I am using msRdpClient8 to establish a remote session and launch an application on the server using the MS Remote App mechanism.

It is found that even after setting the below GPO  ,It is possible to establish multiple remote session and launch same application using the remote app mechanism .

Restrict Remote Desktop Services users to a single Remote Desktop Services session  --> enabled

I want to know if this is a expected and why it behaves like this ?

Is this documented any where in MS site ?

Somaraj

Hi There,

I have build a new server environment for a client of mine, i have build the following servers with the following roles:

DC Server (AD/DNS/DHCP/RD Licencing)
RRAS Server (Connection Broker/Gateway/RD Web Access)
RDS Server (Session Host)
SQL Server (SQL 2014)

They are all virtual machines in HV.

The problem is that the users that login on the RDS can do everything, install/remove software, start computer management, start CMD etc.

So they have admin privileges, but they are not in any admin group! also have i looked for a simple GPO that can block these admin privileges but without luck.

What can this be and how can it be fixed?

Kind Regards,

Mazen Abdelaal

I have the following scenario:

Firewall 

WebAccess (Internet/intranet) - WA.internal.net

Internal 

Gateway - GW.internal.net

Connection Broker - CB.internal.net

Session Host - SH.internal.net

All the internal.net 2012 servers are on the AD Domain internal.net and have a *.internal.net certificate installed.

We would like all the users to go to WebAccess (WA) to logon to access resources on the SH.

We have configured Split-Brain DNS so outside users and inside users can access the URL held on the WA which is www.external.com

We purchased a certificate for www.external.com

I have applied this certificate to the server WA and GW. Via the: Deployment Properties - Certificates.

On logon I get two errors:

Internal logon: Your computer can't connect to the remote computer because the remote desktop gateway server address requested and the certificate subject name do not match.

Web logon:

A website is trying to run a RemoteApp Program... Publisher *.internal.net

Remote computer: CB.internal.net

Gateway Server: GW.internal.net

Click connect:

Your computer can't connect to the remote computer because the remote desktop gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

I guess this is a problem with the www.external.com certificate?

Having read a little more it should be a wild card?

How could a *.external.com work on a domain internal.net?

What do I need to do to get this to work using single Sign on?

Hi,

Having an odd problem with a small deployment of Remote Desktop.

Server 2012R2 RDP server, 2x Windows 10 remote clients connecting via a SonicWall VPN

All was working fine until recently, when one of the client stopped connecting. As the other client still connects, I susspected an issue with the client config. So simply wipped it and rebuilt using a from the box Windows 10 install, connected via the sonicwall, joined the domian, installed the SSL certificates.

However the issue persists. When I go to control panel->RemoteApp and desktop connections->Access RemoteApp and desktops.

Then complete the URL (identical to working PC, same case etc.) I get the ready to setup connection screen, however as soon as I click next on this screen I get "an error occured. Contact your system administrator for assistance." there is no pause whilst it goes to check the server, this error appears instantly. The pc is able to ping the RD server by name without any issues, and ns lookup correctly returns the address of the server as well.

If I replace the FQDN with the IP, then click next, after a few seconds and a progress bar, I get a certificate error  which is correct as the certificate contains the FQDN.

This suggests that the remote app setup is not able to connect to the FQDN, however, as I say it is exactly the same on the other working PC. There is no av installed yet (appart fromwindows defender) and I have tried disabling the firewall - to no avail.

I'm reluctant to change settings on the server as the other machine is still working fine.

Open to suggestions - thanks in adance for taking the ti e to read this.

Richard

Hi, I've found a problem about "License Gateway Server Error". If anyone have experience about this, please suggest to me. My Problem details is as follow.

In our network, I used windows server 2012 as active directory server. We have another server (Lets' say Server2)that needs to remote login. So, technician set up our AD Server as "License Gateway Server" and our users can remotely access to Server2. After three months later, our users can't access to Server2 and IT administrators can't access to AD Servers. When it's try a remote session, it show like this

"The remote session was disconnected because there are no Remote Desktop License Server available to provide a license.Please contact to the Server Administrator."

In this situation, technician make "License Gateway Server " at Server2. Our Users can access Server2 Remotely. But for AD Server, nobody can access with remote Desktop.

So, I would like to know, " If I removed License Gateway Service on AD Server, is there any impacts to network". Or how should I do to make normal remote desktop service to my Active Directory Server. Is there any technical man, please suggest to me. Thanks you.

I am trying to add users to this new azure vm using RDS.

To test it out I purchased 2 RDS CALs from Microsoft and installed.

As it shows it is available but not getting issued to users as a result users cannot access the VM using RDS.

What steps I am missing?

The RDS report is as follow:

CAL Usage Report

RD License Server:,"XXXXXX-WEB01"

Report Date:,"Thursday, December 15, 2016 4:36:11 PM"

CAL Version,CAL Type,Installed CALs,CALs in Use,CAL Availability

Windows Server 2012,RDS Per Device CAL,1,0,Available

Windows Server 2012,RDS Per User CAL,1,0,Available

No Per User License has been Issued

No Per User License Issuance has failed

No Per Device License has been issued

LiveMap

We have setup a single RDS 2012 R2 running a few published apps via RD web

Because these apps are for remote users only, we have a seperate RDS gateway server (2012 R2) setup as well for that purpose.

All remote users are on Win10.

At random times during the day (really no pattern to it) the remote apps the user has open will start stealing focus.

For example they might be typing a new email in their outlook (which is installed locally on the PC), while the remote app program is sitting in the background open, and it will steal focus and come to the foreground.

Here is what I've checked so far:

• I cannot see any disconnections of the client on the event logs of the RD gateway or the RDS server.
• I have tried the following fix without any changes:
• HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client]
  "RDGClientTransport"=dword:00000001 
• This KB doesn't really apply to this problem: https://support.microsoft.com/en-us/kb/2964832
• This KB can't run on Windows 10: https://support.microsoft.com/en-us/kb/2862019
• The users have written down the exact times when this focus issue happens and I can't see any event logs on the PC or the servers that would explain this.
• With a full desktop RDS this problem doesn't happen
• Organising some downtime so I can install November Roll Up updates (last update was done in 02/11/2016)

I'm a bit at loss here, has anyone seen this one before?

Windows Server 2003R2. Terminal Services is installed and started. Remote Desktop is Enabled. In the Terminal Services Manager session window, RDP-TCP is shown as being in a listening state. But when I run netstat -a, port 3389 does not show up. RD client cannot connect. Telnet or ssh to that port does not connect.

TCP is working fine: I can use logmein to view the server; I can VPN to the server, I can look at SMB shares once the VPN is up. No TCP filtering is active. The Windows Firewall is not active.

How can I get port 3389 going and be able to RDP in?

The registry is still showing port 3389 as the listening port.

I have removed and re-created the RDP-tcp port without any trouble and without success. The properties are set on defaults.

Remote Desktop devices in the device manager show as operating fine.

It used to work fine and just recently (sometime in January) it stopped working. As far as I know, no new software was installed at that time.

I have reviewed a bunch of stuff found in Google but none of it seems to help, so far.

I am currently considering a migration from citrix XenAPp to pure RDS and remote apps. However, in testing on this one thing I am not able to do is see who is connected to a specific app and manage them.  If I can do this with powershell that is fine, however I am not seeing it.

For more clarification, I have 8-10 apps that users are in all the time.  In citrix I can select an app and see connected users.  From that I can send a message, disconnect, etc for that app specifically.  I don't want to necessarily terminate all of their sessions as I may be doing maintenance on one specific app.  Also, in citrix I can enable/disable one specific app not the entire host or anything like that. 

Was really hoping to give up citrix but I am getting a feeling that may not be feasible as I continue testing and working through things with only RDS.  I am open to suggestions and any guidance.  If you want to take things offline please let me know.

Hi,

We currently have a 2003R2 server providing TS licensing for 2003 servers, a 2008R2 server providing TS licensing for 2008 servers and of course 2012 server providing RDS licenses for 2012 servers.

I believe that 2012 RDS licensing server should be able to manage CAL's for all of the previous versions of Windows mentioned here, so I was just wondering if someone could point me in the direction of how to remove the licenses from the other servers and move them onto the 2012 server if possible.

Thanks in advance!

Hello all,

I deployed a 2012 R2 RDS server a few months ago, and it's just now getting its first users. However, I realize now looking at it that I made a mistake in the deployment process and I'm trying to recover it. Instead of doing the RDS deployment (quick start or standard) and installing all roles at once, I just selected the session host by itself in the standard add roles wizard. As such, I can't manage the deployment via server manager because it states there is no deployment present.

To try to correct this, I added the gateway, broker, and web access roles to have them all present for a deployment, but that doesn't appear to have rectified the issue. It's curious, though, because using Server Manager to try to manage the RDS deployment, it states that a deployment does not exist. If I go through the wizard to add a deployment, it states a deploymentdoes already exist, and even finds the broker automatically. 

So, here are my main questions:

• As I have all roles installed, is there a way to make them understand all the pieces for a deployment are available for management? 
• If I re-run the wizard and select the same server for deployment, will it redo the installations, or update them? 
• If the installations are re-done, what happens to my existing applications that are already available on the host? 

I know this is a gray area, but if I can avoid re-doing the deployment entirely, that'd be ideal. 

Thanks.

Hello,

I'm setting up on my physical server RDS. My server is windows server 2012 foundation.

As you see in image below, I Installed RD Licensing Manager

I linked it with my 5 CAL per user (image 2)

but I have no RD Connection broker(Is it optional?)

As you see in last image I activated server

Now, How can I provide access to my 5 users? How have I to go on?

Thanks

Carlo

Hi

How can I have standard RDP user open task manager without it asking for a admin usernmae and password. I need all rdp users to be able to open Task Manager without it asking for admin username and password. We are using windows server 2012 R2

I'm attempting to setup a Windows 2016 RDS Standard Deployment for Session Hosting.  The layout is as follows:
RDS01 - RDS Connection Broker and Web Access
TS02 - RDS Session Host
TS03 - RDS Session Host

The domain these servers are part of has (1) Windows 2008 Server and (2) Windows 2016 Servers acting as DCs.  The domain is running at Windows 2003 Functional Level.

All servers are on a single routed network with no firewall between them.  All DNS A and PTR records for all servers exist and resolve on all hosts.  All servers can be pinged by each other. In other words, there are no network connectivity issues.

I've setup the RDS deployment several times w/ the same results.

The Issue
I can login via the RDWeb interface on RDS01 from a Win10 desktop and connect to the published RDP desktop without issue (i.e. no error messages to the user) and no errors in the logs.  When I try to directly RDP to RDS01, I successfully authenticate as a user (per the event log) but get an error stating that the user doesn't have access to the system.  In the event log I get event id 1306 with the message of "Remote Desktop Connection Broker Client failed to redirect the user <domain>\<test user>.  Error: NULL".  

If I RDP to RDS01 as an administrator, I get the same error message but the RDP session opens and presents the desktop on RDS01.

I can RDP directly to TS02 or TS03 and login as a user and open the RDP session.  Redirection to some degree appears to be working in that I can disconnect a user session from TS02 and RDP to TS03 and the session is redirected back to TS02.  The event logs on RDS01 record this happening as well.

What I've tried already
1. In searching this event 1306 issue, I found several posts with this exact same behavior in WS 2012/R2.  Most "solutions" suggested point to the fact that the RDS Session Broker doesn't have sufficient authority to look up the users AD group membership via the tokenGroupsGlobalAndUniversal attribute or AuthzInitializeContextFromSid API function which leverages the tokenGroupsGlobalAndUniversal attribute.  (Example: https://social.technet.microsoft.com/Forums/windowsserver/en-US/29733a87-dbda-47bc-8b37-6eeac5ab5a0a/2012-rds-nonadministrators-can-not-access-vdi-pool?forum=winserverTS#97d883f1-7a64-4d02-9492-309638f92e79 )

The service is running as "Network Service" which does have network access via the Computer Object's authority in AD.  So following Microsoft's instructions (https://support.microsoft.com/en-us/kb/331951), I've added RDS01 to both the Windows Authorization Access Group and Pre-Windows 2000 Compatibility Access groups and rebooted RDS01 with the same results.  

2. I've verified the Windows Authorization Access Group has rights to read the tokenGroupsGlobalAndUniversal property/attribute on my test users and the computer objects of the servers.

3. I've setup an AD Service account following Microsoft's instructions (https://support.microsoft.com/en-us/kb/842423) with a similarly described access issue.  The service account user was added to the Windows Authorization Access Group.  This was unsuccessfully as well w/ the same event 1306 error.

4. I ran the following powershell commands to verify access of the Connection Broker to the OU (https://technet.microsoft.com/en-us/library/jj215512.aspx#)

Test-RDOUAccess -Domain [redacted.domain] -OU "Computers" -ConnectionBroker rds01.[redacted.domain] -verbose

This failed so I ran the following to grant access

Grant-RDOUAccess -Domain watsons.local -OU "Computers" -ConnectionBroker rds01.watsons.local -verbose 

The Test-RDOUAccess then succeeded.

I repeated this for the OUs that contained the users and the server computer objects.

I've disabled all GPOs to ensure there's no conflicts but have seen no change in the behavior or error messages.

With all that, I've exhausted every option that I can find to resolve this error to gain the expected functionality.  As a work around for the moment, I've setup a round-robin DNS A record that points to TS02 and TS03 w/ a very short TTL.  This gives the test users the ability to login and atleast test the desktop functionality.

Sorry for being so long winded with this but I thought it better to put all the cards on the table.

I'm open to any and all suggestions.

Thx!

Good day,

I wish to know if I can get a log that can filter users that have remote into my server?

Currently the log that i have after i export to csv from event viewer requires me to read the whole info in order to know who has logged in remotely.

So I wish to know if it is possible to create a custom log to only log the username, time, location and ip address used when user logged in remotely?

I have set up my Server (2008 R2 Foundation) for remote desktop and RemoteApp as per the instructions provided by Microsoft.  I am using a single server for all functions.  When a user logs in to the Server through remote desktop, the remote desktop screen comes up and then the user immediately gets an 'Access is Denied' message.  If the user connects through RDWeb, the RemoteApps are displayed, but when the user clicks on an application, they are prompted again for their login credentials and then they get the remote desktop screen with an 'Access is Denied' screen as well.  This happens even for Administrators.

I am getting very frustrated with this as I have read many blogs and tried everything to no avail.  PLEASE help me.