Channel: Fórum Remote Desktop Services (Terminal Services)

GPO not deleting mandatory roaming profiles - they show as local to system


Server 2012 R2 RDS deployment, all virtual, and 1 component shy of proper functionality. This is strictly for use with RemoteApp, and there are no hosted VDIs.

I'm reusing a known working mandatory profile, but they are not being deleted after users are logged off by the system. My investigation has come to the following state:

1. All user profiles from system/advanced properties are shown as 'Local'.

2. HKLM\..\ProfileList\<sid>\CentralProfile = the UNC path specified in my GPO (with .v2 appended)

3. HKLM\..\ProfileList\<sid>\State = 518  ? .. unknown. what state this profile is in.

4. DelProf2 sees all profiles as 'Roaming Profiles' and is able to programmatically detect and delete roaming profiles.

Now... I could certainly do a simple triggered task on Security event 4647 to run DelProf /r  ... but

Any ideas on why system advanced properties is showing these profiles as local, and why the GPO option would be failing to remove them on logoff? Specifically, GPO settings are

- System/User Profiles/Delete cached copies of roaming profiles = Enabled

- Windows Components/Remote Desktop Services/Remote Desktop Session host/Profiles/Set path... = UNC path of profile

- Windows Components/Remote Desktop Services/Remote Desktop Session host/Profiles/Use Mandatory profiles... = Enabled


Unable to login remotely unless someone is already logged in


Hello. I have deployed a number of server 2012 r2 machines and I have been experiencing a problem with remote desktop. All servers are DC and one of which is the RD licensing server (I'll call it machine A, the rest as B and C). In order for remote desktop service to function, I need to physically go to machine A and logon as admin. If no one is logged in on machine A as admin, I cannot remote into any of the servers, but in different fashion.

For machine A, a message pops up saying "Remote Desktop can't connect to the remote computer for one of these reasons: ..." before I get to type in my username and password.

For the other servers, I get to type in my user name and password, but it says "Access is denied" after loading a while, possibly because the servers cannot communicate with machine A which houses the RD licensing server.

I also tried to logon to machine A, then remote into machine B and C, then logout of machine A. The connection to B and C didn't drop, but they cannot see machine A online and complains RD will stop working in 98 days because RD licensing server is missing.

So, it appears to me that machine A goes offline once I logout as admin. The issue suddenly appeared one morning. I am wondering if anyone has seen it or has a fix for this. Thank you.

Dominic

domain.local certificate alert when logging in via RD Gateway


Hello

I have a new RD Gateway set up and it's working fine both internally and externally using my external domain name with a wildcard SSL certificate enabled.  However, when I connect to my web apps I am getting the following message:

The identity of the remote computer cannot be verified.  do you want to connect anyway?  the certificate is not from a trusted certification authority.  do you want to connect?

If I press yes it connects fine

This happens both internally and externally. 

How can I get around this?

Connecting thin clients to 2012 R2 RDS Gateway


I have an environment with a 2012 R2 RDS server farm consisting of:

RDGW - Gateway, Broker, RDWeb

RDS01, RDS02, RDS03 - Three RDS Session hosts

All users utilize RDWeb to connect to the farm. They navigate to rds.companyname.com and the RDS gateway load balances connections. 

We have a problem, in that there are about 75 old thin clients that are running Windows Embedded 6.0 and do not support a TS gateway. So, what can we do? I was going to configure old school round robin DNS, make an A record of rds for each of the three RDS session host IP's. I never entirely understood how RR DNS worked, is it entirely random? Is this the only solution I have for the old thin clients? What are some problems I might run in to? Purchasing new thin clients is not an option. 

Also, I know that we are never supposed to use RDP for 2012 anymore, and are only supposed to use RDWeb. But, let's say we buy some new thin clients that support RDP 8.1. Can we configure RDP connection to use the RD Gateway? When I try to use RDP on a desktop and I enter the gateway under advanced, and then the RDGW server name under computer name, it tries logging me directly in to the gateway and does not send me to a session host.

How can I downgrade 2012 RDP Device CALs to 2008 R2


Hi,

I have purchased some RDP Device CALs under Open License.  I need to downgrade them from 2012 version to 2008.

We currently have 45 installed and just purchased another 5. This time round we could only get 2012 version, but Ingram told us to just call Microsoft and have them downgraded to 2008. Sounds easy. I've spent 8 hours over 2 days being bounced around from one department to another regarding this. I must have made 10 calls and given out my details 10 times.

I got close when I contacted the clearing house, and they said yes we can do that for you, only to find out that they only deal with Retail licenses and not Open Licenses and put me back to the main support number.    After speaking to various people there, one of whom told me very rudely that I would need to reinstall the OS and to contact an IT professional, the last person I spoke to said that I could open a  support ticket at the cost of $390.00 or post to technet for free.  Here I am.

I need to downgrade my RDP 2012 licenses to 2008 R2; they were purchased under open licenses without software assurance. I am in Australia. How do I do this please?

thanks.

Steve


RDS Virtual Desktop Collection showing unknown status.


Hi Everyone,

I got a strange issue with RDS environment. One fine morning, we are not able to view the pooled managed collections under collections tree; however, if we click on collection you can see it as unknown (below screenshot). I am able to manage other pooled collection apart from one with 140 VMs with the help of PowerShell. Apart from this everything is running as it should be; however, now we are not able to manage it and this is major problem that we are not able to manage settings.

Things checked till now:

1.       All Pooled Managed VDIs are showing unknown.

2.       Only  One Pooled Managed Collection having issue.

3.       Collections are working and behaving normally, Only one Collection with 140 VMs having issue while updating the collection and rest of the collection are accessible and working fine from command line.

4.       No changes in RDSCB SQL database, no job are pending to execute in DB as well.

5.       No Major events related to VDI connection broker.

Getting Below error while managing with powershell.

New-Object : Cannot convert argument "2", with value: "", for "RDVirtualDesktopCollectionJobStatus" to type "System.DateTime": "Canno
t convert null to type "System.DateTime"."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\RemoteDesktop\VirtualDesktopCollection.psm1:2167 char:22
+         $jobStatus = New-Object  Microsoft.RemoteDesktopServices.Management.RDVi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-Object], MethodException
    + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand


Create Server Group Server Pool into RD Server Pool


Server Manager>Dashboard>Create Server Group

Is populated with IP Address data under WIN-12345.mysite.com with Operating System of WS2012R2 has 1 computer found and offers 1 computers selected.

How do I get "Create Server Group Server Pool" to show up in RD Web Access, RD Gateway and RD Virtualization Host under right-click Add "RD Server Pool"?

Server 2012 RDS CAL Downgrade

Hopefully an easy question for someone out there... If I have purchased RDS CALs for Server 2012 (Open Academic licensing), do the downgrade rights allow me to use these in a Server 2008R2 RDS environment?

Pooled Read Only Collection Restart


After deploying a new desktop collection (Win7) if I log into any one of the virtual desktops at the Hyper-V Console (2012 R2) I am seeing a "You must restart your computer to Apply these changes" prompt.  When I click restart and log back in I see this prompt.  When I log out of the console the virtual desktop reverts back to the snapshot and the process starts all over.   Any ideas?

 

Remote desktop across domains w/ smartcard (no trust relationship)


(setting the stage)
Workstation:  Windows 7 Enterprise SP1, member of Domain A, up to date on security patches
Server:  Windows Server 2008 R2 Standard, Domain Controller of Domain B, up to date on security patches
Middleware:  ActivIdentity ActivClient (v7.0.2.408) - installed on workstation and server

Hi Everyone,

I've got an interesting question/problem, I'm hoping someone else out there has run up against.  We've been tasked with trying to enable PIV authentication via RDP so our domain admins can use their PIV card to log into remote boxes, and not a username/password.  There is currently no trust relationship between domain A and domain B in my set up.  The server is not running Remote Desktop Gateway.  It is configured to use TLS 1.0 security layer and FIPS compliant encryption level.  It is also configured to require NLA and is using a domain controller certificate issued by a 3rd party CA.

I have taken my PIV authentication certificate and have mapped it to my account in domain B (so the altSecurityIdentities attribute is now populated).  After a lot of Googling, I found that I had to set the registry key "UseSubjectAltName" (located under HKLM\SYSTEM\CurrentControlSet\services\kdc) to 0.  I also needed to set two Group Policy settings "Allow certificates with no extended key usage certificate attribute" and "Allow user name hint".  After I set these settings, and imported the necessary certificates to the NTAuth Store and Trusted Root Certification Authorities, I still couldn't RDP from my workstation to the server using my PIV card with the name hint of userid@domain.name.gov.  I would get an error message saying "The specified user name does not exist.  Verify the user name and try logging in again.  If the problem continues, contact your system administrator or technical support.".  After a lot of troubleshooting, I discovered that if I turn off NLA on the server, I can type in my PIN and userid@domain.name.gov into the RDP window on my workstation, it would then launch an RDP session where it would make me type in my PIN and name hint once again.  After I type everything in a second time, the server will load my desktop and I can proceed as normal.

My question is, is there a way to accomplish the end result of using a smart card to RDP to a server in a different domain (no trust relationship), and have NLA enabled.  Disabling NLA "works", but I don't think my I.T. Security folks are going to go for that as an option.

Thanks in advance for any suggestions!

-Matt

Restrict clients to only use one application on 2012 RDP server


Hi, we are replacing our old Windows 2003 RDP server with a 2012 one and I cannot remember how I restricted users on the 2003 to only see and use remote desktop connection.

I need to duplicate this on the new 2012 RDP server.

Any suggestions?

Can't connect to any resources via RD Gateway from External address, while I can from my internal network FQDN


I've seen a lot of discussions about this in this forum, but I'm not able to get this to work. 

I've got a single server with all of the RD roles installed on it with valid licenses. It's behind a router with a single static IP address assigned to the WAN interface with ports 3391-UDP and 443-TCP forwarded to my internal local static IP on my Windows Server 2012 R2 machine. It is part of local domain, let's call it, "server1.domain.local."

Connections from within my local network to https://server1.domain.local/RDWeb allow a published application to run properly. 

When I look at the Deployment Properties of RD Web Access Server it points to a non-editable entry called https://server1.domain.local/RDWeb, not my external FQDN.

I used the, "Change published FQDN for Server 2012 or 2012 R2 RDS Deployment" https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to see if that helps, but it doesn't seem to work. The local value still shows up in the Deployment Properties of RD Web Access Server.

I am likely to be unable to set up a public network interface with the external FQDN on it, namely remote1.domain.com as an example. I need to keep the server behind the firewall and continue using port forwarding with NAT.

When I connect to https://remote1.domain.com/RDWeb I can see the published apps. I've had various failures from this point on. Right now I'm getting, "RemoteApp Disconnected" User account not authorized, or computer not authorized, or incompatible method.

I have a public Cert that works fine. The same cert was used for all 4 required roles. I created a .pfx exported from IIS for this purpose with a third party certificate authority. 

I also tried setting up an mstsc connection with the public external FQDN used as a gateway. This fails, too. 

I used the Add Roles and Features, RDS installation, Quick, Session-based to set this all up. 

I thought maybe my Gateway just wasn't working properly. I uninstalled it, rebooted, and re-installed it. No joy. 

Domain Users can access RDS via mstsc locally. 

I can't figure out where to look next. 

I thought this would be instructive:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/67dfab70-7e10-4e0b-a3c8-63ce776f2355/how-do-i-change-the-url-to-the-remote-web-access-server-in-windows-server-2012?forum=winserverTS

However I'm still getting nowhere. 

If you have any suggestions, please be specific and clear. I expect I'm missing something. For example someone posted this at the previously mentioned page, "1. Please configure the RD Gateway FQDN in deployment settings so that it is set to the external address for your server, for example, remote.yourdomain.com."

Obviously, if I could do that I might not have a problem, but how does one do that in my circumstance? 

Help.

Thanks,

Steven

How do I change the URL to the Remote Web Access server in Windows Server 2012?


Hello!

I have set up a Remote Desktop Service using the "Quick" deployment method in Server Manager and everything is working great internally, but I cannot start an app published in Remote Web Access from outside our network.

The problem is that it wants to start using the internal URL, for example, server.domain.local, instead of the external one, for example remote.server.com.

I therefore want to know how I can change the default URL for the Remote Web Access server and all the Remote Web Apps in Windows Server 2012?

I have already looked in Server Manager and I can change some of the deployment settings in Server Manager, but there is no way to alter the URL of the Remote Web Access server. See below images:

Edit deployment step 1

Edit deployment step 2 try to change the url

Pressing the internal URL only results in opening the internal URL.

This was very simple to do in Windows Server 2008 R2 using the tsconfig tool, but there does not seem to be any way of solving this in Server Manager.

A possible solution would be to alter the registry somewhere in HKLM->Software->Microsoft->Windows NT->Terminal Services. But this can easily lead to problems due to wrong format, etc. and is probably not supported.

Is there a simpler and supported way?

Warning event-42, TerminalServices-Licensing


I did set up a new RDS License server in our RDS/Citrix environment on a Windows 2012 server.

We are using RDS Per Device CAL. Every time a license has been requested we automatically get a warning:

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          9/4/2015 9:11:57 AM
Event ID:      42
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Test.com
Description:
An error occurred in policy module "Policy Module for company Microsoft Corporation product A02 has denied new license request with error code 14.
".

Does anyone know what this warning means and how to solve it?

Regards,

AJ Dubach

HP OO flow failing, due to some access issue


 Hi,


We have this OO flow for C: clean-up. However for ESX servers, the OO flow always fails. Just checked the log & found this. Could see few access not granted

______


WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted

______



Kindly suggest what to do ?



Well, this is the event from the log::



Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/26/2015 10:49:01 PM
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: inkerperum01
Description:
A handle to an object was requested.

Subject:
Security ID: ****\a16992167-3
Account Name: a16992167-3
Account Domain: ****
Logon ID: 0x36c0a555

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\ServerManager.msc
Handle ID: 0x0

Process Information:
Process ID: 0x2c50
Process Name: C:\Windows\System32\mmc.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
WriteEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
WriteData (or AddFile): Not granted
AppendData (or AddSubdirectory or CreatePipeInstance): Not granted
WriteEA: Not granted
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1301bf;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120196
Privileges Used for Access Check: -
Restricted SID Count: 0


RDS 2012 R2 - Server Busy and Blank User Connections Across All Servers in the Farm


Hi All,

I'm having issues with a RDS 2012 R2 Server Farm we have.

I have 4 servers in the farm and about 100 users accessing the farm.

The issue is that when users connect (random users) it tells them that the server is busy and to re try.

Looking at the servers connections within the connection broker I can not see any connection for them.

If I look at the users connected on each of the servers I see lots of blank users all with 4 processes still active,  a right click sign off will not remove these.

The 4 processes are always the same 

1. Desktop Window Manager

2. Windows Logon Application

3. Client Server Runtime Process

4. Windows Logon User Interface Host

If I connect to these sessions they are hung with "Please wait for Group Policy Client"

I have installed all available patches via Windows Update, Check out the GPO's Applied, Disabled the use of "Remote Desktop Services Profiles"

The only way I can clear these is to reboot the servers.

I have seen a lot of posts with issues like this in earlier versions, but can't seem to see a fix or patch for 2012 R2.

Any ideas?

Thanks in advance

Dale

Office 365 shared computer activation


Hello,

I am setting up Office 365 on an RDS server. My domain used non-routable domain (company.local) so I had to create an alternate UPN that matched the routable registered domain for the company (company.com). The problem that I am having now is that when I have logged onto the RDS and start an Office application, I am still prompted with the activation prompt, asking for an email. If I enter the testuser's email and then password on next screen, I am able to register the user and get a token license.

This is not my desired solution as I wouldn't want my users to have to do this every x days. The TechNet on this topic is very fluffy, a lot of 'Probably, might, some and should' as opposed to definitive answers. https://technet.microsoft.com/en-us/library/dn782860.aspx (under section 'How shared computer activation works for Office 365 Plus').

My domain is already DirSynced with password sync too.

Any help would be appreciated on how to automate this process so the user never sees this prompt. Ideally, Office should pick up the email and password without the user entering anything.

regards,

InfoAdmin

RD Connection broker 2012 R2: disable multiple session per user



My configuration

All servers - Windows 2012 R2.

One Connection Broker. Two collections with several RD Session Host servers. One Web Access server.

There is policy for RD Session hosts:

Restrict Remote Desktop Services users to a single Remote Desktop Services session: Enable

But from different RD clients I can launch two sessions on different RD session host servers from the same RD collection.

How to disable multiple remote desktop sessions per user per RD collection?

RDS Windows 2008 R2 vs RDS 2012 - Broker and Host question


Hi,

We have an existing RDS 2008 farm which is configured with 1 Connection Broker and two Session Host servers. There is a single name record (rdfarm) that RR to Session Host 1 and Session Host 2. The users open a mstsc and type "rdfarm" and they are connecting to session host 1 or session host 2.

I have been told that the broker server is managing the connections but I don't know how? Like I said they mstsc to "rdfarm" directly and no Connection Broker is specified anywhere.

Are they really using the Connection Broker server?

My understanding in Windows 2012 RDS is that in a scenario where you have 1 Connection Broker and 2 RDSH that if a broker wants to be used to establish the connections then the RDP settings have to be modified (Explained in this blog). Otherwise the only way to avoid changing the settings will be using the RDP through the Web Access.

Is this different in RDS 2008? I am totally confused can someone please help me understand.

Thank you!

Printers not autocreating on Remote Desktop 2012 R2


We have a Remote Desktop server running 2012 R2 and we don't want to use Easy Print. I've Disabled the Easy Print option in Group Policy in Computer and Users and added the drivers to the server. When I login, nothing gets created and I see lots of Event 603 in the PrintService Logs

The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-834351874-1802768738-1501187911-33228\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.

Orange County District Attorney

