Channel: Remote Desktop Services (Terminal Services) forum

RD LICENSING DIAGNOSER SHOWS NO LICENCES AVAILABLE WINDOWS SERVER 2012


I HAVE WINDOWS SERVER 2012 R2

LICENSES APPEAR CONFIGURED OK ON LICENSING MANAGER BUT ON LICENSING DIAGNOSER I HAVE NO LICENSES AND CAN'T CONNECT TO THE LICENSE SERVER

A MESSAGE TELLS ME I HAVE A FEW DAYS BEFORE THE LICENSES STOP WORKING


Enable Restricted Admin mode for RemoteApps


I need to enable Restricted Admin Mode for MSTSC across my 2008 R2/W7 domain. I need Authenticated Users (with RD access) to be able to access a Remote App available on RD Web Access Gateway. With RA mode enabled, they get a "restricted access" error when attempting to connect via MSTSC (prior to application launch). If I attempt this while logged in as Domain Admin I am able to connect over MSTSC and launch the application as normal.

I tried adding "remoteapplicationcmdline:s:/restrictedadmin" to the Custom RDP Settings in Session Host configuration, but I get an error that I "cannot override global settings".

Is it possible to apply this cmd line argument to a RemoteApp application, or is there another way to enable Auth Users to connect while still using Restricted Admin mode across domain MSTSC connections?

RemoteApp and Desktop Connections issue


Hello.

I am trying to set up a new RemoteApp and Desktop Connection silently by command from C#. I use the following code to set up the connection:

using System.Diagnostics;

// Run the silent workspace setup through cmd.exe with a hidden window.
var processStartInfo = new ProcessStartInfo
{
    FileName = "cmd.exe",
    Verb = "runas",
    Arguments = "/C rundll32.exe tsworkspace,WorkspaceSilentSetup RemoteAppConfig.wcx",
    UseShellExecute = false,
    WindowStyle = ProcessWindowStyle.Hidden
};

Process.Start(processStartInfo);

It works correctly (the connection is created) only if I launch the application in debug mode. But if I install my application by MSI, the connection is not created. And I see the following error in Event Viewer: "An error occurred. Contact your workplace administrator for assistance."

Could you help me please?

When connecting to a locked (but not disconnected) session from same PC, RDP client does not ask for credentials and unlocks


Hello everyone!

Today, a customer asked me to fix a problem that they consider a high security risk, and I cannot seem to find a solution for them.

They have a Windows 2012 (first release) RDS farm (but have already confirmed same problem exists with Windows 2012 R2 RDS farm). Security is important to them, so they have disallowed saving passwords for their RDS sessions. When a user connects, he is asked for credentials. If they reconnect to a disconnected session, they also have to give their credentials. So far, so good.

However, recently users have discovered (you would think they have better things to do…), that you can reconnect to a connected session without credentials if reconnecting from the same client. The first RDP window will disconnect from the session as the second window connects.

So now consider this scenario:

 

  •  A user has logged in to RDS (using his credentials)
  •  The user goes to lunch and locks his screen with Ctrl - Alt - End. He does this because IT department has repeatedly asked him to do this. His session is locked but not disconnected.
  •  As soon as he is gone, his colleague walks over to his desk, and minimizes his locked session using the connection bar or Ctrl - Alt - Break. The session is minimized, but not disconnected.
  •  The user uses the same RDP file again to connect to RDS a second time. He is not asked for credentials.
  •  The first RDP window disconnects as a second RDP window comes up.
  •  The user finds the RDS session unlocked in the second RDP window, so he can use this method to unlock someone else's RDS session without credentials.

 I have confirmed this problem exists with both type of clients they have: Windows 7 PC’s and Windows 10 PC’s.

 The IT department has identified this as a major security problem in their company. I cannot find a way to force the Windows clients to ask for credentials in this situation. Also, I cannot find a way to prevent people from minimizing an RDS session. Ctrl - Alt - Break always works.

 Do you have any suggestions?

 


New RDS Environment


Excuse my ignorance as I am new to Microsoft RDS.

I used Microsoft RDS to setup a pool of virtual desktops in VMWARE. It works fine but I want to ramp things up as we will be taking on 50 remote resources who will need VDI access.

So, I am going to go with RDS and Hyper-V. 

My question is, what is the best option to allow for 30 concurrent connections to the same desktop setup. They will be Developer workstations so they will be kind of beefy. Let's say 2CPU 8GB RAM and 100GB HD.

So, do I go with Session based or VDI based? I was going to go with a single host, 4 CORE, 256GB RAM and 3TB disk space.

I figured I would spin up 5 VMs in Hyper-V with the above desktop configuration using Session based.  

Would this facilitate the 30 concurrent connections I need to support or should I be going in a different direction?

Thanks in advance.

Keyboard Layout per User group


Hi,

I'm having some trouble setting different keyboard layouts for certain groups

Servers are all running 2012R2.

Qwerty - US International is suitable for most users.
Some users need AZERTY layout. This is what I did:

Logged in with test user.
Set proper keyboard layout.
Tested the configuration
From GP Management console ran the registry wizard.
Imported HKEY_USERS\<GUID of Test User>\Keyboard Layout.

Configured item level targeting for test user.
Removed test users profile

Logged in again.
Verified that the policy is applied.
Registry items are in place, but it defaults back to the QWERTY layout.

In some tests it even displayed the AZERTY layout in Language/layout, but still it was QWERTY
It also adds the QWERTY layout codes to the registry.

Why can I make the change manually (keeps working forever)
But when I make a GPO it never works and defaults back to QWERTY?

Is there a default / remote keyboard thing messing around??

Hope my issue is clear and someone knows how to handle it.

Windows Server 2008 R2 AD Users Roaming Profiles move to new server...


Thanks to anyone who may be of help to me on this issue!  I have been frustrated for months on end now trying to find the correct method for moving user roaming profiles from one server to another and I’ve hit a brick wall every time I’ve tried to accomplish this task. 

My environment is setup using (2) physical host servers, the old host server is running Windows Server 2008 R2 Standard (full GUI), and the new host server is running Windows Server 2012 R2 Standard (full GUI). 

The hosts are setup as follows: 

The new host 2012 R2 server currently runs VMs that are all Windows 2012 R2 Standard Servers and the VMs are set up as follows:

VM#1) Primary AD server (DNS, WINS, DHCP)

VM#2) Backup AD server (DNS, other redundancy)

VM#3) WSUS  & Symantec End Point Protection Server

VM#4) SQL Estimating and accounting software backend server, and shared data

VM#5) File and Data shared storage, server has the copied over private Users Profile Folders from the Old server/VM that currently has the user roaming profile folders on it, also has other misc. shared folders etc.

The old host 2008 R2 server runs only one VM currently, as I’ve moved all other VMs to the new host server without any issues. The only VM this old host runs is a Windows Server 2003 SP2 Standard server that holds the current copy of the private Users Profile Folders on it. Also I don't want to simply export and import the 2003 SP2 VM to the new host, as I feel this server's health is not in the best condition, and I prefer to dump 2003 and have all my VMs running the same OS (Windows Server 2012 R2 Standard).

All users desktop PC's are running Windows 7 Pro 64 Bit.  After using several users as test dummies, I've come to the conclusion that moving the existing profile folders to a new server is much more complex process than my research has led me to believe.  I have done endless research on Google, MS forums, Windows server forums etc. with no solid process producing results.

On my AD server I've changed the AD user settings, profile tab settings to the location of the new server for both the 'User profile, Profile path:' and the 'Home folder, Connect: Drive - To folder’. I've used GPUpdate /Force at the desktops, I've un-joined the PC from the Domain and re-joined it, I've deleted the local copy of the Profile (Roaming), I've renamed the existing profile folder on the old server, then get an error message saying can't load profile using temporary one, I've removed the registry entries on the PC that reference the profile list for this user and removed any .bak entries but then when I try to log on as this user it errors on the log in saying something such as the user profile entry is missing or corrupt etc. and returns to the log in screen.

I do notice that all throughout the registry on this PC the old server profile location is referenced about a million times. So at this point I am throwing my hands up and saying "anyone that might be able to help, I would greatly appreciate it"

Enable Virtualization Host role on a Virtual Machine


Hello,

A few months ago I installed RDS on a virtual machine in Hyper-V and I got errors installing the Virtualization Host role, so I have to install RDS on a physical machine.

I want to ask if it is now possible to install Virtualization Host on a virtual machine on Hyper-V or if a physical machine is still required?

I will appreciate any advice.

Best regards,

Manuel


Manuel´s Microsoft Forums Threads


Add custom RADIUS Server to RD Gateway for two factor authentication


Hi Technet

From a long term project we have developed a more or less RFC 2865 compliant RADIUS Server. It supports challenge/response in order to check an OTP sent by text message. For any RADIUS capable client (e.g. firewalls, SSL VPN, Direct Access) we may use our RADIUS Server to protect those appliances with a 2FA/MFA.

Now we would like to test our RADIUS Server with RDS 2012 R2.

We have set up a Demo LAB with a DC and a member server holding all the RDS roles (RD Web Access, Connection Broker, RD Session Host, RD Gateway). This setup works as expected.

There is a lot of partial documentation about NPS and RADIUS and RD Gateway Manager and RADIUS. But there is no how-to for implementing a custom RADIUS Server.

So: which steps do we need to protect the RD Gateway with our RADIUS Server?

And it does look like our RADIUS Server does not respond correctly to the NPS request:

This is what we receive:

Code      : 1 Access-Request
Identifier: 28
Length    : 156
------------------------------------------
  1 User-Name                : lab\user1
  6 Service-Type             : 12
 26 Vendor-Specific          : Vendor-ID: 311 (Microsoft)
                               Data:      2F 06 00 00 00 01
 30 Called-Station-Id        : UserAuthType:PW
 33 Proxy-State              : ??      ?2??+??  
 61 NAS-Port-Type            : 5 Virtual
 80 Message-Authenticator    : 3F 13 3F 3F 3F 56 3F 01 3F 3F 25 2A
------------------------------------------

And what we respond:

Code      : 2 Access-Accept
Identifier: 28
Length    : 40
------------------------------------------
 18 Reply-Message            : Welcome lab\user1
------------------------------------------

For every Firewall, Appliance, Direct Access, Citrix NetScaler our response works. But why won't it work with RD Gateway? It is resending its Access-Request 5 times and we are responding always with Access-Accept. But no Access to the RDP.

BTW: We have no information about RADIUS Service Type 12. RFC 2865 has values from 1-11, but MS RD Gateway sends 12?

Any Ideas?
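
An added example, not part of the original post and not the poster's server code: RFC 2865 requires every Proxy-State attribute in a request to be copied unchanged into the reply, and the request above carries a Message-Authenticator (RFC 2869), while the Access-Accept shown contains neither attribute. The Python below verifies a request's Message-Authenticator and builds a reply that echoes Proxy-State and is signed; the shared secret and the sample request bytes are constructed, and whether this resolves the RD Gateway behaviour is an assumption.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, REPLY_MESSAGE, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 18, 33, 80


def parse_attributes(packet: bytes):
    """Return [(type, value, value_offset)] for each attribute of a RADIUS packet."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.append((a_type, packet[pos + 2:pos + a_len], pos + 2))
        pos += a_len
    return attrs


def encode_attributes(attrs) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def message_authenticator(packet: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the packet with `authenticator` in the header and the
    Message-Authenticator value zeroed (RFC 2869 section 5.14)."""
    buf = bytearray(packet[:4] + authenticator + packet[20:])
    for a_type, value, off in parse_attributes(packet):
        if a_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 bytes")
            buf[off:off + 16] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def request_is_authentic(request: bytes, secret: bytes) -> bool:
    sent = [v for t, v, _ in parse_attributes(request) if t == MESSAGE_AUTHENTICATOR]
    expected = message_authenticator(request, request[4:20], secret)
    return len(sent) == 1 and hmac.compare_digest(sent[0], expected)


def build_reply(request: bytes, secret: bytes, code: int, extra=()) -> bytes:
    """Build a reply that echoes Proxy-State in order and carries a valid
    Message-Authenticator and Response Authenticator."""
    req_auth = request[4:20]
    attrs = [(t, v) for t, v, _ in parse_attributes(request) if t == PROXY_STATE]
    attrs += list(extra) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    # Replies are signed with the Request Authenticator in the header field.
    mac = message_authenticator(header + req_auth + body, req_auth, secret)
    body = body[:-16] + mac
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def constructed_request(secret: bytes) -> bytes:
    """Constructed sample Access-Request, loosely shaped like the one in the post."""
    attrs = [(USER_NAME, b"lab\\user1"), (PROXY_STATE, b"\x01\x02\x03\x04"),
             (MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, 28, 20 + len(body))
    req_auth = bytes(range(16))  # constructed; a real client uses random bytes
    draft = header + req_auth + body
    return draft[:-16] + message_authenticator(draft, req_auth, secret)


if __name__ == "__main__":
    secret = b"constructed-secret"  # placeholder shared secret
    req = constructed_request(secret)
    reply = build_reply(req, secret, ACCESS_ACCEPT,
                        [(REPLY_MESSAGE, b"Welcome lab\\user1")])
    print(request_is_authentic(req, secret), [t for t, _, _ in parse_attributes(reply)])
```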



Cannot View Remote Desktop Configuration in 2012 R2 with an account from another domain

 Hi

I have a 2012R2 Remote Desktop Services Installation on a machine in another domain (Let's call it Domain B). Domain B belongs to a 2 way trust with Domain A. 

If I connect to the server with an administrator account from Domain B I can configure RDS without any issues as one would expect.

If I connect to the server with an administrator account from Domain A when I look at the Remote Desktop Services sub-menu in Server Manager the Overview section says "A remote Desktop Services deployment does not exist in the server pool" and no collections are shown. I also tried to see if I could see the collections via PowerShell. If I run Get-RDSessionCollection from my Domain A user I get:

Get-RDSessionCollection : A Remote Desktop Services deployment does not exist on
SERVER_NAME.domainB.fqdn. This operation can be performed after creating a deployment. For information
about creating a deployment, run "Get-Help New-RDVirtualDesktopDeployment" or "Get-Help New-RDSessionDeployment".
At line:1 char:1
+ Get-RDSessionCollection
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-RDSessionCollection

but using a Domain B user I get the list as expected.

Any help would be appreciated and thank you in advance.


How to not allow a user to disconnect the rdp user session


Dear all,

By default, just two users are allowed for RDP. When a third user tries to log into the server, a window appears to allow the user to disconnect an existing session: Select a user to disconnect so that you can sign in.

How can I disable this window and not allow the third user to disconnect the existing session?

thanks


john

2012 R2 RDS Temporary Profile issue


I have set up a standard 3 node 2012 R2 RDS for testing. All virtualized on VMware ESXi 5.0. I have a connection Broker, session host, and web access server. I have published several applications and I can access them without a problem. Here is my issue:

When I try to log on to my session host server either locally or thru RDP, I am always logged in with a Temporary profile. It does not matter what user account I use. Even logging on locally as the administrator I get a temporary profile.

All windows updates are installed and current.

I have removed the server from the domain, deleted the account, and rejoined it to the domain.

I have deleted all .bak registry entries from here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is a hotfix here for a similar issue on 2012 but it does not apply to 2012 R2

The only event viewer errors are:

1515 (Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.)

1511 (Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.)

Any suggestions to resolve would be greatly appreciated.


Russ

Open file with RemoteApp, file association problem on Windows 2012 R2


Hello everyone,

I'm doing a solution for RemoteApp. Based on the question asked in this thread:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4e50bfed-d3c1-4a33-a207-3c25b808ee99/open-doc-file-with-word-via-remoteapp?forum=winserverTS

I want to make a RemoteApp published on the server, and from the local machine, when right click on a document file (Word, Excel, PDF or any type of document file) there is an option (context menu) to open that file with the RemoteApp published on the server (the RemoteApp will detect the file type and do the job) . I'm testing the solution with Excel, Word, .txt, .pdf it works fine. However, when I try with .bmp (and .png too), the default associated program on the server (Windows 2012 R2) is mspaint but I always get the error "Network error, cannot access to \\tsclient\c\Temp\myfile.bmp" , but that's not possible because other text, word, pdf files are in the same folder and all work very well. I think the problem is the file association with bitmap file. In the registry on the server, I have seen the .bmp has been mapped with a key like PBrush, that was the old Paint Brush program in the very first versions of Windows, I think.

Do you have any idea how to fix the problem file type association with mspaint program on the server (Win 2012 R2)?

Thanks a lot

Thomas Tran

====================

Free tools for Citrix & RDS

http://www.mqtechnologies.com

 

Office 2007 Installing on our Term server.


We have Office 2007 modi installed on our servers along with office 2010.

We have on occasion users connecting and they have a shortcut for office 2007 outlook for example on their own desktop.

The problem we have is they are clicking this link on their own profile on the term server. This then forces an install of 2007, and this breaks the 2010 install for all other users. We then have to log all users off and run a repair for 2010.

How can we stop this happening?

Remove the registry entry for the install path - for the source for the 2007 package -

gpo to stop users installing?

Any ideas please?

thanks

John


JA

Configure RAP (Resource Authorization Policies) with Powershell in RDS 2012R2


I am trying to create a RAP with PowerShell in 2012R2

Can somebody tell me how to create a RAP with PowerShell in RDS 2012R2?

- chris


Is it possible to display a hyper-v VM using a subset of the monitors of the system being used to connect to the VM ??


I am trying to configure a 911 dispatch console.  The dispatchers have one main application that they dispatch from and a bunch of peripheral applications that they use for support (think outlook, internet etc...).  We have had several instances where the peripheral applications have caused problems with the CAD (computer aided dispatch) software.  To prevent this, I am wanting to install a hyper-v virtual machine on the Windows 10 computer that is running the CAD software.  I will then load all the peripheral applications onto the virtual machine.  

In order for the dispatchers to quickly see the information that they need, we have 6 displays connected to the physical computer via 2 NVIDIA NVS 510 video cards (3 monitors attached to each video card) which each contain 2GB of RAM. We would like to have the virtual machine come up on two of those 6 and leave the other 4 for the CAD software. However, I can run the virtual computer on all 6 monitors or only on 1, but not a subset of the 6.

I have added the RemoteFX 3D Video Adapter to the virtual machine and configured it with a maximum number of monitors = 2, set the max resolution to match the resolution of the monitors the VM will be displayed on and maxed out the memory. When I attach to this VM with more than 2 monitors attached to the system I am remotely connecting from, only one monitor is used to display the VM. If I change the minimum number of monitors to the number of monitors attached to the computer I am remotely connecting from (6), the virtual machine comes up on all the displays as expected; however, this will not work as the dispatchers need to quickly see information on both the CAD software and the peripheral applications (VM system).

Can anyone confirm for me that this is a limitation of RDP/Hyper-V or if I have something configured incorrectly?  In other words, has anyone been successful in using RDP or another software (if so what) to connect to a virtual machine using a subset of the number of monitors on the system being used to access the VM?

I have tried simplifying the configuration, using only 1 video card, attaching 3 monitors, setting the max number of monitors for the VM to 2 and connecting. This simplified configuration does the same thing… when connected via RDP or the Hyper-V manager, it only displays with one monitor. If I change the max number of monitors to 3, the VM will display on all 3 monitors.

As a side note, I have been testing with VirtualBox and I have been successful in getting this configuration to work but I would prefer to use Hyper-V for multiple reasons.

Thanks in advance for any assistance!/responses!


How do i connect to a loadbalanced RDS farm?


In my RDS deployment, I've got a connection broker and two session hosts.

The connection broker also has RDWeb roles installed, although I don't plan to use them.
I've configured the collection to loadbalance between the session host servers 50/50.

I can connect to each of the servers individually of course, however I can't seem to figure out how to connect to the farm and have my connection loadbalanced.

I read some documentation which said use round robin DNS, but this strikes me as being backwards as that would attempt to connect users to servers that were offline or otherwise unavailable etc.

It also occurred to me that I could use NLB to do this, but again that seems silly when the RDS deployment clearly has some kind of mechanism for this built in; I mean it must have or why would it let me configure loadbalancing within the session collection?

Can someone point me in the right direction?



2012R2: GPO not working for NLA/Printer Redirection


Hi Guys, Working on trying to get a GPO to work for NLA and Printer redirection. The GPO shows that it is applying in GPResult/RSOP but the UI is not reflecting the change. I've verified the GPO is showing as the winning GPO. If I open up the session collection settings both the NLA and Allow printer redirection checkboxes are checked. I've rebooted the host and for safe measure added the server to the security filtering for the GPO but it is still showing the settings as checked. Maybe it's a UI bug, as I can RDP into the server without an issue even though NLA shows checked, but I've not tested to see if printer redirection is enabled or disabled in practice.

It's quite the simple GPO.

Setting name: Require user authentication for remote connections by using Network Level Authentication
Setting path: Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Supported on: At least Windows Vista

Description:

This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server.

To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported.

If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server.

If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default.

Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process.


UPD profiles can't be detached from RDS Farm session hosts after disconnect or logoff


Hi,

We have a 2012R2 RDS Farm deployment consisting of the following:

1x AD ,1x RD Broker / RD Web Access,1x RDGW,3x RDSH,1x File Server for UPD.

All of the servers are running on 2012R2. We're having an issue with UPDs not dismounting when a user is logging off.

So when this happens the load balancing won't take effect. The user can only log in to the same server as before and if they log in to another server they will get a temp profile because the VHDx is still attached to the former server. There is not much on the internet and we have tried deleting the VHDx and also cleaning the registry of all the temp SID values in the ProfileList section. We have also checked network settings and there is no loss of network connectivity between any of the servers.

The UPDs are stored on a 2012R2 SMB File Server and the notable error we can see is the one below:

Log Name:      Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager

Event ID:      20491
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:  <Computer>   
Description:
Remote Desktop Services could not disconnect a user disk for the user account with a SID of <SID>. The error code is 0xAA.93


Any help on this one would be highly appreciated.


nimz

RDWeb SSO - Kerberos


I have the following setup

Internet -> WAP -> (Kerberos delegation) -> RDWeb 

When using form-based (anonymous) - after login the user can single-sign-on to the published RemoteApps or Computers.

When using windows integrated login (Alternative login -> WAP -> Kerberos Delegation) - after delegation - the RDWeb page is shown correctly but when clicking a published Computer or RemoteApps - it (the RDP connection) asks for credentials? 

Anyone know why?

Thanks

Mike
