Hello,

I just created new 2016 RDS Session Base environment where I have two servers.  1st Server has  RDS Web Services, RDS Gateway, and RDS License Role and 2nd Server has RDS Session and RDS Broker role.  I have configured the way I want it and created DNS Alias for server 1 which is the gateway server rds.domain.com and I have all the configuration setup correctly but I don't seem to get connected RDS Sessions/Broker server when I type in the rds.domain.com. It logs into server number 1 instead of server number 1.  I don't know if I am setting this up wrong or I need the broker and gateway role on same server? any help would be appreciated.

Thank You

Nilay Joshi

I am running a windows server 2016, Installed RDS with broker services. I am trying to remote to another server from this one and get the error listed below. There are no firewalls between the systems and all windows firewalls are turned off. I am not able to telnet to another server using port 3389. I tried disabling the license server configurations (as they are other servers on the domain). I am able to remote to this server from another server but not in reverse.

I am trying to set up an application on a Windows 2008 R2 Remote Desktop server. It is a fairly old application, and we are moving it from desktops to a terminal server (.....long story......domains merging.......legacy apps). There is a component of the application which just refuses to play nice. The application is a document management system (TechnologyOne ECM), and when you install it it adds a 'Send To' entry to Explorer. The idea is you right-click a file, select Send To ECM, and ECM opens up with the file ready to be registered.

The 'Send To' entry isn't a normal part of the application install - you need to do a custom install and select it - but on the image we apply to our PCs it wasn't installed, so whenever we re-image a PC we just uninstall this application, reinstall it and the missing Send To target works just fine. But I can't get it to work on a terminal server. I have tried the uninstall/reinstall trick, but this does not help. I have created a brand new VM and installed the application fresh, but this hasn't worked either  I have grabbed a copy of ShellExView and I can see that this component is listed as an installed shell extension. What normally happens on a PC is when a user first logs on, setup for this shell extension is triggered and the appropriate entry is added to the Send To menu. On a terminal server, this first-logon process does not seem to be being triggered for anyone other than the first user to log on.

I logged onto the terminal server as admin, and did a regsvr32 on the dll in question. The next time a user logged on to the terminal server, the first-logon process was triggered and the Send To entry was properly added and configured for that user, and that user was able to right-click a file, select Send To ECM and ECM opened as it should.

However, the first-logon process has not run for ANY subsequent users logging onto the terminal server. I am at my wit's end.....I have spent hours combing through Process Monitor logs......countless uninstall/reinstalls.......countless rebuilding-of-the-terminal-server-and-start-again episodes. Nothing I seem to do will make this shell extension register properly for anyone other than the first user of the terminal server.

If anyone has any ideas I would be most grateful.

Hi,

We have just start to add extra capicity, for our RDS enviroments.

Previous we had 2 connection brokers, and 1 server hosting the Gateway / Web access server.

We then added 2 new gateways, to replace the old one, and planned on using HAProxy as the load balancer, in front of the 2 new gateways.

When users are logging into the RDWeb on the old Gateway server, they are presented with the RemoteApps, that they have in the collection, that the user belongs to.

When users are logging into the RDWeb on the new Gateway servers, they are presented with ALL the remoteapps, that is available accross all of the RDS collections.

We are 100% sure, that the new Gateways and the old Gateways, are in the same RDS "environment" - and can see all the servers, when looking at the SQL database for the brokers.

Normally we would look at the Domain groups, since all the RemoteApps are available - but then the user should see all the RemoteApps, when logging into the old Gateway server as well.

The only error code, that ive found so far are these:

Connection Brokers:

RD Gateway Configuration Failed on rdsgw3.domain.local With Error: Failed to create RAP for RD Connection Broker Computers group. Error = 2147749913

RD Gateway Configuration Failed on rdsgw3.domain.local With Error: Failed to create new RD Connection Broker Computers group. Error = 2147749913

RD Gateway Configuration Failed on rdsgw3.domain.local With Error: Failed to create RAP for Domain Computers group. Error = 2147749913

But the policies are being created correctly, and are present when looking.

rdsgw3.domain.local

The connection authorization policy "RDG_CAP_AllUsers" could not be created. The following error occurred: "183".

The resource authorization policy (RAP) "RDG_AllDomainComputers" could not be created. The following error occurred: "183". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

The resource group "RDG_RDCBComputers" could not be created. The following error occurred: "183". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

The resource authorization policy (RAP) "RDG_RDConnectionBrokers" could not be created. The following error occurred: "183". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

The resource group "RDG_DNSRoundRobin" could not be created. The following error occurred: "183". To resolve this issue, ensure that you have configured resource group settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

The resource authorization policy (RAP) "RDG_HighAvailabilityBroker_DNS_RR" could not be created. The following error occurred: "183". To resolve this issue, ensure that you have configured RAP settings correctly and set the correct value and permissions for the RAP.xml file and the RAPStore registry key.

We cant seem to find the answer to this, so any help is much appreciated!

hi I have configured rds gateway on windows 2012 , one server having all rds role ( connection broker, webapp,rdgateway & remote desktop session host ) as per this kb :https://www.lemonbits.com/2014/06/20/installing-standalone-remote-desktop-gateway-on-the-windows-server-2012-r2-without-complete-remote-desktop-services-infrastructure/

after that now i am getting remote desktop services temporary unavailable .

Reviewed all setting :removed port 80
Internally using RDWeb works ok.
I have added the certificate in Gateway Manager

Hi.

Environment:

• Windows Server 2016
• RDS Remote Apps
• Office 2016 - MSI Installation
• Windows 10 Enterprise v1803 clients

The Outlook window dissaperars or looses focus when the cursor is moved between e-mails or tasks. Resulting in the application behind Outlook showing instead.

The problem is sporadic and it does not matter what window is behind Outlook. PDF reader, Excel, etc...

The video below shows the problem.

Remember: In the video the user is only moving the mouse cursor. No mouse clicks and no keyboard keys are in play here.

https://streamable.com/5am7k 

./ Lars Olsen

Hello,

This is my first post, and it's more of a "this is what worked for us and I couldn't find this fix ANYWHERE" thing.

We have recently setup a new RDS environment to replace a pathetic wheezing old TS system.

We are running 9 session host servers in three pools hosting three collections - A, B and C. All the session host servers appear in the pools, accept new connections, and apps are configured and working. No problems here.

We have 2 web front end servers in our DMZ, Port 443 is open, things work fine.

We have 2 gateway servers, also in our DMZ in a gateway farm. Work great, no problem. Connectivity is excellent, internal firewalls on but the necessary configuration has been done so everything is talking and happy.

We have two connection broker servers in a high availability configuration and a different namespace for the front end than the domain (we can't use our internal domain name for our externally facing RDS farm).

However, we would get intermittent failures upon logging in, no matter what collection we were accessing.The web servers present the login page and we could successfully authenticate (using ADFS proxies in our DMZ back into the domain) against AD - I verified this in the logs on the broker servers. The user would still fail to connect to the remote computer. The error we received was a generic "unable to connect to remote computer. If problem persists, contact your System Administrator" and the connection broker would record the following 3 alerts:

Event 802: RD Connection Broker failed to process the connection request for user domain\username. Error: Element not found.

Event 1296: Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : domain\username
Error: Element not found.

Event 1306: Remote Desktop Connection Broker Client failed to redirect the user domain\username. Error: NULL

The user can try again, but the same error would likely be thrown, although sometimes they can log in and connect.

I googled constantly. Some had success modifying GPO Default Domain Policy: Computer Configuration / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / RD Connection Broker / Use RD Connection Broker load balancing - ENABLED. Didn't help; backed it out.

Others had success modifying a registry key on the broker servers: HKLM – System – Current Control Set – Control – Terminal Server – WinStations – RDP-TCP – Security Layer changed from 1 to 0.I didn't like doing this (not fully aware of the security "feature(s)" this disabled). Made no difference - backed it out.

Deleting and recreating collections did not help. Tried adding the server farm to the "Windows Authorization Access Group" (really only helpful for systems that began as Win 2k boxes). No go.

Put in a call with Microsoft. They give me a hotfix (which makes me a bit dubious - I didn't install it), and about 7 patches to run (which had been - our servers were up to date). I wasn't feeling it.

So I fired up procmon and monitored tssdis.exe on the broker servers. According to procmon, everything was a success - except for two keys missing from the registry on both broker servers: HKLM\Software\Policies\Microsoft\System\DNSClient. Procmon showed that key could not be read. Googling was useless, so I decided to manually create the key. Failed - procmon showed the key name as "New Key #1" no matter what I called it. Deleted it and used the following powershell command to successfully create the key: New-Item -Path HKLM:\Software\Policies\Microsoft\System -Name DNSclient -Value "Default Value"

The key was created. YAY! I still didn't know what needed going in there, it was just an empty key. I ran procmon again, and got a clue: tssids was trying to read a value: "PrimaryDNSSuffix" and returning blank. OK - inside of the "DNSclients" new key I created a new string value containing our internal domain name, doing this on both connection broker clients. The end result looked like this:

HKLM:\Software\Policies\Microsoft\System\DNSClient - "PrimarydnsSuffix"  "yourdomainname.com"

INSTANTLY, everyone connected. I could access everything using my acct and my testing accounts. The errors cleared up in the event logs. The sun began shining and the IT gods were, for awhile, placated.

OK - if you are getting 802, 1296, and 1306 errors in RDS 2012 R2 - before lessening security, and before modifying global GPO settings, just check procmon against tssdis.exe on the broker service and see if that key is missing. It's the only thing that worked for us.

I want to modify the RDP port from 3389 to 3500. However when I went into the registry and made the change.

Users were no longer able to login to their virtual desktop from the RDWeb website. 

I the went into the RD Gateway Manager and changed the Resource Authorization Policy to allow connections to 3500.

But that did not help either.

What are the right steps to modify the port so that when they click on the icon rdp connects to the correct port?

We have a XenApp 6.5 server farm which of course relies on RDS CALs and other things RDS.

How do I set up a new Win2k16 *TEST* RDS farm such that it does not conflict with anything involved with the XenApp farm??

For example, how should I specify where the test farm's TS/RDS profiles go, how should I do folder redirection for the test farm, etc.?? -- anything else?? -- can I use the same licensing server as used for XenApp?? (all the RDS licenses are entered therein)

We plan to replace XenApp 6.5 next year with an RDS farm anyway, so these questions must be answered and planned for. :)

I know I could do a single-server RDS farm but I want to be adventurous and try 1 gateway, 1 broker, 2 hosts with apps installed, serving a full desktop.

Thank you, Tom

Current Situation:

2 RDS Servers running Windows Server 2016, with a connection broker that load balances, this works well. 

However, i am getting the issue that seems to give the expected security prompt twice, once for each server.

For example, i connect to the remote desktop 'remote.domain.com' with the same gateway configured within the RDP shortcut.

When connecting , it asks for everything twice, for example, i click connect, it asks for my login:

I specify the login, including the remote domain.

It then asks me again:

I then specify the same account. 

It then goes through to the expected Security message:

I press yes, it then spins through and asks me again for the second RDS server.

Should RDS2 have a heavier load, RDS1 prompts the security message and after pressing yes the session loads, however if RDS1 is on a heavier load, it prompts for RDS1 then spins through and prompts for RDS2 then lets you in. 

Apologies if i am unclear i am new to this! 

Thanks in advance

We have a Server 2016 RDS farm with two collections.  The connection broker and the gateway were upgraded from 2012R2 to 2016 server.  We followed the Microsoft recommended in place upgrade because we are introducing a new Collection of 2016 RDS host. The farms/collections are working as expected and users are logged into both collections.  The old/previous collection has all 2012r2 RDS host and the new collection has all 2016 host. 

Here is my issue:

In server manager under the connections pane after highlighting the collection of the 2012r2 collection I can see all logged in users with no issue.  In the new 2016 collection I can not see any logged in users although users are connected and successfully log in.  We would like to see connected users in the new farm so that we can use tools such as shadow or force a user to log off.  I've opened server manager on several servers, including the connection broker and a domain controller thinking it was maybe my windows 10 RSAT that was having the issue, but none show users for the new 2016 farm.

hello

how many RAM und CPUs does we need for 100 Users on one RDP Server?

our 2008 has 32GB RAM und4 CPU for 100-150 User.

Chris

Hi there,

I'm a left-handed person. So I use the mouse with my left hand and naturally I use "Switch primary and secondary buttons" mouse control panel option.

When it comes to RDP connections, I almost always connect to the desktops where "Switch primary and secondary buttons" is set for right handed people. When I'm inside an RDP session the mouse stops respecting my mouse settings and apply guest desktop settings which creates a lot of confusion to me.

Is there a way to setup my RDP client so that it automatically handles right vs. left buttons translation ?

We are trying to map specific shared folders to specific users logging onto the RDS Server

we have 

RDS Server - "Server02"

5 Users who login to this RDS using RemoteAPP

User01
User02
User03
User04
User05

All users are memeber of Security Group "RemoteUsers"

We have File Server - "Server01"

And all 5 users have a shared folder assigned as below

User01 - \\server01\User01$
User02 - \\server01\User02$
User03 - \\server01\User03$
User04 - \\server01\User04$
User05 - \\server01\User05$

What we are trying to acheive is

When "User01" logs on to the RDS Server "Server02" we need to map drive letter S to "\\server01\User01$"

This is only specific to "server02" hence we have enabled"loopback policy" on this specific server. 

How do we achieve this mapping specific to this user, specific to this server?

Hi,

i'm trying to extend a Remote Desktop environment, consisting of an RD Gateway server and 2 Session Hosts. I came across a behavior when establishing the connection to the session hosts that I can't quite explain.
In my understanding, the connection-sequence is as follows: The client establishes a connection to the connection broker. This decides which session host is suitable, and returns the corresponding host, stating the IPv4 address and fqdn. (I use the RDP file generated via RD-Web).
Although I could not find a clear statement, the behavior seems that the client is now trying to establish the session based on the IPv4 address.
With this behavior, I now have 2 use cases that cause problems:
Access to RD-Farm via DirectAccess: After DirectAcces can not directly address IPv4 addresses, the connection will fail. A direct RDP connection to the session hosts specifying the fqdn works fine.
The second case concerns a NAT-linked external network segment. Although the DNS of the foreign network responds with the correct addresses from the transfer network, here too it seems that the client uses the internal addresses reported by the Connection Broker.

I am now at the end of my knowledge, and on the one hand would ask for your opinion on my stated behavior. Of course, I also gladly accept a solution proposal. Maybe there is a way to force the connection to the session host via fqdn. That should actually solve the problems described.

Thank you very much for any help

I am trying to set up an application on a Windows 2008 R2 Remote Desktop server. It is a fairly old application, and we are moving it from desktops to a terminal server (.....long story......domains merging.......legacy apps). There is a component of the application which just refuses to play nice. The application is a document management system (TechnologyOne ECM), and when you install it it adds a 'Send To' entry to Explorer. The idea is you right-click a file, select Send To ECM, and ECM opens up with the file ready to be registered.

The 'Send To' entry isn't a normal part of the application install - you need to do a custom install and select it - but on the image we apply to our PCs it wasn't installed, so whenever we re-image a PC we just uninstall this application, reinstall it and the missing Send To target works just fine. But I can't get it to work on a terminal server. I have tried the uninstall/reinstall trick, but this does not help. I have created a brand new VM and installed the application fresh, but this hasn't worked either  I have grabbed a copy of ShellExView and I can see that this component is listed as an installed shell extension. What normally happens on a PC is when a user first logs on, setup for this shell extension is triggered and the appropriate entry is added to the Send To menu. On a terminal server, this first-logon process does not seem to be being triggered for anyone other than the first user to log on.

I logged onto the terminal server as admin, and did a regsvr32 on the dll in question. The next time a user logged on to the terminal server, the first-logon process was triggered and the Send To entry was properly added and configured for that user, and that user was able to right-click a file, select Send To ECM and ECM opened as it should.

However, the first-logon process has not run for ANY subsequent users logging onto the terminal server. I am at my wit's end.....I have spent hours combing through Process Monitor logs......countless uninstall/reinstalls.......countless rebuilding-of-the-terminal-server-and-start-again episodes. Nothing I seem to do will make this shell extension register properly for anyone other than the first user of the terminal server.

If anyone has any ideas I would be most grateful.