Troubleshooting


General Admin Issues

Slowness (2) solutions

Issue:


Seeing some slowness when trying to connect in


Solution: 


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"DisableTaskOffload"=dword:00000001


Issue:


General Terminal Server Global turn offs for speed


Solution: 

Admin Command prompt:

netsh interface tcp set global autotuning=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled


Can't see collections

Issue:


Can't see Collections that were created by other users


Solution: 


  1. You must add Windows Authorization Access Group to the security tab in Active Directory
  2. There are two properties you have to set as Read msTSLProperty01
  3. To be able to see the Collections, you additionally need to add all the Servers in your Farm from Server Manager



Remote Desktop Services tools are not functional after you remove a server from Server Manager

PS C:\> Get-RDServer

Server                                             Roles
------                                             -----
rdhost1.contoso.com                                {RDS-RD-SERVER, RDS-CONNECTION-BROKER, RDS-WEB-ACCESS}
rdhost2.contoso.com                                {RDS-RD-SERVER}

PS C:\> Remove-RDServer rdhost2.contoso.com RDS-RD-SERVER

https://support.microsoft.com/en-us/help/2910155/remote-desktop-services-tools-are-not-functional-after-you-remove-a-se

Connection Broker Install (WMI firewall Access Denied)

Issue:


Failed: Could not create the Windows Management Instrumentation (wmi) Windows Firewall exception on <Server Name>. Could not create the Windows Management Instrumentation Windows Firewall exception on <Server Name>. System.Management.Automation.RemoteException: Access is denied.


Solution: 


Make sure you have no drive mappings in your Windows account.

RDWeb - Change published FQDN

Issue:


A common scenario where the ability to change the published name is useful is when your internal domain is .local, .private, .internal, etc.  For instance, you purchase and install a wildcard certificate (*.yourdomain.com) for use with RDS, but when your users connect they receive a name mismatch error because they are attempting to connect to rdcb.yourdomain.local.  This cmdlet allows you to change the FQDN they will use to a name that will match your certificate (rdcb.yourdomain.com).


Solution:

.\Set-RDPublishedName.ps1 -ClientAccessName "outside.domain.org" -ConnectionBroker "outside.domain.org"




https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

RDGateway Server Add error

Issue: 

"The RD RAP could not be created. The following error occured: wmi failure: unable to create resource access policy"  The error is 2147965800. Please check the eventlog on RD Gateway server


Solution: 


Put TEMP and TMP environment variables back to the classic location in c:\windows\temp


** Also make sure that your account can gain entry. Most likely need to make Users:RW  (domain users group, Read/Write/Modify)


** Put the computer into the Terminal Servers Computer group


** Needs a Reboot


To check this, click Start > Control Panel > System and Security > System > Advanced System Settings and click the Environment Variables button.

Under the System variables section, verify that both the TEMP and TMP environment variables point to a path on the same volume as the system volume. By default, they are set to the native location: %systemroot%\temp (i.e. c:\Windows\Temp).


(In 2016, it was set into the user profile. Also, didn't have permission to c:\windows\temp )


https://social.technet.microsoft.com/Forums/windowsserver/en-US/4f5f00aa-0d78-41e1-909a-4133fb0da6ce/wmi-failure-unable-to-create-resource-access-policy?forum=winserverTS


RemoteApps Cannot Publish App Instance (Error)

Issue:


You try to publish a RemoteApp, could not create a published application instance on the server.


Solution (1):


Make sure that your Certificates are valid

Check certs here


RemoteApps not showing on Web Interface

Issue:


You publish a RemoteApp, but it does not show up for you on the Web Interface


Solution (1):


You must make sure that you have the User/Groups listed in the Remote Collections configuration.




Solution (2):


Make sure that you have added the group allowed to connect in too if you're using the Broker server
Connection Authorization


RDSH Not Load Balancing

Issue:


Seems to be accepting some connections, but people reporting they cannot connect


Solution:


Make sure that the Remote Desktop Service is started on all Farm nodes. 


Also ensure that you see "OK" in the farm statuses. You can confirm in the console that all nodes are being seen and are green.

Desktop Client Access License has been Modified

Issue:


the remote session was disconnected because the remote desktop client access license stored on this computer has been modified


Solution:


Click on Start

In the start search box type REGEDIT and press enter.

In the registry editor access the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing


https://answers.microsoft.com/en-us/windows/forum/windows_7-networking/remote-desktop-error/79fb6b83-cba8-40e4-9ca3-4e5f3d8b9371


Remote Desktop Connection cannot verify that the computer belongs to the same RD Session Host Farm

Issue:


This is the Error you'll get if you do not list all servers. In this case, it could not connect to a recently-added group



RDP gateway no good



Solution:


See the "Setting the Servers for the Farm" section


Adding Session Host into RemoteApp Pool

Issue:


Can't see the session host when you click Add Session Host


Solution:


Go to Overview and in the RD Session Host GUI, Right Click and Add Session Host Servers



Changing the Server Manager to Another RDS Farm

Issue:


Can't seem to figure out how


Solution:


2018-03-28 15_19_24-CRHRDPORMIS1 on vmesxh23.snet.crouse.org

Error: Unable to display RD Web Access

Issue:

An unexpected error has occurred that is preventing this page from being displayed correctly.
Viewing this page in Internet Explorer with the Enhanced Security Configuration enabled can cause such an error.
Please try loading this page without the Enhanced Security Configuration enabled. If this error continues to be displayed, please contact your administrator.



Solution:

Reboot your computer! or try another Browser

Redirect the Default Web Site to /RDWeb

Issue:


Get the Microsoft Stock Landing page


Solution: 


2018-03-29 19_01_54-Clipboard


Website is asking for Credentials when Launching App

Issue:


When you launch an app, you are re-prompted for credentials


Solution: 


Ensure that you're using Internet Explorer and that the site is a Trusted Site in your browser

Also, in the Trusted Site "Custom Level", go to the bottom and check the setting for passing current username and password (not just Local Intranet). The setting applies to every site in the Trusted Sites zone, so keep that list limited to hosts you control.

1. Click Sites and add the site (e.g. https://gateway.server.com)
2. Click on Custom Level
3. Scroll to the bottom and click "Automatic logon with current user name and password"



RemoteApps taking LONG time to connect in (60+ seconds)

Issue:


When you launch an app, there is a significant delay between the time you launch the RemoteApp and the time it loads


Solution: 


Ensure that port 3389 (RDP) is opened on your Firewall to the RD Broker server

Make sure you Bypass Settings on Gateway Server

Earlier in this book I said to make sure it's unchecked. However, Microsoft has suggested that this be enabled. This did help the 60+ second connection issue


Set [Computer] GPO (either local or domain) for security to Negotiate from Security Layer RDP




Kill RemoteApps Process

Issue:


Sometimes you need to kill the process


Solution: 


The process that RemoteApps work under is:  wksprt.exe

Cannot Change Password on Login screen

Issue:


By default, the Change Password mechanism is disabled.


Solution: 


You have to enable this by editing the file  %windir%\web\Pages\web.config

Set the value PasswordChangeEnabled to true


RDS Change Icon

Issue:


Need to change icon


Solution: 


Set-RDRemoteApp -CollectionName "Remote Desktop" -Alias "MEDENT_RDS" -IconPath "c:\medent\bin\webmed.exe" -IconIndex 0

Set-RDRemoteApp : A Remote Desktop Services deployment does not exist

Issue:


Set-RDRemoteApp : A Remote Desktop Services deployment does not exist on <rdsserver.domain.com>. This operation

can be performed after creating a deployment. For information about creating a deployment, run "Get-Help

New-RDVirtualDesktopDeployment" or "Get-Help New-RDSessionDeployment".


Solution: 


Run PowerShell as ADMIN

Cannot Connect to RDP Message

Issue:


A user with a heavily locked down computer could not connect. Getting this message



RDGateway-denied

What I noticed: 


When you log into the RDWeb webpage, we weren't getting the message illustrated here. When you click on the icon, you'd get that ugly error message. Also, the custom RDP file would not launch either

The environment was extremely locked down, so I think that may have played a part in it

RemoteAppsConnectedBubble

Solution: 


We created a Work Resource (available in Win 7 and higher) to our Gateway server. Once logged in, the bubble above popped up and the user--after an unusually long delay--was able to connect in


Solution 2: 


This can also be a locked-out user or disabled account.

An authentication error has occurred. The function requested is not supported

Issue:




Solution: 


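REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2

-or- as a .reg entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

AllowEncryptionOracle accepts 0 (Force Updated Clients), 1 (Mitigated) and 2 (Vulnerable). A value of 2 lets the client fall back to an unpatched CredSSP server, so treat it as a temporary workaround: patch both ends, then set the value back to 0 or 1 or delete it.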

iOS Devices get an error when connecting  0x00000904

Issue:


0x000000904


Solution: 


In Local Security Policy (secpol.msc) on your Gateway machine, Enable this setting, followed by a "gpupdate /force"

secpol_0x000000904

An authentication error has occurred (Code: 0x607).


1. Please make sure all client devices have at least RDP 8.0 capable client software.  For PCs, this means clients should have mstsc.exe version 6.2.9200 or later, with 6.3.9600 (RDP 8.1) or later preferred.  For iOS, OSX, Android, Windows Mobile, this means using the latest version of the Remote Desktop app available from the respective app store.

2. On your RD Session Host servers only (not your broker), please delete the following registry value:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    SSLCertificateSHA1Hash     

NOTE:  Again, do not delete the above value from your broker.  Only your RDSH servers.

After making the above changes, please test to make sure the issue has been resolved.
 
https://social.technet.microsoft.com/Forums/en-US/e0f8f58f-58c9-49fc-9d48-f6bfde830f17/rdweb-authentication-error-0x607?forum=winserverTS

Can't connect to RD Gateway server from Windows 10, or Windows 7 with RDP v7.1 or below

Issue:

"Your Computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance."

Solution:

HKCU\Software\Microsoft\Terminal Server Client\
      RDGClientTransport     REG_DWORD     0x00000002

     // (1 - RPC, 0 - default, 2 - remoteDesktopGateway (WinHTTP))

Additional Data (Windows 7, RDP Version 7.1 or earlier):

A hotfix (KB2574819) followed by RDC version 8.0 (KB2592687).
 
https://social.technet.microsoft.com/Forums/office/en-US/8d7a95eb-9508-4725-8f13-5992c19cfb9f/cant-connect-to-rd-gateway-server-from-windows-10-1709?forum=winserverTS

How to tell your RDP version?

Launch Remote Desktop Connection from the START menu

Click the Window icon and select About


Ignore missing channel bindings on the Gateway server

Set the EnforceChannelBinding registry value to 0 (zero) to ignore missing channel bindings on the Gateway server. To do this, locate the following registry subkey, and use the given specifications:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core

Type: REG_DWORD
Name: EnforceChannelBinding
Value: 0 (Decimal)

Note: By default, the EnforceChannelBinding value does not exist on the Gateway server. You must create this value.
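
One way to check whether the two relaxations described on this page (AllowEncryptionOracle = 2 for CredSSP, EnforceChannelBinding = 0 on the Gateway) are still set on a machine, so that a temporary workaround is not left behind. This is an added example, not part of the original page; the function name Get-RdsWorkaroundState is hypothetical and it only reads the local registry.

```powershell
# Added example. Value names and registry paths are the ones given on this page;
# the function name Get-RdsWorkaroundState is made up for this sketch.
function Get-RdsWorkaroundState {
    $checks = @(
        @{  Name    = 'AllowEncryptionOracle'
            Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
            Meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
            Relaxed = 2 },
        @{  Name    = 'EnforceChannelBinding'
            Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'
            Meaning = @{ 0 = 'Missing channel bindings are ignored' }
            Relaxed = 0 }
    )
    foreach ($c in $checks) {
        # Returns $null when the key or the value does not exist.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $value = $null; $state = 'Not set (OS default applies)'; $relaxed = $false
        } else {
            $value   = [int]$item.($c.Name)
            $state   = if ($c.Meaning.ContainsKey($value)) { $c.Meaning[$value] } else { 'Other value' }
            $relaxed = ($value -eq $c.Relaxed)
        }
        New-Object PSObject -Property @{
            Name = $c.Name; Value = $value; State = $state; WorkaroundActive = $relaxed
        } | Select-Object Name, Value, State, WorkaroundActive
    }
}

Get-RdsWorkaroundState | Format-Table -AutoSize
```

Run it on clients for the CredSSP value and on the Gateway server for EnforceChannelBinding; a row with WorkaroundActive = True marks a setting to revisit.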


PowerShell Server Maintenance

Issue:

Example to remove an invalid License server

Solution:

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\admin> Get-RDServer

Server                                             Roles
------                                             -----
Server1                                            {RDS-RD-SERVER, RDS-CONNECTION-BROKER, RDS-WEB-ACCESS, RDS-GATEWAY}
Server2                                            {RDS-LICENSING}

PS C:\Users\admin> Remove-RDServer Server2 RDS-LICENSING

Confirm
Removing server from the Remote Desktop deployment. Do you want to continue?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

PS C:\Users\admin> Get-RDServer

Server                                             Roles
------                                             -----
Server1                                            {RDS-RD-SERVER, RDS-CONNECTION-BROKER, RDS-WEB-ACCESS, RDS-GATEWAY}

https://support.microsoft.com/en-us/help/2910155/remote-desktop-services-tools-are-not-functional-after-you-remove-a-se

Some patches that might be useful for Win7

http://support.microsoft.com/                WIN7-WORK  Update           KB2592687  WIN7-WORK\Administrator  12/11/2018
http://support.microsoft.com/?kbid=2574819   WIN7-WORK  Update           KB2574819  WIN7-WORK\Administrator  12/11/2018
http://support.microsoft.com/?kbid=2952664   WIN7-WORK  Update           KB2952664  NT AUTHORITY\SYSTEM      12/10/2018
http://support.microsoft.com/?kbid=3177467   WIN7-WORK  Security Update  KB3177467  NT AUTHORITY\SYSTEM      12/11/2018
http://support.microsoft.com/?kbid=4457044   WIN7-WORK  Update           KB4457044  NT AUTHORITY\SYSTEM      12/10/2018
http://support.microsoft.com/?kbid=4459934   WIN7-WORK  Update           KB4459934  NT AUTHORITY\SYSTEM      12/10/2018
http://support.microsoft.com/?kbid=4467107   WIN7-WORK  Security Update  KB4467107  NT AUTHORITY\SYSTEM      12/10/2018

Enable TLS 1.1/1.2 by Default in Win7

Issue:

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

Solution:

The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.

DefaultSecureProtocols Value    Protocol enabled
0x00000008                      Enable SSL 2.0 by default
0x00000020                      Enable SSL 3.0 by default
0x00000080                      Enable TLS 1.0 by default
0x00000200                      Enable TLS 1.1 by default
0x00000800                      Enable TLS 1.2 by default

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi


A fatal error occurred when attempting to access the SSL server credential private key. 

Issue:

The error code returned from the cryptographic module is 0x8009030D. 

The internal error state is 10001." 

Solution:

  • The Remote Desktop Host Services service runs under the NETWORK SERVICE account. Therefore, it is necessary to set the ACL of the key file used by RDS to include NETWORK SERVICE with "Read" permissions. To modify the permissions follow the steps below:

    Open the Certificates snap-in for the local computer:

    1. Click Start, click Run, type mmc, and click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and click Add.

    4. In the Certificates snap-in dialog box, click Computer account, and click Next.

    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and click Finish.

    6. In the Add or Remove Snap-ins dialog box, click OK.

    7. In the Certificates snap-in, in the console tree, expand Certificates (Local Computer), expand Personal, and navigate to the SSL certificate that you would like to use.

    8. Right-click the certificate, select All Tasks, and select Manage Private Keys.

    9. In the Permissions dialog box, click Add, type NETWORK SERVICE, click OK,  select Read under the Allow checkbox, then click OK.

    https://serverfault.com/questions/541364/how-to-fix-rdp-on-windows-server-2012


Disable UDP  (Loading Virtual Machine)

Set-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services\Client' 'fClientDisableUDP' 1

-or-

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v "fClientDisableUDP" /t REG_DWORD /d 1 /f