question

PaulKecun-7967 avatar image
0 Votes"
PaulKecun-7967 asked JesseFlintoff-4117 commented

Windows Server 2019 RRAS fails to start when Remote Desktop Host / Gateway Roles Also Installed

Per the subject, have come across this on 2 different Windows Server 2019 installs, one was a migration but one of which was a brand new AD forest/domain.

Latest cumulative updates installed as of 2021/01.

I typically install RD Session Host / Gateway on a domain member.. on rare occasions we need the ability to SSTP VPN also and on 2012 R2 and 2016 we've been able to simply add RRAS and configure SSTP Dial-In without issue on the RDSH / RDG server (lets ignore whether or not that's a best practice for now!)

But on 2019 it seems that if you install RRAS on a server that is also running RDG and RDSH, RRAS fails to start with the following error -

7024, Service Control Manager
The Routing and Remote Access service terminated with the following service-specific error:
A specified logon session does not exist. It may already have been terminated.

When trying to start the RRAS service I see (under RRAS-Provider Event Log) -
ServiceMain: Error 1312 occured during DDM service initialization.
DimCleanup completed for error 1312

I've searched for each and found nothing specific to Windows Server 2019. I've ran through the fixes for other OS (from 2008 -> 2016) but to no avail.

If this was just happening at one location, I'd put it down as a one off but after seeing it happen on a brand new installation with a fresh AD domain, I realised it's more likely to be a 2019 specific issue.

I'm really hoping someone else has seen this scenario and is aware of a fix or has suggestions.

remote-desktop-serviceswindows-server-2019windows-server-infrastructure
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JennyYan-MSFT avatar image
0 Votes"
JennyYan-MSFT answered

Hi,
1.Have you completed the installation of RRAS on the same server? Is there any errors or warning message rather than the event logs you shared?

2.I've ran through the fixes for other OS (from 2008 -> 2016) but to no avail.
Would you mind sharing the fixes that you've tried? Per my search, the failure of starting RRAS might have following possible causes:

  • Status of virtual NIC

  • IPV6 or IPV 4 corruption

  • Certificates between IIS and RRAS

  • Other settings related to NPS and RRAS

https://serverfault.com/questions/397466/rras-won-t-start-with-8007042a-or-event-id-7024-aka-the-routing-remote-access
https://social.technet.microsoft.com/Forums/windowsserver/en-US/e689ec2b-2874-48a9-93eb-e02c198f09ff/remote-desktop-and-ping-does-not-work-while-rras-service-is-started?forum=winserverNIS
Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny




5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

Better solution may be to add hyper-v role (as only role) to host, then stand up a dedicated virtual machine for active directory domain services, and two more virtual machines for RRAS role and RDS roles.

--please don't forget to Accept as answer if the reply is helpful--





5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

PaulKecun-7967 avatar image
0 Votes"
PaulKecun-7967 answered

Hi DSPatrick,

Thanks for the reply - to be clear I'm aware of the best practices but sometimes we have to make do with the licensing available to us.

I can confirm that in each scenario these are all virtual machines on a Hyper-V Host.

1x Server 2019 VM for DC,
1x Server 2019 VM for fileserver/Lob,
1x Server 2019 VM for RDSH/RDG

I'd just like to add RRAS to the RDSH/RDG

Given the other bugs in Server 2019 RRAS (i.e https://docs.microsoft.com/en-us/answers/questions/49333/windows-2019-rras-server-unable-to-utilize-dhcp-se.html which still isn't fixed in the latest CU last I checked) I suspect the error I'm seeing is a regression considering I can setup the same configuration in Server 2012 R2 and Server 2016 without issue.

Whilst I appreciate that adding a dedicate RRAS server for that role alone is "a solution", it doesn't specifically explain why a configuration that's worked in prior versions of Windows no longer works in Server 2019.

p.s I did try to comment on your reply rather than submit a new answer but it refused to actually submit.

Kind regards,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DSPatrick avatar image
0 Votes"
DSPatrick answered

it doesn't specifically explain why a configuration that's worked in prior versions

I'd suggest starting a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness

--please don't forget to Accept as answer if the reply is helpful--



5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

PaulKecun-7967 avatar image
0 Votes"
PaulKecun-7967 answered JesseFlintoff-4117 commented

Hi Jenny,

Thanks for pointing me in the right direction / the links - can confirm I'd worked through each of the solutions in the posts you listed except I'd ignored the possibility of it being related to SSL until you mentioned it again - we hadn't bought an SSL certificate or done any specific bindings so I didn't think anything of it.

But I then remembered that we were using the LetsEncrypt win-acme client at both of the affected sites (which also just so happened to be the only places we are running Server 2019 with this combination of roles).

Turns out if you use the LetsEncrypt win-acme client with the ImportRDSFull.ps1, it stores the generated certificate in the Windows Certificate Store only, it doesn't also store it in the 'My' certificate store unless you configure it to do so - so there's no way to bind the same cert in RRAS. Anyone else that experiences this needs to alter the win-acme settings.json so it's stored in the 'My' store too.

Thanks again.

· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
Thanks for the update and glad to be of help.
Please always feel free to post your questions in Q&A forum if any problem related to RDS.

Best Regards,
Jenny

0 Votes 0 ·

Hi Paul.

Can you help me please?

I am in the same boat.

I'm using a free 'lets encrypt' ssl with 'Certify the web' software client.

Can you tell me how you made this work?

Kindest regards.

Jesse

0 Votes 0 ·