I want to use the "RDS Endpoint Servers" group to determine which RD Session Host servers the license server will issue licenses for.

Does this group not handle group nesting? I would ideally want to use an AD DS security group that both applies the correct group policy settings (license mode and server) and allows it to use the license server. 

The servers are a member of the group, the policy applies, the group membership shows up on the session host servers, but the RD Licensing Diagnoser shows an error saying it can't issue licenses because the "License server security group" setting is enabled and suggests that the server should be added to the "RDS Endpoint Servers" group on the license server. 

If I add a server as a direct member of the "RDS Endpoint Servers" group and refresh the RD Licensing Diagnoser it turns green and everything is OK. When I remove it, it goes back to the error, despite the server being in the group (albeit nested). 

By the looks of it only direct membership is working, but I want to confirm if that's the case (which would seem a bit strange) or if I'm missing something. 

Any ideas? 

I have a program that our clients run as a RemoteApp. This program copies files out of a folder to another folder, then zips those files and downloads/copies them off the remote server to the clients local machine or flash drive. 

The big picture of what I am trying to achieve is to have the ability for the client to set up a schedule of when they want the files downloaded/copied to their machine out being logged into the RemoteApp. 

I have created the interface in the RemoteApp to create a schedule and it then creates a task in Windows Task Scheduler for the program to be run and the files be copied, zipped, and downloaded/copied. 

The task created is successful and is executed to completion when the zipped files are moved to a location on the server that Task Scheduler and the Program are on. 

However when the path to place the zipped files is on my local machine it fails because it can not access the path location when Task Scheduler is running the program. When the user creates a path to their local machine and runs the program in an Interactive Session the path is as follows:

\\tsclient\C\Data Export files

As I understand it Task Schedule launches the program using a users credentials in a Batch Job session. Is there anyway to let this session connect to my local machine and move the zipped files? Do I need to specify the computer that I am moving the data to IP Address' or some other kind of Identifier in the file path?  

Hi,

We have set up ( with GPO) session timeout for RDS users :
- IDLE session : 1 hour
- disconnected session : 1 hour
- close session when timeouts are reached

But sessions never hit timeout because each time a new user logs in or an IDLE user reconnects, all IDLE session counter are reset to 0.

I am not able to figure out what is happening...

Does anyone have an idea ?

Regards,

Arnaud

I have published URL shortcut as Remote app on rd web. It keeps forcing users to logoff immediately. 

So I changed the Remote app from URL shortcut to a batch file with command "start chrome https://internalwebsite/"

Still users complain they are forced to log off. 

Is there any better way of publishing Remote for end users to access URL. I was thinking of Chrome GPO with bookmark but the policy adds bookmark under managed bookmarks folder. I am looking to URL directly available on bookmark bar.

I even made easy for user by making the site to open on startup. But the users doesn't want site to open when they launch chrome on the RDSH server.

So I am looking for the URL to only work on Remote App or provide bookmark on bookmark bar. Please let us know if anyone know how to achieve this.

Thank you

Shekar-Technet

Hi.

I have notice that Server Manager\Remote Desktop Services\Collections\CollectionName\Connections 

shows incorrect Idle time. It begins count Idle time only for disconnected sessions. 

Even when session was reconnected it continues counting Idle time, ignoring user activity.

Powershell cmdlet Get-RDUserSession returns the same incorrect Idle time.

Only "query user" command returns correct information.

Has anyone else seen this problem? 

P.S. Reproduced on Windows Server 2012 R2 with latest updates.

The issue: Due to a problem, i need to change all reg keys related to all TS/RDP users

first i list the SIDs with REG QUERY HKEY_USERS and the cmd lists 12 user´s SIDs (i´m not counting well-know, _Classess keys, etc)

So i did a "for" loop, changing the proposed reg key for these 12 keys, no problem.. untill now...

So i noticed that i have several (more than 10) users logged on my TS/RDP, but they´re not listed in the USERS hive in registry

So, the problem: I need to change a reg key for all TS users, because users have no right/permission to open CMD, use regtool, etc, so I need to modify the reg keys for each individual user, but most of the users are not present in the USERS reg key

The main script is:

for /f %f in (SIDs.txt) do reg add "HKEY_USERS\%f\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"  /t REG_EXPAND_SZ /v Cache /d ^%USERPROFILE^%\AppData\Local\Microsoft\Windows\INetCache /f

But rhe SIDs.txt was built based on availble reg keys under HKEY_USERS, but i have  several users, active, online, using the TS and they have no related reg key under USERS

So, why and more important, how can I change the Cache key for TS users??

A couple months ago I deployed a Windows Server 2012 R2, with the intent of using RDS Gateway on it for a client.  I got it working, but there is a 60 second delay during the login process to the RDS Gateway.  Specifically, the RDP client hangs on "Configuring Remote Session."  This happens 100% of the time from outside the network (but never when connecting to the same server on port 3389 from *inside* the same network that the server is on).  It is also important to know that even though there is always a 60 second delay, it still connects successfully 100% of the time.  The client is not happy with the 60 second delay though (understandably), and has asked me to to solve the problem.  I have done a ton of research, but the few possible solutions I came up with ended up not solving the problem.  Here is everything I have done so far:

-My problem is *most* similar to this other post:  http://social.msdn.microsoft.com/Forums/en-US/20a68eec-d639-47f7-abd1-3ae10aaf4db8/remote-desktop-to-web-role-gets-stuck-on-configuring-remote-connection    However, the problem in that case eventually resolved on its own, & I have already tried the only suggestion mentioned in that thread (disabling port re-direction).....either I did that improperly, or it did not help).

-100% of the time immediately after a 60 delay login, I get this warning in the server's event log:  

"Remote Desktop Services has taken too long to load the user configuration from server \\servername.domainname.local for user XXXXXX"   (where XXXXXX is an actual username).

The only recommendation I can find after researching *that* warning message is a small registry edit, which I have tried, and it did not help.

-In my research, I came across someone's theory that the problem is related to the SSL certificate, & the fact that the internal domain has a .local extension (which mine does).  According to this theory, Microsoft's RDS Gateway (unfortunately) exposes the RDS Session host's computer name (including its .local extension) to the remote/external RDP client, and therefore the 60 second delay is caused by the remote/external RDP client taking time to look for the SSL certificate for the session host, which doesn't exist.  The only way to determine whether this theory is the actual cause of the 60 second delay, or not, is to actually purchase a UC Certificate, which supports multiple domain names.  There is an additional problem with testing this theory however, in that ICANN has mandated that certificates will no longer support .local (and similar) domain extensions come November, 2015.  Therefore, even if I go through all the work to purchase & install the UC Certificate, *and* it happens to solve this 60 second login delay problem (which is a big "if"), that solution would only work for 1.5 more years from now.

I hope you can see I have tried hard to solve this problem on my own, but I am unable to.  I really need some outside perspective to cut through the troubleshooting fog in my head regarding this particular problem.  It is for that reason that any assistance with this problem would be greatly appreciated!  Thank you in advance!

Hello,

We have a Windows Server 2016 box that is being used for users to remote in to their computers by way of RDWeb. Every time someone goes to the website to login we we get the following Warning logged in events:

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 10/26/2018 10:49:47 AM 
Event time (UTC): 10/26/2018 2:49:47 PM 
Event ID: 00f90daa62f94580925cf71413f5874d 
Event sequence: 5 
Event occurrence: 1 
Event detail code: 0 
Application information: 
    Application domain: /LM/W3SVC/1/ROOT/RDWeb/Pages-6-131850389869549350 
    Trust level: Full 
    Application Virtual Path: /RDWeb/Pages 
    Application Path: C:\WINDOWS\Web\RDWeb\Pages\ 
    Machine name: XXXXXX 
Process information: 
    Process ID: 5096 
    Process name: w3wp.exe 
    Account name: IIS APPPOOL\RDWebAccess 
Exception information: 
    Exception type: NullReferenceException 
    Exception message: Object reference not set to an instance of an object.
   at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormAuthTicketInfo..ctor(HttpContext objHttpContext)
   at ASP.en_us_default_aspx.<GetAppsAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Web.UI.PageAsyncTaskManager.<ExecuteTasksAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.UI.Page.<ProcessRequestAsync>d__554.MoveNext()

 
 
Request information: 
    Request URL: https://XXXXXXXXX:443/RDWeb/Pages/en-US/Default.aspx 
    Request path: /RDWeb/Pages/en-US/Default.aspx 
    User host address: XXXXXXXX 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: IIS APPPOOL\RDWebAccess 
 
Thread information: 
    Thread ID: 115 
    Thread account name: IIS APPPOOL\RDWebAccess 
    Is impersonating: False 
    Stack trace:    at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormAuthTicketInfo..ctor(HttpContext objHttpContext)
   at ASP.en_us_default_aspx.<GetAppsAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Web.UI.PageAsyncTaskManager.<ExecuteTasksAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.UI.Page.<ProcessRequestAsync>d__554.MoveNext()
Custom event details: 

Hello,

I have one RDGW and three RDSH server (rdsh1, rdsh2, and rdsh3) in a same domain and we need to purchase some license/CALs. But I have some questions about the licensing:

1. Do I need to purchase the per device CALs for the RDGW/RDSH? We already activated the Windows Server 2016 std using the open license.
2. If I purchase 50 per user CALs, can rdsh1, rdsh2, and rdsh3 share those CALs? or I need to purchase 50 CALs for each RDSH server separately? which means we need to purchase 150 per user CALs in total for 3 of RDSH servers?

Thanks.

Dear,

Problem is is that after installing KB 4512495 it is impossible to connect to the remote desktop services (RDS). So it is a real big problem. This could be solved to uninstall KB 4512495 but this took hours and hours while the screen says: "Don't turn off your computer. Installation 100% complete!". So we had to wait a full frustating night because the other day customers had to use this server 2016.

Questions are:

1) What procedure had to be followed so that a production server can be updated without interruption.

2) Should KB 4512495 for security reaseons to be installed? And if yes, when will we be informed after this nasty problem has been solved?

Thanks in advance for any help!

Best Regards,

Aart

It seems that the predefined Firewall exception "Remote Desktop Gateway HTTP-Listener" can't be modified by the system.

Any clues on the cause of this problem? Thanks in advance for any hint!

Kind Regards
Andreas

Hi all,

We're currently experiencing issues at a random interval with regards to freezing start menu's on Server 2016 RDS Hosts.
When the freeze happens we can see the following items in the eventlog: Event ID 5973

Seems to be related on a per user base, as multiple users can connect to the RDS server but only a few of them are experiencing issues.

We are using User Profile Disks and Start Menu redirection. Any thoughts?

I do the IT work for a local small business. A few months ago the owner decided to change from one software vendor to another. The previous was a web based application and the new one is accessed through Remote Desktop/Remote Access to a Windows 2008 R2 server. All of our desktops run the latest up-to-date versions of Windows 10, all are HP computers, all get about 50mbps down and 20mbps up. We went live with the system on the first of the month however since the beginning our client desktops will experience odd session hanging/freezing seemingly randomly. I will bring up another program(Google Chrome, Outlook, etc) for a few minutes and go back and it will be "frozen". Although this is inconsistent as I can do the same thing for longer and it won't hang/freeze. When this happens I'll kill the app in task manager. Then I go through the log in process again and it brings up the session just how it was before it "froze" saying something along the lines of "Are you sure you want to restart the connection" with yes and no options. I'll then hit no to continue the previous session and it is like it never happened. This only takes a minute but this happens 10-20 times a day for each of my users and they are getting frustrated.

The vendor says they are working to find a solution and that our problem is unique, however it has been a few weeks and they haven't really said much outside of normal troubleshooting efforts. I cannot do anything server side, that's on them, but on the client side I've tried just about everything I could think of or find. I've tried turning off/on just about every MSTSC setting there is, I've updated all drivers for everything(was specifically targeting network and graphics), I've disabled auto-tuning on the NIC, I've edited the registry to only only allow TCP connections in TS, I've reset our router, and I've tried other remote desktop apps. When we went live and noticed it happening we immediately did a Ping Monitor on one of our hosts for a week and ruled out network/internet issues. I've also remoted in to the server from a Windows 8 laptop from home and the issue was not present. Event viewer show nothing anywhere, it's like it isn't happening even though it is. 

If anyone has any tips or suggestions, I'm open to anything at this point. If not I'll wait around for the vendor to hopefully figure it out. 

Greetings, I am moving this post from Windows 10 IT Pro > Windows 10 Networking..to this forum. 

I am running Windows Server 2016. Network Logon service stops running arbitrarily in some indefinite period of time, sometimes hours, sometimes a day or two. The system is fine and then Network logon service stops and I can no longer connect via remote desktop. I have no console attached on a permanent basis to remote desktop is my primary connection method. When it stops, I have to power down and restart the server or attach temporarily the console and restart Network Logon service which I have verified has indeed stopped. 

In the registry are the correct entries:

Under Value Data:

LanmanWorkstation

LanmanServer

I'm seeing some other errors in the event viewer which seem related.

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

followed by....

Critical Alert: AutoStartServicesServerOS is raised at GCQALOHA. <Title> One or more services are not running. <Description> The following important Windows services are not running:

Netlogon (Netlogon)

Note: Services can be stopped when software updates are applied.. <AdditionalInfo> .

This one a bit earlier....

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'HaleAloha.local.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition).

having issues with users connecting reliably and quickly. it can take numerous frustrating tries to connect both over LAN and over Internet.

the remote desktop server does not seem to be collecting any information at all about these failed attempts. users are not getting prompts for passwords, they get messages saying the system is off or not available or remote access is turned off.

mac users get a connection refused error and that's it.

is there another system log on the RDS server (2008 R2) that I should be looking at? the security log is really doesn't help.

would another network system see these events, like a domain controller, or a DNS server? having a heck of a time diagnosing this.

any thoughts appreciated. thanks in advance.

cheers!

I am currently having an issue installing RDS on a Windows Server 2016STD. This server IS currently a domain controller. I know it's not recommended to run a terminal server on a DC but it is what is required for the situation. 
From what I understand Microsoft temporarily disabled the ability to install both RDS and ADDS on a single server, but from the info I can find on Server 2016 this has since been re-allowed. 

I am attempting to do a session-based deployment.

When trying to go through the standard deployment method, the installation fails on the RD Connection Broker role service with: "Failed: Unable to install RD Connection Broker role server on server 'Server'".

If trying to install with the Quick Start deployment method, the deployment fails at Remote Desktop Services role services with the error: "Failed: Unable to install the role services. Exception calling "Translate" with "1" argument(s):"Some or all identity references could not be translated."

There don't appear to be any errors or relevant events in the Event Viewer.  

Any help will be greatly appreciated!

Hi,

We have set up ( with GPO) session timeout for RDS users :
- IDLE session : 1 hour
- disconnected session : 1 hour
- close session when timeouts are reached

But sessions never hit timeout because each time a new user logs in or an IDLE user reconnects, all IDLE session counter are reset to 0.

I am not able to figure out what is happening...

Does anyone have an idea ?

Regards,

Arnaud

Hi Expert,

We would like to ask something if there is any solution to resolved our problem in VDI server. Is there any recommendation and best practices? 

Scenario :

Publish user

User was able to login using Remote session but upon opening any apps like Excel, word etc. it will get stuck Connecting....

Pool user:

User was able to log in using Remote session, a log windows based screen appear but once they open a any apps it will get stuck again.. connecting... 

Pool - proper shutdown start>poweroff>click shutdown : VM

Tried everything below : 

Publish User

1. Rodante 

Resolution: Sign out in vdirwm > login to another wyse device > logoff using cmd

2. Manuel 

Resolution: Sign out in vdirwm server

3. Rina 

Resolution: Sign out in vdirwm server

4. ESDMinibar 

Resolution: Sign out in vdirwm server

5. ESDMinibar

Resolution: Sign out in vdirwm server

6. Glenny 

Resolution: Sign out in vdirwm server

7. Rodante

Resolution: Sign out in vdirwm09 > login to another wyse device > logoff using cmd 

8. Limleo

Resolution: Sign out in vdirwm server 

Pool User

1. Nelson 

Resolution: Stop/Start virtual pool in vdirwm01

2. Razzel A

Resolution: Restart wyse computer

3. Joshua 

Resolution: Login to another WYSE PC 

4. Renmark 

Resolution: Login to another WYSE PC 

Homer Sibayan

Hello everybody,

i'm having a problem on our Terminalserver with the Internet Explorer. (Exactly the some like this guy here: https://www.bleepingcomputer.com/forums/t/552892/cant-download-anything-using-ie-11-but-chrome-works-fine/)

When i start the IE with normal User Permissions i can't download any file. I get the download prompt, but when i click on save, the message:  "Filenamecouldn't be downloaded."This Error appears on every download i tried, except PDF's how open in the integrated Adobe Reader of the Browser. 

When i start the IE with Admin Rights, no problem downloads are working fine.

When i start Google Chrome with normal user rights, no problem downloads are working fine.

I also found no difference in the User GPO when i compare the Group Policy Results of my normal user and my Admin User on the same machine.

So i think it will be a problem with some permissions, but where could i start to look. Where does the IE Explorer need permissions that he can handle downloads? 

May somebody of you have an idea for me, thank you very much! :) 

Greets

Good day,

We're trying to install owasmime.msi on terminal server (WinServer 2012 R2) for all users in order to enable them to read encrypted emails.

However, we're kinda stuck. The thing is, if we try to deploy owasmime.msi through normal means (via install software in terminal server from Control panel), it looks like IE can't see addon installed. It IS indeed shows as installed in programs and features, but when you try to open encrypted email in IE it shows that no ActiveX s/mime component is installed, please install it.

If we try to deploy it via GPO with User Configuration - Software installation, then it just doesn't work. According to RSOP, the policy itself is indeed applied. And all the settings from the policy is active BUT the software package that should be deployed with it (owasmime in this case). So every setting in the policy is fine and applied (as well as the policy itself, according to rsop), but software package is not.

I'm running out of ideas, to be honest. One more way to go should be manually copy dlls and register them under every user via GPO.

Looking for help.