSL cert (GoDaddy).

Currently, if I go to remote.landisoffice.com I get a 403 Forbidden error. If I go to remote.landisoffice.com/rdweb I am redirected appropriately. If I try to browse the site from IIS on port 80 from the server itself, I get a 403.14 Forbidden error and the URL is http://localhost/. If I try browsing from IIS on 443, I am redirected to https://remote.landisoffice.com/RDWeb/pages/en-US/login.aspx?ReturnUrl=/RDWeb/pages/en-US/Default.aspx and can log in.

I'm only using two VMs for Remote Desktop Services: the license server is a domain controller, and all other services are running on a member server that does nothing else.

Set up licensing mode Windows Server 2012 R2 in a workgroup setting


Running Windows Server R2 Standard Edition on a Lenovo ThinkServer.  Trying to get licensing mode set up, and we're not running in a domain setting.  One server, 10 user network, so no real need to set up a DC that I can see.

Trying to set up licensing mode before the 120 day grace period expires.  We're using a per device licensing mode.  I thought installing the licenses took care of setting up licensing mode, but it apparently doesn't.

Anyway, when I fire up Server Manager, and navigate to the section that pertains to Remote Desktop Services, I get a "you must be logged on as a domain user to manage servers and collections."  When I ran the "Configure your server" wizard when setting up the new server, it didn't show Active Directory as one of the requirements for setting up Remote Desktop Services.

What steps do I need to take to set up licensing mode?  What do I specify as a licensing server?  When I set up our old Server 2003 server, it filled in the licensing server information automatically.


-=> Carroll McAllister <=- coming to you "almost live" from Searcy, Arkansas

Windows 2012 R2 Firewall Blocking Remote Desktop


I have the port 3389 incoming rule setup, but I cannot RD from a box in the public zone.  My machine is not actually public (it is on my internal LAN), but it is recognized by Windows 2012 R2 as public.

I have the standard Remote Desktop (TCP-In) incoming rule setup.  I can remote desktop fine if I only turn on the firewall for Private and Domain.  If I make the Public firewall zone active (i.e., ON), I immediately drop my RD connection.

I've tried to troubleshoot with no luck.  The target box is a VMware VM but I don't know why that would matter.

Thanks!

IE favorites not populating in TS session

We have several terminal servers.  They are all the same Windows Server Enterprise and each server is using IE 9.  When my users connect to one server their IE favorites are not populating, but they are showing up on all the other servers...it started after windows updates.  I verified all the servers have the same updates.  Any suggestions would be greatly appreciated.

Install Remote Desktop Services on computer with Remote Desktop Gateway


How bad of an idea is it to install the Remote Desktop Services role on a computer that is currently running Remote Desktop Services Gateway?

JamesNT


ATTENTION MODERATORS: I do indeed mark responses as answers after I have had time to test said response and verify that it works. Please do NOT assume you speak on my behalf by marking responses to my questions as answers. Mass-proposing responses as answers gets on my nerves, too. Thank you.

RemoteApp Outlook Password authentication window missing/focus problem


Hi,

we have the following Problem:

Windows Server 2012 as Session Host

Outlook 2010 Professional installed and published as a RemoteApp. We don't publish the desktop.

We are starting the Outlook RemoteApp to configure the Outlook profile for the first time (new user) with the wizard.

Everything is working fine. Autodiscover -> click, click, ready.

Outlook is now starting and starts to sync. Then the first password authentication is required.

The problem is that the window to type in the password doesn't show up. I guess it's a window focus problem.

It doesn't matter if the connecting client is Windows 8 or Windows 7.

Our workaround is to log in directly to the server desktop, where the password window is then shown.

I don't have this problem with Windows Server 2012 R2 and Office 2013.

Just want to know if anybody experiences the same problem or perhaps has an idea to fix it =)

thanks & greets CZ



Server 2012: Local User Profile Disks & DFS

I've been thinking of setting up two Remote Desktop Servers, then using DFS to ensure the Local User Profile Disks are highly available. Is this a supported or feasible scenario?

RemoteApp not launching on new RDSH collection


Hi,

I have a 2012 R2 session host that has been added to a new app collection on a 2012 rdp gateway host. The new R2 session host is the only host in the new collection I made for this purpose.

I added the session host without errors in the add host wizard.  When I publish a new app from that collection, it gets published without errors.

When I try to launch the app from RD Web, the app fails to launch. I can't see any errors on the RD Gateway or the session host. Other apps launch fine from other collections on other session hosts.

This is really weird for me; I've reviewed a lot of settings regarding this. I've also removed the host, deleted the new collection and re-added everything again. Same issue. Also, I confirmed it's not specific to the app I'm publishing: same issue when I publish Calculator.

Is there anything in the registry I can confirm that the collection and host has been setup correctly?  I'd like to confirm that the wizards actually applied all the operations when I added the host and collection.

Also interesting to know I can rdp directly to the new host, obviously.

Anyone have any similar issues?

C:\Users\\WINDOWS doesn't get created like it should do


Hi,

I have an issue where the WINDOWS folder isn't created under the user's profile when they log in. We use an RDS server for RemoteApps and some apps store their INI settings in this location. What I find strange, though, is that all the users in our domain get the folder created, but all the users in the trusted forest that RDP to this server don't get the folder created (everything else like Desktop, Documents, Favourites and so on gets created fine). The problem is even worse: if I manually create that folder and place the required INI file in it, the application doesn't seem to see it/use it, yet it works fine for users of my domain. The server is 2012 R2.

Any reason why this doesn't get created for users from another forest/domain? Am I missing some policy setting or something?

thanks

Steve

Can the system administrator at work remotely see what I'm doing on my screen?

Our internal network is governed by a Windows 2008 R2 server. I'm just curious if the user with administrator rights can actively see what I'm doing on screen. We are running desktop virtualization, I believe.

Map network drive for RemoteApps to use (Windows 2012 R2 RemoteApp)


Hi all,

I am testing RemoteApp on a single Windows 2012 R2 server and I want the applications that I serve out to show a couple of mapped drives when they select "File" -> "Save As". I've tried putting the RemoteApp server into its own container in AD and using a domain Group Policy in loopback replace mode to call a login script to map the drive via a batch script, but had no luck. I also tried another domain group policy related to Terminal Services sessions where it should "start a program when the person logs in" and pointed it to my batch script, but it didn't work either. I also tried setting a local group policy on the RemoteApp server to have it call my batch script, but had no luck. I also thought, "hey... maybe cmd.exe needs to be published to the user as a RemoteApp", but that didn't help. I also tried publishing "explorer.exe" and I can manually map the drives that way, but I want it to be automatic.

Any thoughts?

Thanks


Unexpected Issue


RDS 2012 R2. We have the following environment:

  • 1 - rds gateway (licensing and rd web)
  • 2 - connection brokers
  • 2 - session hosts (load balancing)

All these are Hyper-V 2012 R2 VMs. We also use UPD and we use RemoteApp publishing. So, session host 1 has never worked correctly since deployment. The problem with SH 1 is users would always get temp profiles at login. So I deleted the SH 1 VM using the following command:

Get-VM "VM Name" | %{ Stop-VM -VM $_ -Force; Remove-VM -vm $_ -Force ; Remove-Item -Path $_.Path -Recurse -Force}

This removed the VM, hard disk and XML file. Then I reinstalled 2012 R2 and deployed the session host role to the server. Logged in with domain admin and was given a temp profile. SH 2 was working fine, so I left this project and moved on to some other things while I thought about what to do next. I picked the project back up a couple of days ago and didn't have anything to do but delete the VM again in the hopes this delete would somehow delete all traces of the VM. So I used the same command from above and then verified the VM, hard drive and XML file were gone; they were. So I created another VM and installed 2012 R2 again. Did Windows updates and logged in as domain admin and was given a temp profile!

You can see why I am thinking some configuration trace is left somewhere! The question is where? Is it possible the connection brokers are holding something related to session host 1? When SH 1 was removed, you would get "server SH 1 is no longer in the pool..." when you tried to manage the deployment in Server Manager. I found:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/cee15edd-d1f5-4393-aafa-93e8e4f8e519/remove-already-deleted-session-host-server-from-deployment-configuration?forum=winserverTS

in regards to that issue and wonder if the connection broker is holding some info that keeps giving the temp profile issue. Anyway, I am at a loss on how 2 installs can give this same issue every time. Any ideas?

This seems to affect only domain users! Local admin has no problems when logging in

RD Web Access / RD Session Host Problem


I have RD Web Access enabled on an RD Session Host server, per instructions in https://technet.microsoft.com/en-us/library/cc772214.aspx. When attempting to configure RD Web Access using a RemoteApp source, I get the message "RD Web Access was not able to access Sheds.SoundDataHosting.com:60383. Verify that the RD Session Host server name was entered correctly, that the server is running and connected to the network, and then try again."

I've also tried Localhost/Sheds.SoundDataHosting.com:60383, and the name without the port.

Obviously I'm missing something here.  Can anyone help?

Server 2012 RemoteApp Trouble

I have one that has me completely stumped here, looking for suggestions.

I have a new RDP deployment on 2012 with the following:
2 Connection Brokers with HA enabled to SQL
2 Session Hosts
2 Gateways

The deployment seems to be healthy. No errors during setup, whatsoever, certificates are all applied. I've built smaller non HA deployments in the past and have never really had any problems before.

The issue is that the RemoteApps are broken. After creating the collection, then publishing WordPad for example, the resulting RDP file that is downloaded when you access rdweb is incomplete.

If I look inside, it's missing the signature section to sign the RDP file, missing the gateway information, and even the full address line. So needless to say the RDP file doesn't work.

Not really sure what to do here as 2012 builds the RDP file based on the information that you specify in the collection. I've tried removing the collection, re-adding it, but it still gives me this RDP file that doesn't have any connection information inside.

Any ideas on where to even start with this?

Solution for slow login and logout on a terminal server


Of course, this may not solve your particular problem, but if you check this out, you will be able to immediately tell if this is your problem.

I recently had a Terminal Server that when people logged in, it just about crippled the server, and it was also extremely slow to log out. It turns out that there can be thousands, or even hundreds of thousands, of HP keys in the following locations in a terminal server environment. They are dynamically added when users log in due to their local printers. Over time, they add up, and can cause great problems. So you can determine if you have the problem by just checking those locations.

HKEY_CURRENT_USER\Software\Hewlett-Packard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Hewlett-Packard
HKEY_USERS\.DEFAULT\Software\Hewlett-Packard

Even after deleting them, which can be done safely (if you have any doubts, export the key first, then test), eventually the problem will return, so here is my solution:

Create the following registry script in the C:\Windows\system32 directory and name it CleanupHP.reg

Windows Registry Editor Version 5.00

; A leading "-" inside the brackets tells regedit to delete the key and everything under it
[-HKEY_USERS\.DEFAULT\Software\Hewlett-Packard]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Hewlett-Packard]

Create the following registry script in the C:\Windows\system32 directory and name it CleanupHP_User.reg

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Hewlett-Packard]

Then create the following batch file in the C:\Windows\system32 directory and name it CleanupHP.bat

regedit /s C:\Windows\system32\CleanupHP.reg

Create the following batch file in the C:\Windows\system32 directory and name it CleanupHP_User.bat

regedit /s C:\Windows\system32\CleanupHP_User.reg

Open gpedit.msc and go to Computer Configuration > Windows Settings > Scripts and add "C:\Windows\system32\CleanupHP.bat" to the shutdown scripts.

Then go to User Configuration > Windows Settings > Scripts and add the second script, C:\Windows\system32\CleanupHP_User.bat, to the logoff scripts.


For more information: http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1302781474639+28353475&threadId=1247687


On Windows 2003 Server or Windows XP, you can install the User Profile Hive Cleanup Service to help close down sessions more quickly when you log out. It closes open file handles, remaps them to the default user, and runs as a service, set to automatic. It starts and stops itself as needed, but does not run continuously. It is not necessary on Server 2008 and Windows Vista and later as it has since been incorporated into the OS as the “User Profile Service”.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en (Note: The documentation correctly states that version 1.6d will not operate on 64-bit versions, but if you look closely, they are actually up to 1.6g as of this writing, which does support 64-bit.)

I have not yet tested this, but I am hoping that this is also why Microsoft and Windows updates may take so long.

All the best,

Kevin Cotreau

MCSE+I, MCNE
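An added example rather than the post's own scripts: the same cleanup in PowerShell, usable as the shutdown script with -Scope Machine and as the logoff script with -Scope User. Function and parameter names are mine and the backup directory is an assumption. Unlike the .reg files, it reports how many keys have piled up and exports each key with reg.exe before deleting it, so a cleanup that removed something a driver still needed can be rolled back.

```powershell
# Added example, not code from the original post. Counts, backs up and removes
# the Hewlett-Packard keys the post names. Run with -ReportOnly first.
param(
    # 'Machine' for the computer shutdown script (HKLM + HKU\.DEFAULT),
    # 'User' for the per-user logoff script (HKCU).
    [ValidateSet('Machine', 'User')][string]$Scope = 'Machine',
    [string]$BackupDir = "$env:SystemRoot\Temp\HPKeyBackup",   # assumed location
    [switch]$ReportOnly
)

$MachinePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Hewlett-Packard',
    'Registry::HKEY_USERS\.DEFAULT\Software\Hewlett-Packard'
)
$UserPaths = @('HKCU:\Software\Hewlett-Packard')

function Get-HPKeyReport {
    # One row per location: whether it exists and how many keys sit under it.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $exists = Test-Path -LiteralPath $p
        $count  = 0
        if ($exists) {
            $count = @(Get-ChildItem -LiteralPath $p -Recurse -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{ Path = $p; Exists = $exists; SubKeys = $count }
    }
}

function ConvertTo-NativeRegPath {
    # reg.exe understands HKEY_LOCAL_MACHINE\..., not the PowerShell drive syntax.
    param([string]$Path)
    $native = $Path   -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    $native = $native -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    return ($native -replace '^Registry::', '')
}

function Remove-HPKeys {
    # Export each key to a timestamped .reg file, then delete it; skip the delete if the export failed.
    param([string[]]$Paths, [string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $native = ConvertTo-NativeRegPath $p
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $file   = Join-Path $BackupDir (($native -replace '[\\:.]', '_') + "-$stamp.reg")
        & reg.exe export $native $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Backup of $p failed (reg.exe exit $LASTEXITCODE); leaving it in place"
            continue
        }
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}

$targets = if ($Scope -eq 'User') { $UserPaths } else { $MachinePaths }
Get-HPKeyReport -Paths $targets | Format-Table -AutoSize
if (-not $ReportOnly) { Remove-HPKeys -Paths $targets -BackupDir $BackupDir }
```

Run it once by hand with -ReportOnly to see the subkey counts before wiring it into gpedit.msc in place of the two .bat files. Exporting a key with hundreds of thousands of subkeys is not instant, so on a badly affected server do the first cleanup interactively rather than at shutdown, where the script has to finish inside the policy's script timeout. The shutdown script runs as SYSTEM, which is why the HKU\.DEFAULT branch is handled there; the logoff script runs as the user, so HKCU is the right hive for it.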

 

Around 450 Sessions limit on Windows Server 2012 R2 Remote Desktop Services Session Host without apparent bottleneck


Hi

We have an RDS farm with the following set-up (using Windows Server 2012 R2) to serve RemoteApps to our clients:

  • Two RDS Gateways
  • Four Session Hosts (24 physical processors and 512 GB RAM each)
  • User profile disks enabled
  • One RDS Licensing Server
  • Two RDS Broker Servers

The problem we are facing is that it seems like there's a "magic number" of about 450 connections (fluctuating between 445 and 455) per each Session Host.

Once this number is reached users start to report:

  • General session slowness (slow update of Remote App window contents)
  • Some users are unable to log in to their (new) session
  • Some users are connecting but presented with "empty" screen
  • Some users are getting (randomly?) disconnected 

When the issue happens, based on performance counters, the CPU is in range of 30%, RAM has about 200 GB free.

Processor Queue Length during the day is mostly within the "<2" range, with ~30% of the time going higher, up to 6 intermittently (not consistently), and with ~1.5% of the time being more than 10. (There's no continuous queue build-up.) So our understanding is that this is not a CPU/RAM limitation.

There were no limits on the concurrent number of sessions set on the Session Hosts on the software side, to my knowledge. Review of the Application/System/RdpCoreTs logs does not show anything really suspicious at the time the limit is hit; the errors/warnings in the event logs do not correlate with the timing of the problem.

We've been investigating this issue for several weeks now and it's still absolutely unclear what could cause such a limitation. Maybe someone has experienced similar issues.

Any suggestions are welcome.
