Remote Desktop Services – Connection Errors

KB ID 0001132

 

Below is not an exhaustive list of connection errors, it’s just some things that have tripped me up. If you have a nasty error that you have fixed, feel free to drop me a line, send me some screenshots and the fix, and I’ll add them as well.

General Errors

Remote Desktop can’t connect to the remote computer for one of the following reasons;

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

Probably the most common (and easiest to troubleshoot) of RDP errors. Firstly, ensure that the server is actually ‘listening’ for RDP connections; on the SERVER issue the following command;

[box]

netstat -an | find /i ":3389"

[/box]

You should see it LISTENING (Note: Below it’s listed twice because it’s listening on IPv4 and IPv6).

If it’s not, then the service might not even be running. Look in Services, and ensure the following services are running;

  • Remote Desktop Services
  • Remote Desktop Services UserMode Port Redirector

Make sure that RDP has been allowed on the local firewall of the RDP server. In the past I’ve seen a bug on some versions of Windows where, even with the firewall disabled, things didn’t work unless RDP was allowed in the firewall settings. (I know that makes no sense, but I’ve seen it, particularly for remote VPN traffic).
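The server-side checks above (listener, the two services, the local firewall) can be run in one pass. This is an added example, not part of the original article; it assumes Windows 8 / Server 2012 or later, an elevated session on the RDP server, the standard Terminal Server registry location, and the short names `TermService` and `UmRdpService` for the two services listed above.

```powershell
# Added example: server-side RDP health check (run elevated ON the RDP server).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = @()

# 1. Is Remote Desktop enabled at all? (fDenyTSConnections = 0 means enabled)
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -ne 0) { $findings += 'Remote access is disabled (fDenyTSConnections is not 0).' }

# 2. Which port is the listener configured for? (normally 3389)
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($port -ne 3389) { $findings += "RDP listener is configured for non-default port $port." }

# 3. Is anything actually LISTENING on that port? (PowerShell form of netstat -an)
$listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -eq 0) { $findings += "Nothing is listening on TCP $port." }

# 4. Are both Remote Desktop services running?
$services = Get-Service -Name TermService, UmRdpService
foreach ($svc in $services) {
    if ($svc.Status -ne 'Running') {
        $findings += "Service '$($svc.DisplayName)' is $($svc.Status)."
    }
}

# 5. Is there an enabled inbound Allow rule in the 'Remote Desktop' firewall group?
#    (-DisplayGroup is the English group name; it differs on localised systems.)
$rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' })
$allowed = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
if ($allowed.Count -eq 0) { $findings += 'No enabled inbound Allow rule in the Remote Desktop firewall group.' }

# Summary
[pscustomobject]@{
    RemoteAccessEnabled = ($deny -eq 0)
    ConfiguredPort      = $port
    ListeningAddresses  = ($listeners.LocalAddress -join ', ')
    ServicesRunning     = (@($services | Where-Object { $_.Status -ne 'Running' }).Count -eq 0)
    FirewallAllowRules  = $allowed.Count
} | Format-List

if ($findings.Count -eq 0) {
    'No server-side problems found; move on to testing from the client.'
} else {
    $findings | ForEach-Object { "CHECK: $_" }
}
```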

Test RDP Connectivity

From a machine ON THE SAME NETWORK as the target RDP Server, first see if you can ping the server by both IP address and hostname. (This is more for peace of mind; remember the server might not respond to pings but might be responding to RDP traffic.)

Then test that the machine you are on can get to the RDP server on the correct port, (TCP 3389*)

[box]

Test-NetConnection {IP-Address-or-Hostname} -Port 3389
OR
Test-NetConnection {IP-Address-or-Hostname} RDP

[/box]

Providing this works, now try the SAME tests from outside your network, i.e. outside the firewall, or on a remote VPN connection etc.

*RDP Port Note: Normally RDP is on TCP 3389, check on the server just in case someone’s changed the RDP listening port number, or the firewall is expecting you to connect on another RDP port.

Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Solution for Windows 10: I struggled with this for a while, all forum posts refer to Windows 7/8 and the problem was caused by a Windows update (KB2592687), that needed to be removed. But I was connecting with Windows 10? This was the resolution;

Create/Edit a 32 bit DWORD value called RDGClientTransport in your registry at;

[box]

HKCU > SOFTWARE > Microsoft > Terminal Services Client

[/box]

Set its value to ‘1’ (one).

Also See Remote Desktop Web Access – Connection Error


Your computer can’t connect to the remote computer because your computer or device did not pass the Network Access Protection requirements set by your network administrator. Contact your network administrator for assistance.

You normally see this error if one (or more), of your Remote Desktop Role servers does not have the correct certificate installed on it, (or the certificate it does have has expired).

Server Manager > Remote Desktop Services > Collection > Task > Select your collection > Task > Edit Deployment Settings > Certificates > Check and reinstall each one as required.

Remote Desktop Gateway Errors

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect. Type a valid Remote Desktop Gateway server address.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

The machine trying to connect needs to be able to resolve the ‘public name’ of the Remote Desktop Gateway server. And this may not be the hostname of the server! As you can see in the image above the Gateway server name is set to rdg.smoggyninja.com. The important thing is when I ping this name, it resolves to the correct IP address, (mine responds to pings, yours probably won’t if you’re connecting through a firewall.)

In some cases you need to set the public name of the Remote Desktop Gateway server, in the server’s IIS Settings. On the Gateway server > Start > Administrative Tools > Internet Information Services (IIS) Manager > {Server-name} > Sites > Default Website > RDWeb > Pages > Application Settings > Set ‘DefaultTSGateway’ to the public name of the gateway server. Then from command line run ‘iisreset’ to restart the web services.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

In most cases this should be easy to fix, if you use self signed certificates make sure your CRL settings and/or OCSP settings are correct. If you use a publicly signed cert make sure your client can contact the publisher’s CRL (look on the properties of the certificate).

Check the Obvious: It’s saying the RDG cert has expired, make sure it’s in date! On the Gateway Server, launch Server Manager > Remote Desktop Services > Collections > {Collection-name} > Tasks > Edit Deployment Properties.

Certificates > RD Gateway > View Details > Is it in date?

Everything is OK? But I’m Still Getting This Error? Are you publishing the Gateway with something else like Web Application Gateway? Threat Management Gateway? Load Balancer? Look in that direction.
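To see the certificate exactly as the failing client sees it (validity dates, chain trust, and whether the CRL/OCSP endpoints are reachable from that client), the check can be scripted. This is an added example, not part of the original article; `rdg.example.com` is a placeholder for your gateway's public name, and port 443 is assumed.

```powershell
# Added example: run on the CLIENT that gets the certificate error.
param(
    [string]$GatewayName = 'rdg.example.com',   # placeholder: the gateway's PUBLIC name
    [int]$Port = 443                            # assumed HTTPS port for RD Gateway / RD Web
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, even if it is bad.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

$cert = Get-RemoteCertificate -HostName $GatewayName -Port $Port
$now  = Get-Date

# Build the chain with ONLINE revocation checking for every certificate in it,
# so an unreachable CRL/OCSP endpoint shows up as a chain status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)

$dnsName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

[pscustomobject]@{
    ConnectedTo = "${GatewayName}:$Port"
    Subject     = $cert.Subject
    DnsName     = $dnsName
    Issuer      = $cert.Issuer
    NotBefore   = $cert.NotBefore
    NotAfter    = $cert.NotAfter
    InDate      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    DaysLeft    = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    ChainValid  = $chainOk
} | Format-List

# Translate the chain statuses that match the causes discussed above.
$hints = @{
    'NotTimeValid'            = 'a certificate in the chain is outside its validity dates'
    'Revoked'                 = 'a certificate in the chain has been revoked'
    'RevocationStatusUnknown' = 'revocation could not be checked from this client'
    'OfflineRevocation'       = 'the CRL/OCSP endpoint is unreachable from this client'
    'UntrustedRoot'           = 'this client does not trust the issuing CA'
    'PartialChain'            = 'an intermediate CA certificate is missing'
}
foreach ($status in $chain.ChainStatus) {
    $name = $status.Status.ToString()
    $hint = if ($hints.ContainsKey($name)) { $hints[$name] } else { $status.StatusInformation.Trim() }
    "CHAIN: $name - $hint"
}
```

If the subject or issuer shown is not the certificate you installed on the gateway, the connection is being terminated by whatever is publishing it.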

Also See Remote Desktop Web Access – Connection Error

Related Articles, References, Credits, or External Links

NA

FreeRDP Error: 0x2000D

KB ID 0001416

Problem

The day after I had deployed some RDP Web access servers, I got the call that all the Linux (Intel NUC Thin clients), could not connect to the RDP farm, all the windows machines were fine?

Error

[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core.transport] – BIO_read returned a system error 14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core] – freerdp_set_last_error ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x2000D]
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.client.x11] – Freerdp connect error exit status 1

Solution

I was confused, because I’d not done any work on the Connection Broker? (All the thin clients are ‘in-house’). While support started building a new broker, I researched the error online.

The reason this had started, was because of a Windows update KB4088776. After removing this update from the ‘Session Hosts’ and the ‘Connection Broker’, the Linux (FreeRDP) client could then reconnect.

Related Articles, References, Credits, or External Links

NA

Windows Server 2012 R2 – Deploying Remote Desktop Services

KB ID 0001136 

Problem

I’ve had to do a rollout of Remote Desktop Services on Server 2012 R2, and publish it with Active Directory Federation Services and Web Application Proxy. I’m a little rusty on RDS and needed to deploy a few roles, so for my proof of concept I deployed RDS on TWO servers. Below is a run through and my notes on deploying RDS ONLY (I’ll put the links to other articles at the bottom of this post as I write them).

Solution

To save yourself some hassle, visit every server that will be in the Remote Desktop Server deployment, and add all the others into each others ‘server manager’ console.

Manage > Add Roles and Features > Next > Remote Desktop Services Installation > Next.

Standard Deployment. Note: If you choose Quick Start it puts all the roles on one server  > Next.

Session-based desktop deployment > Next.

Next.

Select the server that will host the Connection Broker Role and add it > Next.

Add the server that will host the Remote Desktop Web Access role > Next.

Add the server that will host the Remote Desktop Session Host role > Next.

Tick the ‘restart the destination server automatically if required’ > Deploy.

Finish. (Note: There will be a licensing error, we will address that in a minute).

In Server Manager > Remote Desktop Services > Overview > Note: There are two options yet to be configured, (shown in green). Select ‘RD Gateway’.

Add in the server that will host the RD Gateway role > Next.

Add in the public name of the RD Gateway server, this will generate a self signed certificate, (you can replace this with a proper one later).

Add.

Close

Now Add RD Licensing.

Add in the server that will host the licensing role > Next.

Add

Close

All the nodes should now be displayed.

In production you would now add your Remote Desktop Licences. If you don’t, the whole thing will run for 120 days, (though it continues to nag you about adding licences). I’m content with the 120 day licence for my test deployment. But I will still ‘Activate’ my licensing server.

Follow the instructions

Now you need to create a ‘Collection’, this is a group of host servers that host applications you can publish. Server Manager > Remote Desktop Services > Collection > Task > Create Session Collection.

Next.

Give the collection a name  > Next.

Add in the server(s) running the RD Host role that will be included in this collection > Next.

Select the user groups that you want to grant access to. Here I’m simply using the domain users group > Next.

If you want to deploy ‘profile disks’ enter a UNC path to the share > Next.

Create.

Close.

To actually publish applications, select the collection you just created > RemoteApp Programs > Tasks > Publish RemoteApp Programs.

Select the applications, (or add them in if they are not displayed)  > Next.

Publish.

Note: You can change certificates from within Server Manager, but I prefer the manual approach, on the RD Gateway Server > Launch the IIS Manager > Select the server > Server Certificates.

Import > Import your publicly signed certificate, (you can use a self signed certificate but DON’T FORGET your remote client needs to be able to check your CRL, and trust your issuing CA if you do).

Sites > Default Web Site > Edit Bindings.

Select ‘https’ > Edit > Add in your certificate > OK > Close.

Bounce the services with an ‘iisreset’ command.

Update 070316 You also will need to restart the Remote Desktop Services Service!

Connect to the server on the https://{FQDN}/RDWeb address, and you can check the correct certificate is used.

You should now be able to log into Remote Desktop Services Web Access.

Related Articles, References, Credits, or External Links

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Publishing Remote Desktop Services With Web Application Gateway

Windows Server 2012 – RDP Server – How to get the ‘Start / Metro Screen’

KB ID 0000767

Problem

When you RDP to a server running Windows Server 2012, in Remote Desktop Services (Terminal Server) mode. How do you get the start menu up? If you press the Windows Key or Ctrl+Esc, you get the menu on YOUR Machine?

Solution

Firstly, I know it’s not called the ‘Metro Interface’ any more, but that’s what everyone calls it!

1. Drag your mouse pointer off the bottom left hand side of the screen (1) and a thumbnail of the start menu will appear (2).

2. Move the mouse pointer back to the thumbnail (3) this takes a little practice, then click the start menu thumbnail (4).

To shutdown or log off (disconnect) use the same method as you would for Windows 8 (using the charms bar).

UPDATE 04/11/13 (Credit to Thomas Dread)

1. Windows Key +R > mstsc {Enter}.
2. Show Options.
3. Local Resources TAB.
4. Keyboard > Apply Windows Key combinations “On the Remote Computer” drop down menu.

5. Back to General TAB.
6. Save or Save AS.

How Do I Shut Down Windows 8?

Related Articles, References, Credits, or External Links

NA

Remote Desktop Services – RemoteApp Error ‘The remote computer could not be found. Please contact your helpdesk about this error’

KB ID 0000768

Problem

While attempting to launch a web app from a Windows Server 2012 Remote Desktop Services (Terminal) server. Clients were greeted with the following;

RemoteApp Disconnected The remote computer could not be found. Please contact your helpdesk about this error.

Solution

1. On the Server, Start > RD Gateway Manager > Locate your server > right click > properties > Server farm > Type in the FQDN of the server* (Your remote clients must be able to resolve this name!) > Add > Make sure it gets listed as ‘OK’ > Apply > OK.

*Note: This assumes you have one RDS server, if you have many then obviously enter the FQDN of the one fulfilling the RD Gateway role.

2. Start > Internet Information Services (IIS) Manager > Expand the server > Sites > Default Web Site > RDWeb > Pages > Application Settings.

3. Open DefaultTSGateway > Set its value to the FQDN of the RD Gateway server (as above) > OK.

4. Finally restart IIS with an iisreset command.

Related Articles, References, Credits, or External Links

NA

Terminal Server / Remote Desktop Services Server – Printer Not Working (Adding Print Drivers)

KB ID 0000850 

Problem

Windows Server 2008 R2 and 2012 are a lot better with printing support over remote desktop than their predecessors were. But to be able to print to your remote users’ ‘local’ machines, the TS/RDP server still likes to have the correct drivers installed.

What about Easy Print?

Easy Print (Introduced with Server 2008 R2) is a ‘proxy’ service that simply sends all print processes to the remote machine rather than the server itself, thus negating the need for a driver. That’s great! Unless your remote home users still have Windows XP or Vista (Pre SP1).

Solution

1. Before troubleshooting, make sure the printer actually works on the client machine, you don’t want to spend an hour trying to get it working when it’s actually out of paper or not turned on, (sorry but users are ‘challenging’).

2. Download the Drivers to the Remote Desktop Server. MAKE SURE if your clients are a mix of x86 and x64 bit versions of Windows you need to download BOTH versions of the driver.

Note: Download x86 and x64 bit versions of the SAME driver, i.e. Try and install an x86 PCL6 driver and an x64 bit PCL5 Driver and you may get an error.

Note 2: With some older printers, you can save a lot of time by simply plugging them into the server and letting Windows Update do the hard work for you. You might think that this is ‘time/cost prohibitive’. But I once spent an afternoon trying to get an HP multifunction printer to work that was worth about £60. The remote client was 45 minutes away, by the time I was finished the cost was greater than replacing this printer with 6 or 7 new ones that would have worked out of the box!

3. You can simply install the printer on the Server if you wish, then delete the printer and the drivers will remain, though the correct way is to add the drivers via the servers ‘Print Server Properties’.

Server 2000 / 2003

Start > Run > control printers {Enter}.

Server 2012/2008 R2

Windows Key+R > control printers {Enter}.

Note: Print server properties is not visible until you select a printer.

4. Repeat the process to add additional drivers for the CPU architecture of your remote clients (x86, x64, etc).

Related Articles, References, Credits, or External Links

NA

RDS Server – Remove the Shutdown Command

KB ID 0000499 

Problem

I’m surprised that when you make a server a Terminal Services Server / Remote Desktop Services Server, that this does not get applied from an administrative template anyway, but it does not.

Why would you want to do this? Well users are used to hitting Start > Shutdown, when they are finished working, which is fine, unless they are in a terminal session with 500 other users and they’ve just issued a shutdown command to the server!

Solution

The simplest way to do this is run gpedit.msc on the server itself and remove shutdown through local group policy, but a far more elegant solution is create a domain group policy for the TS Server(s).

1. On a domain controller, launch the “Group Policy Management Console”. Create a policy, and link it to the OU that contains the Terminal Servers you want to enforce the policy on, (Or edit an existing policy linked to them).

2. Removing the shutdown command is a USER policy, and this is a COMPUTER policy we are writing, so it won’t work unless we turn on “Loopback processing”. Navigate to Computer Configuration > Administrative Templates > System > Group Policy > User Group Policy loopback processing. (Note: On 2016 it will be called, ‘Configure user Group Policy loopback processing mode’.)

3. In most cases you will already have user policies applied to your users, if so you will want to “Merge” this with them rather than replace them > Apply > OK.

4. Now to remove the Shutdown command. Navigate to User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands.

5. Enable > Apply > OK.

6. Then either reboot the TS Server(s), wait a couple of hours or run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

NA

Windows Server 2008 R2 Deploying Applications with RemoteApp

KB ID 0000528

Problem

RemoteApp is a solution for delivering applications to your users from a Remote Desktop Services Server.

Why would you want to do this? Imagine you only had one copy of Office to update in your entire organisation when a new service pack or security update is released, or Adobe bring out a new version of Dreamweaver that’s on all your machines – you simply update the master copy on the RDS server, or redeploy new RemoteApps.

In the following example I’ll configure the server, and create a RemoteApp application (Word 2010) and finally, deploy it to my domain clients.

Client requirements: Windows XP (SP2), Windows Vista, Windows 7, Windows Server 2003 SP2, Windows Server 2008, and Windows Server 2008 R2.

Note: For XP and Server 2003 clients you need to have installed Remote Desktop Connection (Terminal Services Client 6.0).

Solution

1. On a 2008 R2 Server (That’s a domain member), Start > Run > CompMgmtLauncher.exe {enter} > Roles > Add Roles > Remote Desktop Services > Add the following “Role Services” > Remote Desktop Session Host > Remote Desktop Web Access > (If you do not have a RDS Licensing services Licencing server add that also).

2. Select “Network Level Authentication” >Select your licensing mode > Add in the user(s) and/or group(s) you want to grant access to > Set your client experience options > Set the scope for the licensing server (per forest or per domain) > When complete let the server reboot.

3. If you do not already have a RDS Licensing server then activate the Licensing Server and follow the instructions. (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Licensing Manager).

4. Then Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration > Locate Licensing > And click the “Not Specified” > Then add in the licencing server you just activated.

5. Install and configure the applications you want to deploy. Then Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager > Add RemoteApp Programs > Install and configure the desired application.

6. Add the computers that need access to RemoteApp(s) to the LOCAL group on the RDS server called “TS Web Access Computers”.

8. In the RemoteApp Manager select “Create Windows Installer Package” follow the instructions and put the resulting .msi file in a network share that your domain clients can access.

9. Send out the .msi file generated to your clients by group policy.

10. By default your deployed RemoteApps will be listed on the clients start menu under “Remote Programs”.

Related Articles, References, Credits, or External Links

Server 2008 – Terminal Server (Remote Desktop Services) Licensing

Server 2008 R2 Install and Configure Remote Desktop Services (Web Access)

Install and Configure Remote Desktop Services (Web Access)

KB ID 0000104

Problem

Originally we had TS Web in 2003, and while I had a little play with it, it basically just gave you RDP over web, which would have been good if it ran over HTTP or HTTPS, but it didn’t. Also, as anyone who has ever done a complex Google search for “/tsweb” will testify, it left a nice big security hole in your servers.

With the release of Server 2008 we got TSWeb 2008, this was a whole different beast, and the web portal was very similar in operation to Citrix Web Presentation Server.

With Server 2008 R2, Terminal Services became Remote Desktop Services, so if you only have a couple of clients (i.e. don’t need an application farm etc,) then this might be just what you need, and buying licences for Remote Desktop Services is a LOT cheaper than buying the same licences plus Citrix licences that are about three times the price per seat.

I originally wrote this for TSWeb 2008, and updated it for Remote Desktop Services 2008 R2, I’ll leave the older information at the bottom for anyone who is still running 2008 R1.

Solution

Setup Remote Desktop Services Web Access on Server 2008 R2

1. In this example I’ve got a fresh server which is a domain member, and I’m going to put the Licensing server on the same box. From server manager (ServerManager.msc) > Roles > Add Roles > Next > Remote Desktop Services > Next > Next.

2. Everything is going on one server, you may want to split roles up in a larger production environment, but here we are adding Remote Desktop Session Host, Remote Desktop Licensing, Remote Desktop Gateway > Remote Desktop Web Access > Next > Next.

Note: When selecting role services, you will be prompted to “add required role services”, please do so.

3. I’m choosing the least secure method (choose this if you have older client running older versions of the RDP client) > Next > Either select a Licensing model (per user or per device, or select configure later) > Next.

Note: The licensing model chosen MUST match the CALS that will be in the licensing server. (If you are unsure configure it later, then you will have 120 days grace period to sort it out).

4. Add in which user groups you want to allow access to the host server > Next.

5. Decide which options you want to allow, to enrich your end user experience > Next > I don’t need a scope as all my RD Servers will be 2008 R2, if you have TS servers as well you will need to configure a scope > Next.

6. If you already have a certificate you can select it here, I’m going to manually import the certificate into IIS at the end of the procedure > Select “Now” to configure the access policies > Next.

7. Add in which user groups you want to allow through the Remote Desktop Gateway > Next.

8. At the RD CAP screen, I’m just going to use passwords > Next > Then at the RD RAP screen, I’m going to allow connections TO ANY computer > Next > Next > let it install the Network Policy Server component > Next.

9. Install > Then go and have a coffee.

10. When completed, select yes to reboot which it will do (twice).

11. After you log back into Windows the installation will complete > Close

Import and Enable a Digital Certificate in IIS7

12. Start > Administrative tools > Internet Information Services Manager > Select the {server-name} > Server certificates > From here you can either create a certificate request, or complete a request, and import a certificate.

13. Here is my certificate with the “friendly name” WebServer.

14. To enable my certificate right click the “Default Web Site” (Assuming that’s where you have RDWeb installed) > Edit Bindings.

15. Select HTTPS > Edit > And select your SSL certificate > OK.

16. Restart the website (or run “iisreset /noforce” from command line).

17. Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager.

18. Anything that needs configuring will have a yellow warning triangle, or a red cross over it. First you will see it’s complaining that there are no computers in the “TS Web Access Computers” group.

19. That’s just a LOCAL group on the server itself, launch ServerManager >Configuration > Local Users and Groups > Groups > Locate the group.

20. Add in your groups as required > Apply >OK.

21. Back in the RemoteApp Manager > Check the RD Session Host Server > Settings (on the menu on the right) > Make sure the PUBLIC name (which will be the CN on your digital certificate) is displayed NOT the LOCAL FQDN of the server. You can also tick the option (shown with the arrow) to display the RDP shortcut to your users on the web portal. > Apply > OK.

22. To do the next step, you need to have the applications you want to give to your users, actually installed on the server. > Either right click at the bottom, or select “Add RemoteApp Programs”.

23. Follow the wizard, and select the programs as required.

24. Click refresh > Make sure there’s no more red/yellow warnings > Close RemoteApp Manager.

25. To test it, connect to your server on https://{servername}/RDWeb and log in.

26. Your applications should be shown, give them a test, here I’ll launch Outlook.

27. I already have Outlook configured on the Remote Desktop Server so mine just opens (your users will need to setup Outlook, if they don’t have a profile on the RD server already).

Setup Terminal Services Web Access on Server 2008 R1

1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter)) > Add Roles.

2. Next.

3. Tick Terminal Services > Tick Web Server IIS.

4. As soon as you select IIS > In the Pop up Select “Add Required Features”.

5. Next.

6. Next.

7. Select Terminal Server > TS Licensing > TS Gateway > At The Popup Select “Add Required Roles Services”.

8. Select TS Web Access > At the Popup Select “Add Required Roles Services”.

9. Next.

10. Next.

11. I’m going to select “Do Not require Network Level Authentication” > Next.

12. Next.

13. Next.

14. I’m selecting “Configure Later” for the licensing (Like previous versions you get 120 days grace to sort this out) > Next.

15. Allowing Access to TS > By default the “Remote Desktop Users” group on the TS server is allowed access you can add additional groups here > Next.

16. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login.

17. Select the scope you require for TS Licensing > Next.

18. Later > Next.

20. Next.

21. Next.

22. Next.

23. Next.

24. Install.

25. The Roles will install.

26. Close.

27. Click Yes to reboot.

28. After reboot installation will continue.

29. Close.

Deploying Applications

1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter)) > Expand > Roles > Terminal Services > TS Remote App Manager > Select “Add Remote App Programs” (Right hand window).

2. Next.

3. Select the application you require or browse to its Executable > Next.

4. Finish.

Connecting from a client

1. On a Client PC open internet explorer > Navigate to http://{serverIP or name}/ts > Note: If you do not have ActiveX enabled and the latest RDP client you may see this error.

2. There’s your applications > simply select one.

3. Enter your login credentials.

4. Wait for the application to deploy.

5. And there you go 🙂

Related Articles, References, Credits, or External Links

Windows Server 2008 R2 Deploying Applications with RemoteApp

Original Article Written 02/11/11