Channel: Remote Desktop Services (Terminal Services) forum
Viewing all 5613 articles

An authentication error has occurred (Code: 0x607)


Hi all,

This one is driving me NUTS! The problem itself is when I go to connect to a session host using a web access server I get the error in the title.  This is only happening to some of my session hosts and not all.  I have compared them and can't find a single difference.  I also can't find anything useful in the event logs about this.  Below is my setup.

A full RDS environment using all Windows Server 2012 Data Center.  Nothing 2008 R2.  All Clean installs.

I have 6 servers as VMs split evenly between 2 ESXi 5.1 hosts.
1. MP-RDP-CB1.inucoda.net (Connection Broker 1)
2. MP-RDP-CB2.inucoda.net (Connection Broker 2)
3. MP-RDP-GW1.inucoda.net (Gateway Server 1)
4. MP-RDP-GW2.inucoda.net (Gateway Server 2)
5. MP-RDP-WA1.inucoda.net (Web Access Server 1)
6. MP-RDP-WA2.inucoda.net (Web Access Server 2)

inucoda.net is a network that is the Domain that all servers are joined to via 2 Domain Controllers split between each ESXi Host.
My outside domain that you can get to from the web is ucoda.net

The connection brokers have all servers used including session hosts added to the server pool and are configured in HA mode. They use a SQL Server 2012 Fail-over cluster that is on a separate set of VMs for their database and the DNS is configured as round robin. MP-RDP-CB.inucoda.net.  There are two entries of this each with one of the two IPs of the CB1 and CB2 servers.

On each CB server there is a RDS License server role installed with CALs installed and activated/registered. Both LIC servers have been added to the RDS deployment properties.

The GW servers each have the NLB role installed with an extra network adapter for NLB use. There is a DNS name of MP-RDP-GW.inucoda.net that points to the NLB IP of the GW Cluster.  Also both GW servers were added to the GW Server Farm part of the GW properties.

The WA servers are also in a NLB Cluster with an extra adapter and a DNS of MP-RDP-WA.inucoda.net pointing to the NLB IP.

Upstream from our inside Windows Domain at our ISP level there is a DNS entry of MP-RDP-WA.ucdoa.net and it points to the NLB IP of the WA NLB Cluster.  (This is not a public IP, we require you be on our VPN to be able to access the IP).

For certificates we have a Comodo issued wildcard of *.ucoda.net with the corresponding Comodo Root Trust and Intermediate Certs. We also have a wildcard *.inucoda.net created by our inside CA.

The *.inucoda.net cert is used for the CB SSO, CB Publishing, and GW while the *.ucoda.net cert is used for the WA.

All session hosts have been configured to use the *.inucoda.net for their RDP sessions.

I can confirm that the *ucoda.net cert is used for the WA part and all other parts are reporting the *inucoda.net, all with no errors or warnings.

For each session collection only one session host is used with no apps, (just RDP).  Security is set to only use NLA, SSL 1.0, High.

On each session host I have verified that the *inucoda and *ucoda certs are installed and the internal CA and Comodo CA/Intermediate CA are installed in the correct stores.  I have also verified that COM Security has the domain\TS Web Access group set with full perms for the Access and Launch/Activation. Also for WMI Root\CIMV2\TerminalServices Security has the domain\TS Web Access group set with full perms. Lastly each group/user that has access to RDS is listed in the Remote Desktop users.

I've checked that both WA servers are listed in the TS Web Access group.

The GW servers' RAS/RAP policies are set to be pretty open for testing with using any port, any network resource, and Domain Users and Domain Admins listed.

I have been trying to connect with Windows 8 and Windows 7 clients as the domain\administrator account.  Some of my session hosts connect fine and others don't.  It's always the same ones that connect and don't connect.  I can't find any difference between them.  I've also blown away my entire RDS and started over with just a 3 server single node model with no NLB or RR DNS and the same exact error happens on certain servers.  I have since gone back to the 6 server setup described here and again the same error on the same session hosts.

I have also tried Negotiate and RDS Compatible and disabling NLA only for security.  No change.  Now here is the interesting part. If I remove GW servers from RDS by just saying not to use them (not actually uninstalling them or anything), all session hosts connect just fine every time.  When I first did my RDS setup I got the same error with code 0x607 for every connection attempt and found I had to set the RAS/RAP to use any network resource instead of Domain Computers.  However, it is currently set like that and some still don't connect.  So it works without the GW servers just fine.  It also works without them in the 6 node setup as well as the 3 node setup.

I don't want to use it without the GW servers because since I am using all inside subnets with a VPN I have to add the CB IP/Name to my host file or it will not resolve and give an error about reaching the Connection Broker. Because I want to use a HA setup this is no good as there are two servers for it.  That's why I use the NLB IP of the WA and publish it with outside DNS with our ISP. 

Any ideas at all??

Thanks,
Chris


Remote Desktop Services - Server 2012R2 - Screen flickering


Hello all,

We deploy Navision 2009R2 through Remote Desktop Services. The deployment works fine, but once in a while, when Navision opens a second program, just a small custom made program (a single .exe) used to transfer data into Navision, the screen starts to flicker and working becomes impossible.

We have to close the entire remoteapp connection and start over.

Steps taken:

  • Server is up to date
  • Changed to compatibility mode of the program
  • Bumped up the vRAM
  • Enable/disable RemoteFX

Extra information

  • Virtual machine on ESX 5.5 (Host is HP ML380 g8)
  • Connection between server & client is 40Mbs (more than enough)
  • Frequency of the problem: less than three times a week.

What can I do to troubleshoot this rather annoying problem and might anyone have a solution?

Kind regards,


 

Access is Denied - Remote Desktop


I have set up my Server (2008 R2 Foundation) for remote desktop and RemoteApp as per the instructions provided by Microsoft.  I am using a single server for all functions.  When a user logs in to the Server through remote desktop, the remote desktop screen comes up and then the user immediately gets an 'Access is Denied' message.  If the user connects through RDWeb, the RemoteApps are displayed, but when the user clicks on an application, they are prompted again for their login credentials and then they get the remote desktop screen with an 'Access is Denied' screen as well.  This happens even for Administrators.

I am getting very frustrated with this as I have read many blogs and tried everything to no avail.  PLEASE help me.

How to reduce time using RDWEB?


Hello Team,

I configured a terminal server on Windows Server 2008 R2. When I check printing, the print time is very high.

When I fire print commands in a number of batches, the printing time is very high.

How to fix?

thanks, 

Remote Desktop Manager not showing UDP connections 2012 R2 gateway


Remote Desktop Manager not showing UDP connections on my 2012 R2 gateways. UDP 3391 is enabled and open externally through a NAT.

I do have two gateways that are load balanced using Microsoft NLB. UDP is enabled on both gateways and VIP is NAT'd in the firewall with 443 and UDP 3391 open. I have seen randomly that a UDP will show up in the manager, but only one. I expect to see an http connection along with two UDP connections.

Is there a reason why I am not seeing the UDP connections come in, or only seeing them randomly? I have it working on the other gateways but they are not load balanced and single gateway instances. It doesn't seem to be related to policy or anything.

I'm thinking about reinstalling the MS NLB.

"Reconnect" from tray icon not working against Server 2012 R2


I have a Server 2012 R2 (Datacenter edition) RDS server serving remote apps. I am still experiencing the same issue on Windows 10 and Windows 7 clients.

I *can* connect via the web or via the control panel, but if I right click the icon in the system tray and say "reconnect" it generates the endpoint errors.  I can duplicate it every time.

Can someone please help?  This is the only thread my Google-Fu led me to that is even close to matching my problem.

File Type Association for new Users


Hi.

The issue is quite simple and I don't know why Microsoft gives nothing for this.

I have Remote Desktop Session Host and RemoteApp. My users start an application via RemoteApp. They need to open JPG or TIFF files in this application. There is a graphic view application on the server. But I cannot set File Type Association for these files. GPO (Folder Options) - Result: Success, but doesn't work. CMD "ASSOC" and "FTYPE" succeed but also have no effect.

So the question is "How to set file type association on RDP Server 2012?".

I suggest to use default profile. I mean, every time new user logs on server, new profile is created and system takes basic default association. Do you know, where it is?

Network Level Authentication bs


Today I tried to connect via RDP to one of my Virtual Servers (Windows Server 2012 R2), and I ran into this message : "The remote computer that you are trying to connect to requires network level authentication (nla), but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the remote tab of the System properties dialog box." 

How am I supposed to make that change if I can't even log in to the server? Why only now did this message come up? I've had this server running for months, wth.


NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host

This is a new deployment of Server 2008 R2 in a newly created 08 R2 active directory on a newly installed 08 R2 RDSH server.

A new generic user is created in AD. That user can log on to the terminal server on the console just fine. But that user cannot logon via RDP. Furthermore, the domain admin credentials also cannot logon via RDP.

When either set of credentials is used, the logon attempt is registered in the Windows Security Event Log as a denied attempt with Event ID 4625 reporting a NULL SID.

Troubleshooting: The RDSH has already been disjoined and rejoined to the domain. Also, curious note, there are three ways to save the user account on the RDSH server as a valid user account which has permissions to logon. The one Microsoft recommends is to open computer management and edit the remote desktop users group. When I add the accounts here and click apply, they immediately disappear. Secondly, I can open the computer properties and go to the remote tab. There I find the user accounts added using the previous method are enumerated but not displaying correctly. They show up with the RDSH server name and a question mark. The last way is to open the Remote Desktop Session Configuration tool and edit the properties of the rdp connection and go to the security tab. This was the only place I could get a user to ‘stick’ but the logon attempts still show a NULL SID and access is denied.

I have scoured every bit of RDS documentation I can find with no luck.

Thanks,
Chris

Issue with Console Session vs RDP sessions


Hello, 

I have a Server 2008 R2 with 10 Remote Desktop User CALs that I have been confirmed to have licensed properly, several times. My issue is that occasionally when some users connect they see the message that there are too many people logged in and they need to choose someone to kick off. This makes no sense to me as every time it has happened, I have logged in to see that there were 6 people logged on. There is nothing weird in the event log besides a flood of schannel alerts and incorrect passwords.

Here are my current theories.

  1. Most of the users who use remote desktop, use the remote desktop app on their MacBooks, perhaps there is a licensing conflict with Mac vs windows?
  2. The previous IT guy setup a publicly available host name that translates to our static IP that allows RDP traffic through to our terminal server. Regardless of if you are inside or outside of the network you can RDP to the host name and gain RDP access. I am in the process of restricting access to only go through a VPN but could there be some issue there in terms of lingering connections?
  3. I have setup the domain policy so that any user is automatically logged off after an hour of idle time and the session locks after 15 mins of idle time and I have required that all RDP sessions use whatever form of RDP encryption they are capable of. Could these Policy restrictions be causing the issue?
  4. I am open to other theories.

I have attached a sample image of the issue and can send a redacted version of the GPresult report. I would love to see if you guys can help me out.

Migrate User Profiles to new server


I am installing new Server 2008 R2 RDS Servers.  We do NOT use a Farm.  I have existing Server 2008 R2 RDS Servers.

I want to migrate my users' profiles to the new server (which will be configured w/ same software, etc.)

I have tried Robocopy and exporting/importing the Profile GUID/SID into registry AND tried restoring the profile to the new server from Backup along w/ GUID/SID import.

User gets temp profile when logging on.  If I delete the imported registry SID for the user, they receive a new profile.

Anyone have a link to a good set of instructions and/or recommendations for how to do this?  Also, will recommended process work with 2008 R2 to 2012 R2 migration?

Thanks....

IIS redirect for RDWeb when web access and gateway roles are on the same server. Does it work?


I would like to set up IIS redirect as per: http://miscproject.blogspot.co.uk/2015/07/branding-microsoft-remote-desktop-web.html

This should allow users to remember an even simpler URL for web access.

However, our WA and GW roles are combined on the same server, so I am wondering if this is an acceptable change in this scenario, or if setting the redirect will break the gateway connectivity?

Cheers.

net::ERR_CERT_COMMON_NAME_INVALID


I have an RDS setup.

I have installed a wildcard certificate (issued to *.mydomain.com) that should secure all servers in the mydomain.com.

A certificate error is encountered when browsing to the RDS  web site (https://rds.ab.mydomain.com) or when connecting to published RemoteApps.

This is the Error: "net::ERR_CERT_COMMON_NAME_INVALID"

Does this mean I should have a wildcard cert which is *.ab.mydomain.com ?

Any suggestions would be helpful!

Thanks in advance.


Hemanth L

_Menu_ Font Scaling in Remote Desktop 2008 R2


KB277551 (which includes kb2726399) is already installed.

Remote Desktop: 2008 R2 fully patched and up to date. Desktop Experience IS installed

Clients: Windows 10 (full HD)

Issue: Published applications (NOT remote desktop!)

What does NOT work: publishing control panel to users and allowing the user to adjust the font scaling from 100% to 125% or 150%, logging out, waiting for the session to close fully and logging back in. (That detail was just in case someone says "wait for the session to be cleared before logging back in"!)

Question: How to configure the system so that the Menu font size is readable? Screenshots with 100% scaling. NOTE: The same problem is for all MS apps, I just used a command prompt as an example. (In case someone says it's a third party problem.)



Screenshot with 150% scaling. NOTE: It does have an effect, just not on the font size!



Please don't take this as ungrateful, but rather than a link to kb2726399, I'm hoping someone out there has personally actually resolved this issue.

TIA

m

2012 r2 Server Manager cannot manage RDS: Collections, Host Servers, and Connections won't display


Hello,

We have a 2012 r2 server running RDS publishing a number of RemoteApps.

When we go to the Server Manager and drill down to the Remote Desktop Services area we are seeing a number of the sections that will not display their information and we can no longer manage RDS via Server Manager.

Starting at Server Manager\Remote Desktop Services\Overview the "Deployment Servers" window shows a red banner with "Could not refresh the list of servers"

Going to the Server Manager\Remote Desktop Services\Collections, all three of the windows, Collections, Host Servers, and Connections, will eventually display a similar type of error message, stating to check the status of the services for Remote Desktop Connection, Windows Remote Management and Windows Internal Database.


 

The server is fully patched, event logs don't show anything of note.

We've rebooted the server and confirmed all those services and all "Remote Desktop *" services are running.

We're still able to access the RDWeb instance to use the published applications. 


This had been working previously, not sure when it last was though as we don't always go into Server manager. We can manage the remoteapps via powershell, but are curious why Server Manager no longer functions.


Any assistance would be greatly appreciated.

thanks...


Start menu RDS 2012 blank at second login, when using appsfolder.itemdata-ms


Hi,

I'm deploying a new server 2012 R2 farm and want to give the end user a pre defined StartMenu.
I followed this article: http://microsoftplatform.blogspot.nl/2012/11/predefining-and-customizing-modern-ui.html
in which the author describes how to use the appsfolder.itemdata-ms file.

I logged on as an ordinary user and successfully created a nice layout. After that I grabbed the appsfolder.itemdata-ms, copied it to C:\Users\Default\AppData\Local\Microsoft\Windows and made the file Read-Only.

After that I tossed away the test user's profile disk and logged on. The StartMenu layout was as I hoped for and expected. The layout that I had prepared was in place. I logged out and on again and, the horror: The StartMenu was completely empty.

I looked in the user's profile: C:\Users\%Username%\AppData\Local\Microsoft\Windows, and there is the appsfolder.itemdata-ms file I deployed. The logged on user has Full Control permissions to it, but it looks like it's not being "picked up" by Windows or whatsoever.

I did some more research and testing, and found out that, without the appsfolder.itemdata-ms in the default user's profile, changes to the StartMenu are not being saved. I logged on as a testuser with new profile and created a nice StartMenu layout. Logged off and on again: layout gone.

I guess these two issues have the same cause, but I can't find it. I hope someone can kick me into the right direction on this.

Thanks in advance !

Remoteapp - can't launch published apps from outside our network


We just had a vendor configure Remoteapp on a brand new windows 2012 R2 Standard Server for us.  From inside our network, the Remoteapp server works as expected.  We can open a browser, navigate to rdweb, log in, and launch published apps.  

From outside our network, however, we can get to the rdweb page and sign in, but no published apps will launch--when we double click one we get an error message stating "your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to."  The event log on the server then throws a 4625 audit failure.  One account (only) can launch apps from outside--the "built in account for administering the computer/domain."  This is the same domain account on the server where the remoteapp role is installed.  No other accounts can launch apps from the outside.

We can RDP into the server from the outside no problem (from the same accounts that can't launch apps.)  I am certain that our hardware firewall is not the issue.  The vendor that set up the server says the server and the certificate are configured properly, and they think it's an issue with our domain policy/policies.  

Interestingly, if I go into a user account in AD users and computers, add the name of the computer he is trying to launch apps FROM into the "Logon workstations" list, it fixes the problem--the user can then launch apps.  However this is not an option, because we can't determine the name of every computer that every remote user might use to log in.

Alternatively, If I go into the user account in AD users and computers and select "All computers" for "logon workstations", that also fixes the problem--the user can launch apps remotely.  However this isn't an option either, because we don't want internal users to be able to log into every machine on our network.  

I'm not sure why we don't experience the "log on to" dilemma when launching remoteapps inside of our network--only from the outside.  

Any ideas to fix this would be greatly appreciated. Thanks!

RemoteFX: Using a Dell Server -- Is it even possible?


I have a Dell T420 PowerEdge.

It has an onboard video card and Dell says I cannot disable it in the BIOS... If that is the case, and if RemoteFX requires that all video cards be identical, how can Dell Servers ever be compatible with RemoteFX?

What I end up having is -- The Card shows up (sometimes) under Hyper-V Settings, but I cannot assign it to a VM. Then other times it is not there and if I enable / disable the new GPU it works again.

I mean the card always works.. I just mean Hyper-V is randomly "losing" it.. and I am guessing it has to do with them not matching.

I know of literally zero companies that sell servers that come with awesome video cards, so how do any of these Server products ever get used with RemoteFX?

Thanks

RDS 2012 Farm & Roaming Profiles


At present we have a Windows 2008 R2 RDS Farm consisting of 10 servers which serves around 300 users. User profiles and folders are redirected to a Windows 2012 file server. While this works well we found some of the older 2008 RDS servers are beginning to run low on disk space due to the caching of all 300 user profiles. Every now and then we have to manually clear these down.

We have just purchased some new servers and intend to setup a new Windows 2012 RDS farm as well as two Windows 2012 file servers. We intend to use DFS on both file servers to give us some redundancy.

Questions:

- I seem to recall redirected folders and/or roaming profiles aren't recommended when using DFS. Is this still the case when using Windows 2012?

- Is it best practice to have each Windows 2012 RDS server to cache a copy of the user profiles? Could we configure the 2012 RDS servers to access the user profiles directly from the DFS share/file server without caching a local copy or would we suffer from performance issues?

- Any other best practice suggestions or considerations when setting up a Windows 2012 RDS farm with roaming profiles and redirected user folders?

Thank you in advance for any help or assistance offered.

High Availability Terminal Services


Hello friends, how to assemble a High Availability Terminal Services environment with Windows Server 2012? I need as servers?
The environment has a safe passwords, Computer Associates solution that is integrated with Active Directory.

I await tips and already thank you!


Ivanildo Teixeira Galvão
