I have Windows server 2008 (not R2) server running RD gateway and now finding that any client that has upgraded to windows 8 can longer connect via the RD Gateway server.  We are using domain\username to log in as we have always done with windows 7 RDP client (which just worked).  After reading a number of posts where certain "fixes" or "workarounds" have worked sadly none of these appear to apply to our setup.

I have made sure that ignore client certificates is set to ignore and restarted IIS, I have chacked the server logs and there are no failed logon events, in fact the authentication succeeds but the session isn't created.

Running out of ideas now...any help?

drac

Problem:

I am seeing the below event in our RDS licence server every 15 mins. 

Log Name:      System
Source:        Microsoft-Windows-TerminalServices-Licensing
Date:          11/11/2014 16:27:21
Event ID:      21
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     SERVER.domain.local
Description:
The Remote Desktop license server "SERVER1" does not have any remaining permanent licenses of the type "Windows Server 2008 or Windows Server 2008 R2 : Per Device CAL (TS or RDS)". As a result, the Remote Desktop license server cannot issue licenses of the type "Windows Server 2008 or Windows Server 2008 R2 : Per Device CAL (TS or RDS)" to the Remote Desktop Session Host or Remote Desktop Virtualization Host server "IP of another host server". To resolve this problem, verify that the Remote Desktop licensing mode configured on the RDSH or RDVH server matches the type of licenses installed on the Remote Desktop license server. If required, purchase and install additional licenses as needed for this Remote Desktop license server.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-Licensing" Guid="{4D99F017-0EB1-4B52-8419-14AEBD13D770}" EventSourceName="TermServLicensing" />
    <EventID Qualifiers="0">21</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-11T16:27:21.000000000Z" />
    <EventRecordID>20596</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>SERVER1</Computer>
    <Security />
  </System>
  <UserData>
    <EventXML xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
      <param1>SERVER1</param1>
      <param2>Windows Server 2008 or Windows Server 2008 R2 : Per Device CAL (TS or RDS)</param2>
      <param3>IP</param3>
    </EventXML>
  </UserData>
</Event>

My checks:

• There are no issues identified in the license diagnosis on any of the hosts pointing to this RDS license server. 
• All hosts are set to "per device". 
• Activation status is "activated"
• Discovery scope is "domain"
• Configuration is "ok"
• I've deactivated and reactivated the licence server
• repeated the install of the licences and rebuilt the potentially corrupt database. 

Any ideas from anyone? 

Craig Brand

Setup is as follows

Server 1 - Server 2012 R2  Session Host, Connection Broker, Web Access, Licensing

Server 2 - Server 2012 R2  Session Host

I want to be able to provide load balancing for this environment however whenever i try to add server 1 into the session collection it allows me to but then if i log off i cant log back in using RDP unless i use the switch mstsc.exe /admin and i get the following error message -

"The remote computer server 1 that you are trying to connect to is redirecting you to another remote computer named server 2. Remote Desktop Connection cannot verify that the computers belong to the same RD session host server farm. You must use the farm name not the computer name when you connect."

If i remove the server from the session collection it will then allow me to RDP back into the server and manage it as normal

So we have a Small Business Server environment. Migrating to Windows Server 2012 R2 VMs. Currently the entire old SBS environment is still in existence. I've added 2nd 2012 DC, 2012 RDS VM, and a Server 2012 File Server as well that will host the UDPs. (Everything is working so far) BUT On the RDS Server I point the UDP Wizard to the share created on the File Server. The UDP does not appear to be created when logging into a desktop collection. The template VHDX is there but nothing else is created in the shared folder on the file server.

I've stumbled upon people having issues with network shares and SMB versions. Do you think this could be an issue with the SMB client, etc since I'm adding them to an older domain? IF so how do I check or upgrade the client version? Will this cause the existing SBS 2003 users from seeing this network share or cause any other issues? I really didn't think it would be an issue because the File Server and the RDS Server are both 2012 R2.

Thanks for any help!



Hi All,

I'm really confused since i forgot how to do it.

The question is simple.

With Windows 2008 R2 (SP1), when logging the the RDWA server with a local admin domain user, we find the Configuration tab where we can set to which server (Broker/RDSH) the RDWA will initiate remote app connection.

How can we do that with Windows 2012 R2.

I want to change the Remote Computer to another server ? (See the picture below)

Regards, Samir Farhat Infrastructure Consultant

We are having an issue with Remote Desktop Services 2012 (and R2) where when I publish an app or desktop all users on the domain can see all apps and desktops even if they are not in the group that is granted access (Domain Users was removed from the apps and desktop).  I originally thought this was because we were running a 2003 domain.  But I have recently upgraded to all 2012 R2 domain controllers and upgraded the domain and forest to 2012 functional levels. I have built a new instance of RDS and have the same issue.  I see no events showing up under any of the servers.

In my test lab I can build a new domain and if I add RDS all works like it should .  Only the users in the groups granted access to the RDS apps and desktops can see them.

Any idea where to start troubleshooting this?

Hi All, 

I have seen a lot of articles for enabling SSO for RDweb on 2012 R2 deployments. Which is great, but I have not seen any information on using SSO with fall back to Forms based Auth. 

If I enable Windows based Auth then if Windows based fails all I get is errors rather then the nice web portal. 

For example if an internal user (not internet based) connects then they by default will try Windows Auth and works, but if an external (internet) based user tries to connect if goes back to the forms based authentication as is the default. 

My infrastructure: 

2x 2012 R2 Servers running RD web access, RD gateway and Load Balanced RD Connection Broker. The RD web and RD gateway are using NLB to provide load balancing and fault tolerance. So RDWeb and RDGW are on a virtual IP presenting to local and internet based hosts.

6x 2012 R2 Session Hosts servers

1x 2012 R2 Server providing User Profile Disks. 

3x Collections (2 Published Desktops, 1x remote app)

Any pointers, happy to hear them!

have a lovely day! :-)

Andy

This article goes over RemoteFX and RDSH for 2008 R2 SP1, but nothing is discussed in regards to 2012 R2 Hyper-V HOSTs for the virtualized RDSH server.

http://blogs.msdn.com/b/rds/archive/2011/03/25/q-amp-a-microsoft-remotefx-and-remote-desktop-session-host-servers.aspx

My goal is to use a 2012 R2 Hyper-V HOST server to provide RemoteFX vGPU performance to a 2008 R2 SP1 RDSH server. Is this possible? If not, are there any solutions that can provide graphics performance benefits to an RDSH server? If so, are there limitations? What are the benefits?

I have a small test lab. One DC, one RDSH server, and one RDCB/RDWA server.

There seems to be an issue with the user assignment properties of remoteapps. Scenario:

I publish a collection and set the group to "domain users."  I publish two remoteapps to the collection. I then edit the properties of App1, expand the "user assignment" pane. I select the radio button to make the remoteapp only available to certain users. I add "user1."  I repeat the same for app2, but add only "user2."  User1 and User2 are both members of "domain users."

The test under user assignment seems to state that RDWA will only display icons for the apps the user has been assigned. However this is not the actual behavior. If User1 logs into RDWA, both apps are present (app2 should not be.)  Similarly, user2 sees both apps (app1 should not be present.)  Both users can launch both apps as well.

So I see one of three possibilities:

1) There is a bug.

2) This particular feature has been deprecated and the intended way to segment apps is now by collection, or

3) I am missing something insanely simple and will feel quite silly when someone points it out to me.

Fire away...

-Cliff

Dear All,

We have setup a new remote desktop servers from Windows Server 2008 R2. However, we found issue that we still can't find the resolution. There is no issue for the remote desktop clients to login to the servers. however, when the session is idle and the clients try to resume the remote desktop after some time, the screen becomes black. Please advise us on this.

Thanks so much.

Regards,

Henry

Hi,

(I apologize for the grammar and spelling mistakes, but im confident in the fact that the text is understandable. If not, please let me know. I have used UK English for spelling.)

I did some research and read the following:

(unable to post links, my email needs to be 'verified')

And some MS pages regarding the CALs for Windows 2008 R2 (don't ask why).

This is basically what i want to do:

OS:                        Windows 2012 R2, possibly 2x because of the RDS role.
Roles Server1:  Active Directory and Exchange 2013
Roles Server2: File server and RDS
Users:                 20
PC’s:                    Approx. 15. Not sure about the exact numbers, but i am sure that there are more users than client pc’s.
Users RDP:        Starting with 10 but eventually every user will be using RDP, so it might be also 20. The 10 we start with will not have the ability of logging into a client PC but RDP only.
MS Software:    Outlook 2010 or 2013, depends on the support by MS.

We are going to start with an AD with a home folder, roaming profiles and an email account. If everything go’s whell, we plan to start letting users connect tot heir workspace via RDP.

I came to the following conclusion and need your input on this:

• 20 User CALs, As far as i know, I need 1 user cal for an AD account and a RDP cal forone RDP account. Without a User CAL, i cant issue a RDP user cal, is this correct?
• 20 RDP User CALs, does this mean that all my users can log into a RDS session via any client, even their own private pc?
• No Device calls, redundant?
• 20 Exchange CALs, I am not sure about this one, the second link i found only mentions acces via web and mobile. I would also like to know if the Exchange CAL is per user or email. If it’s per user, then wat do i do with an email that is meant for multiple users?
• 2 Server CALs, This is just buying 2012R2 isnt it? Does this also allow me to use one physically and the other as a VM in the physical one? Just asking, im not really going to use a VM.

Hope you guys can help me out on this one, i didn’t expect the CALs would bet his complicated.

We have setup a Server 2012 R2 RDS deployment with remote-site RD Host Servers all pulling CALs from a central RD License Server. I am able to RDP five sessions into the first RD Session Host Server OK, and the RD License Diagnoser says all is well with the connection to the license server. However I am not seeing any licenses being issued by the central License Server for those five test users, even after a Refresh. The five test users are local to the RD Session Host Server, and not in AD. Do local accounts not show up in the License Server's RD Licensing Manager screen?  Do they not require the RD Session Host to 'pull' CALs from the License Server?  I am thinking I should be seeing the licenses being distributed to the five users and am concerned that I do not.

License Server 2012 R2 - Per User CALs - Joined to Active Directory

RD Host Server #1 with the five RDP sessions is 2012 R2 - Joined to Active Directory

Thanks in advance for any insights! 

I've deployed a new RDS server w/ RD Gateway based on Windows Server 2012. Everything seems to be in working order on the server and its various roles. I've been testing internal and external access to the RD Gateway from both Windows 7 & Windows 8 computers using various web browsers. (frankly my whole reason for the new deployment)

Windows 8 computers seem to be working fine in IE, FireFox and Chrome although I will get prompted for credentials a 2nd time in Chrome and/or Firefox.

On my Windows 7 x64 PC I keep getting the following error when I launch the desktop from the portal:

Remote Desktop can't connect to the remote computer for one of these reasons:

1) Remote Access to the server is not enabled

2) The remote computer is turned off

3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

Yesterday before I added the server to the RAS & IAS Servers I was logging Event ID 201 in the Terminal-Services Gateway log however those errors have subsided with the group membership change.

What have I missed here?

Thank you for any guidance on this!

Hi All,

Just wondering if anyone has found a "workaround" for the requirement to be an Administrator to perform Remote Desktop Shadowing in Server 2012 R2?

We are a software development company, who offers a Remote Desktop service to our customers to use our software. Our support team needs to be able to take control of these sessions to support them.

We made the leap to 2012 R2 purely for the shadowing feature being re-implemented. However allowing 50+ support staff, some who have little to no knowledge of Server OS's, to have administrative control on an RDS server farm, including the AD server which is the Connection Broker, is just not an option.

The best i can come up with, is to lock down permissions on all Administrative Tools to these users with implicit Deny ACL's, but that does not stop them from being able to launch Add/Remove Server Roles, and perform other tasks within Server Manager.

Also due to the Server Manager integration, gone are the days where you could permit a Terminal Services MMC for these users like we did in the "old days" of 2003.

Does anyone have any brilliant ideas in regards to either enabling Shadowing without Administrator rights, or locking down Server Manager to a set task list?

Thanks,

Nash

As the title suggests, whenever I shadow a session on our 2012R2 RDSH server, the onscreen keyboard appears.  The taskbar also unlocks.

Both of these behaviours mean that the user can tell when their session is being shadowed, which I don't always want to be the case - sometimes I want to be able to monitor the session without their knowledge.

Anyone know how I can stop this from happening?

Hi,

I found this topic https://social.technet.microsoft.com/Forums/windowsserver/en-US/d03f1ad9-94cf-4fac-8655-ea7eb4345bae/cosigning-a-2008-r2-certificate-authority-for-internalexternal-remoteapp-users?forum=winserverTSdealing with the same issue. I haven't found a clear answer if this is possible and if so how to perform these steps. I have my own enterprise ca up and running well. Of couse "my" own ca certificate is only trusted within my own domain. It's not trusted outside. I also found this hint from the system "A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program". This sounds like I could use my enterprise ca certificate requested & issued by a trusted provider (so instead my own in the root position one of the trusted ones). Is that possible?

My servers windows 2008r2 Taskbar properties got disable. When i click on taskbar and properties it said Restrictions, This operation has been cancelled due to restrictions in effect on this computer. please contact your system administrator, even though i am the administrator.

Can someone help me to turn it back on?

I am only able to open, and view thumbnails, for a maximum of 6 RDP sessions on my Server 2012 box at a time in Remote Desktop Connection Manager (RDCM). If I add more sessions I just get a variety of connection errors for the additional sessions. If I activate a 7th session one of the existing 6 sessions goes off-line with a connection error message. Sometimes the error says 3334, sometimes the error says 0x8345000E, and sometimes it just says there is a connection error.

I have checked Group Policy on the server to ensure I don't have any settings restricting the number of RDP sessions.

In fact, I will often have 30 or 40 RDP simultaneous sessions opened, I am just not able to view them all in RDCM. I have seen reviews of RDCM with screenshots showing dozens of thumbnails so it seems to be something that's possible to do.

Are there any settings I should make on the server to allow RDCM to connect to more than 6 simultaneous RDP sessions?

Just to be clear, all these RDP sessions are running on the same server. Also, I am just using the trial license for Server 2012 and Remote Desktop Services right now. I don't think that should have an impact, but I wanted to be thorough.

Windows Server 2008 Standard R2/64

Remote Desktop Services, CALs applied.

The Built-In "Remote Desktop Users" group is populated with a Domain based Group for remote Access.

I have a GPO for the "Default Domain Controllers Policy" where; security settings\local policies\user rights assignment --> "Allow log on through Remote Desktop Services" has been properly populated.

I can use RDP to access Domain Participant workstations but I have lost access to the server and I can't figure out why.

I have Google-searched for relevant documents but what I find tells me what I can do to set it up.  This just verifies what I have done is already correct but something is broken.

I have even gone into "Remote Desktop Session Host Configuration" --> rdp-tcp --> security

No matter what, I have lost access as both a User and as anAdministrator and I always get...

"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right..."

I ran RSoP on the server to see if there are conflicting policies or if "Deny log on through Remote Desktop Services" was accidently populated.

"Deny log on through Remote Desktop Services" is Not Defined so there are no explicit denials.

The "Default Domain Controller Policy" is the Source GPO and it is properly populated.