Quantcast
Channel: Forum Remote Desktop Services (Terminal Services)
Viewing all 27650 articles
Browse latest View live

How to get RDS to trust root CA certs

December 13, 2016, 11:29 am
$
0
0

Sorry for the long writeup,

TLDR; How do I deploy a cert from a root ca that will be accepted by it's own RDS roll

I have recently been tasked to configure a server 2016 RDS for remote app deployment.  I have successfully configured the remote app deployment.  It's a lot of fun and works great!

The problem is with the certifications.  I will need the login to be as seamless as possible (no logins or cert warnings) because it will be deployed to the shop floor.  I am very new to AD CS and I have been vigorously googling as fast as possible to try and catch up to speed. 

The RDS server is also the enterprise root ca for my .local domain.  I figured I would put the ad cs roll on the same server that is deploying the remote app, since we are not big enough to warrant the best practice of having a standalone offline root ca. My plan is to have all of the certs applied internally, with autoenroll per computer.  There is no need to have an external cert at this time. 

Again, I'm very new so I'm probably doing something wrong, but I can't figure out what.  Starting on the MMC window I have with 3 snap-ins;

Certificate  Templates, which correctly points to my primary DC AD database.

Certificates (Local Computer)

Certification Authority

I click on the Certificate Templates snap-in that points to my primary DC's cert template db.  I right click on the Computer template and duplicate. 

Under the General tab, I give it the name - RDPAuth, and check the Publish certificate in AD box.  I believe this gives me the ability to deploy via gpo later if I want?

Under the Request Handling tab, I check the Allow private key to be exported box.  I believe this is needed to generate the .pfx cert required by the RD Web and RD connection broker later.

I check the extensions tab to make sure the the application policies contains both server and client auth.

Under the security tab, I check the boxes for read and autoenroll for domain computers.  I think these will be needed later for auto deployment to the domain PCs.

All other tabs I leave alone.

Now that the template has been created, I click on Certificate Templates under the Certification Authority snap-in.

I right click the templates and do New > Certificate Template to issue, and select the RDPAuth cert I just created.

I then need to request a cert to be generated so that I can export the .pfx to be used by RDS, so I go to the Certificates (Local Computer) snap-in and All Tasks > Request New Certificate.  I drill next through the wizard until I see our RDPAuth.  I check it and Enroll.  It then appears under personal certificates.

I right click on the newly created cert, and All Tasks > Export.  I click Yes, export the private key, and leave the PIE boxes default.  I choose Password for security.  I then store the cert on a folder in C:\, and name it RDcert.  I click next until export is successful. 

I then switch over to the Server Manager tool, and click on the RDS tab.  I click on Tasks under Deploment Overview, and click edit deployment properties.  Under certificates, I select existing certificates and browse to the RDcert.pfx we just made.  I enter the password, and check the allow cert to be published to the trusted root ca store.  I can only do one roll service at a time, but each one acts the same.  I gives a success tag under state, but level remains not configured, and status shows --

Any help or suggestions would be greatly appreciated. 
Thanks in advance.
Search

Multipoint intro / FAQ

December 19, 2016, 6:55 am
$
0
0

I'm at a public library with twenty publicly accessible PCs, for which we use secondhand terminals that have been donated by business. I suspect that the long term best route for us is to install thin or zero clients which load profiles from a server, but I don't really know where to start. We have a server running WS2008, not robust enough to handle it, but I'm wondering whether I could install a single remote profile as proof of concept.

In short, looking for whatever you think is the best resource for a relative novice.

RDS deployment misconfiguration

December 19, 2016, 8:14 am
$
0
0

Hello all,

I deployed a 2012 R2 RDS server a few months ago, and it's just now getting its first users. However, I realize now looking at it that I made a mistake in the deployment process and I'm trying to recover it. Instead of doing the RDS deployment (quick start or standard) and installing all roles at once, I just selected the session host by itself in the standard add roles wizard. As such, I can't manage the deployment via server manager because it states there is no deployment present.

To try to correct this, I added the gateway, broker, and web access roles to have them all present for a deployment, but that doesn't appear to have rectified the issue. It's curious, though, because using Server Manager to try to manage the RDS deployment, it states that a deployment does not exist. If I go through the wizard to add a deployment, it states a deploymentdoes already exist, and even finds the broker automatically. 

So, here are my main questions:

  • As I have all roles installed, is there a way to make them understand all the pieces for a deployment are available for management? 
  • If I re-run the wizard and select the same server for deployment, will it redo the installations, or update them? 
  • If the installations are re-done, what happens to my existing applications that are already available on the host? 

I know this is a gray area, but if I can avoid re-doing the deployment entirely, that'd be ideal. 

Thanks.

Can not rdp to servername - rdp to ipv4 address works fine. Ping and nslookup are ok.

December 19, 2016, 8:15 am
$
0
0

I am troubleshooting a problem where I can not rdp to 2 distinct Windows 2012 servers (B,C) from another Windows 2012 server (A). Both source and target Windows 2012 servers have ipv6 enabled (no active ipv6 inside the domain). I can ping and nslookup their respective ipv4 addresses fine. I can however no longer rdp to them by simply using their NetBIOS or fqdn. Rdp will challenge for the pwd but then hangs trying to secure the connection. I can rdp via ipv4 address fine. I can rdp to other servers from server A fine. I can reach both servers B & C via rdp from other servers without a problem.

Sassan Karai

Event Logs

December 19, 2016, 11:31 am
$
0
0

I am troubleshooting connectivity issues between my 2016 hyper-v VDI solution and a few clients. I have been trying to examine logs on the connection broker, but I cannot seem to find anything useful. Is there a log that shows connections between RPD clients and the connection broker?

I tried checking the terminal services log in even viewer, but it is only recording RDP connections to the server itself. No connections to the virtual desktops are showing up, including successful connections.

Thank you in advance for your help

Secure RDP access on Windows Server 2012 R2 with certificates

September 3, 2014, 12:32 pm
$
0
0

Hello. I've noticed that RDP certificates on all of our production boxes have self-signed certificates located in their respective "Remote Desktop" certificate store. 

I would like all of our servers to use signed, trusted certificates from our internal PKI instead of self-signed certs Windows servers automatically generate. 

I found these two articles that pretty much outline the same process but I get an error when I try to connect:

http://www.petenetlive.com/KB/Article/0000944.htm

http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html

"This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator"

I'm using my Windows 8.1 workstation to RDP into a Windows 2012 R2 box. I created the RDP cert template and GPO in accordance to articles and placed the R2 box in a test OU that has that GPO applied. I'm testing it on a particular R2 box before releasing it production-wide. Also, I can confirm via PortQry and NMAP that the R2 box is listening on port 3389.

Any thoughts????? Thanks!



remote desktop server license

December 19, 2016, 1:11 pm
$
0
0
any one know that microsoft window remote desktop server license is expire or its for life time...please  

RDGateway and RDweb access constraint

December 7, 2016, 11:34 pm
$
0
0

Installing RDWebaccess role will create a 'RDWeb' application in the IIS Manager under Default Website.

Installing RDGateway role will create 'Rpc' and 'RpcWithCert' application in IIS under the same default website.

RDWeb application in IIS after installing RDWebAccess

RPC apps after installing RDGateway

The installed gateway creating a listener which is active at the port 443 by default. To make use of the RD web application, I need to start the service of 'Default Web site'. 

Now the problem is, if gateway service is running, I am not able start the RDWeb Access service. I am getting the following error,

Another webservice(RD Gateway) already using the port, hence I cannot able to start the RDWebAccess service too

I need to move the RDWeb application from the default website to newly created website (by creating a website in IIS manager)  so that, I can make use of RDGateway and RDWebAccess simultaneously. Is there any process to do this? Please share.

Thanks,

Sukumar

Sukumar PK



Search

RD Licensing Server is not able to issue any license

December 19, 2016, 7:52 pm
$
0
0

Hi,

I have set up a RDS per device licensing server.

1. In my RD Web Access Server > Remote Desktop Services > Overview, I can see the server with the RD Licensing role installed in the deployment server.

2. In the RD Licensing Server, I launch RD Licensing Manager > Review Configuration > I can see two green ticks "This license server is a member of the Terminal Server License Servers group in Active Directory Domain Services.." and "This license server is registered as a service connection point SCP) in Active Directory Domain Services.

3) In the session host server, I launch RD Licensing Diagnoser and I an see my RD Licensing Server and no errors. "RD Licensing Diagnoser did not identify any problems to report."

It seems that my RD License Server is setup probably but when I log in using a HP Thin Client, I do not see any license being issued. I tried again on another device (a Windows Notebook) with another username and again I can log in but the number of license issued is still zero.

I check the event logs (administrative events) of the RD Web Access Server, RD License Server and Session Host Server but I do not see any errors or warning.

Any advice is much appreciated.

Switch from Citrix to RDS farm

November 4, 2016, 9:45 am
$
0
0

Hi,

I've a customer which today has Citrix farm to deploy applications/desktop and Netscaler to handle VPN connections. They are really satisfied with the solution but of course this have a price.

Now I'm looking into replacing this with a RDS solution...but I cant figure it out how to do it as good as Citrix do. Regardless how I turn this they will not have a seamless solution as they have today. ....and they are only 35 users.

Does anyone have any advice to do this as good as possible?

OT: Is it possible/any good idea to run/stream App-V on one server?

EventId: 7011 - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SCPolicySvc service.

March 19, 2014, 5:26 am
$
0
0

Hi

We have two terminal servers (Windows Server 2008 R2). Every few weeks users cannot log in using their smart cards. It looks like no smart card is inserted (redirected).

There is a message in the Event Log: 7011 - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SCPolicySvc service. Followed by similar messages about other services. Restart solves the problem. We use Gemalto .NET smart card.

Can anyone help?

RemoteApps list empty in RD Web Access when connecting to RD Connection Broker

April 27, 2011, 1:58 am
$
0
0
Hello.
I have three servers, all running Windows 2008 R2, joined to same domain and with RD service roles configured.
server1 has RDSH role installed, joined to RD farm
server2 has RDSH role installed, joined to RD farm
server3 has RDWA, RDCB and RDG roles installed
When using RDWA configured to pull RemoteApps directly from RDSH on server1 and RDSH on server2, everything works well. Also when making manual RDP connections to RD farm, RDBC seems to be working correctly. But when RDWA is configured to use RDCB, RemoteApps list is empty. 
Tried configuring RDWA with localhost and with FQDM of server. Also tried adding server3 in TS Web Access Computer local group, manually adding WMI and DCOM privileges for TS Web Access Computers group even though RDWA and RDCB are on same server. 
Also ran a test with server4 which had only RDWA role installed, just to be sure there is no conflict between RDWA, RDCB and RDG roles. Server4 had same issue, RemoteApps list was empty when configured with RDCB on server3. 
Am I missing some configuration step? Can you please shed some light on the issue? I would appreciate any assistance.
Best regards.

Collection Icon Appears and Dissappears Radomly - RDWEB, Remote Desktop Web Access, Work Resources, RemoteApp And Desktops, .

October 14, 2013, 11:16 am
$
0
0

Hello,

RE: RDWEB, Remote Desktop Web Access, Work Resources, RemoteApp And Desktops, Collection Icon Appears and Dissappears Radomly.

Does anyone know what makes this icon appear or not appear in the RemoteApp and Desktops Current Folder:/ ?

Depending on what emotional state the system is in, one of these states appear both internally and externally.

The Active-X add-on is installed and enabled on each of these machines.

I have found that if I go into IE:

1.) Internet Options->Advanced Tab->Reset Advanced Settings

2.) Internet Options->Advanced Tab->RESET + Delete Personal Settings.

3.) Internet Options -> Security Tab->Set all the securities to as low as possible and turn off protected mode.

Most of the time, the icon will appear.

But this is of course not a solution, just a temporary work around to a real headache.

Of course, my trusted sites contains all the necessary //*.domain.com,http://*.domain.com, https://*.domain.com... And my intranet contains:  *.domain.local,file://*.domain.local, And all the obligatory policies associated to define the domain and local UNCs.

Everything else seems to be working once the Icon appears.

So any information on what makes the miracle of that icon appear or not, would be appreciated.

Thanks,

Robert

No SSO when out of domain network

December 20, 2016, 5:20 am
$
0
0

Hi, I have an RDS environment with GW+Broker, licensing, 2 SH. In deployment settings I configured "use rd gateway credentials for remote computers" and "bypass rd gateway server for local addresses". Now... I configure "remoteapp and desktop connection" on my client with my public name, I mark "remember password" and then I succesfully open remoteapps. Also if the remote session ends (logoff) I still can access remoteapps without entering password. This is when I am connected to domain network.

If I repeat the same configuration when I'm connected to another network, the problem is that I can't mark "remember" password, in this way every time the remote session ends I have to put the password (this happens also if I perform initial configuration connected to domain and then I open remoteapp on the go). Please notice that this happens only on domain-joined client (domain is the same of RDS environment domain), it never happens on non-joined client or with client joined to other domains.

Anyone have ideas?

Publish RD Sessions to workstations via RD Web Access

December 19, 2016, 2:19 pm
$
0
0

Hi,

I have a few users who need to connect from home to their own workstations. I am currently using RD gateway 2012 r2 to allow the connection.  Is there  a way to Publish the workstations using RD web Access? If so, is thee also a way to only display the workstation they are allowed to connect to on the web access page?

Thank you very much. 

Search

Idle Time reset for all users at logon

December 20, 2016, 7:49 am
$
0
0

When I run a 'query user' command to get the idle time for each user, I have noticed that it gets reset back to 0 when a new user logs in. This is a problem because our session timeouts never kick in, even if a user actually is idle. Every single time a user logs on it resets the counter for everyone.

Has anyone seen this behavior before or know how to prevent it? We have idle users who are never kicked off the server because the counter keeps getting reset.

Private vs Shared Program Direcroies

December 20, 2016, 8:46 am
$
0
0

First of I know little of TS and am trying to advise a client who wants to deploy our app via TS. If anyone can point me in the right direction would greatly appreciate it.

Our App, which is self contained in it's own directory (no tmp files or ini's in home directories, etc...), has an auto updating capability per user and files within the program directory need to be writable per user, so the program directory can't be "shared" by each TS session (this is an assumption). 

My question is how to have each TS session have it's own copy of a program directory which also contains the app .exe?

Thanks,

Printers staying offline in terminal services Print Management

December 20, 2016, 10:14 am
$
0
0

Hello,


I'm experiencing a problem on two terminal services with printers installed there via Print Management on a Windows Server 2008 R2.

Every day, at the end of the day, there are some printers that are turned off on the client site.

That next day, when they are turned on, they stay offline in the temrinal services.

I have desabled SNMP and they change the state to ready, and I can print, but if I turn it on they go offline again.

The only way they comunicate via SNMP is if I restart the print spooler service.


Already applied a hotfix 2713128 and the problem continues.


Has anyone experienced tha same that can give me a hint?


Thanks in advance,

Oz


Using a Server 2016 Server as the UPD location for a 2012R2 RDS farm

December 20, 2016, 11:25 am
$
0
0

Is this a supported solution? I haven't been able to find any guidance as of yet.

The customer does not yet have 2016 RDS CALs (has 2012 RDS CALs) but would like to future proof the solution as much as possible in the Interim.

2012 R2 RDS Temporary Profile issue

December 30, 2013, 12:40 pm
$
0
0

I have set up a standard 3 node 2012 R2 RDS for testing. All virtualized on VMware ESXi 5.0. I have a connection Broker, session host, and web access server. I have published several applications and I can access them without a problem. Here is my issue:

When I try to log on to my session host server either locally or thru RDP, I am always logged in with a Temporary profile. It does not mater what user account I use. Even logging on locally as the administrator I get a temporary profile.

All windows updates are installed and current.

I have removed the server from the domain, deleted the account, and rejoined it to the domain.

I have deleted all .bak registry entries from here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is a hotfix here for a similar issue on 2012 but it does not apply to 2012 R2

The only event viewer errors are:

1515 (Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.)

1511 (Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.)

Any suggestions to resolve would be greatly appreciated.

Russ

Viewing all 27650 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>