For a RDS VDI test environment we decided to use an internal switch on the Hyper-V server. This is not working.
As a consequence, in Hyper-V the external network was not up. This resulted in the following error during the creation of a VDI collection:
Server computer.domain.com either does not have a virtual switch configured or none of the configured virtual switches have an IP address assigned
This is unlikely to be a concern in any type of real life environment because those will have the external NIC connected at all times. However, it may occur when you are in a test environment and are trying to isolate from the production environment.
Conclusion: You have to configure an external switch which is connected to a physical LAN cable. DHCP is enough but of course you can also set a static IP on the NIC.
In some cases you recieve an error when you try to connect trough the RD Gateway using a RDP Connection. The error is a generic error for the user and does not help you to find out the reason.
“Remote Desktop can’t connect to the remote computer “computername” for one of these reasons: …”
The Event Viewer on the RD Gateway server shows errors in the Microsoft\Windows\TerminalServices-Gateway\Operational log like this:
The user “domain\username”, on client computer “remote-ip”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server.
The following authentication method was attempted: “NTLM”. The following error occurred: “”
Also under the security logs you will find the Event 6274 Audit Failure. Error message: “The authentication or accounting record could not be written to the configured accounting datastore. Ensure that the logfile location is available, has available space, can be written to, and that the directory on the SQL server is available.”
Open up the Server Manager on your RD Gateway Server and expand Roles > Network Policy Server > NPS (Local) > Accounting. In the main section, click the “Change Log File Properties”.
Uncheck the checkbox “If logging fails, discard connection requests”. If you have a Server Farm for Gateways in use, make sure you configure all the Gateway Server the same way. After that try again to connect.
The way how to redirect the RDS Webinterface in TP4 of Windows Server 2016 didn’t really change. But from time to time it make sense to put things back on a blogpost.
There are two options to redirect your RDWeb straight to your personal URL.
First you can use the IIS redirection. The feature will be installed when you install the RDWeb Role.
Anyway, make sure the role is installed. Use the easy way of powershell to confirm – run following command:
Get-WindowsFeature -Name *Web-HTTP-Redirect*
After that start your IIS management console and navigate to the Default Website. Open “HTTP Redirect” and enter the URL you want to redirect to. For examlple https://rds.alschneiter.com/RDweb/Pages. This will redirect the user from http to https and also to the right place of the RDWeb.
Second option: You can use the application.Host.config file from IIS. Open the file with notepad or notepad++ in admin mode and navigate to the code:
<system.webServer> <httpRedirect enabled=“false” />
First enable the httpRedirect by changing “false” to “true” and add the rest of the code like this:
<httpRedirect enabled=”true” destination “https://rds.alschneiter.com/RDweb/Pages” />
For more details of the application.Host.config file visit https://www.iis.net/configreference/system.webserver/httpredirect
It seems to be a need to know the used ports by the Remote Desktop RD Gateway. Find a short overview bellow:
Internet –> Gateway WAN NIC:
UDP: 3391 (You have to enable UDP on the RD Gateway)
Gateway LAN NIC –> Session Host Servers:
TCP / UDP: 3389
Gateway LAN NIC –> Connection Broker Servers:
TCP / UDP: 3389
Gateway LAN NIC –> Domain Controllers:
TCP / UDP: 88
TCP / UDP: 389
TCP / UDP: 53
TCP / UDP: 445
TCP Dynamic Ports (NTDS RPC service )
Connection Broker Servers –> Gateway LAN NIC
TCP 5985 (WS-Management and PowerShell Remoting)
TCP: 3389 (Remote Desktop)
Let me know if this helps.
After blogging on sccmfaq.ch I finally started my own blog – blog.alschneiter.com. I’m focused on all the new and rising Microsoft Windows Client technologies. This includes stuff like, Windows 10, Configuration Manager (ConfigMgr), EMS, Office365, Azure RemoteApps, Remote Desktop Services (RDS), MDOP and much more! Just the modern workplace. Any questions to me? Feel free to contact me using this blog or twitter!
And, don’t miss all the technical deep dives, technical news and also some fun stuff. Subscribe right now!
In some cases (DNS changes, expired certificate, etc.) you have to renew a certificate on your RD Webservers. I hat to do this today on a environment wit two RD Web Servers load balanced by a F5 Loadbalancer. But just replacing the web certificate on the RD Connection broker was not enough.
For some reason the cert was not valid after the replacement.
- Delete all the old certificates in the personal store of the RD Webservers
- Reboot the Webservers
- Request a new certificate by using certlm.msc of one of the RD Webservers
- Export the .pfx file for the Connection Broker
- Redeploy the certificate using the Server Manger / Remote Desktop Services / Deployment Overview / Tasks / Edit Deployment Settings
This should allow you to access the RD Websites without having any certificates warnings.
During a VDI deployment by one of our customer we ran into an issue with the RDS Connection Broker in HA mode. The user were unable to login to the pool.
The error in the RD Management Server Event Log showed up with Config sync failed. Following error occurred: 0x88250001
One of the reason causes this issue was the Licenensing Server which did not have a User or Device selection. So we changed that to “User” for our case.
But after this, users where still unable to login.
To get rid of this error, change the active Connection Broker Server using the Remote Desktop Management Admin Console:
Deployment Overview – Tasks – Set Active Remote Desktop Connection Broker server
This solved the logon problems to the VDI Pool.
Hope this helps someone.
Hi – It’s me, Al
Blog post updated: July 19th 2017
Remote Desktop Services (RDS) on Windows Server 2012 R2 is now on market since a while. Let’s have a look at the 2012 R2 Certificate configuration (for a Lab).
First we have to create a template on the internal Certificate Authority (CA). We use a Workstation Authentication Template for that. Open your CA Manager – Cartificate Templates – Manage
Duplicate the “Workstation Authentication” Template.
Continue reading “How to deploy Remote Desktop Services 2012 R2 Certificates using internal CA #RDS”