Vincent Sprague
User Profile Disks with Server 2008 R2
Timezone Redirection Bug? TIME_ZONE_ID_UNKNOWN
Hello All,
I've been scouring the internet looking for the cause of this issue, which has popped up since daylight saving went live 3 days ago. This server was configured this year and was not in production last year. The issue is intermittent, currently affecting ~50 of the users connecting. Whilst the environment is running Citrix XenApp 7.6, I believe the underlying cause might be the Windows time configuration. A user can log in and out on the same computer into the same or different farm members and see either the current time or pre-daylight-saving time (-1 hour).
I've run a few commands where I think the issue may exist:
Incorrect Time:
Correct Time:
When the user has the incorrect time they can see the following:
If they remove the adjustment (They are still 1 hour behind)
When they re-check the box:
Accepting the settings and the time is correct, however this only sticks for the current session, next time they log back in they may face the same issue.
The registry shows the following:
Other background information:
- Allow TimeZone Redirection is enabled and applied in group policy applied to the accounts (verified registry flags are set), also applied and checked in Citrix Policy
- The August 2015 Daylight Savings Patch (KB3077715) is installed on the servers and clients have this patch as well (can't reapply to the server)
- The Timezone is correct
- Clicking on the clock provides the daylight savings message indicating that the server is applying daylight savings settings
- All other servers in the environment are reporting the correct time and configuration
- Administrator RDP into these servers shows the correct date and time
Looking forward to finding out if others have faced similar issues.
Regards,
Michael
"The connection was denied because the user account is not authorized for remote login"
- 3 RDS Session Host 2012 R2 (rds01.contoso.com, rds02.contoso.com, rds03.contoso.com)
- 2 HA RDS Session Brokers (rdsbroker01.contoso.com, rdsbroker02.contoso.com, HA name = rdsbroker.contoso.com)
- 2 HA RDS Web Access (rdswa01.contoso.com, rdswa02.contoso.com, HA = rdswa.contoso.com)
We created a session collection "remoteapplications":
HA DNS round robin name = rdsbroker.contoso.com
Trusted 3rd party certificate (*.contoso.com)
No gateway
User Group = Domain Users
Security Settings = Negotiate & Client Compatible
Client settings = no redirection
No User Profile Disk
We configured SSO for domain joined machines as per "http://www.rdsgurus.com/ssl-certificates/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment/"
So the GPOs for:
- Delegate credentials
- SHA1 for RDP file signing
- Edited web.config/authentication for the Remote Web Access server
So SSO is working: we start IE, go to rdswa.contoso.com, start the RemoteApp and get the application.
But when we log in with 6 users (we start IE, go to rdswa.contoso.com and start the RemoteApp), most users get the application,
but some users get the error "The connection was denied because the user account is not authorized for remote login".
I've checked, and "Domain Users" is a member of the local Remote Desktop Users group on all RDS Session Hosts.
Also, this error is not received consistently on the same workstation or for the same user; it's at random, so it cannot be a user or workstation problem.
Next, we drained the RDS Session Host servers, leaving 1 RDS Session Host, and the same problem occurs for some random user.
We drained this 1 RDS Session Host and enabled another one, and the exact same issue occurs for other random users.
User Profile Discs - High availability
We have an RDS setup, where everything is configured as HA
The only issue is the User Profile Disks, which up to now haven't been an issue. However, we now have a Collection where the application breaks if it loses the connection to the UPD, so we need to make it highly available.
So far we have tried using our primary DFS, but the requirement that the Session Hosts need Full Control permissions on the top level means that this isn't a solution.
What is the recommended solution to make the UPD highly available?
Kind Regards
Ivan Vejsgaard
2012r2 RD Per User Licensing - no license server available
Hi,
The question I have is based on a scenario for DR I am looking at. I'll describe the scenario first then ask a very specific question.
I have 2 sites, with a RD Session Host on each. The primary site's RDS Host has Licensing installed with some Per User CALs.
The secondary site's RD Host is using the licensing on the primary site.
In my testing of the DR scenario I can turn off the primary site (so no licenses are available) and can still log on to the secondary site server.
Both servers are still in the grace period.
Question: After the grace period is over, and during a DR event where the primary site's licensing server is not available, what happens when a user tries to connect to the secondary RD Session Host?
I've looked all over and can't find a straight answer to this. My apologies if my searches weren't vigilant enough.
Thanks,
Tim.
RDS 2012 R2 - RDVDiag - Crash at start up
RDVDiag (http://support.microsoft.com/kb/2692470) looked promising as a resource gathering tool, but it fails to start on our RDCB.
Here are the details:
Problem signature:
Problem Event Name:CLR20r3
Problem Signature 01:RdvDiag.exe
Problem Signature 02:1.0.0.0
Problem Signature 03:5237673a
Problem Signature 04:RdvDiag
Problem Signature 05:1.0.0.0
Problem Signature 06:5237673a
Problem Signature 07:b7
Problem Signature 08:27c
Problem Signature 09:System.NullReferenceException
OS Version:6.3.9600.2.0.0.144.8
Locale ID:2057
Additional Information 1:9393
Additional Information 2:93934b5d1434a9c6aa07eb66d175fe5f
Additional Information 3:3a97
Additional Information 4:3a97a99d708839a8fa2f91688b68b694
Any thoughts?
Cheers
Lea
Vdi pooled collection - VM ask to restart every time I log in
Hello everybody,
I started to create a test lab for vdi environment. I installed a physical machine with hyper-v 2012 (with the role of RD Virtual Host) and a Windows Server 2012 R2 (with the role of RD Connection Broker and RD Web Access).
Then I created a collection from a windows 7 template but I am facing a very annoying issue:
when I log in to any VM in the collection via Remote Desktop Web Access, the VM asks me to restart. As mentioned in the title, it is a VDI pooled collection and I have enabled the "Rollback" feature.
I temporarily found a workaround: removing the rollback checkpoint, restarting the VM and then re-creating it, but every time I recreate the VM in the collection I need to apply this workaround. Because I am planning to work with 30/40 VMs, it is not a solution.
Note that if I Remote Desktop to the VM without using Remote Desktop Web Access, the VM doesn't ask me anything.
The template has been created on the same hardware, and as a further try I even created a new template starting from a VM (after applying the workaround), but I am still facing the same issue.
Is there a way to understand for what reason the VM asks to be restarted? From the registry I didn't find anything useful.
Thanks.
Denis
Network Load Balancing and RD Connection Broker
I have a Dell VRTX server with 2 blades. Each blade has 2 hyperV VMs running on them consisting of - 1xDC, 1xFile/Print, 2xTerminal Servers.
The terminal servers are running Windows Server 2008 R2.
I have setup network load balancing and rd connection broker.
The problem I have is that when I connect via my NLB IP it goes in fine, but if I disconnect the session and try to connect again via the NLB IP it might reconnect me to the same TS again, or if it tries to connect to the other TS it times out. I thought this should redirect me to the disconnected TS session? This is a problem as I don't want users repeatedly trying to log in until it connects them to the TS they had the disconnected session on.
Any help will be greatly appreciated.
User prompted for elevation on secure desktop through Windows Remote Assistance after group policy modifications.
First here is some background information, hopefully someone can help me understand what is going on that the elevation prompt is still appearing. This may get confusing and sound ridiculous, but bear with me as it is what I have to work with.
This is the chain: Windows 7 PC (admin) remoting into a Windows Server 2008 R2 server, then offering assistance through Windows Remote Assistance to another Windows 7 PC (user) through the server. I am remoting into the server because my workstation is offsite and outside of the LAN, but is part of the domain via VPN.
Here is the actual problem. I offer remote assistance to the user. The user accepts. I request control. The user checks the box to allow me to interact with the UAC prompts and accepts. The screen goes black for me and has a pause symbol on it. The user has received a UAC prompt requesting elevation. He is not an admin. We get stuck here.
Here is what I have tried:
I've enabled "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop."
I've disabled "User Account Control: Switch to the secure desktop when prompting for elevation."
I've tried in both enabled and disabled states "Only elevate UIAccess applications that are installed in secure locations."
I've installed the hotfix described in this KB post: https://support.microsoft.com/en-us/kb/2614066
After each of these changes I have had the user restart and when appropriate I've done gpupdate /force or logged off per requests from Group Policy notifications.
I'm at a loss for why the prompts are not appearing in the Windows Remote Assistance window. Any ideas?
Smartcard authentication fails using third-party DNS
I'm configuring smart card logon via RDP on domain controllers and have everything working from inside the network, but as soon as I try from a VPN connection it fails with the NLA error:
“The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.”
From the VPN connection:
- If I authenticate with username/password, I can connect.
- If I authenticate with smart card, I get NLA error.
This is a test domain so it’s not resolvable by our normal DNS servers (the ones that are assigned to my VPN adapter). However, if I change my VPN adapter’s DNS to those of the test domain then smart card authentication works.
It’s weird because NLA should be enabled for both username/password and smartcard but when I’m using a foreign DNS server only username/password authenticates.
I’m pretty sure I have the certificates and smartcard configured correctly but a second set of eyes are welcome.
- The domain’s root certificate is loaded in the NTAUTH store on the client.
- The domain’s root certificate is loaded on the smartcard.
- The DC has a valid Kerberos certificate.
- The root cert is published to the enterprise store in the domain
- All certificates pass a validation check (certutil verify)
- The DC’s certificates pass validation from certutil –dcinfo
- The UPN of the smartcard user cert is user@fqdn
Any ideas?
Thanks!!
RemoteFX event log
Hi all,
We have a Server 2012 R2 host and created a Windows 7 VM (RemoteFX enabled) with the RDP 8.0 and RDP 8.1 updates.
When we connect to the Windows 7 VM, we see the Shut down button on the Start menu and Aero Flip 3D works,
but there is no RemoteFX event 1000 or 1001 in RemoteDesktopServices-RemoteDesktopSessionManager.
We referred to this website: https://technet.microsoft.com/en-us/library/ff817580(v=ws.10).aspx.
How do we check which protocol we are running when we establish the connection to Windows 7 (RDP 7.0, RDP 7.1 or RDP 8)?
Thanks,
Derek
Around 450 RemoteApp Sessions limit on Windows Server 2012 R2 Remote Desktop Services Session Host without apparent bottleneck - RDS Broker scalability issue
Hi
We have an RDS farm with the following set-up (using Windows Server 2012 R2) to serve RemoteApps to our clients:
- Two RDS Gateways
- Four Session Hosts (24-physical processors and 512 GB ram each)
- User profile disks enabled
- One RDS Licensing Server
- Two RDS Broker Servers
The problem we are facing is that it seems like there's a "magic number" of about 450 connections (fluctuating between 445 and 455) per each Session Host.
Once this number is reached users start to report:
- General session slowness (slow update of Remote App window contents)
- Some users are unable to log in to their (new) session
- Some users are connecting but presented with "empty" screen
- Some users are getting (randomly?) disconnected
When the issue happens, based on performance counters, the CPU is in range of 30%, RAM has about 200 GB free.
Processor Queue Length during the day is mostly within the "<2" range, with ~30% of the time going higher, up to 6, intermittently (not consistently), and with ~1.5% of the time being more than 10. (There's no continuous queue build-up.) So our understanding is that this is not a CPU/RAM limitation.
There were no limits on the concurrent number of sessions set on the Session Hosts on the software side, to my knowledge. Review of the Application/System/RdpCoreTs logs does not show anything really suspicious at the time the limit is hit; the errors/warnings in the event logs do not correlate with the timing of the problem.
We've been investigating this issue for several weeks now and it's still absolutely unclear what could cause such a limitation. Maybe someone has experienced similar issues.
Any suggestions are welcome.
Server 2012 RDS WinLogon process crashing Event ID 4005
We have this issue on many 2012 RDS session hosts. The issue has been seen at different clients with different setups: some have a simple 1-session-host RDS server, some have 4 or 5 session hosts in a load-balanced farm with RD Gateway, connection brokers, RDWeb, etc. The problem, in the simplest explanation:
A user will call the help desk saying they cannot access the server. They will get an error when RDP is trying to connect.
We check the session hosts, and will find many errors:
"Event ID 4005 - The Windows logon process has unexpectedly terminated"
At that point in time, users who are currently logged in may be able to still work, or their session may lock up (it is not consistent).
Regardless of the users currently logged on, after the logon process crashes it continues to crash upon every user attempt to log on. It will happen indefinitely until the server is rebooted. We cannot log in, not even via the console, until the server is rebooted.
Then everything works fine for some amount of time (not consistent); it may be a couple of days, or it may be weeks, or even a month.
We have had the case open with Microsoft for about two months and they cannot determine what is wrong.
I believe I may have found a possible cause: Webroot SecureAnywhere antivirus. Since we have tried everything from moving from roaming profiles to local profiles, removing all printers, blocking inheritance of GP, fresh server builds with minimal software, etc., it has to be something that is consistent across the board on all servers.
The only thing I can find consistent across the board is the antivirus: Webroot.
I am curious if anyone else is having this issue. I would like to pinpoint this to something, but it is so intermittent and we cannot force-replicate the problem.
Desktop Icons flicker / flash with Folder Redirection
Hello experts. We have this same problem across many different clients with 2012 R2 RDS server farms.
Users report that their desktop flashes continuously throughout the day. We witness this many times as well. Users are working on a 2012 R2 RDS session host. They are utilizing folder redirection, so their desktop icons reside on a file share. I can simulate the same effect if I hit F5 to refresh the desktop: all icons flash. This is happening on many RDS servers at many different clients.
I found this post here with an identical issue:
http://discussions.citrix.com/topic/305854-desktop-icons-flickering/
The recommendation is "creating on the registry the REG_DWORD key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteChangeNotify with value 1."
I know others have this problem as well. I'm curious as to how to resolve the issue, and whether the change mentioned above will have any negative effects for users. Thanks in advance.
Remote Desktop connection "Just a moment " delay
Hi, I have an issue that I find very frustrating, and Google has not offered me a solution yet.
RDP works fine in the office (over multiple subnets), but not over VPN.
Client is Windows 10, server is Windows 2012 R2, 2008 AD, Check Point VPN.
When I take my laptop home and start the VPN, I am able to ping the server by name, FQDN or IP, but when I try to connect with RDP, I get delays of many minutes before it prompts me for a password.
I have tried: different laptops, different OSes (8, 8.1, 10), different servers, different accounts, clearing the RDP cache on the client.
Connecting via IP does seem to work (but who remembers all the server IPs when doing admin work late at night?).
*Sorry, I can't seem to paste the dialog box. It says:
title: windows security
"Enter your credentials
These credentials will be used to connect to XXXXXX
Just a moment
< scrolling bar>"
<okay> <cancel> buttons, neither of which help or speed things up; in fact, if I hit cancel, I end up having to kill it in Task Manager.
The connection was denied because the user account is not authorized for remote login
Hi,
I have an RDS 2012 R2 farm that has all the roles on 1 server (gateway, web access, connection broker, licensing) and 3 x session host servers. I have a .local domain, so I've used a public cert and followed the workaround found here: http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80, which changes the client access name on the connection broker to one that matches the public FQDN found on the cert.
If I connect through a web browser then I have no problems so I know the fundamental properties around permissions to RDP into the farm are correct.
However, if I try to connect using a standard RDP client I get the error "The connection was denied because the user account is not authorized for remote login". I think the problem is around the fact that it is trying to connect to the broker server itself rather than the farm. If I put my test user in the Remote Desktop Users group on the connection broker then it connects but to the connection broker itself rather than one of the session hosts.
I've used Chrome to download the RDP file that works (the one I get through the web GUI) to have a look at the settings, and I've mimicked all the settings (including the "Connect from anywhere" settings relating to the RD Gateway), yet I still get the problem. If I use the actual RDP file (downloaded via Chrome) then it works with no problem.
I know I can just publish the RDP file to my users and the problem is solved, but I have a load of thin clients that are unmanaged (and not on the domain), so I want to avoid a visit to each one if possible.
Does anyone know why it is trying to connect to the server with all the roles directly rather than being passed on to a session host?
If anyone can help I'd be most grateful.
Cheers,
Tristan
Office 365 shared computer activation
Hello,
I am setting up Office 365 on an RDS server. My domain uses a non-routable domain (company.local), so I had to create an alternate UPN that matched the routable registered domain for the company (company.com). The problem that I am having now is that when I have logged onto the RDS and start an Office application, I am still prompted with the activation prompt, asking for an email. If I enter the test user's email and then the password on the next screen, I am able to register the user and get a token license.
This is not my desired solution, as I wouldn't want my users to have to do this every x days. The TechNet article on this topic is very fluffy, a lot of 'probably, might, some and should' as opposed to definitive answers: https://technet.microsoft.com/en-us/library/dn782860.aspx (under the section 'How shared computer activation works for Office 365 ProPlus').
My domain is already DirSynced, with password sync too.
Any help would be appreciated on how to automate this process so the user never sees this prompt. Ideally, Office should pick up the email and password without the user entering anything.
regards,
InfoAdmin
Change expired passwords on an RDS environment
Our company just set up a new Windows 2008R2 RDS environment (Gateway/Broker/Host all 2k8R2) and we ran into "cannot change expired or first login passwords" issue.
We have 400+ users who run our app over remoteapp and our "old" environment was a straightforward remoteapp to a single server and changing expired passwords was allowed. Now, with the RDS Gateway in between the client and the host server, changing passwords is disabled.
Is there an option, group policy setting or something that can be adjusted to allow password changing??
I know about the RDWeb hotfix and I'm aware of the 3rd-party solutions, but I would like to know whether there is anything that can be done without those workarounds.
Thank you very much.
Can't create self signed certificate for RD Gateway
I'm trying to set up an RD Connection Broker for RemoteApp, but I'm getting an error when I try to create a self-signed cert for the RD Gateway:
"The self-signed certificate has been successfully created, but RD Gateway cannot store the certificate in the directory C:\Users\myuserid\Documents. Please specify a different directory, and try again."
I tried other directories, all of which I have full rights to, but still no dice. I can't find anything with this error. Any idea how I can get past it?
FWIW, I have no problem logging into this server through RDP.
Thanks.
RDS 2012 R2 - Renaming Collection / Custom Icon Observations
Hi All
Today I've noted the following when a Collection is renamed through RDS Server Manager:
- The icon folder store on all Connection Broker servers (HA), C:\Windows\RemotePackages\CPubFarms\<CollectionName>, doesn't change from the original name.
- The Collection name registry keys living under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<CollectionName> also remain with the original Collection name.
- Reboots do not force a synchronisation.
- If either the registry key or the folders mentioned above are renamed manually, within approx. 10 minutes RDS renames them back (or creates fresh copies) using the Collection name originally used upon Collection creation, not the new name!
1. Is there a way to synchronise these?
2. Can PowerShell be used to rename a session Collection?
I spotted this cmdlet: Set-RDSessionCollectionConfiguration however there appears no way of entering both old and new Collection names should you wish to rename a Collection, so it implies only the properties can be modified, not its name.
3. Can a Collection and all attributes and applications be copied to another new Collection?
Custom Icons
I'm unsure how the IconPath variable is used within the cmdlet: Set-RDRemoteApp -CollectionName "<MyCollectionName>" -Alias "MyAppAlias" -IconPath ""
-IconPath <String>
Specifies the path to a file containing the icon to display for the RemoteApp program identified by the Alias parameter. This path must not contain any environment variables. For session collections, the path must be a valid local path on all RD Session Host servers in the collection. For virtual desktop collections, the path must be a valid local path on all virtual desktops in the collection.
The reason I'm confused is that if I point -IconPath to an icon which doesn't have the same name as the App Alias, PowerShell will copy this icon to C:\Windows\RemotePackages\CPubFarms\<CollectionName> and rename it such it does. However Get-RDRemoteApp -alias "<MyAppAlias>" | fl shows IconPath reflecting the original icon file, not the one which RDS has created using the same name as the App's alias.
RD Web displays the icon correctly and I can confirm that the icon RDS creates using the same name as the App Alias is the one being used (not the one pointed to by IconPath) by simply renaming it and watching it disappear from RDWeb.
1. If IconPath doesn't actually match the icon RDS is now using to display, what (if any) are the consequences?
2. What's the actual purpose of IconPath?
3. To align IconPath with the actual .ico RDS is using to display (which to me sounds logical), should I simply create multiple icons from the original source, named using each app alias, store them here: C:\Windows\RemotePackages\CPubFarms\<CollectionName>\MyAppAlias.ico, and register IconPath as C:\Windows\RemotePackages\CPubFarms\<CollectionName>\MyAppAlias.ico?
4. Is IconPath used just once when the PowerShell script is run, and therefore maybe has no relevance afterwards?
Questions, questions, I know!
Thanks for any pointers...
Lea
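An added audit script that is not part of the post above and not RDS's own tooling: it lists every RemoteApp in a collection and reports whether the IconPath the broker stores still exists, whether the alias-named copy under CPubFarms (the file the post found RD Web actually uses) exists, and whether the two agree. The collection name and broker FQDN are placeholders to replace, and the script is assumed to run where the RemoteDesktop module is installed.

```powershell
# Added example (not from the original post). Assumes: the RemoteDesktop
# PowerShell module is available, and $Collection / $Broker are replaced
# with real values. Read-only: nothing is renamed or set.
param(
    [string]$Collection = "<MyCollectionName>",    # placeholder
    [string]$Broker     = "rdsbroker.example.com"  # placeholder
)
Import-Module RemoteDesktop

# Icon store the post observed RDS maintaining on each Connection Broker.
$storeRoot = "C:\Windows\RemotePackages\CPubFarms"
$store     = Join-Path $storeRoot $Collection

if (-not (Test-Path -LiteralPath $store)) {
    # After a rename the folder keeps the collection's ORIGINAL name, so a
    # missing folder is itself a symptom worth reporting rather than an error.
    Write-Warning "Icon store '$store' not found; the folder may still carry the collection's original name."
}

# One row per published app: stored IconPath vs. the alias-named .ico RDS creates.
$report = Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    ForEach-Object {
        $aliasIcon = Join-Path $store ("{0}.ico" -f $_.Alias)
        [pscustomobject]@{
            Alias           = $_.Alias
            IconPath        = $_.IconPath
            IconPathExists  = [bool]($_.IconPath -and (Test-Path -LiteralPath $_.IconPath))
            AliasIconExists = Test-Path -LiteralPath $aliasIcon
            Aligned         = ($_.IconPath -eq $aliasIcon)   # true only if registered as the post's option 3
        }
    }

$report | Format-Table -AutoSize

# Summarise the mismatches so drift (e.g. an IconPath pointing at a deleted
# source file while RD Web still shows the alias-named copy) is visible at a glance.
$report | Where-Object { -not $_.Aligned -or -not $_.IconPathExists } |
    ForEach-Object { Write-Warning ("{0}: IconPath does not match the CPubFarms icon in use" -f $_.Alias) }
```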