Hi,
I'm trying to block domain users from accessing a computer through netlogon, so I denied them from accessing this computer through network (in secpol.msc),
Now these users can no longer connect to the workstation with remote desktop, (by default it uses TLS as negotiated), and now they got:
"The Local Security Authority cannot be contacted"
If I configure the terminal service to use RDP security layer, this problem would be gone.
Any thoughts?
Hi,
I have published few application through RDS 2012. I am trying to access the remoteapp using email ID option for windows 8 'Access remote apps and desktops'. I have created a record in DNS and able to resolve when enter user email ID and click on next in 'Access remote apps and desktops' wizard.
I am able to access RemoteApps through RDWeb or using the URL on windows 7 'Access remote apps and desktops' . On windows 8 machines as well I was able to access remoteapps through full URL (..../Feed/webfeed.aspx) initially but once I remove the connection and trying to recreate it as email ID or URL based, both options doesn't connect with Remoteapp published.
Any pointers would be appreciated. '
Regards,
Ok, re-trying this question, with more accurate information.
I have a client with a RemoteApp and RDGateway services facing the public internet. The conditions are these:
1) Able to log in successfully to the initial RD Web Access web page from any external location. No issues are being reported internally.
2) Able to launch published apps successfully only from some external locations.
3) Using same user credentials, launching published apps from other locations results in "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable" error.
4) From the same locations where launching a published app fails, I am able to make a direct RDP connection to the server running Gateway and RemoteApp services using the native RDP client in Windows.
5) There is no common ISP in the mix.
6) As far as I can tell, there is no CAP or RAP in effect that would cause only selective clients to connect
7) The client is using a DigiCert ssl certificate, not a self-signed cert.
8) The RD Broker service is installed and running.
Can anyone hazard a guess as to why this would be working from some external locations, yet produce the above-noted error at other sites? I will be happy to provide any additional information that mau be needed ... but I just don't know where to start looking.
Regards and thank you in advance.
Chris
It seems out of the blue, I can no longer RDP into any server. The setup is AD 2008 R2, one physical host, with 3 VM's. RDP has been fine for a couple of years, then just stopped.
No updates were done as I run WSUS and haven't had tmie to log in to approve anything in maybe 3 weeks. This issue occurs regardless of what system I am coming from (all Win7 systems). Also i I am at the server and RDP to one of the VM's, no go tghere either. However I can use Hyper-V manager to open standard console sessions to the VM's no problem, for what that's worth. All clients are Win7 systems and also haven't been updated in 3 weeks.
Interestingly, I also cannot pcAnywhere to the Hyper-V host. I have this in place as a backup in case RDP has issues.
So one would think something 3rd party is blocking this stuff. I have SEP 11 running with a nearly default firewall, allowing all traffic from server to server. Just the same I turned off this firewall, no change. Oddly, Windows Firewall was started. I generally disable the WFW service itself as that seems to be the only way to truely tuen if off, since having that plus a 3rd party firewall product is generally not recommended (two FW's on one system). I've followed this practice for years and in various environments without problem. I know you need WFW running to enable RDS, so I do that, then disable WFW.
So I am lost as to how to troubleshoot this since it apepars Symantec isn't the issue, and WFW shoulnd't be since I switch off the service itself, and yet I am getting nowhere. Event logs didn't log any errors at all during the times when I was testing this.
From the client end, in the mstsc window when I click Connect, within 2 secons I get the standard "remote machine isn't RDP enabled, machine is turned off, or machine isn't on the netowrk" kind of error. This happens the same if i use hostname or IP.
Event Logs on both the client and the server(s) contain no entries in Systme or Application hat are timestamped around when I do my logging in attempts.
I'm not sure if I can get anything from the Security event logs, it just has constant Succcess Audits for mydomain admin doing something or NULL SID doing something.
Hi,
to set correct locale and activate desktop guest Windows before rollback snapshot, I issued an unattended sysprep file.
It basically has settings for all Windows welcome screens, key, and commands to use KMS and activate.
Sysprep itself runs correctly using this file. If I power up template then, it will do all the configurations and start working.
But when I create collection off it (I don't use unattend.xml at this step!), creation halts displaying "press ctrl-alt-del" on the VDI's console.
Logging in, out, rebooting didn't help. Desktop creation doesn't continue.
If I don't use sysprep file, then it works, but I get wrong system-wide locale for non-unicode programs for all desktops, which is not acceptable.
Can anyone please help!
Also, is there any unattended sysprep file on RDCB, which is used during desktop creation (where it is located)?
What settings are required by desktop creation service?
Thank you!
I was wondering how to set up my ip ranges on my server for remote access? I can remote into it on my network, but cannot on a local network.
I am using windows 7.
Since I prefer to place the task bar on the top of the screen, I want to move the connection bar to the bottom of the screen when using remote desktop connection.
Otherwise, it gets quite annoying, because when I attempt to click a button on the task bar, and if the mouse pointer happens to hit the top of the screen, it keeps bringing down the connection bar. So, I want to place it to the bottom.
Is it possible?
I've been having some difficulty understanding how to be correctly licensed with all the VDI licensing changes that have been made recently.
In an environment where many users connect up to a Remote Desktop Session (not remoteapp or a virtual computer but to a full desktop on a RDS server):
What licenses do I need for users connecting from a shared thin client (Ex: HP T5540)? I'm thinking Windows CAL & Remote Desktop CAL & any application licenses they use (SQL, Office, Exchange, etc).
Do I need a VDI license for every thin client device as well? Isn't that what the RDS CAL is for (we license per user so it should cover these shared thin clients)?
And how does all of this change when you enter BYOD into the equation? (Ex: tablets)
Would it be better to get a VDI licenses for each thin client as well?
MCSE MCDBA
I am a enterprise admin/domain admin, member of local admin groups.
I checked all the settings logon through term services, remote desktop group. by default domain admins are members.
I get the message when I connect to the DC's: you must be grant allow log through term services........
so I ma wondering if the regedit setting somewhere is hosed.
Thanks
thanks
Hi all. This is a new problem and I suspect it is the result of an update because it was working fine 3 weeks ago. I can use remote desktop if I am inside our subnet but not if I am outside of it.
We have 2 sites and they are connected by a site to site VPN. Our DC's do not have the firewall turned on and they do not have Anti-Virus installed. The DC and the Mail server are VMs running on an ESXi server. I have attempted to RDP with my Win8 and Win7 laptops.
From home I have always been able to RDP to either site. Recently, I changed the port number that the border firewall listens for RDP. I tested it and used it several times with no problems. I haven't needed to remote in to site2 for a few weeks and now it gives me an error that says, "This computer cannot connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator." The error occurs after Remote Desktop shows "configuring remote session." I never get to the login.
If I remote to site1, which has the same border firewall configuration, I have no problem. After connecting to site1 if I RDP to Site2's DC through the site-to-site link I get the same error. The error occurs when I RDP to the mail server, too. I have a Win7 computer that we run vSphere on to manage the server and I get the same error when remoting to it BUT, if I RDP from site1 to another server in site2 and then, from that server, RDP to my DC, it works fine. Again, If I am at my desk inside the network RDP works fine.
It looks kinda like a firewall port forwarding problem but the forwarding rules don't come into play across the sit-to-site link. I am left with thinking that the subnet is somehow a factor.
I did try adding the two updates, kb2667402 and kb2621440, mentioned in this thread http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/a9a8c281-c5d5-4cf0-ac1b-38006b9c5fc4 but they were already installed.
I have looked in the error logs but did not see anything.
Thanks for the help. Let me know if you need more information.
Todd MacQueen MCTS, CEH, CHFI, Security+
I have been struggling with this one for a while. I have 2 sites with 2 different clusters in which I would like to use the same gold image to create and deploy VMs. I don't want to have multiple copies of the VM laying around as they will surely not be the same after some time.
This is what I was thinking. Please provide any feedback.
Keep the vm files on a DFS share (2008R2 file servers). Create the vm on one of the Hyper-V servers in Site A (my primary admin site). Apply my updates, etc. and then shut it down. If Site A goes down, I can import the VM in Site B, apply my updates, etc. and shut it down. The changes would then be replicated to Site A when it comes back up.
Is there a better way?
All of my powershell commands against my RDS 2012 VDI deployment are failing except for Get-RDConnectionBrokerHighAvailability with the error message:
PS C:\Users\administrator.JR> Get-RDCertificate
Get-RDCertificate : A Remote Desktop Services deployment does not exist on PRWINVDI-03.jr.local. This operation can be
performed after creating a deployment. For information about creating a deployment, run "Get-Help Set-VDIDeployment"
or "Get-Help Set-RDSHDeployment".
At line:1 char:1
+ Get-RDCertificate
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-RDCertificate
I have tried powershell with RunAs administrator and that did not work either. In addition, Get-Help Set-VDIDeployment does not exist nor does Set-VDIDeployment.
After some more prodding, it seems like the only way I can get it to work is to specify the individual host name that is the active conn broker machine like this: Get-RDVirtualDesktopCollectionConfiguration -ConnectionBroker prwinvdi-04.jr.local
it should work with the ha dns name like this: Get-RDVirtualDesktopCollectionConfiguration -ConnectionBroker rdcb2012.jr.local
any ideas?
I have set up a test Server 2012 RDS collection (Single Server for now) and implemented User Profile disks.
I have two problems.
First: My generic test user can connect and does successfully use the user profile disk as expected. However, atlogoff, the system event log contains these errors:
The error (NTFS 137) is: The default transaction resource manager on volume C:\Users\ts3.test encountered a non-retryable error and could not start. The data contains the error code.
The warning (NTFS 50) that concerns me is:
It appears that the user profile disk is being "disabled" or "disconnected" before the profile data is completely written at logoff. What can I do to troubleshoot this?
Second:
Update: A post from Mike Connor on the following page: -LINK- solved
the problem described below.
My administrative user always logs on now with a temporary profile. At the beginning, the UPD was working and mounting. That stopped working. In attempting to troubleshoot, I logged the admin user off and deleted the UPD disk file from the share. I remember it working again after generating a new UPD disk file in the share. Soon, it quit working again. I deleted the UPD disk file again from the share and ever since, it has never regenerated a new UPD andalways logs on with a temporary profile.
TS 2008 32bit Application Mode became Remote Administration Mode
Hi All
I've one TS 2008 32bit (not R2).
The problem is when we set up to Application Mode and run for few weeks. One day the TS became Remote Administration Mode suddenly.
No related event, the TS service still exist, but terminal service configuration showed that this server didn't installed the TS Role.
Then we can do is remove TS service and reinstall it from server management. And this TS back to work.
But after few days, the problem occurs again. from 11/15 - 12/10, it happened at least 3 times.
any suggestion?
Johnny_Yao
Hi,
I have a Windows 2008 R2 server running Remote Desktop services and configured with Mandatory Profiles. Its all working well except when our users attempt to logon to the server for the first time each day. They get an error:
"The Group Policy Client service failed the logon.
Access is denied."
If they immediately try to log in again, they are granted access, the mandatory profile loads, no problems.
But two 512 KB files appear and remain in their home directory that look like this:
NTUSER.MAN{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
NTUSER.MAN{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
So their profiles increase in size at a rate of at least 1 MB / day.
Their failed logon attempts create the following event ids in the Application log:
6004 - The winlogon notification subscriber <GPClient> failed a critical notification event.
1542 - Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.
6001 - The winlogon notification subscriber <Sens> failed a notification event.
In the Security event log I can see 6 Success events for logon, followed by a brief pause (for the user to click ok) and then 6 success events for logoff.
In the System event log, Winlogon reports:
7001 - User Logon Notification for Customer Experience Improvement Program
7001 - User Logoff Notification for Customer Experience Improvement Program
CEIP is disabled, btw.
If I delete the users profile through Advanced System Settings. They can log in again just fine, but the next day, they'll fail their first login and their profile will grow.
Any suggestions on how to trouble shoot?
Cheers
~ne
Hello,
The following error, an authentication error has occurred The local security authority cannot be contacted, appears when domain users, who have historically connected successfully using RDP, attempt to connect.
About the same time, user shares on workstations can not be accessed from other workstations. A similar error appears, saying the computer is not accessible, logon failure: the user has not been granted the requested logon type at this computer. The shares on the servers are accessible, as always.
One domain account, however, shows none of the symptoms. This account is in the domain local group administrators, but not in the group Domain Admins.
I have carefully compared the working account with the other accounts on the network, and cant find a difference that would break RDP.
I created a new user account and added it to the same group accounts as the working account. The new user account cannot connect.
One change to the network is that one Ethernet switch was replaced, but if this or the router has problems, that would affect all users.
DNS seems ok; the windows clients are not registering with DNS, but this problem has been around for while; typing the IP address into the RDP screen had been the workaround.
I have tried changing the setting in System Properties, from Control Panel, System, Remote Settings, to allow connections from computers without NLA, after reading some of the forums.
Any ideas? User Rights?
thanks,
Hi!
I have Windows Server 2008 R2 with Office 2013. When I log to server via rdp, I run the Outlook and view attachments(word, excel) doesn't work:
'This file can not be preview because there is no preview installed for it'.
When I start Outlook as RemoteApp or connect to server via rdp with option
'Start the program on connection' (outlook), attachments work.
Sorry for my English.
Thank's in advance.