Channel: Remote Desktop Services (Terminal Services) forum
Viewing all 5613 articles

Maximum number of simultaneous connections through 2012 R2 Remote Desktop Gateway

Hello,

Is there a maximum number of simultaneous connections through a 2012 R2 Remote Desktop Gateway?

I found a TechNet article that said "For RD Gateway servers that are running on Windows Server 2008 R2 Standard, a maximum of 250 simultaneous connections is supported."

I assume it is the same for Windows 2012 R2, but I wanted to raise the question on here to confirm.

Also, if the max is set at 250, does the user receive a particular error, or do you just start seeing degrading performance?

Thanks.


Remote-App lost focus / Screen/Window jumping

Hi everybody,

We have a new Terminal Server with Remote-Apps and a very interesting problem.

 

Host: ESXi 5.5

Guest: Windows Server 2012 R2

Remoteapp: CAS (not important, all Remote-Apps have the problem)

Client-OS: Win7 and Win 8.1

 

Now the problem:

 

A Remote-App is started on a client - this works fine. The Remote-App opens a lot of windows (new mail, customer information and so on) and it happens that the active window loses the focus and jumps into the background, and another window is in front with the focus.

The problem is not reproducible and with this caution it is not possible to work with the Remote-App.

I found the following hotfix (http://support.micro...b/2964832/en-us) but it is not applicable to the clients.


If somebody needs additional information, I will be available.

Thanks for your help and time!

Kind regards

srkonus

Remote Desktop Services

Dear Team,

I am facing some issues with Remote Desktop Services (the client system is not getting connected to the server through remote desktop).

Kindly help me out - +91 7898918955

Regards,

Ravi Jasuja


RDS web-app.

Scenario: 

We publish a web-app using RDS and our customers connect and use our application. 

What we want: 

The customer to completely manage the accounts they use to log in. What would you guys recommend? 
What would be a good way to integrate their AD accounts into our environment so they can log in using their AD accounts? If this is not a possibility, is there a way to delegate AD account creation so that the customers can add and remove AD accounts as needed (restricted to their own OU of course)? We looked at AD Manager pro but it's way too expensive. 

How to deploy Word normal.dotm or a custom macro for all users on RDS?

Dear all,

I'm developing a small utility program that allows sending a document file from the RDS server to the local machine and attaching it to a new Outlook email, similar to Send to mail recipient. I now want to add a ribbon button to MS Word and assign a macro to it, so when I click on the button the currently open document is sent back to the local machine. I have successfully created the macro and the button and saved them to the Word global template Normal.dotm in the C:\Users\%USERPROFILE%\AppData\Roaming\Microsoft\Templates folder.

I would like to know if there is a way, a GPO or something, that allows installing that template with the macro so it becomes available for all users when they log in to the RDS server?

I have tried the macro with both MS Word 2010 and 2013; it seems the templates and macro are the same.

Thank you in advance

Thomas Tran

http://www.mqtechnologies.com

Limit number of sessions per user or group

Hi.

I'm working on a project where I need to allow multiple sessions ( already done ), but limit the number of concurrent sessions on an RDS farm...

At the moment, we're using only one RDS server ( R&D stage ), but in the future, there'll be a farm with RDS Connection Broker and many RDS Session Hosts.

I've come to the conclusion that the best approach is to create a custom GPO, apply it to the RDS Session Hosts, and use a VBScript or PowerShell script to block the logon when the number of sessions reaches the defined limit.

I'd like to achieve a group based ( Groups: 1RDSsession, 2RDSsession and so on ... ) user logon limit. I have some ideas in mind for a single server, and a possible solution for a farm.

But before spending time on this "adventure" ( I really like this kind of challenge :) ), I'd like to know if Windows 2012 provides any means for doing this kind of control.

I know there's a per server sessions limit, but that doesn't solve my problem.

Thanks in advance!

Bypass RDS - RemoteApp - Shell Access

Hello Technet Guys, 

I've created a PoC environment to test the RemoteApp feature of the RDS. Before trying to publish the applications and system of my company, I've decided to do some penetration testing activity. The result is not so good....

I've published calc.exe using RemoteApp, and by using the Help Menu, I could gain access to the machine's shell.


Have a look:

01 - https://social.technet.microsoft.com/Forums/getfile/830818

02 - https://social.technet.microsoft.com/Forums/getfile/830819

03 - https://social.technet.microsoft.com/Forums/getfile/830820

04 - https://social.technet.microsoft.com/Forums/getfile/830821

05 - https://social.technet.microsoft.com/Forums/getfile/830822

06 - https://social.technet.microsoft.com/Forums/getfile/830823

PS: I cannot upload the images in the body of this Forum. As my account is new, Microsoft is blocking me.

I don't want to implement other controls (like AppControl) to have a workaround and solve this problem. The perfect scenario would be to have access only to Calc.exe and no other application.

Has Microsoft done some kind of work to block this bypass?

Regards, 

Leandro Soares


Windows RDS 2012R2 Gateway & Web how they work together (Coming from a Citrix guru)

So I have been researching all over and having some trouble finding some details on the subject of RD Gateway & RD Web and how (or if) they work together.

I come from a Citrix background and I am used to a Citrix NetScaler / StoreFront deployment, with the NetScaler providing the HTTPS encryption and proxying to the StoreFront, which is the web interface where a user can launch a full desktop or application. I am curious if RDS works in a similar fashion, with RDS Gateway playing the role of NetScaler & RDS Web playing the role of StoreFront.

I am finding mixed information on this subject. Am I completely wrong and the two are independent of each other?

Is RDS Web used for the LAN only? RDS Gateway used for WAN access and only allowing access from an RDP client?

I have read it is best to have these two roles co-exist on the same machine (which I have done). I also plan to use an externally trusted SSL for my external FQDN remote.mydomain.com

Any information or articles that can help me figure this out will be greatly appreciated!



Windows Server 2008 R2 terminal services (RDS)

We have a branch office that connects to a web service product at head office via Internet Explorer. They are saying the web service product is slow and asking what can be done to speed things up. The latency between head office and the branch office shop is around 300 ms. We set up a Windows Server 2008 R2 Terminal Services (RDS) server with the trial license at head office as a VMware server. They are saying it is around 1 second faster. I set up their Remote Desktop client in Windows 7 64 bit so the connection speed would be 56k but that is not helping. I figured the terminal services product hosted in the same network and on the same VMware server as the web services product would be faster, as if they were sitting at head office, but it seems like it is still fairly slow. Is there some type of compression I can turn on for the terminal services product, or any suggestions how I could improve the response time by 2-3 seconds, as a lot of screens for them can take 6-10 seconds to load, depending on the screens, when they run the web services directly from their machine.

Also, are the graphics rendered on the host computer (the RDP server) instead of on the client device, and do the applications use the host's GPU and CPU to run at full speed? Is the data on the screen then compressed and sent to the client PC by default? I need a solution where the experience is almost the same as running the applications on a local computer at head office.

Would there be value in me upgrading this to Windows Server 2012 R2 Standard edition?

Any suggestions you may have would be appreciated.



Windows 2008 Terminal Server License

I have an existing Windows 2008 R2 Server, configured with per User Remote Desktop, but the 120 days trial period is finished.

Just need to clarify if I can use WinRmtDsktpSrvcsCAL 2012 SNGL OLP NL UsrCAL license to activate my Remote Desktop on Windows 2008 Terminal Server?

Double logon to RDS

In my RDS environment I have four servers: 1 Connection Broker, 1 Gateway server (license server) and 2 Session Host servers. I have load balancing set up between the 2 Session Host servers and DNS Round Robin in my DNS server. The problem is my users are getting a double logon screen (enter password twice) during logons. The only way of getting around it is to shut down one of the Session Host servers.

Remote Desktop Services 2012 R2....long delay connecting with Event ID 303 (Microsoft says it's normal - my users don't agree)

When users connect to our Windows 8.1 virtual desktops from their Wyse WTOS thin clients, they enter their credentials, hit login, and the thin client connects and does its thing within 1 second.

Then it hits the RDS server and the Event 303 delay happens:

The user "DOMAIN\JDOE", on client computer "192.168.0.1", disconnected from the following network resource: "rdserver2.my.domain.net". Before the user disconnected, the client transferred 10081 bytes and received 16736 bytes. The client session duration was 7 seconds. Connection protocol used: "RPC-HTTP".

During this 7 second delay (which ranges from 5 seconds to 20 seconds) the user just gets a totally black screen and time stops and they think they are using the slowest computer in the whole world. Then it gets to the Windows login screen and does the normal 'applying group policy' etc, which takes another 15-20 seconds - but that's okay because they can see the computer is "doing something" and not just a black screen. I will do ANYTHING to reduce this event 303 delay.

https://technet.microsoft.com/en-us/library/cc775326(v=ws.10).aspx

The Microsoft website says "This is a normal condition. No further action is required." I also created a support case with Microsoft and they did not help.

My users are not normal. How can I reduce this delay? Again, I'll do anything!


RDS between 2 domains via the intranet?

Hi,

My setup is 2 domains and I would like to access via RDP servers in Domain B via Domain A. I have setup a server A in Domain B which has NICs connected to Domains A and B. Server A is joined to Domain B.

Is it possible to use RDS and an RDS Gateway on Server A to provide RDP access to servers in Domain B to Domain A, or is there a simpler method?

Regards,

Paul

Users getting Disconnected

Hi, we have a Server 2008 R2 Terminal Server setup. We have the session settings set to never disconnect, but users are still getting disconnected after 10 minutes or so of idle time. No idea why it started doing this. It just started happening about a week ago and I can't figure it out. It's a member server in an SBS 2011 domain.

Thanks

Brian

User Profile Service event id 1530 with every remote desktop logout

I've been receiving User Profile Service event id 1530 with nearly every logout from an RDP session. Our environment is Windows 2008 R2 64 bit running on Citrix XenServer 5.5. RDP is in remote administration mode. Tested with and without Windows updates applied. No additional printers added, no connection to a domain.

Because the environment is virtual, I've been able to try many combinations and have narrowed it down to this: When Windows 2008 R2 has a single processor, the event does not occur.  When I give the virtual server two processors, the event occurs with nearly every RDP logout.  Same results with or without XenTools installed.  I do not have the resources to test the single/multi processor difference on physical hardware.

Any insights would be appreciated. I've posted the full event as well as information about the process that is mentioned in the event.

AB.

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          7/23/2010 8:38:51 PM
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:      WIN-36DPBES2P14
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-2545583-721118796-2022419212-1000:
Process 888 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2545583-721118796-2022419212-1000\Printers\DevModePerUser

----------

Process 888 is svchost.exe running UxSMS (Desktop Window Manager Session Manager), UmRdpService (Remote Desktop Services UserMode Port Redirector), TrkWKS (Desktop Distributed Link Tracking Client), and Netman (Network Connection)


Configure each collection to point to different gateway server while using DUO MFA on one gateway

In Remote Desktop Services 2012 R2, is it possible to have one collection point to gateway A and a second collection point to gateway B? I see the gateway setting under "Collections--> Edit Deployment Properties" but that seems to apply to the entire deployment, not the specific collection. 

I'm currently using DUO MFA authentication on gateway A. Using DUO disables the NAP policy on gateway A. All applications are protected. I'm interested in protecting certain applications with MFA which would route through gateway A. The basic applications would be accessed through gateway B without multi-factor authentication. The desire is for this to be automatic without an end user specifying the gateway in their RDP settings. Users will be launching applications primarily through the web portal. 

I'm interested in how this would work with a pure Microsoft implementation as well as any suggestions for configuration with DUO currently installed.  I've searched the DUO knowledge base without success.  Thanks!

RDP (Remote Desktop) to Windows 10 without passwords not possible anymore. Bug or feature?

After upgrading two of my machines to Windows 10 (Education N clean install and Pro N upgrade from Win8.1), I was not able to set up Remote Desktop as I was used to since Windows 7 (maybe this was possible before, too).

I am used to configuring Windows to allow RDP connections as a user without a password (home usage only). Apparently this is not working anymore after upgrading to Windows 10. (I have enabled this by modifying secpol.msc's security policies. Further information provided if needed.)

With the "no password" setup I get immediately disconnected by the local machine, which seems to auto login by itself after connecting via RDP. The only solution I managed to find so far was to set up a password. 

Is this a bug or a feature?

Cheers

User Profile Disk location question (DFS) + Remote Desktop Certificates

I have a couple of questions related to the Windows Server 2012 R2 Remote Desktop Role:

1. User Profile Disk location on DFS:

In my home test lab, which includes one DC and one member server, both Windows 2012 R2, domain functional level 2012 R2, with only the default GPOs in place, I am able to store the User Profile Disks for an RDS Session Collection on a DFS path, with the DFS namespace being created with default values (win 2008 mode).

However, at the client site, when attempting to use a DFS namespace (created also with the same default options), I get:

"Could not create the template VHD. Error Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

I eliminated the possibility of it being an NTFS/share permission issue by granting "everyone" FULL access share and NTFS permissions. I am able to browse to the same DFS share location in Explorer, and manually create files in there with no problem.

A workaround is to use the direct UNC path that points to the share on the actual server itself rather than using the DFS path. This works fine.

Obviously there are many GPOs at the client site and so I really wouldn't know where to start looking if it was a certain policy preventing the UPDs from being stored on a DFS path. Can anyone provide any advice?

=============================================================================

2. I want to confirm where I need to apply certificates for the RDS solution in place. This is what we have:

2 RD Brokers working in HA mode with a SQL Database

4 Session Hosts, all part of one session collection

We are not using RD Gateway, nor are we using the RD Web Access (design choice by the TAs).

There are two DNS A Records set in DNS that points the Session Collection Name to the IP address of the primary broker and secondary broker, each being on a different subnet, which caters for users being connected to their site specific broker.

Users will have to open MSTSC, and connect to "SessionName", and this is where DNS will point them in the direction of the broker, which in turn will point them towards the next available session host. This works fine. Without any certificates in place, we see two certificate warnings:

1) From the broker server

2) From whichever session host server I've been redirected to.

There are plenty of blog posts online about which certificates to apply but they don't all match up as to what is required. If we want to eliminate both the above certificate warnings, what's the minimum we need to do? I believe we need to apply the right kind of certificate for both the "Enable Single Sign on" and the "Publishing". However under guidance we were told to apply only the "publishing" one. In addition, we have used Step 17 here: http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html to change the Remote Desktop Services certificate manually on the broker, to use our own CA issued cert.

The CA issued cert is issued to CN=*.domain.com with a SAN of "SessionName". 

This eliminates warning 1) above but warning 2) still remains. Does this mean we have to also change the Remote Desktop cert manually for each session host, or is there a better way of doing it, perhaps by setting a cert for "Enable Single sign on" as above? PS we use no remote apps at all. Just MSTSC to the SessionName.

Thanks

Access to RDS from isolated network (+)

Hi all!

I have a sub-network with many huge firewalls across ) Long story short: from the client on this network I can telnet 3389 to my broker and every session host. I can even open an RDP session to any of my session hosts. But if I try to establish an RDP session to the broker or open a published app from my portal, I receive the error Connection Failed. Which ports do I need to open from this network to the RDS farm? Or maybe it's not a network-related problem at all?

Thank you

Slow logon - black screen- DCOM event 10009

We have a 2008 R2 Server running Remote Desktop Services. It's been working fine for a few months, and access has been quick and consistent.

Recently though, clients using the server have been complaining of very slow logon times, often with the remote session console going 'black' until the desktop eventually appears. This can take anywhere between 2-10 minutes. Once the desktop is available it works fine, and is quick as usual. This only affects 'new' sessions. Disconnected sessions resume quickly with no problem.

When the screen is 'black', if you press CTRL-ALT-END, the Windows screen showing the option to Change Password/Run Task Manager appears, so there is life in the session - it hasn't hung.

What I've noticed is that, after every 'slow' client logon, I see this entry in the system log on the server:

DCOM Event: 10009

DCOM was unable to communicate with the server <server1.mydomain.local> using any of the configured protocols

In this case, server1.mydomain.local is a DC in a different child domain within our forest root. The terminal server has no need or requirement to communicate with this DC, and in fact the domain the DC resides in is completely secured from the terminal server's domain. There's no rogue DNS entry, and I've searched the registry for the FQDN and IP of the referenced DC, but found nothing.

I don't know why it's started, or why it's trying to communicate with the DC, but it seems to be really slowing the logon process down for users. Oddly, admin sessions aren't affected - they're as quick as always, it's just user logons.
