So we have a few 2012 R2 Terminal Servers at my company that were working fine until we started the process of replacing our Domain Controllers with new Windows 2016 Servers.

Since then our users are getting intermittent "Access Denied" errors when they try to RDP to these terminal servers.

Generally the "Access Denied" error occurs when a terminal servers starts to use one of the newly added 2016 domain controllers. We can workaround the problem by sending an command telling the terminal server to use one of the older 2012 R2 domain controllers instead. Then things work again.

So the question:

Is there a misconfiguration with the new 2016 domain controllers or can an adjustment be made with the 2012 Terminal Servers?

Is the problem that Windows 2016 Domain Controllers are not compatible with 2012 R2 Remote Desktop Services servers?

We are having problems finding documentation on this.

What we do know is that if we decide to start upgrading to new 2016 Terminal Servers we will have to purchase new 2016 RDS Cals (not sure if we are budgeted for that...)

For those interested, you can find out the domain controller you are using by running the following elevated PowerShell command (this assumes the command is run remotely as you might be locked out due to the RDP access denied error):

nltest /Server:<your-terminal-server> /DSGETDC:<ad domain>

to specify the domain controller you want to be on (in our case we want to switch to back to a 2012 R2 domain controller), the command is:

nltest /Server:<your-terminal-server> /SC_RESET:<ad domain>\<specific domain controller>

We have a domain, with multiple servers and multiple users. We use a domain login script, which primarily maps drives, and everyone is setup to run the login script in Active Directory. It has been working for years. Suddenly, last week, I'm getting reports of drive letters not being mapped. I tested several users, and it wasn't running the script on login, on either our 2008R2 or our 2012R2 servers. If I manually run the script, it works fine, so there isn't anything regarding access to the script, or the locations. Temporarily, I setup group policies to map the drive letters, but that isn't really the way I'd like to have things work. Any idea what might be wrong?

Thank you.

Jeremy Heymann Market Mentor Online

Hi,

Ive recently deployed the HTML5 Web Client, at an existing RDS 2016 setup, using this guide:

https://custominterfacesolutions.com/html5-web-client-microsoft-remote-desktop-services-2016-steps-install-rd-web-client/

The setup contains 1 x RDWeb server, 2 x RDGW and 2 x Connection brokers.

A single public trusted wildcard certificate is used, for the entire RDS setup, containing the domain name, that the servers is belonging to.

Im able to login to the Web Client, and see all the published applications, that is available.

But when trying to connect, i then get an certificate error, containing the name of the Remote Desktop Session host...

Ive managed to find the certificate at the Session Host, containing the same thumbprint as the one on the picture.

Added the certificate to the trusted root cert auth, across all the frontend RDS servers (Web,GW,CB) - but that didnt help.

What seems to be the problem, since i cant find any solution to this error?

I have a client that is on a single 2012 rds server now in azure using remote apps internally and externally.

We'd like to do two 2016 servers for more redundancy.  Is it possible to install the gateway/connection broker/web/session host roles on both servers and configure for high availability?  Otherwise could we do 2 session hosts and 1 server with the gateway/connection broker/web services on it.  A lot of the examples show 4,6 or more servers but they do not want to pay for that.  Just looking for some ideas here, thanks!

Hi,

We have a server 2008 R2 with Hyper-v rule and some VM servers on it. when we connect to the VMs everything is OK.

we have a customer with a connection of 130Mbits/S when they access one of the servers and they open a picture (5mb) and try to zoom in and scroll the pic then we see pic move block by block.

Any idea why with 130 Mb/s connection this customer has poor performance when come to scrolling a picture?

Thanks

Shahin

I assumed its the 25 alpha of the OS of a connecting user, but all that i attempt to input fail.

Is it looking for another 25 alpha other than OS, connecting computers are win 7 pro and windows 10.

Server is setup in a workgroup.

When purchased on the last workgroup server in open volume licensing we received one 7  5 alpha character code and the remote desktop licensing accepts that license.

 Any input appreciated

Dear all,

I have some trouble with some (not all) users connecting to RD Gateway. The RD Gateway is running Windows Server 2012 R2, the clients having the issues are Windows 10.

When these users try to connect to the GW, the following error with Event ID 306 occurs in the Eventlog:

The user "Unknown", on client computer "x.x.x.x", was not authorized to connect to the RD Gateway server because a tunnel could not be created. The authentication method attempted: "Cookie" and connection protocol "HTTP". The following error occurred: "2147965432".

I tried to Google that but with little to no success. I found similar issues though, talking about checking the GW Certificate in one post, actually that was setup correctly. Another post talked about just doing an iisreset, which I did but also to no avail.

Also I checked the LANMan settings (Network security: LAN Manager authentication level) on server and client both seem to be established via Domain GPO (I can't change them. Anyway, they are both set to the same level.

Did anyone else face similar issues with RD Gateway and Windows 10? What else could I do?

Any help is much appreciated.

Thanks,

Harald

hi,

we're suffering from session hosts that produce black screen errors in a RDS 2016 farm.

already connected users can mostly work, all new connections end up with a black screen.

to resolve the error the server has to be restarted.

i can say that

- this error appears after error 1534 (Fehler bei der Profilbenachrichtigung des Ereignisses Delete für Komponente {709E2729-F883-441e-A877-ED3CEFC975E6}. Fehlercode: Das System kann die angegebene Datei nicht finden.) starts appearing in the eventviewer.

- upon checking the registry for this SID i end up at "ProfileNotifyHandler Class app id {E10F6C3A-F1AE-4adc-AA9D-2FE65525666E} inprocserver32, C:\Windows\System32\gameux.dll".

- starting explorer.exe per taskmgr does not open an actual explorer window although the process appears in taskmgr

- tskmgr, eventvwr, cmd can be started without problems

- affected users appear as active in RDS management

- no third party security software is installed

- farm is fully patched

- HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileGUID and ProfileList are ok (no old or .bak entries)

looking forward on how to resolve this without  rebooting the server or a permanent fix

thank you

best regards

Apologies in advance if this has been asked, but I've been spending the best part of 2 weeks trying to find an answer to this issue online.

I have a Windows Server 2012 R2 server running Remote Desktop Services in a Quick Start deployment for Session-based (as opposed to Virtual machine-based). This has been running perfectly fine for over a year without issues, but since a couple of weeks ago 1 user can't launch applications properly. When trying to log in it just sits loading the app. If I click Details, it displays the Windows Server 2012 R2 login process with the username and underneath it says "Preparing Windows" and the dotted circle has stopped moving.

When this first happened I restarted the server and removed the local profile but they were still unable to load the application. In the end I created them a new account and transferred their files across to their new profile. That was on 19/06/18 and today they have the exact same problem which I have resolved for them in the same way - creating yet another account for them and transferring their files.

I can't keep creating a new account for this user every 6-10 days or so. This issue has happened on 18/06, 29/06, 03/07 and today (09/07).

So far I have managed to rule out our AV products as tried to log on with them disabled which experienced the same issue.

I have also managed to rule out GPO settings on the user account (even though the same settings are applied to 200+ accounts which are working fine) by moving the user account in AD to a new OU and disabling inheritance before logging back on and getting the same issue.

I can't find anything in the Windows Event Logs and the server processes hundreds of connections without issues, nor can I find anything concrete online aside from issues when renaming admin accounts or removing temporary profiles (these are not even being created but are not forbidden from doing so) or dead forum posts where no-one has answered in over 3 years or try adding the site to Trusted Sites Zone. I even ran sfc /scannow on my server and it found nothing to fix.

I know the issue must be with the profile as I can load applications perfectly fine as my account from my PC but when I try as the user having issues I see the same as they do. Nothing changes on my PC between it loading fine for me and not for them so please don't say there is something on my PC or in my IE/computer policy setup.

The user is getting more and more frustrated about the issue and I am getting to my wits end trying to solve it. Any assistance would be heartily received.

We have a Windows 2008 R2 environment mostly. Our current DC's are Windows 2008 R2, yesterday we introduced 2 new Windows 2016 DC's and this morning we found that once some of our RDS servers started to query the new DC's users would get an "Access Denied" error trying to establish a connection. We found a reg setting to to have the RDS server ignore the error so users could log in, but then once a connection was established it was with a local profile, not a roaming profile.

In order to resolve the issue we powered off the 2016 DC's.

Anyone know what happened here and what we need to do to power on the 2016 Domain Controllers again.

Thanks.

Hi all,

I RDP into this server, it gives me to the company security warning and has me click OK, from there it goes to the signing out screen with the rotating dots and just sits there indefinitely.

If I log into the server using the console on our VM host, after entering my credentials it immediately goes to the singing in dot circle.

I suspect this has something to do with way I may have disconnected from the server with a previous RDP session, the only fix I've found is to have someone else log in and disconnect/log me off.

Any ideas?

Hi,

our workstations with Windows 10 pro are in this weekend updated to version 1803. For main system we use RemoteAPP aplications on Windows server 2012R2 (Windows server 2012R2 is full updated). After update on client station are RemoteAPP slower, and  right mouse button is unresponsive, or react verly long time... 

It is a big problem for us.

PS: after replace mstsc.exe and mstscax.dll from older version Windows 10 is all OK. but this is not a solution.

Thanks.

When connecting to Remote Desktop Connection, and trying to print from an office document, the printer reverts to default settings, which for the Canon Imageclass D1520 is 2 sided print. In the settings of the remote, the printer is set for 1 sided printing by default, which is not factory default settings. Is there a way to force the printer on the host via remote desktop to keep the settings on the remote local instead of the mfg default? This is trying to print from Excel or Word 2016.

Canon said that "We do not support the use of Terminal Services/Remote Desktop Connection with the imageCLASS D1520".

We are disabling TLS 1.0 per the standard recommendation via keys:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Hi everybody,

I use a program calleed Acombat in remoteapp and it's use mapi to send email.

I get the popup of outlook 2013 open for send email without program and got no error while sending email.

I discovered that email did't reach destination and then I opened outlook 2013 in remoteapp and I seen all unsend email there.

Immediatly when I opened it they starting sending automaticly.

Each time it do the same thing, they stay theyre until I open outlook in remote app and opening send folder.

Not it's not a send folder like a folder for email already send, it's a folder that seem for email about to be send...

It's in french so I can't translate name of the folder but it's maybe you will understand where they was.

When I open this send folder I did't see email content but a list of them.

Thanks for your help.

I have an external user who connects to a remote app via RdWeb. They had no issue until last week and no changes were made on the terminal servers.

THE ISSUE:

When they launch the remote app, the user gets a black screen if you click details. They can RDP to the server fine (using the Connect to another PC tab in IE).

The mstsc.exe process has to be killed via Task Manager. 

Another user in their office is having no issues.

Things I have tried:

1. Had the user with issues try from the PC of the user without issues. Same problem.

2. Had the user connect to 3 instances of this remote app in 3 different collections. 1 uses User Profile disks. 1 does not and sits on the same network as the previous. 1 does not use profile disks and sits in our DMZ. The user can get a successful connection from the server in the DMZ but the speed is an issue. 

3. Looked for a profile disk for the user on the network share and there was none (the user is in our Guest child domain which is not a 2 way trust), there was no profile disk, but there WAS a profile with the username and .backup on the actual terminal server.

4. Deleted the local user profile on the both internal servers and had the user try again. Same result.

5. Had the user RDP to the server and launch the app and it worked without issue. 

I am thinking it is related to the user's terminal server profile because the issue is repeatable from another user's workstation. However, the user is able to RDP to any of the terminal servers and work fine. 

The difference in the server in the DMZ and the internal servers is that the server in the DMZ uses a different encryption/compression policy. The internal policy forces the encryption level to "low", does not use an encryption algorithm and is set to not require NLA. The server in the DMZ was specifically created with a different encryption policy to resolve a previous issue with external users getting a black screen to the internal servers. The internal servers go through a Cisco WAAS in some cases and the internal policy was set to the recommendations for this setup. 

Keep in mind though, that everything worked fine last week and everything still works fine for everyone except this single user.

Any insight or steps for further troubleshooting would be appreciated.

We were running a Windows 2008 RDS server which had licenses just as old.

The licensing server crashed and we had to reinstall onto another server.

Before this, with 50 licenses, any random 50 devices could remote in.

There was no revoking necessary, and it never permanently assigned a license to someone's machine.

It would stop that 51st person from logging in simultaneously, but it didn't permanently assign a license to a machine where someone else couldn't log in for lack of licensing when less than the max were concurrently running.

Now, the first 50 people that have logged in are the only devices that can, and some of those devices are home machines, or personal mobile devices (like android and iPad tablets).

Did we install the licensing server incorrectly to make such a thing occur, or is this the way it is?

We need to be able to allow the number of users that we have licenses for to use remote access, and not simply the first 50 that got the 50 licenses.

Is there a way or type of license that allows this?

Is there a way to shorten the expiration time so that devices we can't control do not get licensing.

It is not possible to control what device a user uses to access remote services without adding other layers to the network that defeat our business requirements.

Any help would be appreciated.

Alert from Microsoft Forum

Hi Tech Support,

i cant able to connect to remote for other systems, im using windows 10 OS but we are facing this issue hence after windows updated, im sure this issue is because of windows update,  Please find below error & please support me on this, 



An authentication error has occured

the function requested is not supported

Remote computer 192.168.0.44

this would be due to credSSp encryption oracle remidiation.

for more information, see https://go.microsoft.com/fwlink/?linkid=866660

i hope i will get the exact solution, waiting for the reply

Thanks in Advance

Regards

ILIYAZ

Hi,

We've recently moved a client's cloud server to a new data center. The process involved making a backup of the VM in the old environment, and restoring the VM in the new data center environment. This server runs the Remote Desktop Services role on Windows Server 2012 R2.

The migration seemed to go smooth, and the end-users can access their applications using RemoteApp, from any remote location. This particular client has a technical contact, who uses Server Manager on her Windows 10 PC to disconnect users from RDS as and when she needs to.

For some reason, since the migration, if we open Server Manager on the server itself, or on the technical contacts PC, we receive the infamous message:

The following servers in this deployment are not part of the server pool: 
1. [server_name] 
The servers must be added to the server pool.

The thing is, the server IS in fact visible in the list of Servers in Server Manager. I've tried re-adding it using the AD search, using the IP address in the DNS search, and even using the FQDN in the DNS search. All it seems to do is add another instance of the same server to the list of servers, but the above message is persistent and RDS can't be managed from Server Manager.

Has anyone seen this type of odd behavior before?