Best Practices Analyzer keeps saying to add groups/users to RDP Server 2008R2

    Question

  • Server 2008 R2, RDS running, licensed, 20 user CALs. When I run the Best Practices Analyzer it keeps telling me "The Remote Desktop Users group on the Remote Desktop Session Host server does not contain any domain users or groups." It keeps telling me to add them; they are already there: Domain Users and another group we use, Healthmatics Users. What am I missing?

    Thank you


    Sunday, November 18, 2012 9:19 PM

All replies

  • Hi,

    Did you add the groups to the local Remote Desktop Users group on the RDSH server, using Computer Management?  Are regular users able to use Remote Desktop to log on to your server, or are they getting an error?

    -TP

    Sunday, November 18, 2012 10:27 PM
    Moderator
  • Users can log on and work. The events in the Event Viewer are Event ID 4105 and 1012. This is a DC. Not sure what you mean, or how to add the groups to the local Remote Desktop Users group.
    Sunday, November 18, 2012 11:32 PM
  • Hi,

    1. Since this is running on a DC I would ignore the BPA message regarding the RDU group.

    2. In regards to the 4105 error, did you make NETWORK SERVICE as well as the server's computer account a member of the Builtin\Terminal Server License Servers group and then restart the Remote Desktop Licensing Service?  After making this change please log on as a user account that was triggering this error and see if it is logged again.

    3. Please post the exact/complete details of the event 1012 error/warning.

    Thanks.

    -TP

    Monday, November 19, 2012 12:25 AM
    Moderator
  • 1. OK.

    2. Yes, the server and Network Service are members of the Builtin\Terminal Server License Servers group. The 4105 is generated for each user/computer logging in to RDS. Is this where I need to add each user account? Here is that error:

    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-Licensing
    Date:          11/18/2012 7:17:02 PM
    Event ID:      4105
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      A4HS03.A4HS-DOM.local
    Description:
    The Remote Desktop license server cannot update the license attributes for user "Fuji11" in the Active Directory Domain "A4HS-DOM.local". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "A4HS-DOM.local".
    If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
    If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
    Win32 error code: 0x80070005
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-TerminalServices-Licensing" Guid="{4D99F017-0EB1-4B52-8419-14AEBD13D770}" EventSourceName="TermServLicensing" />
        <EventID Qualifiers="51456">4105</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-11-19T00:17:02.000000000Z" />
        <EventRecordID>16193</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>A4HS03.A4HS-DOM.local</Computer>
        <Security />
      </System>
      <UserData>
        <EventXML xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
          <param1>Fuji11</param1>
          <param2>A4HS-DOM.local</param2>
          <param3>0x80070005</param3>
        </EventXML>
      </UserData>
    </Event>

    3. Here is the 1012 error:

    Log Name:      System
    Source:        Microsoft-Windows-TerminalServices-RemoteConnectionManager
    Date:          11/18/2012 6:52:19 PM
    Event ID:      1012
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      A4HS03.A4HS-DOM.local
    Description:
    Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{C76BAA63-AE81-421C-B425-340B4B24157F}" EventSourceName="TermService" />
        <EventID Qualifiers="16384">1012</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-11-18T23:52:19.000000000Z" />
        <EventRecordID>16145</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>A4HS03.A4HS-DOM.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>a</Data>
      </EventData>
    </Event>

    Thank you for your help

    Monday, November 19, 2012 12:41 AM
  • Hi,

    To fix the 4105, please follow these instructions (they assume your schema is 2008 version):

    1. Log on to your 2008 R2 DC as an administrator
    2. Start--Run--adsiedit.msc
    3. In the left pane, navigate to where the OU for your users is located
    4. In the left pane, right-click on CN=<Your OU> and choose Properties
    5. On the Security tab, click the Advanced button
    6. Click the Add button, type Terminal Server License Servers and click OK
    7. On the Properties tab, select Descendant User objects in the Apply onto box
    8. In the Permissions box, select Allow for all of the following:

    Read msTSExpireDate
    Write msTSExpireDate
    Read msTSLicenseVersion
    Write msTSLicenseVersion
    Read msTSManagingLS
    Write msTSManagingLS

    9. Click OK, and click OK again to save your changes

    Please test by having a standard user log on to your RDS.  After the user has logged on, check the event logs of the server: there should not be an event ID 4105 Warning for the user in the System log, and there should be an event ID 4143 Information entry for the user under the Microsoft-Windows-TerminalServices-Licensing/Admin log.

    The 1012 error means that someone attempted to log on to your server via Remote Desktop and entered an incorrect username/password combination 5 times in a row.  This could be normal (user forgot their password), or it could mean someone is trying to guess usernames/passwords of your server.

    If your server is exposed directly to the Internet and you are seeing these 1012 errors frequently, I would recommend you change the default RDP port to something different, or implement RD Gateway.

    Thanks.

    -TP

    Monday, November 19, 2012 12:52 AM
    Moderator
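The ADSI Edit steps above can also be done from PowerShell, which makes the grant repeatable across several OUs and easy to verify afterwards. This is an added example, not code from the thread; it assumes a 2008 R2 DC with the ActiveDirectory module (RSAT) available, and `$OU` is a placeholder for your users OU.

```powershell
# Added example, not from the thread: the same grant as the ADSI Edit
# steps above, done from PowerShell on a 2008 R2 DC with the
# ActiveDirectory module (RSAT) available. $OU is an assumed placeholder.
Import-Module ActiveDirectory

$OU         = 'OU=Users,DC=example,DC=local'   # assumption: your users OU
$Group      = 'Terminal Server License Servers'
$Attributes = 'msTSExpireDate', 'msTSLicenseVersion', 'msTSManagingLS'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUID of a schema object (attribute or class) by its
# LDAP display name; failing here means the schema is older than 2008.
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    return [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'       # scopes the ACEs to descendant user objects
$sid = (Get-ADGroup -Identity $Group).SID
$acl = Get-Acl -Path "AD:\$OU"

foreach ($attr in $Attributes) {
    # One ACE per attribute: Read + Write property, inherit-only, user objects.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify what the group now holds on the OU (expect three ReadProperty, WriteProperty ACEs).
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The ObjectType column in the verification output is the attribute GUID rather than the name, so compare it against `Get-SchemaGuid` results if you want to confirm each ACE landed on the intended attribute.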
  • OK - the 4105 is gone....but I see this now in best practices scan:

    Issue:
    There are not enough Remote Desktop Services client access licenses (RDS CALs) installed to allow users and devices to connect to the Remote Desktop Session Host server.

    Impact:
    Some users or devices may not be able to connect to the Remote Desktop Session Host server.

    Resolution:
    Install more Remote Desktop Services client access licenses by using Remote Desktop Licensing Manager.

    I have 20 user CALs installed. I have more user accounts, but they are not being used. Does this mean that I am OK as long as not more than 20 users are connected at once?

    The 1012 is many entries. We have a PIX firewall, and I know our users are not trying to connect...

    Another question: we have two DCs, one 2003 R2 and one 2008 R2. I initially added specific users to the Remote Desktop Users group. Is this 2003, and Terminal Service Users is 2008?

    Monday, November 19, 2012 1:13 AM
  • Hi,

    RDS Licensing is not concurrent, it is either Per User or Per Device.  In your case you need a Per User RDS CAL for each unique user that connects to your RDSH server using Remote Desktop.  For example, say you have 100 employees in your company that use your RDSH server, but only 20 are logged on at any one time.  In this example you need to purchase 100 Per User RDS CALs.

    If your PIX firewall is simply forwarding the RDP traffic to your internal server then it makes no difference in regards to outsiders attempting to guess usernames/passwords.

    The Remote Desktop Users group exists in both 2003 Server and 2008/2008 R2.  Starting with 2008 R2, Terminal Server was renamed Remote Desktop Session Host and Terminal Services was renamed Remote Desktop Services, etc.

    -TP

    Monday, November 19, 2012 1:29 AM
    Moderator
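Since a port-forwarding firewall does not stop the guessing described in the 1012 explanation above, the useful next step is to see how many 1012 events each client name is producing. This is an added example, not from the thread; it runs in an elevated PowerShell session on the RDSH server, and `$Threshold` is an assumed value.

```powershell
# Added example, not from the thread: summarise event 1012 per client
# name for the last 24 hours on the RDSH server. $Threshold is an
# assumed value; tune it to your environment.
$Threshold = 5
$Since     = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
    Id           = 1012
    StartTime    = $Since
} -ErrorAction SilentlyContinue

# The client name is the single <Data> element under EventData
# (the "a" in the event pasted above); pull it from the event XML.
$records = foreach ($e in $events) {
    if (-not $e) { continue }
    $xml = [xml]$e.ToXml()
    New-Object PSObject -Property @{
        Time   = $e.TimeCreated
        Client = [string]$xml.Event.EventData.Data
    }
}

$summary = $records | Group-Object Client | Sort-Object Count -Descending | ForEach-Object {
    $ordered = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        Client = $_.Name
        Count  = $_.Count
        First  = $ordered[0].Time
        Last   = $ordered[-1].Time
    }
}

$summary | Format-Table Client, Count, First, Last -AutoSize

# Client names that are not your own workstations and keep hitting the
# threshold are the pattern to investigate, or to put behind RD Gateway.
$noisy = @($summary | Where-Object { $_.Count -ge $Threshold })
if ($noisy.Count -gt 0) {
    $msg = '{0} client name(s) produced {1} or more 1012 events in 24h' -f $noisy.Count, $Threshold
    Write-Warning $msg
}
```

Each 1012 already represents five failed attempts, so a client name with dozens of entries in a day is far beyond a forgotten password.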
  • I am seeing the 4143 in the event log. We only have 18 employees (users), so should I delete the user accounts that are no longer being used? The max we will ever have is 20, ever. I am still seeing this in the best practices scan:

    Issue:
    The Remote Desktop Users group on the Remote Desktop Session Host server does not contain any domain users or groups.

    Impact:
    If the Remote Desktop Users group on the RD Session Host server does not contain domain users or groups, users will not be able to connect to the RD Session Host server.

    Resolution:
    Use the Remote tab in the System Properties dialog box to add domain users or groups to the Remote Desktop Users group on the RD Session Host server.

    I have restarted the services and rescanned. Thank you for your patience and help.

    Monday, November 19, 2012 1:40 AM
  • Hi,

    For RDS Per User tracking you should create a report in RD Licensing Manager, and save the report as a .csv.  Then you can open the .csv file in Notepad and see actual Per User usage.  You need to periodically create these reports to monitor your usage and make sure you have enough Per User CALs.  If a user has not connected to your server in more than 60 days they will drop off of the report.

    Please ignore the BPA regarding the RDU group, as I mentioned above.

    Thanks.

    -TP

    Monday, November 19, 2012 1:53 AM
    Moderator
  • Thank you for the information here. Also, if connections are exceeded based on CAL licensing, will excessive attempts be denied?
    Monday, November 19, 2012 1:58 AM
  • Hi,

    Thank you for the information here. Also, if connections are exceeded based on CAL licensing, will excessive attempts be denied?

    No.

    -TP

    Monday, November 19, 2012 2:43 AM
    Moderator