RDP single server solution with per user licenses

  • Question

  • I am new to RDP so explicit answers / suggestions are very welcome. 

    A small organization wants to update their 2008 server to a more recent version of Windows Server and move it to the cloud. They will be supporting up to 6 Remote Desktop clients running Microsoft Web Expression 4 (yes, it’s obsolete / unsupported) and Office 365.

    As a test we set up an Azure 2008 VM using the two administrative RD connections and installed Expression. This configuration works well for them except that they need valid licenses and up to 6 concurrent RDP sessions (per user, not per client licenses) and would like to be using Windows 2016 or 2019. 

    We would like to make this as simple and inexpensive as possible by using a single server. We are planning on following the solution outlined in the article below. 

    https://support.microsoft.com/en-us/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service

    I am looking for suggestions / advice on choosing a VM configuration that will perform well as a single server solution for 6 remote connections with relatively light demands.

    Thanks

    Friday, October 18, 2019 6:13 AM

Answers

  • Andy and all, this is resolved.

    The problem was not with the server. The RDP clients had the ‘Connect to an admin session’ option enabled, which was forcing all connections to be admin sessions and limiting the number of connections to two.

    After using Azure for the first time to set up a VM, I assumed the problem was with how I set up the server and never considered looking at the client configurations.

    Thanks for your help with this!

    Bill

    • Marked as answer by Bill_Ferguson Thursday, October 24, 2019 4:28 PM
    Thursday, October 24, 2019 4:27 PM
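
    The client-side check that the answer above points to, as an added example that is not part of the original thread: a PowerShell scan of one user profile for saved connections that request an administrative session. It assumes Windows clients that keep their connections as .rdp files (where the setting is `administrative session:i:1`) or as mstsc.exe shortcuts using `/admin`; the thread does not say which RDP client was in use, and `$Root` and the function name are hypothetical.

```powershell
# Added example (not from the thread). Assumes Windows clients that keep their
# connections as .rdp files or mstsc.exe shortcuts somewhere under $Root.
param([string]$Root = $env:USERPROFILE)

function Find-AdminSessionClients {
    param([string]$Path)

    # .rdp files: "administrative session:i:1" requests an administrative session.
    # -Force includes the hidden Default.rdp; Get-Content honours a UTF-16 BOM.
    Get-ChildItem -LiteralPath $Path -Filter *.rdp -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if ($lines -match '^\s*administrative session:i:1\s*$') {
                [pscustomobject]@{ File = $_.FullName; Reason = 'administrative session:i:1' }
            }
        }

    # Shortcuts that start mstsc.exe with /admin (or the older /console switch).
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Path -Filter *.lnk -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match '\\mstsc\.exe$' -and
                $lnk.Arguments  -match '(^|\s)/(admin|console)(\s|$)') {
                [pscustomobject]@{ File = $_.FullName; Reason = "mstsc $($lnk.Arguments)" }
            }
        }
}

$found = @(Find-AdminSessionClients -Path $Root)
if ($found.Count -eq 0) {
    Write-Output "No saved connection under $Root requests an administrative session."
} else {
    $found | Format-Table -AutoSize -Wrap
}
```

    Run it on each client machine under the affected user's account; any file it lists will open an administrative session rather than a regular RDSH session.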

All replies

  • Hi,
    We must use W2019 RDS per CAL in an AD domain environment, so we need to install ADDS, ADCS, RDSH and RDLS on the same W2019 server.
    When installing the RDLS role on a domain controller, we need to check whether we have added the 2 accounts below (Network Service account and DC hostname) on the DC, like picture 1.
    "The computer account for the license server must be a member of the Terminal Server License Servers group in AD DS. If the license server is installed on a domain controller, the Network Service account must also be a member of the Terminal Server License Servers group"
    https://support.microsoft.com/en-us/help/2473823/best-practices-for-setting-up-remote-desktop-licensing-terminal-server

    The problem below may occur when we deploy RDLS on a DC; we can use the document below to fix it.
    FIX Event ID 4105: Remote Desktop license server cannot update the license attributes for user in Active Directory Domain.
    https://www.wintips.org/fix-event-id-4105-remote-desktop-license-server-cannot-update-the-license-attributes-for-user-in-active-directory-2008-2012-2016/


    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Friday, October 18, 2019 1:24 PM
    Moderator
  • Thanks Andy. We had a test server using Windows Server 2016 on Azure using the steps outlined in:

    Installing the Remote Desktop Session Host role service on Windows Server without the Connection Broker role service

    https://support.microsoft.com/en-us/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service

    We do not have CALs yet - we intend to use the RD licensing 120 day grace period to test the server configuration before purchasing the CALs. 

    We are running into a problem where we are limited to two RD clients - apparently using the administrative connections. Remote Desktop Licensing server has been activated on the server.

    I’ve added ADCS and verified that NETWORK SERVICE and our DC / RD server are members of Terminal Server License Servers as you suggested but we are still limited to two sessions. 

    We get the following event on the DC server:


    ac9 5774 Error NETLOGON System 10/18/2019 5:12:51 PM

    The dynamic registration of the DNS record 'corp.ac9.org. 600 IN A 10.0.1.4' failed on the following DNS server:  

    DNS server IP address: :: 

    Returned Response Code (RCODE): 0 

    Returned Status Code: 0  

    For computers and users to locate this domain controller, this record must be registered in DNS.  

    USER ACTION  

    Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. 

      Or, you can manually add this record to DNS, but it is not recommended.  

    ADDITIONAL DATA 

    Error Value: Bad DNS packet.

    Running dcdiag.exe everything passes except:

          Starting test: DFSREvent

             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL

             replication problems may cause Group Policy problems.

             ......................... ac9 failed test DFSREvent

    Running nltest.exe as suggested…

      PS C:\Users\bill> nltest.exe /dsregdns

      Flags: 0

      Connection Status = 0 0x0 NERR_Success

      The command completed successfully

      PS C:\Users\bill>

    After rebooting the server reported the following events:

    ac9 40961 Warning Microsoft-Windows-LSA System 10/18/2019 7:12:44 PM

    The Security System could not establish a secured connection with the server ldap/corp.ac9.org/corp.ac9.org@CORP.AC9.ORG. No authentication protocol was available.

    ac9 44 Error Microsoft-Windows-CertificationAuthority Application 10/18/2019 7:12:44 PM

    The "Windows default" Policy Module "Initialize" method returned an error. The specified domain either does not exist or could not be contacted. The returned status code is 0x8007054b (1355).  The Active Directory containing the Certification Authority could not be contacted.

    I’m new to Windows Server / ADDS and suspect that I’ve overlooked something simple in setting up this single server DC / RDSH / RDLS.

    Anyone have suggestions?

    Thanks,

    Bill

    Friday, October 18, 2019 8:03 PM
  • Hi,
    1. Did you install the ADDS role after you installed the ADCS role and configured the domain name?
    2. What other applications will be installed on a single session host server?
    3. Did you add the domain users to the Remote Desktop group on the session host server?

    Best Regards
    Andy YOU


    Wednesday, October 23, 2019 1:29 AM
    Moderator
  • Hi Andy,

    The error I previously reported:

    ac9 44 Error Microsoft-Windows-CertificationAuthority Application

    has been resolved by setting ADCS to Delayed Start.

    To answer your questions:

    1. ADCS was installed / configured after ADDS.
    2. No apps have been installed yet, but we will eventually install: Office 365 E3 and Expression Web 4
    3. Yes, the domain users have been added to the server’s Remote Desktop Users group.

    Rebooting the server now generates these warnings:

    ac9 1014 Warning Microsoft-Windows-DNS Client Events System 10/23/2019 5:00:39 AM

    Name resolution for the name _ldap._tcp.dc._msdcs.corp.ac9.org. timed out after none of the configured DNS servers responded.

    ac9 6038 Warning Microsoft-Windows-LSA System 10/23/2019 5:00:54 AM

    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

    NTLM is a weaker authentication mechanism. Please check:

          Which applications are using NTLM authentication?

          Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?

          If NTLM must be supported, is Extended Protection configured? 

    Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

    ac9 10154 Warning Microsoft-Windows-Windows Remote Management System 10/23/2019 5:00:54 AM

    The WinRM service failed to create the following SPNs: WSMAN/ac9.corp.ac9.org; WSMAN/ac9. 

     Additional Data  - The error received was 10054: %%10054.

     User Action  - The SPNs can be created by an administrator using setspn.exe utility.

    And logging in generates this error:

    ac9 10016 Error Microsoft-Windows-DistributedCOM System 10/23/2019 5:03:04 AM

    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8D8F4F83-3594-4F07-8369-FC3C3CAE4919} 

     and APPID {F72671A9-012C-4725-9D2F-2A4D32D65169} 

     to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    My impression is that SPNs use Kerberos. Is the NTLM warning above connected to the authentication used by SPNs and causing the SPN failure? 

    Still looking to resolve why we are still limited to the 2 RD sessions. What is causing the server to not use RDSH when a remote connection is made? 

    Thanks,

    Bill

    Wednesday, October 23, 2019 7:11 AM
  • Hi,
    Thanks for your reply. I am glad to hear that the issue is solved.

    Best Regards
    Andy YOU

    Friday, November 1, 2019 3:11 AM
    Moderator